Merge pull request #292 from ION28/develop

Merge Develop to Master for Alpha Release #4.3

Author: Jack-McDowell

.github/workflows/main.yml

@@ -34,6 +34,7 @@ jobs:
         cd vcpkg
         .\bootstrap-vcpkg.bat
         .\vcpkg.exe install yara:${{ matrix.buildarch }}-windows-static
+        .\vcpkg.exe install libzip:${{ matrix.buildarch }}-windows-static
         .\vcpkg.exe integrate install
         cd ..
 
@@ -49,6 +50,14 @@ jobs:
       run: powershell set-executionpolicy Unrestricted
       shell: powershell
 
+    - name: Run Atomic Red Team Prep Script
+      run: testing\run-atomic-prep.ps1
+      shell: powershell
+
+    - name: Run Atomic Red Team Tests
+      run: testing\run-atomic-tests.ps1
+      shell: powershell
+
     - name: Run BLUESPAWN Hunt
       run: artifacts\${{ matrix.buildarch }}\${{ matrix.buildtype }}\BLUESPAWN-client.exe --hunt -l Normal --log=xml --reaction=log
       shell: cmd
@@ -57,11 +66,20 @@ jobs:
       run: Get-ChildItem "bluespawn*.xml" | Rename-Item -NewName BLUESPAWNHuntResults.xml
       shell: powershell
 
+    - name: TESTS - Check BLUESPAWN Hunt Results against Atomic Red Team Results
+      run: testing\run-hunt-results-comparison.ps1
+      shell: powershell
+
     - uses: actions/upload-artifact@master
       with:
         name: BLUESPAWN-client-${{ matrix.buildarch }}-${{ matrix.buildtype }}
         path: artifacts\${{ matrix.buildarch }}\${{ matrix.buildtype }}\BLUESPAWN-client.exe
 
+    - uses: actions/upload-artifact@master
+      with:
+        name: AtomicTestsResults-${{ matrix.buildarch }}-${{ matrix.buildtype }}.csv
+        path: AtomicTestsResults.csv
+
     - uses: actions/upload-artifact@master
       with:
         name: BLUESPAWNHuntResults-${{ matrix.buildarch }}-${{ matrix.buildtype }}.xml

.gitignore

@@ -5,10 +5,11 @@ packages/
 vcpkg/
 BLUESPAWN-client/external/
 BLUESPAWN-client/resources/severe
+BLUESPAWN-client/resources/severe2
 BLUESPAWN-client/resources/indicators
-BLUESPAWN-client/resources/BLUESPAWN-client.aps
 *.user
 *.filters
 *.cache
 *.bak
 *.lib
+*.aps

.gitmodules

@@ -19,3 +19,6 @@
 [submodule "vcpkg"]
 	path = vcpkg
 	url = https://github.com/Microsoft/vcpkg.git
+[submodule "BLUESPAWN-client/external/signature-base"]
+	path = BLUESPAWN-client/external/signature-base
+	url = https://github.com/Neo23x0/signature-base

BLUESPAWN-client/BLUESPAWN-client.vcxproj

@@ -26,8 +26,10 @@
     <ClInclude Include="headers\hunt\HuntRegister.h" />
     <ClInclude Include="headers\hunt\hunts\HuntT1004.h" />
     <ClInclude Include="headers\hunt\hunts\HuntT1015.h" />
+    <ClInclude Include="headers\hunt\hunts\HuntT1035.h" />
     <ClInclude Include="headers\hunt\hunts\HuntT1037.h" />
     <ClInclude Include="headers\hunt\hunts\HuntT1050.h" />
+    <ClInclude Include="headers\hunt\hunts\HuntT1053.h" />
     <ClInclude Include="headers\hunt\hunts\HuntT1055.h" />
     <ClInclude Include="headers\hunt\hunts\HuntT1060.h" />
     <ClInclude Include="headers\hunt\hunts\HuntT1099.h" />
@@ -39,8 +41,10 @@
     <ClInclude Include="headers\hunt\hunts\HuntT1138.h" />
     <ClInclude Include="headers\hunt\hunts\HuntT1182.h" />
     <ClInclude Include="headers\hunt\hunts\HuntT1183.h" />
-    <ClInclude Include="headers\hunt\reaction\RemoveValue.h" />
-    <ClInclude Include="headers\hunt\reaction\SuspendProcess.h" />
+    <ClInclude Include="headers\mitigation\mitigations\MitigateV71769.h" />
+    <ClInclude Include="headers\reaction\CarveMemory.h" />
+    <ClInclude Include="headers\reaction\RemoveValue.h" />
+    <ClInclude Include="headers\reaction\SuspendProcess.h" />
     <ClInclude Include="headers\hunt\RegistryHunt.h" />
     <ClInclude Include="headers\hunt\Scope.h" />
     <ClInclude Include="headers\mitigation\Mitigation.h" />
@@ -58,6 +62,7 @@
     <ClInclude Include="headers\mitigation\mitigations\MitigateV3340.h" />
     <ClInclude Include="headers\mitigation\mitigations\MitigateV3344.h" />
     <ClInclude Include="headers\mitigation\mitigations\MitigateV3379.h" />
+    <ClInclude Include="headers\mitigation\mitigations\MitigateV3479.h" />
     <ClInclude Include="headers\mitigation\mitigations\MitigateV63597.h" />
     <ClInclude Include="headers\mitigation\mitigations\MitigateV63687.h" />
     <ClInclude Include="headers\mitigation\mitigations\MitigateV63753.h" />
@@ -66,6 +71,7 @@
     <ClInclude Include="headers\mitigation\mitigations\MitigateV63829.h" />
     <ClInclude Include="headers\mitigation\mitigations\MitigateV72753.h" />
     <ClInclude Include="headers\mitigation\mitigations\MitigateV73519.h" />
+    <ClInclude Include="headers\mitigation\mitigations\MitigateV73585.h" />
     <ClInclude Include="headers\monitor\ETW_Wrapper.h">
       <ExcludedFromBuild Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">true</ExcludedFromBuild>
       <ExcludedFromBuild Condition="'$(Configuration)|$(Platform)'=='Release|x64'">true</ExcludedFromBuild>
@@ -135,9 +141,10 @@
       <ExcludedFromBuild Condition="'$(Configuration)|$(Platform)'=='Release|x64'">true</ExcludedFromBuild>
     </ClInclude>
     <ClInclude Include="headers\util\processes\Analyzer.h" />
-    <ClInclude Include="headers\hunt\reaction\Detections.h" />
-    <ClInclude Include="headers\hunt\reaction\Log.h" />
-    <ClInclude Include="headers\hunt\reaction\Reaction.h" />
+    <ClInclude Include="headers\reaction\Detections.h" />
+    <ClInclude Include="headers\reaction\Log.h" />
+    <ClInclude Include="headers\reaction\Reaction.h" />
+    <ClInclude Include="headers\util\processes\PERemover.h" />
     <ClInclude Include="headers\util\processes\ProcessChecker.h" />
     <ClInclude Include="headers\util\processes\ProcessUtils.h" />
   </ItemGroup>
@@ -147,8 +154,10 @@
     <ClCompile Include="src\hunt\HuntRegister.cpp" />
     <ClCompile Include="src\hunt\hunts\HuntT1004.cpp" />
     <ClCompile Include="src\hunt\hunts\HuntT1015.cpp" />
+    <ClCompile Include="src\hunt\hunts\HuntT1035.cpp" />
     <ClCompile Include="src\hunt\hunts\HuntT1037.cpp" />
     <ClCompile Include="src\hunt\hunts\HuntT1050.cpp" />
+    <ClCompile Include="src\hunt\hunts\HuntT1053.cpp" />
     <ClCompile Include="src\hunt\hunts\HuntT1055.cpp" />
     <ClCompile Include="src\hunt\hunts\HuntT1060.cpp" />
     <ClCompile Include="src\hunt\hunts\HuntT1099.cpp" />
@@ -160,8 +169,10 @@
     <ClCompile Include="src\hunt\hunts\HuntT1138.cpp" />
     <ClCompile Include="src\hunt\hunts\HuntT1182.cpp" />
     <ClCompile Include="src\hunt\hunts\HuntT1183.cpp" />
-    <ClCompile Include="src\hunt\reaction\RemoveValue.cpp" />
-    <ClCompile Include="src\hunt\reaction\SuspendProcess.cpp" />
+    <ClCompile Include="src\mitigation\mitigations\MitigateV71769.cpp" />
+    <ClCompile Include="src\reaction\CarveMemory.cpp" />
+    <ClCompile Include="src\reaction\RemoveValue.cpp" />
+    <ClCompile Include="src\reaction\SuspendProcess.cpp" />
     <ClCompile Include="src\hunt\RegistryHunt.cpp" />
     <ClCompile Include="src\hunt\Scope.cpp" />
     <ClCompile Include="src\mitigation\Mitigation.cpp" />
@@ -179,6 +190,7 @@
     <ClCompile Include="src\mitigation\mitigations\MitigateV3340.cpp" />
     <ClCompile Include="src\mitigation\mitigations\MitigateV3344.cpp" />
     <ClCompile Include="src\mitigation\mitigations\MitigateV3379.cpp" />
+    <ClCompile Include="src\mitigation\mitigations\MitigateV3479.cpp" />
     <ClCompile Include="src\mitigation\mitigations\MitigateV63597.cpp" />
     <ClCompile Include="src\mitigation\mitigations\MitigateV63687.cpp" />
     <ClCompile Include="src\mitigation\mitigations\MitigateV63753.cpp" />
@@ -187,6 +199,7 @@
     <ClCompile Include="src\mitigation\mitigations\MitigateV63829.cpp" />
     <ClCompile Include="src\mitigation\mitigations\MitigateV72753.cpp" />
     <ClCompile Include="src\mitigation\mitigations\MitigateV73519.cpp" />
+    <ClCompile Include="src\mitigation\mitigations\MitigateV73585.cpp" />
     <ClCompile Include="src\monitor\etw\ETW_Wrapper.cpp">
       <ExcludedFromBuild Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">true</ExcludedFromBuild>
       <ExcludedFromBuild Condition="'$(Configuration)|$(Platform)'=='Release|x64'">true</ExcludedFromBuild>
@@ -252,8 +265,9 @@
       <ExcludedFromBuild Condition="'$(Configuration)|$(Platform)'=='Release|x64'">true</ExcludedFromBuild>
     </ClCompile>
     <ClCompile Include="src\util\processes\Analyzer.cpp" />
-    <ClCompile Include="src\hunt\reaction\ReactLog.cpp" />
-    <ClCompile Include="src\hunt\reaction\Reaction.cpp" />
+    <ClCompile Include="src\reaction\ReactLog.cpp" />
+    <ClCompile Include="src\reaction\Reaction.cpp" />
+    <ClCompile Include="src\util\processes\PERemover.cpp" />
     <ClCompile Include="src\util\processes\ProcessUtils.cpp" />
     <ClInclude Include="resources\resource.h" />
   </ItemGroup>
@@ -271,13 +285,14 @@
   <ItemGroup>
     <None Include="resources\indicators" />
     <None Include="resources\severe" />
+    <None Include="resources\severe2" />
   </ItemGroup>
   <ItemDefinitionGroup>
     <BuildLog>
       <Path>$(SolutionDir)build\$(PlatformTarget)\$(Configuration)\$(MSBuildProjectName).log</Path>
     </BuildLog>
     <ClCompile>
-      <AdditionalIncludeDirectories>$(SolutionDir)BLUESPAWN-client\external\pe-sieve\include;$(SolutionDir)BLUESPAWN-client\external\cxxopts\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <AdditionalIncludeDirectories>$(SolutionDir)BLUESPAWN-client\external\pe-sieve\libpeconv\libpeconv\include;$(SolutionDir)BLUESPAWN-client\external\pe-sieve\;$(SolutionDir)BLUESPAWN-client\external\pe-sieve\include;$(SolutionDir)BLUESPAWN-client\external\cxxopts\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
       <RuntimeLibrary Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">MultiThreaded</RuntimeLibrary>
       <RuntimeLibrary Condition="'$(Configuration)|$(Platform)'=='Release|x64'">MultiThreaded</RuntimeLibrary>
       <RuntimeLibrary Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">MultiThreadedDebug</RuntimeLibrary>

BLUESPAWN-client/external/signature-base

@@ -7,7 +7,7 @@
 #include "Scope.h"
 #include "HuntInfo.h"
 
-#include "hunt/reaction/Reaction.h"
+#include "reaction/Reaction.h"
 #include "monitor/Event.h"
 
 class HuntRegister;

BLUESPAWN-client/headers/hunt/Hunt.h

@@ -26,9 +26,10 @@ class HuntRegister {
 public:
 	HuntRegister(const IOBase& oIo);
 
-	void RunHunts(DWORD dwTactics, DWORD dwDataSource, DWORD dwAffectedThings, const Scope& scope, Aggressiveness aggressiveness, const Reaction& reaction);
+	void RunHunts(DWORD dwTactics, DWORD dwDataSource, DWORD dwAffectedThings, const Scope& scope, Aggressiveness aggressiveness, const Reaction& reaction, vector<string> vExcludedHunts, vector<string> vIncludedHunts);
 	void RunHunt(Hunt& hunt, const Scope& scope, Aggressiveness aggressiveness, const Reaction& reaction);
 
+	bool HuntRegister::HuntShouldRun(Hunt& hunt, vector<string> vExcludedHunts, vector<string> vIncludedHunts);
 	void SetupMonitoring(Aggressiveness aggressiveness, const Reaction& reaction);
 	void RegisterHunt(std::shared_ptr<Hunt> hunt);
 };

BLUESPAWN-client/headers/hunt/HuntRegister.h

@@ -1,7 +1,7 @@
 #pragma once
 #include "../Hunt.h"
-#include "hunt/reaction/Reaction.h"
-#include "hunt/reaction/Log.h"
+#include "reaction/Reaction.h"
+#include "reaction/Log.h"
 
 namespace Hunts {
 

BLUESPAWN-client/headers/hunt/hunts/HuntT1004.h

@@ -1,16 +1,16 @@
 #pragma once
 #include "../Hunt.h"
 
-#include "hunt/reaction/Reaction.h"
-#include "hunt/reaction/Log.h"
+#include "reaction/Reaction.h"
+#include "reaction/Log.h"
 
 namespace Hunts {
 
 	/**
 	 * HuntT1015 looks for Windows Accessibility Features to be messed with in some way
 	 * 
-	 * @scans Cursory checks for any Debugger keys + binaries are signed
-	 * @scans Normal Scan not supported.
+	 * @scans Cursory checks for any Debugger keys and if they are signed
+	 * @scans Normal checks for any Debugger keys, checks if signed, scans with YARA
 	 * @scans Intensive Scan not supported.
 	 */
 	class HuntT1015 : public Hunt {
@@ -21,7 +21,7 @@ namespace Hunts {
 		std::wstring wsIFEOWow64 = L"SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\";
 
 		int HuntT1015::EvaluateRegistry(Reaction& reaction);
-		int HuntT1015::EvaluateFiles(Reaction& reaction);
+		int HuntT1015::EvaluateFiles(Reaction& reaction, bool bScanYara);
 	public:
 		HuntT1015();
 

BLUESPAWN-client/headers/hunt/hunts/HuntT1015.h

@@ -0,0 +1,30 @@
+#pragma once
+#include <Windows.h>
+
+#include <vector>
+
+#include "../Hunt.h"
+#include "reaction/Reaction.h"
+#include "reaction/Log.h"
+
+namespace Hunts {
+
+	/**
+	 * HuntT1035 examines the system for malicious services
+	 * 
+	 * @scans Cursory scans the services that are installed and their binaries
+	 * @scans Normal Scan not supported.
+	 * @scans Intensive Scan not supported.
+	 */
+	class HuntT1035 : public Hunt {
+	private:
+		std::vector<std::wstring> vSuspicious = { L"cmd.exe", L"powershell.exe", L"cscript.exe", L"wscript.exe", L"net.exe", L"net1.exe" };
+		int EvaluateService(Registry::RegistryKey key, Reaction reaction);
+
+	public:
+		HuntT1035();
+
+		virtual int ScanNormal(const Scope& scope, Reaction reaction);
+		virtual std::vector<std::shared_ptr<Event>> GetMonitoringEvents() override;
+	};
+}