

Add aux module that can protect critical directories for CAPE analysis
cccs-kevin committed Jun 21, 2022
1 parent fd515d6 commit c2217a0
Showing 3 changed files with 60 additions and 2 deletions.
4 changes: 2 additions & 2 deletions analyzer/windows/analyzer.py
Expand Up @@ -462,8 +462,8 @@ def run(self):
aux_avail.append(aux)
# log.debug('Trying to start auxiliary module "%s"...', module.__name__)
aux.start()
except (NotImplementedError, AttributeError):
log.warning("Auxiliary module %s was not implemented", module.__name__)
except (NotImplementedError, AttributeError) as e:
log.warning("Auxiliary module %s was not implemented: %s", module.__name__, e)
except Exception as e:
log.warning("Cannot execute auxiliary module %s: %s", module.__name__, e)
else:
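Review bot: Catching `AttributeError` alongside `NotImplementedError` still labels any AttributeError raised from inside a module's `start()` body as "not implemented", and the new message appends only `str(e)`, which for an AttributeError is a one-liner with no location, so a genuine bug in a module is indistinguishable from a missing method. Passing the traceback through keeps that distinction in the analysis log: `log.warning("Auxiliary module %s was not implemented: %s", module.__name__, e, exc_info=True)`. The same `exc_info=True` would help the generic `except Exception` branch below it. `run()` begins and ends outside this hunk.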
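--- /dev/null
+++ b/analyzer/windows/modules/auxiliary/permissions.py
@@ -0,0 +1,57 @@
+import logging
+from subprocess import call, STARTUPINFO, STARTF_USESHOWWINDOW
+from threading import Thread
+from lib.common.abstracts import Auxiliary
+from lib.core.config import Config
+
+log = logging.getLogger(__name__)
+
+__author__ = "[Canadian Centre for Cyber Security] @CybercentreCanada"
+
+
+class Permissions(Auxiliary):
+"""
+Change permissions for injected directory and Python interpreter
+to prevent malware from messing with analysis
+"""
+
+def __init__(self, options, config):
+Auxiliary.__init__(self, options, config)
+self.config = Config(cfg="analysis.conf")
+self.enabled = self.config.file_pickup
+self.do_run = self.enabled
+self.startupinfo = STARTUPINFO()
+self.startupinfo.dwFlags |= STARTF_USESHOWWINDOW
+
+def start(self):
+# Put locations here that you want to protect, such as the analyzer path or the Python path
+locations = ["C:\\tmp*"]
+log.debug("Adjusting permissions for %s", locations)
+for location in locations:
+
+# First add a non-inherited permission for Admin Read+Execute
+# icacls <location> /grant:r "BUILTIN\Administrators:(OI)(CI)(RX)" "BUILTIN\\Administrators:(RX)" /t /c /q
+modify_admin_params = [
+"icacls",
+location,
+"/grant:r",
+"BUILTIN\\Administrators:(OI)(CI)(RX)",
+"BUILTIN\\Administrators:(RX)",
+"/t",
+"/c",
+"/q",
+]
+t1 = Thread(target=call, args=(modify_admin_params,), kwargs={"startupinfo": self.startupinfo})
+t1.start()
+t1.join(timeout=15)
+if t1.is_alive():
+log.warning("'Modify admin' call was unable to complete in 15 seconds")
+
+# Then remove all inherited permissions so that only SYSTEM has Write access
+# icacls <location> /inheritancelevel:r /t /c /q
+inheritance_params = ["icacls", location, "/inheritancelevel:r", "/t", "/c", "/q"]
+t2 = Thread(target=call, args=(inheritance_params,), kwargs={"startupinfo": self.startupinfo})
+t2.start()
+t2.join(timeout=15)
+if t2.is_alive():
+log.warning("'Inheritance' call was unable to complete in 15 seconds")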
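Review bot: `start()` never consults `self.enabled`, and `__init__` derives it from `self.config.file_pickup` rather than a `permissions` option, so the `permissions = no` default added to auxiliary.conf cannot switch this module off and the ACL rewrite runs whenever the class is loaded (unless the analyzer skips modules whose `enabled` is false somewhere outside the visible hunk). Assuming `Config` exposes options as attributes the way `file_pickup` is read here, I would set `self.enabled = getattr(self.config, "permissions", False)` in `__init__` and open `start()` with `if not self.enabled: return`. The comment before the `/inheritancelevel:r` call says only SYSTEM keeps Write, but that switch strips inherited ACEs for every principal including SYSTEM, so unless an explicit SYSTEM ACE already exists the only remaining entry is the Administrators RX one just granted; adding `"NT AUTHORITY\\SYSTEM:(OI)(CI)(F)"` to the first `/grant:r` call makes the stated intent hold. `locations` is also hard-coded to `C:\\tmp*` while the comment above it says the analyzer and Python paths belong there, so on a guest where those resolve elsewhere nothing is protected. The class docstring should state the limit of this hardening: a sample that already runs elevated holds SeTakeOwnershipPrivilege/SeRestorePrivilege and can `takeown`/`icacls /reset` the directory back, so this only raises the bar for non-elevated samples.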
1 change: 1 addition & 0 deletions conf/auxiliary.conf
Expand Up @@ -22,6 +22,7 @@ sysmon = no
procmon = no
evtx = no
filepickup = no
permissions = no

[sniffer]
# Enable or disable the use of an external sniffer (tcpdump) [yes/no].
