Final wrap ups

Noriben.config

@@ -36,7 +36,8 @@ guest_malware_path = C:\Malware\malware_
 error_tolerance = 5
 dontrun = False
 #vm_snapshot = YourVMSnapshotNameHere
-vm_snapshot = 1 Mar 21
+#vm_snapshot = 1 Mar 21
+vm_snapshot = test_malware
 
 # VMware Settings:
 # vmrun = C:\Program Files (x86)\VMware\VMware Workstation\vmrun.exe    # For Windows
@@ -75,8 +76,17 @@ global_approvelist =
         RepUx.exe,
         RepMgr64.exe,
         Ecat.exe,
+        OneDriveStandaloneUpdater.exe,
         WindowsApps\Microsoft.Windows.Photos.*\Microsoft.Photos.exe,
-        Microsoft Visual Studio\Installer\resources\app\ServiceHub\Services\Microsoft.VisualStudio.Setup.Service\BackgroundDownload.exe
+        Microsoft Visual Studio\Installer\resources\app\ServiceHub\Services\Microsoft.VisualStudio.Setup.Service\BackgroundDownload.exe,
+        Program File.*\Google\Update\GoogleUpdate.exe,
+        Program File.*\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe,
+        EDGEMITMP_.*.tmp\setup.exe,
+        MSEDGE_PATCH.PACKED.7Z,
+        Packages\Microsoft.Windows.Cortana,
+        /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E},
+        /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}, # Thumbnail server
+        /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}  # DCOM error
 
 
 # Compares these entries against process creation. 
@@ -90,33 +100,14 @@ cmd_approvelist =
         avgrsa.exe,        # AVG AntiVirus
         avgcsrva.exe,      # AVG AntiVirus
         avgidsagenta.exe,  # AVG AntiVirus
-        Program File.*\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe,
         TCPView.exe,
         %%WinDir%%\System32\mobsync.exe,
         XblGameSaveTask.exe,
-        /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5},  # Thumbnail server
-        /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF},  # DCOM error
-        \??\%%WinDir%%\system32\conhost.exe .*-.*-.*-.*     # Experimental
+        \??\%%WinDir%%\system32\conhost.exe
 
 # Compares these entries against file activity
 # Many apply to abnormal methods of writing files, and to very loud and common folders
 file_approvelist =
-        Desired Access: Execute/Traverse,
-        Desired Access: Synchronize,
-        Desired Access: Generic Read/Execute,
-        Desired Access: Read EA,
-        Desired Access: Read Data/List,
-        Desired Access: Generic Read,
-        Desired Access: Read Attributes,
-
-        desktop.ini$,
-        Google\Chrome\User Data\.*.tmp,
-        Microsoft\Windows\Explorer\iconcache_*,
-        Microsoft\Windows\Explorer\thumbcache_.*.db,
-        Thumbs.db$,
-        wuauclt.exe,
-        wmiprvse.exe,
-
         %%AllUsersProfile%%\Application Data\Microsoft\OFFICE\DATA,
         %%AllUsersProfile%%\Microsoft\MapData\*,
         %%AllUsersProfile%%\Microsoft\RAC,
@@ -152,9 +143,29 @@ file_approvelist =
         %%WinDir%%\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\*,
         %%WinDir%%\System32\spool\drivers\*,
         %%WinDir%%\Temp\fwtsqmfile00.sqm,  # Software Quality Metrics (SQM) from iphlpsvc
+
+        # Filter on requested access. Note, hard commas are not supported.
+        # You will need to use regex to assume a comma
+        Desired Access: Execute/Traverse,
+        Desired Access: Synchronize,
+        Desired Access: Generic Read/Execute,
+        Desired Access: Read EA,
+        Desired Access: Read Data/List Directory,
+        Desired Access: Generic Read.* Write Attributes,
+        Desired Access: Generic Read.* Write Data,
+        Desired Access: Read Attributes, 
+
+        desktop.ini$,
+        Google\Chrome\User Data\.*.tmp,
         MAILSLOT\NET\NETLOGON,
+        Microsoft\Windows\Explorer\iconcache_*,
+        Microsoft\Windows\Explorer\thumbcache_.*.db,
+        Program Files.*\confer\*,
+        Thumbs.db$,
         Windows\Temporary Internet Files\counters.dat,
-        Program Files.*\confer\*
+        wuauclt.exe,
+        wmiprvse.exe
+
 
 # Compares these entries against registry activity
 # These are applications that create a ton of registry calls, or keys that are very often written to
@@ -204,6 +215,7 @@ reg_approvelist =
         HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy,
         HKCU\Software\Microsoft\Windows\CurrentVersion\HomeGroup,
         HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\*,
+        HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Telephony,
         HKCU\Software\Microsoft\Windows\Shell,
         HKCU\Software\Microsoft\Windows\Shell\BagMRU,
         HKCU\Software\Microsoft\Windows\Shell\Bags,
@@ -224,14 +236,16 @@ reg_approvelist =
         HKLM\SOFTWARE\Microsoft\Device Association Framework\Store\*,
         HKLM\Software\MICROSOFT\Dfrg\Statistics,
         HKLM\Software\Microsoft\Reliability Analysis\RAC,
-        HKLM\Software\MICROSOFT\SystemCertificates$,
+        HKLM\Software\MICROSOFT\SystemCertificates,
+        HKLM\SOFTWARE\Microsoft\Tracing,  # Reference: https://www.allthingsdfir.com/tracing-malicious-downloads/
         HKLM\Software\Microsoft\WBEM,
         HKLM\Software\Microsoft\Windows\CurrentVersion\Group Policy\History\PolicyOverdue,
         HKLM\Software\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List,
         HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products,
         HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\*,
         HKLM\Software\Microsoft\Windows\CurrentVersion\MMDevices\Audio\Rende,
         HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions,
+        HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Telephony,
         HKLM\Software\Microsoft\Windows Media Player NSS\*,
         HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Appraiser\*,
         HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Inventory,
@@ -255,14 +269,15 @@ reg_approvelist =
         HKLM\System\CurrentControlSet\Control\Network\{.*-e325-11ce-bfc1-08002be10318},
         HKLM\System\CurrentControlSet\Control\Network\NetCfgLockHolde,
         HKLM\System\CurrentControlSet\Control\NetworkSetup2\Interfaces\{.*}\*,
-        HKLM\System\CurrentControlSet\Control\Nsi\{eb004a03-9b1a-11d4-9123-0050047759bc},
+        HKLM\System\CurrentControlSet\Control\Nsi\{eb.*0050047759bc},
         HKLM\System\CurrentControlSet\Control\Print\Environments\*,
         HKLM\System\CurrentControlSet\Enum\*,
         HKLM\System\CurrentControlSet\Services\CaptureRegistryMonito,
         HKLM\System\CurrentControlSet\Services\Eventlog\*,
         HKLM\System\CurrentControlSet\Services\iphlpsvc\*,
         HKLM\System\CurrentControlSet\Services\ksthunk\*,
         HKLM\System\CurrentControlSet\Services\NetBT\*,
+        HKLM\System\CurrentControlSet\Services\RasMan\*,
         HKLM\System\CurrentControlSet\Services\SharedAccess\Epoch2,
         HKLM\System\CurrentControlSet\Services\Tcpip\Parameters,
         HKLM\System\CurrentControlSet\Services\Tcpip6\Parameters,
@@ -278,7 +293,7 @@ reg_approvelist =
 
         LEGACY_CAPTUREREGISTRYMONITO,
         Microsoft\Device Association Framework\Store\DAFUPnPProvide,
-        Microsoft\EdgeUpdate\ClientState\{.*}\CurrentState\*,
+        Microsoft\EdgeUpdate,
         Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\*,
         Root\InventoryD.*\*,
         Software\Microsoft\Multimedia\Audio$,
@@ -293,7 +308,6 @@ reg_approvelist =
         UserAssist\{5E6AB780-7743-11CF-A12B-00AA004AE837},
         UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9},
         UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}
-
 
 # Not widely supported. If these entries appear in a network-related activity, then ignore
 # Can be process names for known good apps that beacon, or specific IPs or ports
@@ -305,7 +319,7 @@ net_approvelist =
 
 # Not widely supported. List of known good MD5 hashes.
 # If any file, regardless of name, matches this then ignore that file activity
-# This may be cut as I doubt it's widely in use
+# This may be cut as I doubt it's widely in use?
 hash_approvelist =
         f8f0d25ca553e39dde485d8fc7fcce89,  # WinXP ntdll.dll
         b60dddd2d63ce41cb8c487fcfbb6419e,  # iexplore.exe 8.0

Noriben.py

@@ -150,8 +150,6 @@
 except ImportError:
     json = None
     has_internet = False
-    print('[+] Python module "requests" not found. Internet functionality is disabled.')
-    print('[+] This is acceptable if you do not wish to upload data to VirusTotal.')
 
 try:
     import configparser
@@ -306,8 +304,8 @@ def terminate_self(error):
     Returns:
         none
     """
-    if not error == 0:
-        print('[*] Exiting with error code: {}: {}'.format(error, get_error(error)))
+    if error != 0:
+        print(f'[*] Exiting with error code: {error}: {get_error(error)}')
     if config['troubleshoot']:
         errormsg = '[*] Configured to pause for troubleshooting. Press enter to close Noriben.'
         input(errormsg)
@@ -328,16 +326,15 @@ def log_debug(msg, override=False):
     global debug_messages
 
     if msg and (config['debug'] or override):
-        if debug_file:  # File already set, check for message buffer
+        if debug_file:
             if debug_messages:  # If buffer, write and erase buffer
-                debug_file_handle = open(debug_file, 'a', encoding='utf-8')
-                for item in debug_messages:
-                    debug_file_handle.write(item)
-                debug_file_handle.close()
+                with open(debug_file, 'a', encoding='utf-8') as debug_file_handle:
+                    for item in debug_messages:
+                        debug_file_handle.write(item)
                 debug_messages = []
             else:
-                open(debug_file, 'a', encoding='utf-8').write('{}\n'.format(msg))
-        else:  # Output file hasn't been set yet, append to buffer
+                open(debug_file, 'a', encoding='utf-8').write(f'{msg}\n')
+        else:
             debug_messages.append(msg + '\r\n')
 
 
@@ -637,9 +634,7 @@ def open_file_with_assoc(fname):
     Returns:
         integer value for command return code
     """
-    if config['headless']:
-        # Headless is for automated runs, don't open results on VM
-        return None
+    log_debug('[*] Opening with OS associated application: {}'.format(fname))
 
     if os.name == 'mac':
         return subprocess.call(('open', fname))
@@ -743,7 +738,7 @@ def approvelist_scan(approvelist, data):
     Returns:
         boolean value of if item exists in approvelist
     """
-    for event in data:
+    for event in data.values():
         for bad in approvelist + global_approvelist:
             bad = os.path.expandvars(bad).replace('\\', '\\\\')
             try:
@@ -869,8 +864,8 @@ def parse_csv(csv_file, report, timeline):
 
         try:
             if field['Operation'] == 'Process Create' and field['Result'] == 'SUCCESS':
-                cmdline = field['Detail'].split('Command line: ')[1]
                 if not approvelist_scan(cmd_approvelist, field):
+                    cmdline = field['Detail'].split('Command line: ')[1]
                     log_debug('[*] CreateProcess: {}'.format(cmdline))
 
                     if config['generalize_paths']:
@@ -994,7 +989,7 @@ def parse_csv(csv_file, report, timeline):
                 # SUCCESS is commented out to allow all attempted deletions, whether or not the value exists
                 if not approvelist_scan(reg_approvelist, field):
                     outputtext = '[RegDeleteValue] {}:{} > {}'.format(field['Process Name'], field['PID'], field['Path'])
-                    tl_text = '{},Registry,RegDeleteVal ue,{},{},{}'.format(date_stamp, field['Process Name'],
+                    tl_text = '{},Registry,RegDeleteValue,{},{},{}'.format(date_stamp, field['Process Name'],
                                                                             field['PID'], field['Path'])
                     reg_output.append(outputtext)
                     timeline.append(tl_text)
@@ -1211,9 +1206,8 @@ def main():
         config['hash_type'] = args.hashtype
 
     # Load hash approvelist and append to global approve list
-    if args.hash:
-        if file_exists(args.hash):
-            read_hash_file(args.hash)
+    if args.hash and file_exists(args.hash):
+        read_hash_file(args.hash)
 
     # Check for a valid filter file
     if args.filter:
@@ -1372,8 +1366,9 @@ def main():
         try:
             subprocess.Popen(exe_cmdline)
         except OSError as e:  # Occurs if VMWare bug removes Owner from file
-            print('[*] Execution failed. File is potentially not an executable. Trying to open with associated application.')
+            print('[*] Execution failed. File is potentially not an executable.')
             print(e)
+            print('[*] Attempting to open with associated application...')
             try:
                 open_file_with_assoc(exe_cmdline)
             except OSError:
@@ -1397,8 +1392,8 @@ def main():
         try:
             timeout_seconds = int(config['timeout_seconds'])
             for i in range(timeout_seconds):
-                progress = (100 / timeout_seconds) * i
-                sys.stdout.write('\r{} complete'.format(progress))
+                progress = round((100 / timeout_seconds) * i)
+                sys.stdout.write('\r{}% complete'.format(progress))
                 sys.stdout.flush()
                 time.sleep(1)
         except KeyboardInterrupt: