# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
# or more contributor license agreements. Licensed under the Elastic License;
# you may not use this file except in compliance with the Elastic License.
# Name: Unexpected Network Activity from Microsoft Tools
# RTA: unusual_ms_tool_network.py
# ATT&CK: T1127
# Description: Generates network traffic from a process whose name matches a common Microsoft administration or
# developer tool that does not normally make network connections unless it is being abused.
import os
import shutil
import sys
from . import common
# The RTA re-launches a copy of the running interpreter with ``-c``; pick the
# module that exposes ``urlopen`` for that interpreter's major version
# (Python 2: ``urllib``, Python 3: ``urllib.request``) so the one-liner
# imports cleanly on either.
urlliblib = "urllib.request" if sys.version_info > (3,) else "urllib"
# Executable names this RTA impersonates.  Per the file header these are
# Microsoft administration/developer tools that do not normally originate
# network traffic, so a renamed interpreter making an HTTP request under one
# of these names is the behaviour the companion detection is meant to flag.
# Order is preserved from the original list; it is iterated in sequence by main().
process_names = """
    bginfo.exe   msdt.exe   ieexec.exe  cdb.exe
    dnx.exe      rcsi.exe   csi.exe     cmstp.exe
    xwizard.exe  fsi.exe    odbcconf.exe
""".split()
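def http_from_process(name, ip, port):
    """Make one HTTP GET from an interpreter copy running under *name*.

    The current Python executable is copied into ``common.BASE_DIR`` as
    *name* (e.g. ``cmstp.exe``), run with ``-c`` to ``urlopen`` the RTA's
    local web server at ``http://ip:port``, and then deleted.  The point is
    to produce a process whose image name matches a Microsoft tool but which
    generates network traffic.

    Args:
        name: file name to give the interpreter copy (one of ``process_names``).
        ip: address of the local web server returned by ``common.serve_web()``.
        port: integer port of that server (it is formatted with ``%d``).

    Returns:
        None.  Exceptions from the copy or the child execution propagate, but
        once the copy exists it is always removed, so a failed run does not
        leave a ``python.exe`` named after a Microsoft tool lying in
        ``BASE_DIR`` (an artifact that would itself look like a compromise).
    """
    path = os.path.join(common.BASE_DIR, name)
    common.log("Making HTTP GET from %s" % path)
    shutil.copy(sys.executable, path)
    try:
        # ip/port come from the RTA's own server, not from untrusted input,
        # so interpolating them into the -c one-liner is acceptable here.
        command = "from %s import urlopen ; urlopen('http://%s:%d')" % (urlliblib, ip, port)
        common.execute([path, "-c", command])
    finally:
        # Clean up even if execution fails (the original only removed the
        # file on the success path).
        common.remove_file(path)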
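@common.requires_os(common.WINDOWS)
def main():
    """Run the RTA: start a local HTTP server and hit it from each tool-named process.

    Restricted to Windows by ``common.requires_os`` since the impersonated
    names are Windows executables.  The server is shut down in a ``finally``
    so that an exception from any single ``http_from_process`` run does not
    leave the listener open.

    Returns:
        None (so the ``exit(main())`` guard exits with status 0 on success).
    """
    server, ip, port = common.serve_web()
    try:
        for process in process_names:
            http_from_process(process, ip, port)
    finally:
        server.shutdown()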
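if __name__ == "__main__":
    # Use sys.exit rather than the site-provided exit() builtin, which is not
    # available when the interpreter is started with -S.  main() returns
    # None, so this exits with status 0 on success.
    sys.exit(main())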