SitRep is intended to provide a lightweight, extensible host triage alternative. Checks are loaded dynamically at runtime from stand-alone files. This allows operators to quickly modify existing checks, or add new checks as required.
Checks are grouped by category and can be marked as OpSec safe/unsafe. unsafe checks are only loaded if the /AllowUnsafe flag is provided.
Interesting results are highlighted with a “[*]”
Checks
Checks are separated into categories. This allows them to be displayed in appropriate groups. The following checks are currently available:
You should review this configuration and update the OpSec tags as required.
Disabling Checks
All checks are enabled by default. However, as checks are loaded dynamically, it is possible to disable them.
CheckBase includes a boolean “Enabled” property, which defaults to true. This can be set in the derived class by adding a constructor. The example below disables the CurrentUser check (CurrentUser.cs):
public CurrentUser()
{
base.Enabled = false;
}
As checks are loaded dynamically, it is possible to exclude a check from the build without other modifications. The easiest way to do this is to right-click on the check class in Visual Studio and select “exclude from project”. The check can be re-added by selecting “include in project” from the same context menu.
This approach has the advantage of removing the code from the compiled artifact.
Example Usage
SitRep.exe /AllowUnsafe
SitRep.exe
SitRep is designed to be executed via execute-assembly (or equivalent)
Adding Checks
Checks inherit from CheckBase and implement the ICheck interface. This enforces the patterns needed for the dynamic check loading. Other methods and classes can be added as required.
The ICheck interface exposes the following properties and methods:
Derived classes must override the “ToString()” method defined in CheckBase. This method is called when displaying the output of each check.
Access to native methods is provided via classes in the “NativeMethods” folder. Each class is named after the dll it interacts with.
Checks are responsible for providing their own error handling. Current checks wrap the entire “check” method in a try-catch block, the use of this pattern is encouraged.
An example, empty check is shown below;
using SitRep.Interfaces;
using System;
namespace SitRep.Checks.Software
{
class ExampleCheck : CheckBase, ICheck
{
public bool IsOpsecSafe => true;
public int DisplayOrder => 1;
public Enums.Enums.CheckType CheckType => Enums.Enums.CheckType.Credential;
public void Check()
{
try
{
throw new NotImplementedException();
}
catch
{
Message = “Check failed [*]”;
}
}
public override string ToString()
{
throw new NotImplementedException();
}
}
}
bomber is an application that scans SBOMs for security vulnerabilities. So you've asked a vendor…
Embed a payload within a PNG file by splitting the payload across multiple IDAT sections.…
Exploit-Street, where we dive into the ever-evolving world of cybersecurity with a focus on Local…
Shadow Dumper is a powerful tool used to dump LSASS (Local Security Authority Subsystem Service)…
shadow-rs is a Windows kernel rootkit written in Rust, demonstrating advanced techniques for kernel manipulation…
Extract and execute a PE embedded within a PNG file using an LNK file. The…