end of labscon updates

Rurik · Sep 24, 2022 · 8cbe9e1 · 8cbe9e1
1 parent 49433fa
commit 8cbe9e1
Show file tree

Hide file tree

Showing 2 changed files with 31 additions and 17 deletions.
diff --git a/Noriben.config b/Noriben.config
@@ -49,7 +49,7 @@ vbox_uuid = c9a4e740-ed5f-42ae-ae31-e753319e3cc2  # Run: VBoxManage list vms
 
 
 
-[Filters]
+[Noriben_Filters]
 # Rules for creating rules:
 # 1. Python does not like single '%'. Always double them
 # 2. No backslashes at the end of a filter. Either:
@@ -58,11 +58,13 @@ vbox_uuid = c9a4e740-ed5f-42ae-ae31-e753319e3cc2  # Run: VBoxManage list vms
 # 3. To find a list of available '%%' variables, type `set` from a command prompt
 
 # These entries are applied to all approvelists
+# If these entries appear in any context, then ignore that entry
+# TODO: Rewrite these to include their actual paths
 global_approvelist =
         VMwareUser.exe,      # VMware User Tools
         CaptureBAT.exe,      # CaptureBAT Malware Tool
         SearchIndexer.exe,   # Windows Search Indexer
-        Fakenet.exe,         # Practical Malware Analysis FakeNET
+        Fakenet.exe,         # Mandiant (Google? ¯\_(ツ)_/¯) FakeNET
         idaq.exe,            # IDA Pro
         ngen.exe,            # Windows Native Image Generator
         ngentask.exe,        # Windows Native Image Generator
@@ -76,14 +78,16 @@ global_approvelist =
         Microsoft Visual Studio\Installer\resources\app\ServiceHub\Services\Microsoft.VisualStudio.Setup.Service\BackgroundDownload.exe
 
 
+# Compares these entries against process creation. 
+# Anything that launches there, or is launched by them, is ignored
 cmd_approvelist =
         AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe, # MS is so noisy
         %%SystemRoot%%\system32\wbem\wmiprvse.exe,
         %%SystemRoot%%\system32\wscntfy.exe,
         wuauclt.exe,
         jqs.exe,
-        avgrsa.exe,  # AVG AntiVirus
-        avgcsrva.exe,  # AVG AntiVirus
+        avgrsa.exe,        # AVG AntiVirus
+        avgcsrva.exe,      # AVG AntiVirus
         avgidsagenta.exe,  # AVG AntiVirus
         Program File.*\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe,
         TCPView.exe,
@@ -93,7 +97,8 @@ cmd_approvelist =
         /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF},  # DCOM error
         \??\%%WinDir%%\system32\conhost.exe .*-.*-.*-.*     # Experimental
 
-
+# Compares these entries against file activity
+# Many apply to abnormal methods of writing files, and to very loud and common folders
 file_approvelist =
         Desired Access: Execute/Traverse,
         Desired Access: Synchronize,
@@ -150,7 +155,8 @@ file_approvelist =
         Windows\Temporary Internet Files\counters.dat,
         Program Files.*\confer\*
 
-
+# Compares these entries against registry activity
+# These are applications that create a ton of registry calls, or keys that are very often written to
 reg_approvelist =
         CaptureProcessMonito,
         consent.exe,
@@ -288,13 +294,17 @@ reg_approvelist =
         UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}
 
 
+# Not widely supported. If these entries appear in a network-related activity, then ignore
+# Can be process names for known good apps that beacon, or specific IPs or ports
 net_approvelist =
         hasplms.exe                   # Hasp dongle beacons
         # 192.168.2.,                 # Example for blocking net ranges
         # Verizon_router.home']       # Example for blocking local domains
         #  -> .*\..*\..*\..*:1900
 
-
+# Not widely supported. List of known good MD5 hashes.
+# If any file, regardless of name, matches this then ignore that file activity
+# This may be cut as I doubt it's widely in use
 hash_approvelist =
         f8f0d25ca553e39dde485d8fc7fcce89,  # WinXP ntdll.dll
         b60dddd2d63ce41cb8c487fcfbb6419e,  # iexplore.exe 8.0

diff --git a/Noriben.py b/Noriben.py
@@ -265,18 +265,19 @@ def read_config(config_filename):
 
 def human():
     import pyautogui
-    import math
 
-    SIZE_X, SIZE_Y = pyautogui.size()
-    STEPS = 20
-    TIME_STEP = 0
+    screenwidth, screenheight = pyautogui.size()  
+    x_pos = screenwidth/2
+    y_pos = screenheight/2
+    for i in range(5):
+        pyautogui.moveTo(x_pos, y_pos, duration = 0.1)
 
-    for i in range(0,STEPS):
-        j = (((i/STEPS)*2)*math.pi)
-        x = math.cos(j) 
-        y = math.sin(j) 
-        pyautogui.moveTo( SIZE_X/2 + (SIZE_Y/3)*x
-                ,SIZE_Y/2 + (SIZE_Y/3)*y, duration=TIME_STEP)
+        pyautogui.moveTo(x_pos+250, y_pos+250, duration = 0.1)
+        pyautogui.moveTo(x_pos-250, y_pos, duration = 0.1)
+
+        pyautogui.moveTo(x_pos-500, y_pos, duration = 0.1)
+        pyautogui.moveTo(x_pos-250, y_pos+500, duration = 0.1)
+
 
 
 def terminate_self(error):
@@ -1280,6 +1281,9 @@ def main():
     else:
         print('[*] Procmon is running. Run your executable now.')
 
+    if config['human']:
+        human()
+
     if config['timeout_seconds']:
         print('[*] Running for {} seconds. Press Ctrl-C to stop logging early.'.format(config['timeout_seconds']))
         # Print a small progress indicator, for those REALLY long sleeps.