From c2217a03a79ae97cf0cb3b7b0ff291d8a452d6c6 Mon Sep 17 00:00:00 2001
From: cccs-kevin
Date: Tue, 21 Jun 2022 20:44:01 +0000
Subject: [PATCH] Add aux module that can protect critical directories for CAPE analysis
---
 analyzer/windows/analyzer.py | 4 +-
 .../windows/modules/auxiliary/permissions.py | 57 +++++++++++++++++++
 conf/auxiliary.conf | 1 +
 3 files changed, 60 insertions(+), 2 deletions(-)
 create mode 100644 analyzer/windows/modules/auxiliary/permissions.py
diff --git a/analyzer/windows/analyzer.py b/analyzer/windows/analyzer.py
index 283de14a8cc8..c734bb39186c 100644
--- a/analyzer/windows/analyzer.py
+++ b/analyzer/windows/analyzer.py
@@ -462,8 +462,8 @@ def run(self):
 aux_avail.append(aux)
 # log.debug('Trying to start auxiliary module "%s"...', module.__name__)
 aux.start()
- except (NotImplementedError, AttributeError):
- log.warning("Auxiliary module %s was not implemented", module.__name__)
+ except (NotImplementedError, AttributeError) as e:
+ log.warning("Auxiliary module %s was not implemented: %s", module.__name__, e)
 except Exception as e:
 log.warning("Cannot execute auxiliary module %s: %s", module.__name__, e)
 else:
diff --git a/analyzer/windows/modules/auxiliary/permissions.py b/analyzer/windows/modules/auxiliary/permissions.py
new file mode 100644
index 000000000000..095cbd53cbf2
--- /dev/null
+++ b/analyzer/windows/modules/auxiliary/permissions.py
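Review bot: The `except (NotImplementedError, AttributeError) as e` branch now records the exception text, but it still labels any AttributeError raised from inside a module's own `start()` body (a mistyped attribute, a missing config attribute) as "was not implemented", so genuine bugs in auxiliary modules are logged as benign. Consider reserving this branch for `NotImplementedError` and letting `AttributeError` fall through to the generic `Cannot execute auxiliary module` handler, or switch this line to `log.exception(...)` so the traceback shows where the error actually originated. The enclosing `run()` method starts and ends outside the hunk.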
@@ -0,0 +1,57 @@
+import logging
+from subprocess import call, STARTUPINFO, STARTF_USESHOWWINDOW
+from threading import Thread
+from lib.common.abstracts import Auxiliary
+from lib.core.config import Config
+
+log = logging.getLogger(__name__)
+
+__author__ = "[Canadian Centre for Cyber Security] @CybercentreCanada"
+
+
+class Permissions(Auxiliary):
+ """
+ Change permissions for injected directory and Python interpreter
+ to prevent malware from messing with analysis
+ """
+
+ def __init__(self, options, config):
+ Auxiliary.__init__(self, options, config)
+ self.config = Config(cfg="analysis.conf")
+ self.enabled = self.config.file_pickup
+ self.do_run = self.enabled
+ self.startupinfo = STARTUPINFO()
+ self.startupinfo.dwFlags |= STARTF_USESHOWWINDOW
+
+ def start(self):
+ # Put locations here that you want to protect, such as the analyzer path or the Python path
+ locations = ["C:\\tmp*"]
+ log.debug("Adjusting permissions for %s", locations)
+ for location in locations:
+
+ # First add a non-inherited permission for Admin Read+Execute
+ # icacls /grant:r "BUILTIN\Administrators:(OI)(CI)(RX)" "BUILTIN\\Administrators:(RX)" /t /c /q
+ modify_admin_params = [
+ "icacls",
+ location,
+ "/grant:r",
+ "BUILTIN\\Administrators:(OI)(CI)(RX)",
+ "BUILTIN\\Administrators:(RX)",
+ "/t",
+ "/c",
+ "/q",
+ ]
+ t1 = Thread(target=call, args=(modify_admin_params,), kwargs={"startupinfo": self.startupinfo})
+ t1.start()
+ t1.join(timeout=15)
+ if t1.is_alive():
+ log.warning("'Modify admin' call was unable to complete in 15 seconds")
+
+ # Then remove all inherited permissions so that only SYSTEM has Write access
+ # icacls /inheritancelevel:r /t /c /q
+ inheritance_params = ["icacls", location, "/inheritancelevel:r", "/t", "/c", "/q"]
+ t2 = Thread(target=call, args=(inheritance_params,), kwargs={"startupinfo": self.startupinfo})
+ t2.start()
+ t2.join(timeout=15)
+ if t2.is_alive():
+ log.warning("'Inheritance' call was unable to complete in 15 seconds")
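Review bot: Enablement in `__init__` is keyed on `self.config.file_pickup` rather than a setting of this module's own, so the `permissions = no` key this commit adds to conf/auxiliary.conf (third hunk) never reaches this code and the module runs exactly when filepickup does; this looks copied from the filepickup module and should read the module's own option, e.g. `self.enabled = self.config.permissions` (confirm how auxiliary.conf keys are surfaced into analysis.conf before relying on that attribute name). In `start()`, each `call` runs on a `Thread` with `join(timeout=15)`, so a hung `icacls` is only warned about and keeps running in the background, and its exit code is discarded, so a failed ACL change on a protected path is silent; `subprocess.run(..., timeout=15)` with a `TimeoutExpired` handler and a `returncode` check covers both and removes the duplicated thread blocks, as in the helper below (import `run` and `TimeoutExpired` from `subprocess` in place of `call`). Separately, `/inheritancelevel:r` strips every inherited ACE while the only explicit grant added is for Administrators, so if SYSTEM's access to `C:\tmp*` was itself inherited the analyzer's own account may lose it, contrary to the comment that only SYSTEM keeps Write; granting SYSTEM explicitly before removing inheritance, and logging the resulting ACL, would make the protection verifiable.
```python
    def start(self):
        # Put locations here that you want to protect, such as the analyzer path or the Python path
        locations = ["C:\\tmp*"]
        log.debug("Adjusting permissions for %s", locations)
        for location in locations:
            # … unchanged: modify_admin_params and inheritance_params list construction …
            self._run_icacls(modify_admin_params, "Modify admin")
            self._run_icacls(inheritance_params, "Inheritance")

    def _run_icacls(self, params, label):
        """Run one icacls invocation bounded to 15 seconds; log a timeout or non-zero exit instead of dropping it."""
        try:
            result = run(params, startupinfo=self.startupinfo, timeout=15)
        except TimeoutExpired:
            log.warning("'%s' call was unable to complete in 15 seconds", label)
            return
        if result.returncode != 0:
            log.warning("'%s' call exited with code %d", label, result.returncode)
```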
diff --git a/conf/auxiliary.conf b/conf/auxiliary.conf
index ca9b2fefad45..4a58fc5aac93 100644
--- a/conf/auxiliary.conf
+++ b/conf/auxiliary.conf
@@ -22,6 +22,7 @@ sysmon = no
 procmon = no
 evtx = no
 filepickup = no
+permissions = no
 [sniffer]
 # Enable or disable the use of an external sniffer (tcpdump) [yes/no].