Merge pull request #329 from ION28/develop

Merge of develop into master for v0.4.4-alpha Release

Author: Jake Smith

.github/workflows/cloud-web.yml

@@ -0,0 +1,57 @@
+name: Deploy Project Website to bluespawn.cloud
+on:
+  push:
+    branches:
+    - master
+    - develop
+  pull_request:
+    branches:
+    - master
+    - develop
+
+jobs:
+  build:
+    name: Update Project site
+    runs-on: ubuntu-latest
+    steps:
+    - name: SSH into server and update
+      uses: appleboy/ssh-action@master
+      with:
+        host: bluespawn.cloud
+        username: ubuntu
+        key: ${{ secrets.PRIVATE_KEY }}
+        port: 22
+        script: |
+          cd ~/BLUESPAWN
+          git fetch --all
+          git checkout ${{ github.ref }}
+          git pull origin ${{ github.ref }}
+          source ~/venv/bin/activate
+          cd docs
+          pip install -r requirements.txt
+          python3 manage.py makemigrations
+          python3 manage.py migrate
+          sudo service uwsgi restart
+          sudo /etc/init.d/nginx restart
+      if: github.event_name == 'push'
+
+    - name: SSH into server and update
+      uses: appleboy/ssh-action@master
+      with:
+        host: bluespawn.cloud
+        username: ubuntu
+        key: ${{ secrets.PRIVATE_KEY }}
+        port: 22
+        script: |
+          cd ~/BLUESPAWN
+          git fetch --all
+          git checkout ${{ github.head_ref }}
+          git pull origin ${{ github.head_ref }}
+          source ~/venv/bin/activate
+          cd docs
+          pip install -r requirements.txt
+          python3 manage.py makemigrations
+          python3 manage.py migrate
+          sudo service uwsgi restart
+          sudo /etc/init.d/nginx restart
+      if: github.event_name == 'pull_request'

.gitignore

@@ -13,3 +13,10 @@ BLUESPAWN-client/resources/indicators
 *.bak
 *.lib
 *.aps
+
+# BLUESPAWN Project Site - docs/
+*.lock
+docs/db.sqlite3
+__pycache__/
+docs/media/scans/
+docs/*/migrations/

BLUESPAWN-client/BLUESPAWN-client.exe.manifest

@@ -0,0 +1,25 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
+  <description>BLUESPAWN Active Defense and EDR Software</description>
+  <compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1">
+        <application>
+            <!-- Windows 10 -->
+            <supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/>
+            <!-- Windows 8.1 -->
+            <supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/>
+            <!-- Windows 8 -->
+            <supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/>
+            <!-- Windows 7 -->
+            <supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>
+            <!-- Windows Vista -->
+            <supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/> 
+        </application>
+    </compatibility>
+  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
+    <security>
+      <requestedPrivileges>
+        <requestedExecutionLevel level="requireAdministrator" uiAccess="false"></requestedExecutionLevel>
+      </requestedPrivileges>
+    </security>
+  </trustInfo>
+</assembly>

BLUESPAWN-client/BLUESPAWN-client.vcxproj

@@ -25,24 +25,39 @@
     <ClInclude Include="headers\hunt\HuntInfo.h" />
     <ClInclude Include="headers\hunt\HuntRegister.h" />
     <ClInclude Include="headers\hunt\hunts\HuntT1004.h" />
+    <ClInclude Include="headers\hunt\hunts\HuntT1013.h" />
     <ClInclude Include="headers\hunt\hunts\HuntT1015.h" />
+    <ClInclude Include="headers\hunt\hunts\HuntT1031.h" />
     <ClInclude Include="headers\hunt\hunts\HuntT1035.h" />
+    <ClInclude Include="headers\hunt\hunts\HuntT1036.h" />
     <ClInclude Include="headers\hunt\hunts\HuntT1037.h" />
     <ClInclude Include="headers\hunt\hunts\HuntT1050.h" />
     <ClInclude Include="headers\hunt\hunts\HuntT1053.h" />
     <ClInclude Include="headers\hunt\hunts\HuntT1055.h" />
     <ClInclude Include="headers\hunt\hunts\HuntT1060.h" />
+    <ClInclude Include="headers\hunt\hunts\HuntT1068.h" />
+    <ClInclude Include="headers\hunt\hunts\HuntT1089.h" />
     <ClInclude Include="headers\hunt\hunts\HuntT1099.h" />
     <ClInclude Include="headers\hunt\hunts\HuntT1100.h" />
     <ClInclude Include="headers\hunt\hunts\HuntT1101.h" />
     <ClInclude Include="headers\hunt\hunts\HuntT1103.h" />
+    <ClInclude Include="headers\hunt\hunts\HuntT1122.h" />
+    <ClInclude Include="headers\hunt\hunts\HuntT1128.h" />
     <ClInclude Include="headers\hunt\hunts\HuntT1131.h" />
     <ClInclude Include="headers\hunt\hunts\HuntT1136.h" />
     <ClInclude Include="headers\hunt\hunts\HuntT1138.h" />
     <ClInclude Include="headers\hunt\hunts\HuntT1182.h" />
     <ClInclude Include="headers\hunt\hunts\HuntT1183.h" />
+    <ClInclude Include="headers\hunt\hunts\HuntT1198.h" />
+    <ClInclude Include="headers\hunt\hunts\HuntT1484.h" />
+    <ClInclude Include="headers\mitigation\mitigations\MitigateM1028-WFW.h" />
+    <ClInclude Include="headers\mitigation\mitigations\MitigateM1054-WSC.h" />
     <ClInclude Include="headers\mitigation\mitigations\MitigateV71769.h" />
+    <ClInclude Include="headers\mitigation\mitigations\MitigateV73511.h" />
+    <ClInclude Include="headers\monitor\EventListener.h" />
     <ClInclude Include="headers\reaction\CarveMemory.h" />
+    <ClInclude Include="headers\reaction\DeleteFile.h" />
+    <ClInclude Include="headers\reaction\QuarantineFile.h" />
     <ClInclude Include="headers\reaction\RemoveValue.h" />
     <ClInclude Include="headers\reaction\SuspendProcess.h" />
     <ClInclude Include="headers\hunt\RegistryHunt.h" />
@@ -103,6 +118,7 @@
     <ClInclude Include="headers\util\log\LogSink.h" />
     <ClInclude Include="headers\util\log\ServerSink.h" />
     <ClInclude Include="headers\util\log\XMLSink.h" />
+    <ClInclude Include="headers\util\permissions\permissions.h" />
     <ClInclude Include="headers\util\pe\Export_Section.h">
       <ExcludedFromBuild Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">true</ExcludedFromBuild>
       <ExcludedFromBuild Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">true</ExcludedFromBuild>
@@ -144,6 +160,9 @@
     <ClInclude Include="headers\reaction\Detections.h" />
     <ClInclude Include="headers\reaction\Log.h" />
     <ClInclude Include="headers\reaction\Reaction.h" />
+    <ClInclude Include="headers\util\processes\ParseCobalt.h" />
+    <ClInclude Include="headers\util\processes\CheckLolbin.h" />
+    <ClInclude Include="headers\util\processes\CommandParser.h" />
     <ClInclude Include="headers\util\processes\PERemover.h" />
     <ClInclude Include="headers\util\processes\ProcessChecker.h" />
     <ClInclude Include="headers\util\processes\ProcessUtils.h" />
@@ -153,24 +172,39 @@
     <ClCompile Include="src\hunt\Hunt.cpp" />
     <ClCompile Include="src\hunt\HuntRegister.cpp" />
     <ClCompile Include="src\hunt\hunts\HuntT1004.cpp" />
+    <ClCompile Include="src\hunt\hunts\HuntT1013.cpp" />
     <ClCompile Include="src\hunt\hunts\HuntT1015.cpp" />
+    <ClCompile Include="src\hunt\hunts\HuntT1031.cpp" />
     <ClCompile Include="src\hunt\hunts\HuntT1035.cpp" />
+    <ClCompile Include="src\hunt\hunts\HuntT1036.cpp" />
     <ClCompile Include="src\hunt\hunts\HuntT1037.cpp" />
     <ClCompile Include="src\hunt\hunts\HuntT1050.cpp" />
     <ClCompile Include="src\hunt\hunts\HuntT1053.cpp" />
     <ClCompile Include="src\hunt\hunts\HuntT1055.cpp" />
     <ClCompile Include="src\hunt\hunts\HuntT1060.cpp" />
+    <ClCompile Include="src\hunt\hunts\HuntT1068.cpp" />
+    <ClCompile Include="src\hunt\hunts\HuntT1089.cpp" />
     <ClCompile Include="src\hunt\hunts\HuntT1099.cpp" />
     <ClCompile Include="src\hunt\hunts\HuntT1100.cpp" />
     <ClCompile Include="src\hunt\hunts\HuntT1101.cpp" />
     <ClCompile Include="src\hunt\hunts\HuntT1103.cpp" />
+    <ClCompile Include="src\hunt\hunts\HuntT1122.cpp" />
+    <ClCompile Include="src\hunt\hunts\HuntT1128.cpp" />
     <ClCompile Include="src\hunt\hunts\HuntT1131.cpp" />
     <ClCompile Include="src\hunt\hunts\HuntT1136.cpp" />
     <ClCompile Include="src\hunt\hunts\HuntT1138.cpp" />
     <ClCompile Include="src\hunt\hunts\HuntT1182.cpp" />
     <ClCompile Include="src\hunt\hunts\HuntT1183.cpp" />
+    <ClCompile Include="src\hunt\hunts\HuntT1198.cpp" />
+    <ClCompile Include="src\hunt\hunts\HuntT1484.cpp" />
+    <ClCompile Include="src\mitigation\mitigations\MitigateM1028-WFW.cpp" />
+    <ClCompile Include="src\mitigation\mitigations\MitigateM1054-WSC.cpp" />
     <ClCompile Include="src\mitigation\mitigations\MitigateV71769.cpp" />
+    <ClCompile Include="src\mitigation\mitigations\MitigateV73511.cpp" />
+    <ClCompile Include="src\monitor\EventListener.cpp" />
     <ClCompile Include="src\reaction\CarveMemory.cpp" />
+    <ClCompile Include="src\reaction\DeleteFile.cpp" />
+    <ClCompile Include="src\reaction\QuarantineFile.cpp" />
     <ClCompile Include="src\reaction\RemoveValue.cpp" />
     <ClCompile Include="src\reaction\SuspendProcess.cpp" />
     <ClCompile Include="src\hunt\RegistryHunt.cpp" />
@@ -227,6 +261,7 @@
     <ClCompile Include="src\util\log\LogLevel.cpp" />
     <ClCompile Include="src\util\log\ServerSink.cpp" />
     <ClCompile Include="src\util\log\XMLSink.cpp" />
+    <ClCompile Include="src\util\permissions\permissions.cpp" />
     <ClCompile Include="src\util\pe\Export_Section.cpp">
       <ExcludedFromBuild Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">true</ExcludedFromBuild>
       <ExcludedFromBuild Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">true</ExcludedFromBuild>
@@ -267,6 +302,9 @@
     <ClCompile Include="src\util\processes\Analyzer.cpp" />
     <ClCompile Include="src\reaction\ReactLog.cpp" />
     <ClCompile Include="src\reaction\Reaction.cpp" />
+    <ClCompile Include="src\util\processes\ParseCobalt.cpp" />
+    <ClCompile Include="src\util\processes\CheckLolbin.cpp" />
+    <ClCompile Include="src\util\processes\CommandParser.cpp" />
     <ClCompile Include="src\util\processes\PERemover.cpp" />
     <ClCompile Include="src\util\processes\ProcessUtils.cpp" />
     <ClInclude Include="resources\resource.h" />
@@ -286,7 +324,18 @@
     <None Include="resources\indicators" />
     <None Include="resources\severe" />
     <None Include="resources\severe2" />
+    <None Include="resources\SIP" />
+    <None Include="resources\TrustProviders" />
   </ItemGroup>
+  <ItemGroup>
+    <Manifest Include="BLUESPAWN-client.exe.manifest" />
+  </ItemGroup>
+  <PropertyGroup>
+    <GenerateManifest>false</GenerateManifest>
+    <EmbedManifest>
+    </EmbedManifest>
+    <PostBuildEventUseInBuild>true</PostBuildEventUseInBuild>
+  </PropertyGroup>
   <ItemDefinitionGroup>
     <BuildLog>
       <Path>$(SolutionDir)build\$(PlatformTarget)\$(Configuration)\$(MSBuildProjectName).log</Path>
@@ -297,10 +346,20 @@
       <RuntimeLibrary Condition="'$(Configuration)|$(Platform)'=='Release|x64'">MultiThreaded</RuntimeLibrary>
       <RuntimeLibrary Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">MultiThreadedDebug</RuntimeLibrary>
       <RuntimeLibrary Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">MultiThreadedDebug</RuntimeLibrary>
+      <ExceptionHandling Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">Async</ExceptionHandling>
+      <ExceptionHandling Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">Async</ExceptionHandling>
+      <ExceptionHandling Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">Async</ExceptionHandling>
+      <ExceptionHandling Condition="'$(Configuration)|$(Platform)'=='Release|x64'">Async</ExceptionHandling>
     </ClCompile>
     <Link>
       <AdditionalDependencies>Secur32.lib;DbgHelp.lib;Wintrust.lib;ws2_32.lib;Crypt32.lib;Shlwapi.lib;%(AdditionalDependencies)</AdditionalDependencies>
     </Link>
+    <PostBuildEvent>
+      <Command>mt.exe -manifest "$(ProjectDir)$(TargetName).exe.manifest" -outputresource:"$(TargetDir)$(TargetName).exe;1"</Command>
+    </PostBuildEvent>
+    <PostBuildEvent>
+      <Message>Adding manifest to BLUESPAWN-client.exe</Message>
+    </PostBuildEvent>
   </ItemDefinitionGroup>
   <PropertyGroup Label="Globals">
     <ProjectGuid>{159B2E72-9553-4E17-9BEC-CB92FCA8D0B0}</ProjectGuid>

BLUESPAWN-client/headers/hunt/Hunt.h

@@ -15,8 +15,7 @@ class HuntRegister;
 #define GET_INFO() \
     HuntInfo{ this->name, __func__ == std::string{"ScanCursory"}  ? Aggressiveness::Cursory  :                             \
                           __func__ == std::string{"ScanNormal"} ? Aggressiveness::Normal : Aggressiveness::Intensive, \
-              this->dwTacticsUsed, this->dwCategoriesAffected, this->dwSourcesInvolved,                                    \
-              (long) std::chrono::duration_cast<std::chrono::milliseconds>(std::chrono::system_clock::now().time_since_epoch()).count() }
+              this->dwTacticsUsed, this->dwCategoriesAffected, this->dwSourcesInvolved }
 
 class Hunt {
 protected:

BLUESPAWN-client/headers/hunt/HuntInfo.h

@@ -51,6 +51,6 @@ struct HuntInfo {
 	DWORD HuntTactics;
 	DWORD HuntCategories;
 	DWORD HuntDatasources;
-	long HuntStartTime;
-	HuntInfo(const std::wstring& HuntName, Aggressiveness HuntAggressiveness, DWORD HuntTactics, DWORD HuntCategories, DWORD HuntDatasources, long HuntStartTime);
+	SYSTEMTIME HuntStartTime;
+	HuntInfo(const std::wstring& HuntName, Aggressiveness HuntAggressiveness, DWORD HuntTactics, DWORD HuntCategories, DWORD HuntDatasources);
 };

BLUESPAWN-client/headers/hunt/hunts/HuntT1013.h

@@ -0,0 +1,22 @@
+#pragma once
+#include "../Hunt.h"
+#include "reaction/Reaction.h"
+#include "reaction/Log.h"
+
+namespace Hunts {
+
+	/**
+	 * HuntT1013 examines the registry for bad port monitors
+	 * 
+	 * @scans Cursory checks for bad DLLs configured as port monitors
+	 * @scans Normal Scan not supported.
+	 * @scans Intensive Scan not supported.
+	 */
+	class HuntT1013 : public Hunt {
+	public:
+		HuntT1013();
+
+		virtual int ScanCursory(const Scope& scope, Reaction reaction) override;
+		virtual std::vector<std::shared_ptr<Event>> GetMonitoringEvents() override;
+	};
+}

BLUESPAWN-client/headers/hunt/hunts/HuntT1031.h

@@ -0,0 +1,23 @@
+#pragma once
+#include "../Hunt.h"
+#include "reaction/Reaction.h"
+#include "reaction/Log.h"
+
+namespace Hunts {
+
+	/**
+	 * HuntT1031 examines the registry for additions/changes to Services configured
+	 * in the registry such as an extra Dll it launches based on a specific value
+	 * 
+	 * @scans Cursory checks for a ServerLevelPluginDll to be configured on the DNS Service
+	 * @scans Normal Scan not supported.
+	 * @scans Intensive Scan not supported.
+	 */
+	class HuntT1031 : public Hunt {
+	public:
+		HuntT1031();
+
+		virtual int ScanCursory(const Scope& scope, Reaction reaction) override;
+		virtual std::vector<std::shared_ptr<Event>> GetMonitoringEvents() override;
+	};
+}

BLUESPAWN-client/headers/hunt/hunts/HuntT1035.h

@@ -18,8 +18,8 @@ namespace Hunts {
 	 */
 	class HuntT1035 : public Hunt {
 	private:
-		std::vector<std::wstring> vSuspicious = { L"cmd.exe", L"powershell.exe", L"cscript.exe", L"wscript.exe", L"net.exe", L"net1.exe" };
-		int EvaluateService(Registry::RegistryKey key, Reaction reaction);
+
+		int EvaluateService(Registry::RegistryKey key, Reaction& reaction);
 
 	public:
 		HuntT1035();

BLUESPAWN-client/headers/hunt/hunts/HuntT1036.h

@@ -0,0 +1,47 @@
+#pragma once
+#include "../Hunt.h"
+#include "reaction/Reaction.h"
+#include "reaction/Log.h"
+
+namespace Hunts {
+
+	/**
+	 * HuntT1036 examines the local file system for executables in user writable
+	 * locations in %WINDIR%
+	 * 
+	 * @scans Cursory checks all such writable folders for executable files
+	 * @scans Normal Scan not supported.
+	 * @scans Intensive Scan not supported.
+	 */
+	class HuntT1036 : public Hunt {
+	private:
+		std::vector<std::wstring> susExts = { L".bat", L".cmd", L".exe", L".dll", L".js", L".jse",
+					L".lnk", L".ps1", L".sct", L".vb", L".vbe", L".vbs", L".vbscript", L".hta" };
+
+		// Credit: https://twitter.com/mattifestation/status/1172520995472756737/photo/1
+		std::vector<std::wstring> writableFolders = {
+			L"%WINDIR%\\System32\\Microsoft\\crypto\\rsa\\machinekeys",
+			L"%WINDIR%\\System32\\tasks_migrated\\microsoft\\windows\\pla\\system",
+			L"%WINDIR%\\Syswow64\\tasks\\microsoft\\windows\\pla\\system",
+			L"%WINDIR%\\debug\\WIA",
+			L"%WINDIR%\\System32\\Tasks",
+			L"%WINDIR%\\Syswow64\\Tasks",
+			L"%WINDIR%\\Tasks",
+			L"%WINDIR%\\Registration\\crmlog",
+			L"%WINDIR%\\System32\\com\\dmp",
+			L"%WINDIR%\\System32\\fxstmp",
+			L"%WINDIR%\\System32\\spool\\drivers\\color",
+			L"%WINDIR%\\System32\\spool\\printers",
+			L"%WINDIR%\\System32\\spool\\servers",
+			L"%WINDIR%\\Syswow64\\com\\dmp",
+			L"%WINDIR%\\Syswow64\\fxstmp",
+			L"%WINDIR%\\Temp",
+			L"%WINDIR%\\tracing"
+		};
+	public:
+		HuntT1036();
+
+		virtual int ScanCursory(const Scope& scope, Reaction reaction) override;
+		virtual std::vector<std::shared_ptr<Event>> GetMonitoringEvents() override;
+	};
+}