MultCheck : A User-Friendly, Open-Source Malware AV Testing Tool

An innovative, open-source tool designed to streamline malware analysis by testing the effectiveness of multiple antivirus (AV) engines simultaneously.

Developed by the resourceful @Pengrey, MultCheck stands out for its user-friendly interface and customizable framework, allowing users to easily integrate new AV engines as needed.

Whether you’re a cybersecurity professional or an enthusiast, MultCheck provides a practical solution for assessing file detection capabilities across different security platforms.

Dive into this article to explore how to install, use, and extend the functionalities of MultCheck, enhancing your malware defense toolkit.

MultCheck is a malware-analysis tool that can be used to test the detection of a file by multiple AV engines.

It is designed to be easy to use, and to be able to test multiple AV engines. It is also designed to be easy to extend, and to be able to add custom AV engines.

Installation

  • Run go build under the root directory of the project.
  • Or directly run the compiled binaries in the bin directory.
$ cd src
# Build for Windows
## 64-bit
$ GOOS=windows GOARCH=amd64 go build -o ../bin/multcheck_64.exe

## 32-bit
$ GOOS=windows GOARCH=386 go build -o ../bin/multcheck_32.exe

CLay – Enhancing Web Security hrough Deceptive Reverse Proxies

CLay offers a unique and powerful feature that goes beyond traditional security measures.

CLay takes deception to a new level by mimicking the appearance of a website with information from a different framework.

The primary objective is to mislead and deceive potential attackers, leading them to gather false information about the web application.

Features

  • Request filtering by User Agent
  • HTML Comment Filtering
  • Informative Response Header Filtering
  • Adding Dummy HTML Comments
  • Adding Decoy Informative Response Headers
  • Adding Decoy Cookies
  • Error Template Changing

Supported Decoy Frameworks

  • PHP
  • Laravel
  • Microsoft ASP.NET
  • Flask
  • Django

Supported Decoy Webservers

  • Nginx
  • Apache HTTP Server

Requirements

  • Python 3.11+
  • mitmproxy is a set of tools that provide an interactive, SSL/TLS-capable intercepting proxy for HTTP/1, HTTP/2, and WebSockets. CLay utilizes mitmproxy‘s capabilities to intercept and modify HTTP/HTTPS traffics on the fly.
  • Jinja is a fast, expressive, extensible templating engine.

Quick Start

  1. Fetch and start CLay package installation.
git clone https://github.com/kisanakkkkk/CLay.git
cd CLay
pip3 install .

2. Generate new configuration file. On the menu prompt, choose [1] Run CLay (default config), then enter the target URL for which you’d like to set up the CLay.

CLay -g

For more information click here.

Entraspray – Enhancing Password Spraying Tools For Microsoft Azure Security

Entraspray is a rewrite of MSOLSpray in python. The main purpose of this tool remains the same: to perform password spraying against Microsoft Azure accounts while also providing detailed information about account status and errors; such as if MFA is enabled, if a tenant or user doesn’t exist, if the account is locked or disabled and more.

Enhancements:

  • The script will remove “compromised” users from the input list.
    • This feature prevents password spraying against accounts where the correct password has already been identified in previous execution of the script.
      • A backup of the original user input list is created in the output directory.
        • While seemingly minor, this change can reduce repeated password spraying and account lockouts, a feature I have not seen in most of the other password spraying tools.
          • The operator can safely keep using the same user input list without risking unnecessary account lockout and alerting.
  • Random selection of user-agent for each request.
  • Some additional error codes have also been added based on conditional access policy.

The tool supports using FireProx to rotate source IP addresses on authentication requests, avoiding being blocked by Microsoft Entra Smart Lockout.

Usage

Create/Activate Virtual ENV And Install Requirements:

python3 -m venv venv
source venv/bin/activate
python3 -m pip install -r requirements.txt

Password Spraying

provide a userlist file with the target email addresses one per line for example ‘user@example.com‘. Use caution to avoid locking out accounts, as this tool can trigger Microsoft Entra Smart Lockout if used incorrectly.

python3 entraspray.py --userlist userlist.txt --password Password123

Script Options

  --userlist   : Path to a file containing usernames one-per-line in the format 'user@example.com'.
  --password   : Password to be used for the password spraying.
  --url        : URL to spray against. Useful if using FireProx to randomize the IP address you are authenticating from.
  --delay      : Number of seconds to delay between requests.
  --verbose    : Show invalid password attempts.
  --force      : Force the spray to continue even if multiple account lockouts are detected.
  --debug      : Show web request and response.
  --proxy      : Specify a proxy host to send all traffic through.

IAT-Tracer V2 : Streamlining API Function Tracing For Enhanced Cybersecurity

IAT-Tracer V2 is a plugin for Tiny-Tracer framework (by @hasherezade) for automatically detecting and resolving functions’ parameters out of the IAT or trace logs (.tag files) of PE files.

The plugin has a GUI that allows the user to choose what imported or called functions to trace and watch and then automatically fills the parameters (library, function’s name, and the number of parameters) into the “params.txt” file used by Tiny-Tracer.

Using this tool, the user can log all the dynamically called API functions and their arguments for each call.

Changelog (V2)

  •  .tag file parsing capabilities
  •  Search box for automatic filtering by functions’ names
  •  Using .pickle file to reduce DB size
  •  Pyinstaller compatibility for one file application (see Releases for downloading the .exe file)
  •  Bug fixes

Usage (IAT Tracing)

Example: tracing and watching interesting API functions from the Vipasana ransomware binary.

Usage (.tag File Tracing)

Example: tracing and watching all the dynamically called functions from the SameCoin Wiper binary.

Motivation

Currently, to trace and watch a program with the Tiny-Tracer framework one needs to perform several steps manually:

  1. Finding which interesting functions are imported/called by the program.
  2. Finding the library and the number of parameters required by those functions (this step usually requires online access to MSDN).
  3. Manually writing each function’s library, name, and number of parameters to the params.txt file.

The plugin is intended to automate this process, enabling the user to complete steps 1-3 offline in a matter of seconds.

Installation

The plugin is intended to be used after the installation of Tiny-Tracer.

git clone https://github.com/YoavLevi/IAT-Tracer.git
cd IAT-Tracer\
pip install -r requirements.txt
python .\IAT-Tracer.py

For more information click here.

Gouge – The Essential Burp Suite Extension For URL Extraction

Gouge is a Burp Suite extension to extract or GOUGE all URLs. It is a Burp Suite extension written in Python and uses the Burp Suite API to extract URLs from a webpage & all its JS files too!

How To Use Gouge?

  1. Download the latest release of Gouge from the releases page.
  2. Extract the Gouge zip file to a directory of your choice.
  3. Open Burp Suite and go to the Extender tab.
  4. Click on the “Add” button and select the Gouge.py file from the extracted Gouge directory.
  5. Go to the Gouge tab and click on the “Gouge” button to start Gouging.

How To Build Gouge?

Gouge is written in Python and uses the Burp Suite API to extract URLs from JS files.

To build Gouge, you need to have Python installed on your computer. You can download Python from the official Python website.

Once you have Python installed, you can build Gouge by following these steps:

  1. Open a terminal or command prompt and navigate to the directory where you have extracted the Gouge source code.
  2. Run the following command to install the required dependencies:
pip install -r requirements.txt

Microsoft-Analyzer-Suite (Community Edition) : A Deep Dive Into Analyzing Microsoft 365 Security

Explore the capabilities of the Microsoft-Analyzer-Suite (Community Edition), a powerful collection of PowerShell scripts designed to enhance your security analysis.

This suite provides automated processing of logs from Microsoft 365 and Microsoft Entra ID, leveraging tools developed by Invictus-IR.

Dive into the intricacies of these tools and learn how they can bolster your cybersecurity efforts.

A collection of PowerShell scripts for analyzing data from Microsoft 365 and Microsoft Entra ID.

TL;DR

Automated Processing of Microsoft 365 Logs and Microsoft Entra ID Logs extracted by Microsoft-Extractor-Suite.

The Following Microsoft Data Sources Are Supported Yet:

Output Files of Microsoft-Extractor-Suite v1.3.5 by Invictus-IR

  • Get-ADSignInLogsGraph → ADSignInLogsGraph-Analyzer v0.1
  • Get-MFA → MFA-Analyzer v0.2
  • Get-OAuthPermissions → OAuthPermissions-Analyzer v0.2
  • Get-RiskyDetections → RiskyDetections-Analyzer v0.2
  • Get-RiskyUsers → RiskyUsers-Analyzer v0.2
  • Get-UALAll → UAL-Analyzer v0.3
  • Get-Users → Users-Analyzer v0.1
  • Get-TransportRules → TransportRules-Analyzer v0.1

Cloud_Enum – Advancing Cloud Security Through Multi-Cloud OSINT Tools

I built this tool in 2019 for a pentest involving Azure, as no other enumeration tools supported it at the time. It grew from there, and I learned a lot while adding features.

Building tools is fun, but maintaining tools is hard. I haven’t actively used this tool myself in a while, but I’ve done my best to fix bugs and review pull requests.

Moving forward, it makes sense to consolidate this functionality into a well-maintained project that handles the essentials (web/dns requests, threading, I/O, logging, etc.). Nuclei is really well suited for this. You can see my first PR to migrate cloud_enum functionality to Nuclei here.

I encourage others to contribute templates to Nuclei, allowing us to focus on detecting cloud resources while leaving the groundwork to Nuclei.

I’ll still try to review PRs here to address bugs as time permits, but likely won’t have time for major changes.

Thanks to all the great contributors. Good luck with your recon!

Overview

Multi-cloud OSINT tool. Enumerate public resources in AWS, Azure, and Google Cloud.

Currently enumerates the following:

Amazon Web Services:

  • Open / Protected S3 Buckets
  • awsapps (WorkMail, WorkDocs, Connect, etc.)

Microsoft Azure:

  • Storage Accounts
  • Open Blob Storage Containers
  • Hosted Databases
  • Virtual Machines
  • Web Apps

Google Cloud Platform

  • Open / Protected GCP Buckets
  • Open / Protected Firebase Realtime Databases
  • Google App Engine sites
  • Cloud Functions (enumerates project/regions with existing functions, then brute forces actual function names)
  • Open Firebase Apps

See it in action in Codingo‘s video demo here.

Usage

Setup

Several non-standard libaries are required to support threaded HTTP requests and dns lookups. You’ll need to install the requirements as follows:

pip3 install -r ./requirements.txt

Running

The only required argument is at least one keyword. You can use the built-in fuzzing strings, but you will get better results if you supply your own with -m and/or -b.

You can provide multiple keywords by specifying the -k argument multiple times.

Keywords are mutated automatically using strings from enum_tools/fuzz.txt or a file you provide with the -m flag.

Services that require a second-level of brute forcing (Azure Containers and GCP Functions) will also use fuzz.txt by default or a file you provide with the -b flag.

Let’s say you were researching “somecompany” whose website is “somecompany.io” that makes a product called “blockchaindoohickey”. You could run the tool like this:

./cloud_enum.py -k somecompany -k somecompany.io -k blockchaindoohickey

For more information click here.

EDRPrison – Advanced Evasion Techniques Using Legitimate WFP Drivers

EDRPrison leverages a legitimate WFP callout driver, WinDivert, to effectively silence EDR systems. Drawing inspiration from tools like Shutter, FireBlock, and EDRSilencer, this project focuses on network-based evasion techniques.

Unlike its predecessors, EDRPrison installs and loads an external legitimate WFP callout driver instead of relying solely on the built-in WFP.

Additionally, it blocks outbound traffic from EDR processes by dynamically adding runtime filters without directly interacting with the EDR processes or their executables.

In summary, EDRPrison has the following key features and capabilities

  • Legitimate WFP Callout Driver: Utilizes a legitimate WFP callout driver to enhance capabilities while maintaining a benign profile.
  • EDR Process Detection: Searches for running EDR processes based on predefined process names.
  • Packet Identification: Identifies packets originating from EDR processes.
  • Dynamic Filter Addition: Dynamically adds WFP filters based on the source process of the packets.
  • Non-Intrusive Approach: Avoids direct interaction with EDR processes and their executables, ensuring stealth and reducing the risk of detection.

Please refer to the article for more technical.

Components

Elevated privileges are required to run EDRPrison successfully. EDRPrison comprises the following three components:

  • EDRPrison: They are the main program and its dependencies. Its first execution installs the WinDivert driver.
  • WinDivert64.sys: This is the signed WFP callout driver.
  • WinDivert.dll: A component of the WinDivert project.

Benefits And Improvements

EDRPrison offers several enhancements and improvements over its predecessors, making it a more robust and stealthy tool for network-based EDR evasion:

  1. Instead of adding static WFP filters to EDR process executables, EDRPrison dynamically adds runtime WFP filters based on the packets’ source process.
  2. Avoids obtaining a handle to EDR processes or EDR executables, reducing the risk of detection and interference with the EDR systems.
  3. By loading a legitimate WFP callout driver, EDRPrison extends its capabilities while maintaining a benign profile.

Known Issues

  1. Currently, EDRPrison is written in C#, requiring multiple files to be present on disk, which compromises stealth. I plan to reimplement it in C++ to allow the main program to be executed entirely in memory, enhancing its stealth capabilities.
  2. There is a delay between the program’s execution and the initial blocking of some EDR processes’ network connections.
    • This delay could permit telemetry to be sent to cloud servers within the first few seconds.
      • I am working on resolving this issue to ensure immediate interception and blocking.

Test Example

Due to the resources available to me, I have tested EDRPrison against Elastic Endpoint and Microsoft Defender for Endpoint (MDE) on my physical server so far.

Relevant processes for Elastic Endpoint and MDE are hardcoded in the source code. During the tests, neither the main program nor WinDivert was detected by the security systems.

I tested a few common malware samples, such as Mimikatz. These samples can still be detected because, even without internet connectivity, EDR systems retain basic detection capabilities such as hash-based signatures.

After executing the malware, the number of packets increased, indicating that they contained alert data.

For more information click here.

Using Hardware -Based Exploits : A Comprehensive Guide To Braktooth, Internalblue, And Automated Techniques

You need to buy the following hardware to be able to run the exploits: The installation is partially automated in the toolkit. Consult repository for other information.

Once you have needed hardware:

  • you need to connect it to your machine
  • Then run the following command
ls -la /dev/tty*
  • If you see /dev/ttyUSB0 and /dev/ttyUSB1 then the development board is connected and you can start writing to it
  • To continue Braktooth installation run the following commands
chmod +x /usr/share/Btoolkit/installation/braktooth_additional_install.sh
/usr/share/Btoolkit/installation/braktooth_additional_install.sh

Internalblue

Currently, we support only Nexus 5 phones, but you can add your hardware that supports internalblue as well LINK_TO_HOW_TO_ADD_HARDWARE.

The phone should already be set up according to Internalblue recommendations

On the first run, you might need to allow adb to debug your device and then install a BluetoothAssistant on your mobile device.

Useful commands:

  • would list devices (if needed change your user to root)
adb devices

For more information click here.

Manual Exploits – Assessing Device Security Through Direct Interaction

This check could be used to assess the severity of the attacks. If the target device is pairable even if the user does not navigate to the pairing/discovery menu then such a device has a higher exposure to the threats.

It should be noted that previous research showed that Bluetooth MAC addresses could be passively collected with a high probability.

To check the target device:

  • obtain a MAC address of a target
  • do not navigate to the pairing/discovery menu
  • try to connect to the target using bluetoothctl and hcitool

Only The Vehicle Can Initiate A Connection

This check applies mainly to the In-vehicle-infotainment systems (IVI).

IVI systems generally allow the phone to connect to them but lack the capability of connecting back.

There are also such IVI systems that allow the connection to be initiated in both ways.

The most secure one is a connection initiated by the IVI system.

It should be also noted that defences for the attacks might be implemented for a connection initiated by the phone but the same defences might be lacking when the connection is initiated by the IVI system.

Fast Reboot

This is a check whether or not it is possible to reboot the target device.

Some devices like In-Vehicle-Infotainment systems mainly do not allow to be rebooted unless one switches off and closes the vehicle for 10-20 minutes.

The result could be additionally used to assess the severity of Denial of Service exploits.