-
Notifications
You must be signed in to change notification settings - Fork 222
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
5 changed files
with
1,235 additions
and
736 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,336 @@ | ||
| [Noriben] | ||
| procmon = procmon.exe # Change this if you have a renamed procmon.exe | ||
| generalize_paths = True # Generalize paths to their base environment variable | ||
| debug = False # Debugging collects additional information during execution for troubleshooting bugs | ||
| headless = False # | ||
| troubleshoot = False # If True pause before all exits | ||
| timeout_seconds = 0 # Set to 0 to manually end monitoring with Ctrl-C | ||
| virustotal_api_key = # Set VirusTotal API here | ||
| virustotal_upload = False # Set to True to automatically upload all created files to VirusTotal | ||
| yara_folder = | ||
| hash_type = SHA256 | ||
| txt_extension = txt | ||
| human = True | ||
| output_folder = | ||
| global_approvelist_append = | ||
|
|
||
|
|
||
| [Noriben_host] | ||
| debug = False | ||
| # timeout_seconds = 300 | ||
| timeout_seconds = 10 | ||
| vm_user = Admin | ||
| vm_pass = password | ||
| noriben_path = C:\Users\{}\Desktop #.format(VM_USER) | ||
| guest_noriben_path = C:\Users\{}\Desktop\ | ||
| host_noriben_path = | ||
| procmon_config_path = C:\Users\{}\Desktop\ProcmonConfiguration.pmc | ||
| report_path_structure = {}/{}_NoribenReport.zip # (malware path, host_malware_name_base) | ||
| host_screenshot_path_structure = {}/{}.png # (host_malware_path, host_malware_name_base) | ||
| guest_log_path = C:\Noriben_Logs | ||
| guest_zip_path = C:\Tools\UnixUtils\zip.exe | ||
| guest_temp_zip = C:\Noriben_Logs\NoribenReports.zip | ||
| # guest_python_path = C:\Program Files (x86)\Python36-32\python.exe | ||
| guest_python_path = C:\Users\Admin\AppData\Local\Programs\Python\Python39\python.exe | ||
| guest_malware_path = C:\Malware\malware_ | ||
| error_tolerance = 5 | ||
| dontrun = False | ||
| #vm_snapshot = YourVMSnapshotNameHere | ||
|
|
||
| # VMware Settings: | ||
| # Windows | ||
| # vmrun = C:\Program Files (x86)\VMware\VMware Workstation\vmrun.exe | ||
| # vmx = E:\VMs\Windows.vmwarevm\Windows.vmx | ||
|
|
||
| # macOS | ||
| vmrun = /Applications/VMware Fusion.app/Contents/Library/vmrun | ||
| vmx = ~/VMs/Win10\ Malware.vmwarevm/Win10\ Malware.vmx | ||
|
|
||
| # VirtualBox Settings: | ||
| vboxmanage = /usr/local/bin/VBoxManage | ||
| vbox_uuid = c9a4e740-ed5f-42ae-ae31-e753319e3cc2 # Run: VBoxManage list vms | ||
|
|
||
|
|
||
|
|
||
| [Filters] | ||
| # Rules for creating rules: | ||
| # 1. Python does not like single '%'. Always double them | ||
| # 2. No backslashes at the end of a filter. Either: | ||
| # 2.a. truncate the backslash, or | ||
| # 2.b. use '\*' to signify 'zero or more slashes'. | ||
| # 3. To find a list of available '%%' variables, type `set` from a command prompt | ||
|
|
||
| # These entries are applied to all approvelists | ||
| # If these entries appear in any context, then ignore that entry | ||
| # TODO: Rewrite these to include their actual paths. Sometimes this isn't captured | ||
| global_approvelist = | ||
| VMwareUser.exe, # VMware User Tools | ||
| CaptureBAT.exe, # CaptureBAT Malware Tool | ||
| SearchIndexer.exe, # Windows Search Indexer | ||
| Fakenet.exe, # Mandiant (Google? ¯\_(ツ)_/¯) FakeNET | ||
| idaq.exe, # IDA Pro | ||
| ngen.exe, # Windows Native Image Generator | ||
| ngentask.exe, # Windows Native Image Generator | ||
| consent.exe, # Windows UAC prompt | ||
| taskhost.exe, | ||
| SearchIndexer.exe, | ||
| RepUx.exe, | ||
| RepMgr64.exe, | ||
| Ecat.exe, | ||
| OneDriveStandaloneUpdater.exe, | ||
| WindowsApps\Microsoft.Windows.Photos.*\Microsoft.Photos.exe, | ||
| Microsoft Visual Studio\Installer\resources\app\ServiceHub\Services\Microsoft.VisualStudio.Setup.Service\BackgroundDownload.exe, | ||
| Program File.*\Google\Update\GoogleUpdate.exe, | ||
| Program File.*\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe, | ||
| EDGEMITMP_.*.tmp\setup.exe, | ||
| MSEDGE_PATCH.PACKED.7Z, | ||
| Packages\Microsoft.Windows.Cortana, | ||
| /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}, | ||
| /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}, # Thumbnail server | ||
| /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} # DCOM error | ||
|
|
||
|
|
||
| # Compares these entries against process creation. | ||
| # Anything that launches there, or is launched by them, is ignored | ||
| cmd_approvelist = | ||
| AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe, # MS is so noisy | ||
| %%SystemRoot%%\system32\wbem\wmiprvse.exe, | ||
| %%SystemRoot%%\system32\wscntfy.exe, | ||
| wuauclt.exe, | ||
| jqs.exe, | ||
| avgrsa.exe, # AVG AntiVirus | ||
| avgcsrva.exe, # AVG AntiVirus | ||
| avgidsagenta.exe, # AVG AntiVirus | ||
| TCPView.exe, | ||
| %%WinDir%%\System32\mobsync.exe, | ||
| XblGameSaveTask.exe, | ||
| \??\%%WinDir%%\system32\conhost.exe | ||
|
|
||
| # Compares these entries against file activity | ||
| # Many apply to abnormal methods of writing files, and to very loud and common folders | ||
| file_approvelist = | ||
| %%AllUsersProfile%%\Application Data\Microsoft\OFFICE\DATA, | ||
| %%AllUsersProfile%%\Microsoft\MapData\*, | ||
| %%AllUsersProfile%%\Microsoft\RAC, | ||
| %%AllUsersProfile%%\Microsoft\Windows\AppRepository\StateRepository, | ||
| %%AppData%%\Microsoft\Proof\*, | ||
| %%AppData%%\Microsoft\Templates\*, | ||
| %%AppData%%\Microsoft\Windows\Recent\AutomaticDestinations\*, | ||
| %%LocalAppData%%\Google\Drive\sync_config.db*, | ||
| %%LocalAppData%%\GDIPFONTCACHEV1.DAT, | ||
| %%LocalAppData%%\Microsoft\OneDrive\StandaloneUpdater\*, | ||
| %%LocalAppData%%\Microsoft\VSApplicationInsights\vstelAIF, | ||
| %%LocalAppData%%\Packages\Microsoft.Windows.Photos_, | ||
| %%ProgramFiles%%\Capture\*, | ||
| %%SystemDrive%%\Python, | ||
| %%SystemRoot%%\assembly, | ||
| %%SystemRoot%%\Microsoft.NET\Framework64, | ||
| %%SystemRoot%%\Prefetch\*, | ||
| %%SystemRoot%%\system32\wbem\Logs\*, | ||
| %%SystemRoot%%\System32\LogFiles\Scm, | ||
| %%SystemRoot%%\System32\Tasks\Microsoft\Windows, # Some may want to remove this | ||
| %%UserProfile%%$, | ||
| %%UserProfile%%\Desktop$, | ||
| %%UserProfile%%\AppData\LocalLow$, | ||
| %%UserProfile%%\Recent\*, | ||
| %%UserProfile%%\Local Settings\History\History.IE5\*, | ||
| %%WinDir%%\AppCompat\Programs\RecentFileCache.bcf, | ||
| %%WinDir%%\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\*, | ||
| %%WinDir%%\ServiceProfiles\LocalService\AppData\Local\Microsoft\Dlna\*, | ||
| %%WinDir%%\SoftwareDistribution\DataStore\DataStore.edb, | ||
| %%WinDir%%\SoftwareDistribution\DataStore\Logs\edb...., | ||
| %%WinDir%%\SoftwareDistribution\ReportingEvents.log, | ||
| %%WinDir%%\System32\catroot2\edb...., | ||
| %%WinDir%%\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\*, | ||
| %%WinDir%%\System32\spool\drivers\*, | ||
| %%WinDir%%\System32\sru\SRU, | ||
| %%WinDir%%\Temp\fwtsqmfile00.sqm, # Software Quality Metrics (SQM) from iphlpsvc | ||
|
|
||
| # Filter on requested access. Note, hard commas are not supported. | ||
| # You will need to use regex to assume a comma | ||
| Desired Access: Execute/Traverse, | ||
| Desired Access: Synchronize, | ||
| Desired Access: Generic Read/Execute, | ||
| Desired Access: Read EA, | ||
| Desired Access: Read Data/List Directory, | ||
| Desired Access: Generic Read.* Write Attributes, | ||
| Desired Access: Generic Read.* Write Data, | ||
| Desired Access: Read Attributes, | ||
|
|
||
| desktop.ini$, | ||
| Google\Chrome\User Data\.*.tmp, | ||
| MAILSLOT\NET\NETLOGON, | ||
| Microsoft\Windows\Explorer\iconcache_*, | ||
| Microsoft\Windows\Explorer\thumbcache_.*.db, | ||
| Program Files.*\confer\*, | ||
| Thumbs.db$, | ||
| Windows\Temporary Internet Files\counters.dat, | ||
| wuauclt.exe, | ||
| wmiprvse.exe | ||
|
|
||
|
|
||
| # Compares these entries against registry activity | ||
| # These are applications that create a ton of registry calls, or keys that are very often written to | ||
| reg_approvelist = | ||
| CaptureProcessMonito, | ||
| consent.exe, | ||
| verclsid.exe, | ||
| wmiprvse.exe, | ||
| wscntfy.exe, | ||
| wuauclt.exe, | ||
| PROCMON, | ||
| }\DefaultObjectStore\*, | ||
| }\LocalState\SessionSummaryData\.*\*, | ||
|
|
||
| HKCR$, | ||
| HKCR\AllFilesystemObjects\shell, | ||
|
|
||
| HKCU$, | ||
| HKCU\Printers\DevModePerUse, | ||
| HKCU\SessionInformation\ProgramCount, | ||
| HKCU\Software$, | ||
| HKCU\Software\Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide, | ||
| HKCU\Software\Classes\Local Settings\MuiCache\*, | ||
| HKCU\Software\Classes\Local Settings\MrtCache\*, | ||
| HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\SyncMgr\*, | ||
| HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\*, | ||
| HKCU\Software\Microsoft\Calc$, | ||
| HKCU\Software\Microsoft\.*\Window_Placement, | ||
| HKCU\Software\Microsoft\Internet Explorer\TypedURLs, | ||
| HKCU\Software\Microsoft\Notepad, | ||
| HKCU\Software\Microsoft\Office, | ||
| HKCU\Software\Microsoft\Shared Tools, | ||
| HKCU\Software\Microsoft\SystemCertificates\Root$, | ||
| HKCU\Software\Microsoft\VisualStudio\*, | ||
| HKCU\Software\Microsoft\Windows\CurrentVersion\Applets, | ||
| HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\CIDOpen, | ||
| HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\CIDSave\Modules\GlobalSettings, | ||
| HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\.*MRU.*, | ||
| HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Modules, | ||
| HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2, | ||
| HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, | ||
| HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo, | ||
| HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage, | ||
| HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage2, | ||
| HKCU\Software\Microsoft\Windows\Currentversion\Explorer\StreamMRU, | ||
| HKCU\Software\Microsoft\Windows\Currentversion\Explorer\Streams, | ||
| HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy, | ||
| HKCU\Software\Microsoft\Windows\CurrentVersion\HomeGroup, | ||
| HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\*, | ||
| HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Telephony, | ||
| HKCU\Software\Microsoft\Windows\Shell, | ||
| HKCU\Software\Microsoft\Windows\Shell\BagMRU, | ||
| HKCU\Software\Microsoft\Windows\Shell\Bags, | ||
| HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache, | ||
| HKCU\Software\Microsoft\Windows\ShellNoRoam\BagMRU, | ||
| HKCU\Software\Microsoft\Windows\ShellNoRoam\Bags, | ||
| HKCU\Software\Microsoft\Windows NT\CurrentVersion\Devices, | ||
| HKCU\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts\*, | ||
| HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\UserSelectedDefault, | ||
| HKCU\Software\Policies$, | ||
| HKCU\Software\Policies\Microsoft$, | ||
|
|
||
| HKLM$, | ||
| HKLM\.*\Enum$, | ||
| HKLM\Software$, | ||
| HKLM\Software\Microsoft\Cryptography\RNG\Seed, # Some people prefer to leave this in. | ||
| HKLM\Software\Microsoft$, | ||
| HKLM\SOFTWARE\Microsoft\Device Association Framework\Store\*, | ||
| HKLM\Software\MICROSOFT\Dfrg\Statistics, | ||
| HKLM\Software\Microsoft\Reliability Analysis\RAC, | ||
| HKLM\Software\MICROSOFT\SystemCertificates, | ||
| HKLM\SOFTWARE\Microsoft\Tracing, # Reference: https://www.allthingsdfir.com/tracing-malicious-downloads/ | ||
| HKLM\Software\Microsoft\WBEM, | ||
| HKLM\Software\Microsoft\Windows\CurrentVersion\Group Policy\History\PolicyOverdue, | ||
| HKLM\Software\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List, | ||
| HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products, | ||
| HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\*, | ||
| HKLM\Software\Microsoft\Windows\CurrentVersion\MMDevices\Audio\Rende, | ||
| HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions, | ||
| HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Telephony, | ||
| HKLM\Software\Microsoft\Windows Media Player NSS\*, | ||
| HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Appraiser\*, | ||
| HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Inventory, | ||
| HKLM\Software\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache\*, | ||
| HKLM\Software\Microsoft\Windows NT\CurrentVersion\Prefetcher\*, | ||
| HKLM\Software\Microsoft\Windows NT\CurrentVersion\Print\*, | ||
| HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\.*\RefCount$, | ||
| HKLM\Software\Microsoft\Windows NT\CurrentVersion\Tracing\*, | ||
|
|
||
| HKLM\Software\Policies$, | ||
| HKLM\Software\Policies\Microsoft$, | ||
| HKLM\Software\Wow6432Node\Google\Update\ClientState\{, | ||
| HKLM\Software\Wow6432Node\Google\Update\old-uid, | ||
| HKLM\Software\Wow6432Node\Google\Update\uid, | ||
|
|
||
| HKLM\System\CurrentControlSet\Control\Class\{.*-E325-11CE-BFC1-08002BE10318}, | ||
| HKLM\System\CurrentControlSet\Control\Class\{6bdd1fc6-810f-11d0-bec7-08002be2092f}, | ||
| HKLM\System\CurrentControlSet\Control\DeviceClasses, | ||
| HKLM\System\CurrentControlSet\Control\DeviceContainers\{.*}\Properties\{.*}\*, | ||
| HKLM\System\CurrentControlSet\Control\MediaProperties, | ||
| HKLM\System\CurrentControlSet\Control\Network\{.*-e325-11ce-bfc1-08002be10318}, | ||
| HKLM\System\CurrentControlSet\Control\Network\NetCfgLockHolde, | ||
| HKLM\System\CurrentControlSet\Control\NetworkSetup2\Interfaces\{.*}\*, | ||
| HKLM\System\CurrentControlSet\Control\Nsi\{eb.*0050047759bc}, | ||
| HKLM\System\CurrentControlSet\Control\Print\Environments\*, | ||
| HKLM\System\CurrentControlSet\Enum\*, | ||
| HKLM\System\CurrentControlSet\Services\CaptureRegistryMonito, | ||
| HKLM\System\CurrentControlSet\Services\Eventlog\*, | ||
| HKLM\System\CurrentControlSet\Services\iphlpsvc\*, | ||
| HKLM\System\CurrentControlSet\Services\ksthunk\*, | ||
| HKLM\System\CurrentControlSet\Services\NetBT\*, | ||
| HKLM\System\CurrentControlSet\Services\RasMan\*, | ||
| HKLM\System\CurrentControlSet\Services\SharedAccess\Epoch2, | ||
| HKLM\System\CurrentControlSet\Services\Tcpip\Parameters, | ||
| HKLM\System\CurrentControlSet\Services\Tcpip6\Parameters, | ||
| HKLM\System\CurrentControlSet\Services\tunnel\*, | ||
| HKLM\System\CurrentControlSet\Services\W32Time\*, | ||
| HKLM\System\CurrentControlSet\Services\WinSock2\Parameters, | ||
| HKLM\System\CurrentControlSet\Services\WSD, | ||
| HKLM\System\CurrentControlSet\Services\VSS\Diag, | ||
| HKLM\SYSTEM\Maps\*, | ||
|
|
||
| HKU\.DEFAULT\Printers\*, | ||
| HKU\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache, | ||
|
|
||
| LEGACY_CAPTUREREGISTRYMONITO, | ||
| Microsoft\Device Association Framework\Store\DAFUPnPProvide, | ||
| Microsoft\EdgeUpdate, | ||
| Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\*, | ||
| Root\InventoryD.*\*, | ||
| Software\Microsoft\Multimedia\Audio$, | ||
| Software\Microsoft\Multimedia\Audio Compression Manage, | ||
| Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrde, | ||
| Software\Microsoft\Windows\ShellNoRoam\Bags, | ||
| Software\Microsoft\Windows\ShellNoRoam\BagMRU, | ||
| Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.doc, | ||
| Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs, | ||
| Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, | ||
| Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders, | ||
| UserAssist\{5E6AB780-7743-11CF-A12B-00AA004AE837}, | ||
| UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}, | ||
| UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA} | ||
|
|
||
| # Not widely supported. If these entries appear in a network-related activity, then ignore | ||
| # Can be process names for known good apps that beacon, or specific IPs or ports | ||
| net_approvelist = | ||
| hasplms.exe # Hasp dongle beacons | ||
| # 192.168.2., # Example for blocking net ranges | ||
| # Verizon_router.home'] # Example for blocking local domains | ||
| # -> .*\..*\..*\..*:1900 | ||
|
|
||
| # Not widely supported. List of known good MD5 hashes. | ||
| # If any file, regardless of name, matches this then ignore that file activity | ||
| # This may be cut as I doubt it's widely in use? | ||
| hash_approvelist = | ||
| f8f0d25ca553e39dde485d8fc7fcce89, # WinXP ntdll.dll | ||
| b60dddd2d63ce41cb8c487fcfbb6419e, # iexplore.exe 8.0 | ||
| 6fe42512ab1b89f32a7407f261b1d2d0, # kernel32.dll | ||
| 8b1f3320aebb536e021a5014409862de, # gdi32.dll | ||
| b26b135ff1b9f60c9388b4a7d16f600b, # user32.dll | ||
| 355edbb4d412b01f1740c17e3f50fa00, # msvcrt.dll | ||
| d4502f124289a31976130cccb014c9aa, # rpcrt4.dll | ||
| 81faefc42d0b236c62c3401558867faa, # iertutil.dll | ||
| e40fcf943127ddc8fd60554b722d762b, # msctf.dll | ||
| 0da85218e92526972a821587e6a8bf8f # imm32.dll | ||
|
|
Oops, something went wrong.