'File Name: Meterpreter_Defender.vbs
'Version: v1.2, 11/20/2019
'Author: Justin Grimes, 11/18/2019
'--------------------------------------------------
'Declare the variables to be used in this script.
'Undefined variables will halt script execution.
Option Explicit
' Every name used below must be declared here (Option Explicit halts on an undeclared variable).
' COM helpers shared by all routines.
dim oShell, oShell2, oFSO
' Operator-supplied settings (assigned in the "Company Specific variables" section).
dim scriptName, appPath, logPath, companyName, companyAbbr, companyDomain, toEmail, mpdMode, _
    executionLimit, sleepTime, continuous
' Host identity and the per-host cache, mail and log paths derived from it.
dim strComputerName, strUserName, tempDir0, tempDir1, tempDir, tempFile, mailFile, _
    strSafeDate, strSafeTime, strDateTime, logFileName
' Main-loop state and the per-iteration scan result.
dim i, cacheData, infected
' Routine-level working variables (parameters and file handles).
dim fgcPath, objFGCFile, strEventInfo, objLogFile, oFile
' Declared but not referenced anywhere in this script.
dim tempData, defaultPerimiterFile, objDangerHashCache, tempOutput
'--------------------------------------------------
' ----------
' Company Specific variables.
' Change the following variables to match the details of your organization.
' "scriptName" is the filename of this script.
scriptName = "Meterpreter_Defender.vbs"
' "appPath" is the full absolute path of the script directory, with trailing slash.
' sendmail.exe and Meterpreter_Payload_Detection.exe are both executed from here while this
' script runs elevated, so the ACLs on this share are part of every workstation's security boundary.
appPath = "\\SERVER\AutomationScripts\Meterpreter_Defender\"
' "logPath" is the full absolute path where network-wide logs are stored (no trailing slash).
logPath = "\\SERVER\Logs"
' "companyName" is the full, unabbreviated name of your organization.
companyName = "Company Inc."
' "companyAbbr" is the abbreviated name of your organization.
companyAbbr = "Company"
' "companyDomain" is the domain used for sending emails. Generated report emails appear
' to come from "<COMPUTERNAME>@companyDomain".
companyDomain = "Company.com"
' "toEmail" is a valid email address where notifications will be sent
' (the value below is a placeholder to be replaced).
toEmail = "[email protected]"
' "mpdMode" selects the behaviour of Meterpreter_Payload_Detection.exe:
'   "IDS" - detection only, no remediation.
'   "IPS" - detection AND remediation (the infected process is killed).
mpdMode = "IDS"
' This application runs in a loop; each iteration lasts roughly "sleepTime" (about 5 minutes).
' "executionLimit" is the number of iterations performed before the entire application is restarted.
executionLimit = 3
' "sleepTime" is the time in milliseconds each iteration waits for Meterpreter detection to occur.
' Detection runs continuously until Meterpreter_Payload_Detection.exe is restarted at the end of each iteration.
sleepTime = 300000
' "continuous" = TRUE keeps the script running in the background indefinitely (it restarts itself
' after executionLimit iterations); FALSE lets it end after executionLimit iterations.
' The total run time is executionLimit times sleepTime; longer runs mean larger cache report
' files and therefore more resources spent scanning them for an infection.
continuous = TRUE
' ----------
'--------------------------------------------------
'Set global variables for the session.
Set oFSO = CreateObject("Scripting.FileSystemObject")
Set oShell = WScript.CreateObject("WScript.Shell")
Set oShell2 = CreateObject("Shell.Application")
' Identity of the host and of the user running the script, taken from the environment.
strComputerName = oShell.ExpandEnvironmentStrings("%COMPUTERNAME%")
strUserName = oShell.ExpandEnvironmentStrings("%USERNAME%")
' Local cache tree: C:\Program Files\Meterpreter_Defender\Cache\<COMPUTERNAME>\ . It lives under
' Program Files so that, with default ACLs, only an elevated process can alter the detector
' output this script later trusts.
tempDir0 = "C:\Program Files\Meterpreter_Defender"
tempDir1 = tempDir0 & "\Cache"
tempDir = tempDir1 & "\" & strComputerName
tempFile = tempDir & "\" & strComputerName & "-Cache.dat"
mailFile = tempDir & "\" & strComputerName & "-Meterpreter_Defender_Warning.mail"
' Zero-padded YYYYMMDD-HHMMSS stamp, fixed once at start-up; every log written by this run uses it.
strSafeDate = Year(Date) & Right("0" & Month(Date), 2) & Right("0" & Day(Date), 2)
strSafeTime = Right("0" & Hour(Now), 2) & Right("0" & Minute(Now), 2) & Right("0" & Second(Now), 2)
strDateTime = strSafeDate & "-" & strSafeTime
logFileName = logPath & "\" & strComputerName & "-" & strDateTime & "-Meterpreter_Defender.txt"
' Iteration counter for the main Do While loop.
i = 0
'--------------------------------------------------
'--------------------------------------------------
'A function to tell if the script has the required privileges to run.
'Returns TRUE if the application is elevated.
'Returns FALSE if the application is not elevated.
Function isUserAdmin()
    ' Elevation probe: the HKEY_USERS\S-1-5-19 hive (LOCAL SERVICE) is not readable by standard
    ' users, so a successful RegRead means the script already holds administrative rights.
    ' This is a heuristic based on one registry ACL, not an inspection of the process token.
    ' Returns TRUE when the read succeeds, FALSE otherwise.
    Dim probe
    On Error Resume Next
    Set probe = CreateObject("WScript.Shell")
    probe.RegRead "HKEY_USERS\S-1-5-19\Environment\TEMP"
    isUserAdmin = (Err.Number = 0)
    Err.Clear
    On Error GoTo 0
End Function
'--------------------------------------------------
'--------------------------------------------------
'A function to restart the script with admin privileges if required.
Function restartAsAdmin()
    ' Launch a second copy of this very script through ShellExecute with the "runas" verb, which
    ' requests elevation (a UAC prompt when the current token is not already elevated).
    ' The new instance runs on its own; the callers in this file end or quit right after calling
    ' this, so two copies do not scan at the same time.
    Dim quotedScript
    quotedScript = Chr(34) & WScript.ScriptFullName & Chr(34)
    oShell2.ShellExecute "wscript.exe", quotedScript, "", "runas", 1
End Function
'--------------------------------------------------
'--------------------------------------------------
'A function to read files into memory as a string like PHP's file_get_contents.
'Inspired by https://blog.ctglobalservices.com/scripting-development/jgs/include-other-files-in-vbscript/
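Function fileGetContents(fgcPath)
    ' Read the whole of a text file into a string (PHP file_get_contents style).
    ' Parameter: fgcPath - absolute path of the file to read.
    ' Returns: the file contents, or "" when the file does not exist (for example when the
    '          detector never produced its redirected output). Callers that treat "" as
    '          "nothing found" should remember it can also mean "no scan output at all".
    ' Raises: the runtime error from OpenTextFile when the file exists but cannot be opened.
    fileGetContents = ""
    If Not oFSO.FileExists(fgcPath) Then
        Exit Function
    End If
    ' Mode 1 = ForReading.
    Set objFGCFile = oFSO.OpenTextFile(fgcPath, 1)
    fileGetContents = objFGCFile.ReadAll
    objFGCFile.Close
    ' Release the stream with Set ... = Nothing. The former "objFGCFile = NULL" (no Set) is not a
    ' release: VBScript treats it as an assignment through the object's default property.
    Set objFGCFile = Nothing
End Function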
'--------------------------------------------------
'--------------------------------------------------
'A function to verify the tempDir tree and replace the previous tempFile with a fresh one.
'Start by making C:\Program Files\Meterpreter_Defender.
'Then make C:\Program Files\Meterpreter_Defender\Cache and the per-host folder below it.
'Then remove the stale cache file inside.
Function clearCache()
    ' Make sure the cache tree exists, then discard the previous detector output so each
    ' iteration reads only what the freshly launched detector writes:
    '   tempDir0 = C:\Program Files\Meterpreter_Defender
    '   tempDir1 = tempDir0\Cache
    '   tempDir  = tempDir1\<COMPUTERNAME>
    ' Each level is created only if missing, and the next level is attempted only once the
    ' previous one is confirmed present.
    If Not oFSO.FolderExists(tempDir0) Then oFSO.CreateFolder(tempDir0)
    If Not oFSO.FolderExists(tempDir0) Then Exit Function
    If Not oFSO.FolderExists(tempDir1) Then oFSO.CreateFolder(tempDir1)
    If Not oFSO.FolderExists(tempDir1) Then Exit Function
    If Not oFSO.FolderExists(tempDir) Then oFSO.CreateFolder(tempDir)
    If Not oFSO.FolderExists(tempDir) Then Exit Function
    ' Remove the stale cache file; launchMPD() recreates it through output redirection.
    If oFSO.FileExists(tempFile) Then oFSO.DeleteFile(tempFile)
End Function
'--------------------------------------------------
'--------------------------------------------------
'A function to create a log file.
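Function createLog(strEventInfo)
    ' Append one event record to this run's log file (logFileName, stamped once at start-up).
    ' Parameter: strEventInfo - text to record; an empty string writes nothing.
    ' Appending (mode 8 = ForAppending, third argument creates the file if missing) instead of
    ' recreating the file keeps the evidence of an earlier detection when a later iteration of the
    ' same run detects again; the former CreateTextFile(..., TRUE) overwrote it.
    ' Raises: the OpenTextFile error when logPath is unreachable.
    If strEventInfo = "" Then Exit Function
    Set objLogFile = oFSO.OpenTextFile(logFileName, 8, True)
    objLogFile.WriteLine(strEventInfo)
    objLogFile.Close
    Set objLogFile = Nothing
End Function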
'--------------------------------------------------
'--------------------------------------------------
'A function to create a Warning.mail file. Use to prepare an email before calling sendEmail().
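Function createEmail()
    ' Write the warning message that sendEmail() hands to sendmail.exe: a plain text file with
    ' To:/From:/Subject: headers followed by the body. Any earlier message is replaced.
    ' CreateTextFile with overwrite=TRUE already replaces an existing file, so the former
    ' delete / create / create-again sequence collapses to a single call.
    Set oFile = oFSO.CreateTextFile(mailFile, TRUE)
    oFile.Write "To: " & toEmail & vbNewLine & "From: " & strComputerName & "@" & companyDomain & vbNewLine & _
    "Subject: " & companyAbbr & " Meterpreter Defender Warning!!!" & vbNewLine & "This is an automatic email from the " & _
    companyName & " Network to notify you that a Meterpreter payload was detected on a domain workstation." & _
    vbNewLine & vbNewLine & "Please log-in and verify that the equipment listed below is secure." & vbNewLine & _
    vbNewLine & "USER NAME: " & strUserName & vbNewLine & "WORKSTATION: " & strComputerName & vbNewLine & _
    "This check was generated by " & strComputerName & " and is performed when Windows boots." & vbNewLine & vbNewLine & _
    "Script: """ & scriptName & """"
    oFile.Close
    Set oFile = Nothing
End Function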
'--------------------------------------------------
'--------------------------------------------------
Function searchCache(cacheData)
    ' Report whether the detector output contains its positive-hit marker.
    ' Parameter: cacheData - full text captured from Meterpreter_Payload_Detection.exe.
    ' Returns: TRUE when the literal "Meterpreter Process Found" occurs anywhere in the text
    '          (InStr's default binary compare, i.e. case-sensitive), FALSE otherwise, including
    '          for empty input.
    Dim hitAt
    hitAt = InStr(cacheData, "Meterpreter Process Found")
    searchCache = FALSE
    If hitAt > 0 Then searchCache = TRUE
End Function
'--------------------------------------------------
'--------------------------------------------------
'A function to pause script execution for sleepTime milliseconds (5 minutes by default).
Function searchSleep()
    ' Block this script for sleepTime milliseconds (300000 = 5 minutes as configured) while the
    ' detached Meterpreter_Payload_Detection.exe keeps writing its output to the cache file.
    WScript.Sleep sleepTime
End Function
'--------------------------------------------------
'--------------------------------------------------
'A function for running SendMail to send a prepared Warning.mail email message.
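Function sendEmail()
    ' Hand the prepared mailFile to sendmail.exe from appPath (hidden window, do not wait).
    ' The executable is run directly instead of through "cmd.exe /c": with four quote characters
    ' on the command line, cmd strips the first and the last one, so a quoted path followed by a
    ' quoted argument is fragile. Both paths are quoted so spaces (mailFile sits under
    ' "Program Files") cannot split the arguments.
    ' Security note: sendmail.exe is loaded from a network share while this script runs elevated,
    ' so write access to that share equals administrative code execution on this workstation.
    oShell.Run Chr(34) & appPath & "sendmail.exe" & Chr(34) & " " & Chr(34) & mailFile & Chr(34), 0, FALSE
End Function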
'--------------------------------------------------
'--------------------------------------------------
'A function to start the Meterpreter_Payload_Detection.exe process.
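Function launchMPD(mpdMode)
    ' Start Meterpreter_Payload_Detection.exe detached (hidden window, no wait) with its standard
    ' output redirected into tempFile; the main loop reads that file after searchSleep().
    ' Parameter: mpdMode - "IDS" (detect only) or "IPS" (detect and kill), as configured above.
    '            It is a trusted constant from this file; if it ever comes from outside the script,
    '            validate it against those two values before it is placed on a command line.
    ' cmd.exe is needed only for the ">" redirection. "/S" makes cmd strip exactly the outer pair
    ' of quotes, so both the executable and the output file can be quoted safely even when their
    ' paths contain spaces (the plain "/c" form mishandles that, which is presumably why the
    ' former command line left the executable unquoted).
    ' Security note: the detector is executed elevated from the appPath share; protect that share.
    Dim cmdLine
    cmdLine = Chr(34) & appPath & "Meterpreter_Payload_Detection.exe" & Chr(34) & " " & mpdMode & _
              " > " & Chr(34) & tempFile & Chr(34)
    oShell.Run "c:\Windows\System32\cmd.exe /S /c " & Chr(34) & cmdLine & Chr(34), 0, FALSE
End Function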
'--------------------------------------------------
'--------------------------------------------------
'A function to kill the running Meterpreter_Payload_Detection.exe process that we started earlier.
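Function killMPD()
    ' Terminate the detector started by launchMPD() so the next iteration can start a fresh one
    ' (hidden window; wait for taskkill to finish before returning).
    ' The script is already elevated (see isUserAdmin), so a local "/F /IM" is sufficient and kills
    ' every instance regardless of the owning user. The former "/U <user> /S localhost" form is
    ' meant for remote targets and, without "/P", may prompt for a password on a hidden console
    ' that nothing could answer.
    ' Deliberately NOT killing cmd.exe by image name: that would terminate every cmd.exe on the
    ' host, not just the wrapper that launched the detector.
    oShell.Run "c:\Windows\System32\taskkill.exe /F /IM Meterpreter_Payload_Detection.exe", 0, TRUE
End Function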
'--------------------------------------------------
'--------------------------------------------------
'The main logic of the script which makes use of the code & functions above.
'Make sure the script is being run with elevated privileges.
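If Not isUserAdmin() Then
    'Not elevated: request an elevated copy of this script; this instance then falls off the end.
    restartAsAdmin()
Else
    'Each iteration scans for roughly sleepTime (5 minutes as configured), so a run lasts about
    'executionLimit * sleepTime (~15 minutes) before the whole application restarts to reset state.
    '"<" rather than "<=": with i starting at 0, "<=" ran executionLimit + 1 iterations, one more
    'than the configuration comment promises.
    Do While i < executionLimit
        'Pause briefly so files released by the previous iteration unlock and killed processes exit.
        'The author found 1s, 5s and 10s unreliable; 15s is the value that worked.
        WScript.Sleep 15000
        'Verify that the required directories exist and discard the previous cache file.
        clearCache()
        'Start Meterpreter_Payload_Detection.exe in the configured mode.
        launchMPD(mpdMode)
        'Give the detector sleepTime to conduct its scan.
        searchSleep()
        'Read the detector output captured in the cache file and look for the hit marker.
        cacheData = fileGetContents(tempFile)
        infected = searchCache(cacheData)
        If infected Then
            'Record the finding. Only claim mitigation when the detector ran in IPS mode; in IDS
            'mode the payload was detected but nothing was killed, and the log must say so.
            If mpdMode = "IPS" Then
                createLog("The workstation " & strComputerName & " has detected and mitigated a Meterpreter Payload! " & _
                    "The relevant detection information is below." & vbNewLine & vbNewLine & cacheData)
            Else
                createLog("The workstation " & strComputerName & " has detected a Meterpreter Payload (IDS mode, no remediation performed)! " & _
                    "The relevant detection information is below." & vbNewLine & vbNewLine & cacheData)
            End If
            'Prepare the Warning.mail file and hand it to sendmail.exe.
            createEmail()
            sendEmail()
        End If
        'Drop the scan text so it does not stay in memory until the next iteration.
        cacheData = NULL
        i = i + 1
        'Stop the detector so a fresh one can be started on the next iteration.
        killMPD()
    Loop
    'With "continuous" set, relaunch the script and quit this instance to reset all variables and handles.
    If continuous Then
        restartAsAdmin()
        WScript.Quit()
    End If
End If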
'--------------------------------------------------