Skip to content

Instantly share code, notes, and snippets.

@mgreen27
Created June 1, 2019 08:08
Show Gist options
  • Save mgreen27/036c2b33f928d188ddc60f26b4c9a097 to your computer and use it in GitHub Desktop.
Save mgreen27/036c2b33f928d188ddc60f26b4c9a097 to your computer and use it in GitHub Desktop.
Binary Rename static detection
<#
.SYNOPSIS
Find BinaryRename of commonly abused Living off the Land Binaries
Name: Get-BinaryRename.ps1
Date: 2019-05-31
Version: 0.2
Author: Matt Green (@mgreen27)
Requirements:
Get-FileHash Powershell 4.0+
Rest Powershell 2+
.DESCRIPTION
The script leverages Powershell VersionInfo method.
It checks all exe files and compares OriginalName to FileName and special cases.
The script will also generate a hash and add to the output for identification.
Time for run is included in the script and can easily be commented out.
.EXAMPLE
Get-BinaryRename.ps1
.NOTES
Add additional OriginalNames to the OriginalNames hashtable to expand detection.
.LINK
https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html
#>
# Set CPU prioirty
$Process = Get-Process -Id $Pid
$Process.PriorityClass = 'IDLE'
$StopWatch = [System.diagnostics.stopwatch]::StartNew()
# OriginalName lowercase
$originalNames = @{
'cmd.exe' = $TRUE
'powershell.exe' = $TRUE
'psexec.c' = $TRUE
'cscript.exe' = $TRUE
'wscript.exe' = $TRUE
'mshta.exe' = $TRUE
'regsvr32.exe' = $TRUE
'wmic.exe' = $TRUE
'certutil.exe' = $TRUE
'rundll32.exe' = $TRUE
'cmstp.exe' = $TRUE
'msiexec.exe' = $TRUE
'7z.exe' = $TRUE
'WinRAR.exe' = $TRUE
}
Get-ChildItem -force -Recurse -File -filter "*.exe" \ -ErrorAction SilentlyContinue |
ForEach-Object {
Try {
$fileName = $_.Name.ToString()
$origName = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($_.FullName).OriginalFileName
If ($origName) {
$origName = $origName.ToString().ToLower().TrimEnd(".mui")
if ( $origName -ne $fileName.toLower() -and $fileName.ToLower().SubString(0,6) -ne 'psexec' ) {
if ( $originalNames[$origName] ) {
$fileHash = Get-FileHash $_.FullName -Algorithm SHA1 -ErrorAction SilentlyContinue
$result = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($_.FullName) | select *
$result | Add-Member -NotePropertyName Sha1Hash -NotePropertyValue $fileHash.hash
$result
}
}
}
}
Catch { Write-host $_ }
}
"TotalSeconds = " + $StopWatch.elapsed.TotalSeconds
$StopWatch.Stop()
<#
.SYNOPSIS
YARA loader script to pass filename as an external variable to a yara scan for binary rename use case.
.DESCRIPTION
YARA loader script to pass filename as an external variable to a yara scan for binary rename use case.
Add yara binaries and rename.yar to same folder as inverseYara.ps1.
Target of "\" can be changed as required.
Variable passed to Yara can be changed as required.
Measured time of script to run also output.
.EXAMPLE
powershell -ExecutionPolicy ByPass -f inverseYara.ps1
.LINK
https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html
#>
# Set CPU prioirty
$Process = Get-Process -Id $Pid
$Process.PriorityClass = 'IDLE'
$StopWatch = [System.diagnostics.stopwatch]::StartNew()
If ([System.Environment]::Is64BitOperatingSystem) {
Get-ChildItem -Recurse -filter *.exe \ -ErrorAction SilentlyContinue |
ForEach-Object {
.\yara64.exe -d filename=$(($_.Name).ToLower()) rename.yar $_.FullName 2> $null
}
}
Else {
Get-ChildItem -Recurse -filter *.exe \ -ErrorAction SilentlyContinue |
ForEach-Object {
.\yara32.exe -d filename=$(($_.Name).ToLower()) rename.yar $_.FullName 2> $null
}
}
"TotalSeconds = " + $StopWatch.elapsed.TotalSeconds
$StopWatch.Stop()
/*
Binary Rename Detection POC
This ruleset was used to test performance of yara PE module vs Powershell VersionInfo
Author: @mgreen27
Reference: https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html
*/
import "pe"
rule renamedCMD
{
condition:
pe.version_info["InternalName"] == "cmd" and
not filename == "cmd.exe"
}
rule renamedPowershell
{
condition:
pe.version_info["InternalName"] == "POWERSHELL" and
not filename == "powershell.exe"
}
rule renamedPsExec
{
condition:
pe.version_info["InternalName"] == "PsExec" and
not filename == "psexec.exe" and
not filename == "psexec64.exe" and
not filename == "psexesvc.exe"
}
rule renamedCscript
{
condition:
pe.version_info["InternalName"] == "cscript.exe" and
not filename == "cscript.exe"
}
rule renamedWscript
{
condition:
pe.version_info["InternalName"] == "wscript.exe" and
not filename == "wscript.exe"
}
rule renamedCertutil
{
condition:
pe.version_info["InternalName"] == "CertUtil.exe" and
not filename == "certutil.exe"
}
rule renamedWmic
{
condition:
pe.version_info["InternalName"] == "wmic.exe" and
not filename == "wmic.exe"
}
rule renamedMshta
{
condition:
pe.version_info["InternalName"] == "MSHTA.EXE" and
not filename == "mshta.exe"
}
rule renamedRegsvr32
{
condition:
pe.version_info["InternalName"] == "REGSVR32" and
not filename == "regsvr32.exe"
}
rule renamedRundll32
{
condition:
pe.version_info["InternalName"] == "rundll" and
not filename == "rundll32.exe"
}
rule renamedCmstp
{
condition:
pe.version_info["InternalName"] == "CMSTP" and
not filename == "cmstp.exe"
}
rule renamedMsiexec
{
condition:
pe.version_info["InternalName"] == "msiexec" and
not filename == "msiexec.exe"
}
rule renamed7zip
{
condition:
pe.version_info["InternalName"] == "7z" and
not filename == "7z.exe"
}
rule renamedWinRar
{
condition:
pe.version_info["InternalName"] == "WinRAR" and
not filename == "winrar.exe"
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment