Cyberdefense/DeepBlueCLI
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Post-DerbyCon update

Browse Source
This commit is contained in:
Eric Conrad
2017-11-07 12:28:21 -05:00
committed by GitHub
parent 6a4766e25e
commit a98ef0e402
1 changed files with 16 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
DeepBlue.py
View File

@ -1,6 +1,6 @@
#!/usr/bin/python #!/usr/bin/python
# DeepBlue.py Alpha 0.1 (pre-DerbyCon release) # DeepBlue.py Alpha 0.12 (post-DerbyCon release)
# Eric Conrad # Eric Conrad
# Twitter: @eric_conrad # Twitter: @eric_conrad
# http://ericconrad.com # http://ericconrad.com
@ -26,25 +26,28 @@ def filter(str):
def CheckRegex(regexes,command): def CheckRegex(regexes,command):
string="" string=""
for regex in regexes: for regex in regexes:
if (regex[0] == "0"):
if re.search(regex[1],command,re.IGNORECASE): if re.search(regex[1],command,re.IGNORECASE):
string+=" - "+regex[2]+"\n" string+=" - "+regex[2]+"\n"
return(string) return(string)
def CheckObfu(cli,minpercent): def CheckObfu(cli,minpercent,minlength):
string="" string=""
noalphastring =re.sub("[A-Za-z0-9]","",cli) noalphastring=re.sub("[A-Za-z0-9]","",cli)
length1=float(len(cli)) length1=float(len(cli))
if (length1 > minlength):
length2=float(len(noalphastring)) length2=float(len(noalphastring))
if ((length1/100) < minpercent): if ((length1/150) < minpercent):
minpercent=length1/100 # Shorter strings get lower minpercent, based on the string length minpercent=length1/150 # Shorter strings get lower minpercent, based on the string length
percent =((length1-length2)/length1) percent =((length1-length2)/length1)
if (percent < minpercent): if (percent < minpercent):
percent=(round(percent,2)) percent=(round(percent,2))*100
string += " - Potential command obfuscation: "+str(percent)+"% alpha characters" string += " - Potential command obfuscation: "+str(int(percent))+"% alpha characters"
return(string) return(string)
def CheckCommand(time, log, eventid, cli): def CheckCommand(time, log, eventid, cli):
minpercent=.65 minpercent=.65
minlength=25 # Minimum CLI length to check for obfuscation
string="" string=""
decoded="" decoded=""
noalphastring="" noalphastring=""
@ -54,7 +57,7 @@ def CheckCommand(time, log, eventid, cli):
decoded=base64.b64decode(b64) decoded=base64.b64decode(b64)
decoded=str(filter(decoded)) # Convert base64 to ASCII decoded=str(filter(decoded)) # Convert base64 to ASCII
string+=CheckRegex(regexes,decoded) string+=CheckRegex(regexes,decoded)
string += CheckObfu(cli,minpercent) string += CheckObfu(cli,minpercent,minlength)
if(string): if(string):
print "Date: %s\nLog: %s\nEventID: %s" % (time,log,eventid) print "Date: %s\nLog: %s\nEventID: %s" % (time,log,eventid)
print "Results:\n%s\n" % (string.rstrip()) print "Results:\n%s\n" % (string.rstrip())