swisskyrepo
/
NetExec
mirror of https://github.com/swisskyrepo/NetExec.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Fix indentation and formating

main
Alexander Neff 2023-10-08 16:20:30 -04:00
parent e40d4f2a3d
commit 2ef51d642a
1 changed files with 173 additions and 174 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

347
nxc/modules/enum_av.py
View File

@ -10,13 +10,13 @@ from impacket.dcerpc.v5 import lsat, lsad, transport
from impacket.dcerpc.v5.dtypes import NULL, MAXIMUM_ALLOWED, RPC_UNICODE_STRING
import pathlib
class NXCModule:
"""
Uses LsarLookupNames and NamedPipes to gather information on all endpoint protection solutions installed on the the remote host(s)
Module by @mpgn_x64
"""
name = "enum_av"
description = "Gathers information on all endpoint protection solutions installed on the the remote host(s) via LsarLookupNames (no privilege needed)"
supported_protocols = ["smb"]
@ -26,7 +26,7 @@ class NXCModule:
def __init__(self, context=None, module_options=None):
self.context = context
self.module_options = module_options
def options(self, context, module_options):
"""
"""
@ -92,22 +92,21 @@ class NXCModule:
context.log.debug(str(e))
def dump_results(self, results, remoteName, context):
if not results:
if not results:
context.log.highlight(f"Found NOTHING!")
return
for item, data in results.items():
message = f"Found {item}"
if "services" in data:
message += " INSTALLED"
if "pipes" in data:
message += " and RUNNING"
message += " INSTALLED"
if "pipes" in data:
message += " and RUNNING"
elif "pipes" in data:
message += " RUNNING"
context.log.highlight(message)
class LsaLookupNames:
timeout = None
authn_level = None
@ -210,171 +209,171 @@ class LsaLookupNames:
conf = {
"products": [
{
"name": "Acronis Cyber Protect Active Protection",
"services": [{"name": "AcronisActiveProtectionService", "description": "Acronis Active Protection Service"}],
"pipes": []
},
{
"name": "Bitdefender",
"services": [
{"name": "bdredline_agent", "description": "Bitdefender Agent RedLine Service"},
{"name": "BDAuxSrv", "description": "Bitdefender Auxiliary Service"},
{"name": "UPDATESRV", "description": "Bitdefender Desktop Update Service"},
{"name": "VSSERV", "description": "Bitdefender Virus Shield"},
{"name": "bdredline", "description": "Bitdefender RedLine Service"},
{"name": "EPRedline", "description": "Bitdefender Endpoint Redline Service"},
{"name": "EPUpdateService", "description": "Bitdefender Endpoint Update Service"},
{"name": "EPSecurityService", "description": "Bitdefender Endpoint Security Service"},
{"name": "EPProtectedService", "description": "Bitdefender Endpoint Protected Service"},
{"name": "EPIntegrationService", "description": "Bitdefender Endpoint Integration Service"}
],
"pipes": [
{"name": "\\bdConnector\\ServiceControl\\EPSecurityService.exe", "processes": ["EPConsole.exe"]},
{"name": "etw_sensor_pipe_ppl", "processes": ["EPProtectedService.exe"]},
{"name": "local\\msgbus\\antitracker.low\\*", "processes": ["bdagent.exe"]},
{"name": "local\\msgbus\\aspam.actions.low\\*", "processes": ["bdagent.exe"]},
{"name": "local\\msgbus\\bd.process.broker.pipe", "processes": ["bdagent.exe", "bdservicehost.exe", "updatesrv.exe"]},
{"name": "local\\msgbus\\bdagent*", "processes": ["bdagent.exe"]},
{"name": "local\\msgbus\\bdauxsrv", "processes": ["bdagent.exe", "bdntwrk.exe"]}
]
},
{
"name": "Carbon Black App Control",
"services": [{"name": "Parity", "description": "Carbon Black App Control Agent"}],
"pipes": []
},
{
"name": "CrowdStrike",
"services": [{"name": "CSFalconService", "description": "CrowdStrike Falcon Sensor Service"}],
"pipes": [{"name": "CrowdStrike\\{*", "processes": ["CSFalconContainer.exe", "CSFalconService.exe"]}]
},
{
"name": "Cybereason",
"services": [
{"name": "CybereasonActiveProbe", "description": "Cybereason Active Probe"},
{"name": "CybereasonCRS", "description": "Cybereason Anti-Ransomware"},
{"name": "CybereasonBlocki", "description": "Cybereason Execution Prevention"}
],
"pipes": [
{"name": "CybereasonAPConsoleMinionHostIpc_*", "processes": ["minionhost.exe"]},
{"name": "CybereasonAPServerProxyIpc_*", "processes": ["minionhost.exe"]}
]
},
{
"name": "ESET",
"services": [
{"name": "ekm", "description": "ESET"},
{"name": "epfw", "description": "ESET"},
{"name": "epfwlwf", "description": "ESET"},
{"name": "epfwwfp", "description": "ESET"},
{"name": "EraAgentSvc", "description": "ESET"},
],
"pipes": [{"name": "nod_scriptmon_pipe", "processes": [""]}],
},
{
"name": "G DATA Security Client",
"services": [
{"name": "AVKWCtl", "description": "Anti-virus Kit Window Control"},
{"name": "AVKProxy", "description": "G Data AntiVirus Proxy Service"},
{"name": "GDScan", "description": "GDSG Data AntiVirus Scan Service"}
],
"pipes": [
{"name": "exploitProtectionIPC", "processes": ["AVKWCtlx64.exe"]}
]
},
{
"name": "Kaspersky Security for Windows Server",
"services": [
{"name": "kavfsslp", "description": "Kaspersky Security Exploit Prevention Service"},
{"name": "KAVFS", "description": "Kaspersky Security Service"},
{"name": "KAVFSGT", "description": "Kaspersky Security Management Service"},
{"name": "klnagent", "description": "Kaspersky Security Center"}
],
"pipes": [
{"name": "Exploit_Blocker", "processes": ["kavfswh.exe"]}
]
},
{
"name": "Panda Adaptive Defense 360",
"services": [
{"name": "PandaAetherAgent", "description": "Panda Endpoint Agent"},
{"name": "PSUAService", "description": "Panda Product Service"},
{"name": "NanoServiceMain", "description": "Panda Cloud Antivirus Service"}
],
"pipes": [
{"name": "NNS_API_IPC_SRV_ENDPOINT", "processes": ["PSANHost.exe"]},
{"name": "PSANMSrvcPpal", "processes": ["PSUAService.exe"]}
]
},
{
"name": "SentinelOne",
"services": [
{"name": "SentinelAgent", "description": "SentinelOne Endpoint Protection Agent"},
{"name": "SentinelStaticEngine", "description": "Manage static engines for SentinelOne Endpoint Protection"},
{"name": "LogProcessorService", "description": "Manage logs for SentinelOne Endpoint Protection"}
],
"pipes": [
{"name": "SentinelAgentWorkerCert.*", "processes": [""]},
{"name": "DFIScanner.Etw.*", "processes": ["SentinelStaticEngine.exe"]},
{"name": "DFIScanner.Inline.*", "processes": ["SentinelAgent.exe"]}
]
},
{
"name": "Symantec Endpoint Protection",
"services": [
{"name": "SepMasterService", "description": "Symantec Endpoint Protection"},
{"name": "SepScanService", "description": "Symantec Endpoint Protection Scan Services"},
{"name": "SNAC", "description": "Symantec Network Access Control"}
],
"pipes": []
},
{
"name": "Sophos Intercept X",
"services": [
{"name": "SntpService", "description": "Sophos Network Threat Protection"},
{"name": "Sophos Endpoint Defense Service", "description": "Sophos Endpoint Defense Service"},
{"name": "Sophos File Scanner Service", "description": "Sophos File Scanner Service"},
{"name": "Sophos Health Service", "description": "Sophos Health Service"},
{"name": "Sophos Live Query", "description": "Sophos Live Query"},
{"name": "Sophos Managed Threat Response", "description": "Sophos Managed Threat Response"},
{"name": "Sophos MCS Agent", "description": "Sophos MCS Agent"},
{"name": "Sophos MCS Client", "description": "Sophos MCS Client"},
{"name": "Sophos System Protection Service", "description": "Sophos System Protection Service"}
],
"pipes": [
{"name": "SophosUI", "processes": [""]},
{"name": "SophosEventStore", "processes": [""]},
{"name": "sophos_deviceencryption", "processes": [""]},
{"name": "sophoslivequery_*", "processes": [""]}
]
},
{
"name": "Trend Micro Endpoint Security",
"services": [
{"name": "Trend Micro Endpoint Basecamp", "description": "Trend Micro Endpoint Basecamp"},
{"name": "TMBMServer", "description": "Trend Micro Unauthorized Change Prevention Service"},
{"name": "Trend Micro Web Service Communicator", "description": "Trend Micro Web Service Communicator"},
{"name": "TMiACAgentSvc", "description": "Trend Micro Application Control Service (Agent)"},
{"name": "CETASvc", "description": "Trend Micro Cloud Endpoint Telemetry Service"},
{"name": "iVPAgent", "description": "Trend Micro Vulnerability Protection Service (Agent)"}
],
"pipes": [
{"name": "IPC_XBC_XBC_AGENT_PIPE_*", "processes": ["EndpointBasecamp.exe"]},
{"name": "iacagent_*", "processes": ["TMiACAgentSvc.exe"]},
{"name": "OIPC_LWCS_PIPE_*", "processes": ["TmListen.exe"]},
{"name": "Log_ServerNamePipe", "processes": ["LogServer.exe"]},
{"name": "OIPC_NTRTSCAN_PIPE_*", "processes": ["Ntrtscan.exe"]}
]
},
{
"name": "Windows Defender",
"services": [
{"name": "WinDefend", "description": "Windows Defender Antivirus Service"},
{"name": "Sense", "description": "Windows Defender Advanced Threat Protection Service"},
{"name": "WdNisSvc", "description": "Windows Defender Antivirus Network Inspection Service"}
],
"pipes": []
}
{
"name": "Acronis Cyber Protect Active Protection",
"services": [{"name": "AcronisActiveProtectionService", "description": "Acronis Active Protection Service"}],
"pipes": []
},
{
"name": "Bitdefender",
"services": [
{"name": "bdredline_agent", "description": "Bitdefender Agent RedLine Service"},
{"name": "BDAuxSrv", "description": "Bitdefender Auxiliary Service"},
{"name": "UPDATESRV", "description": "Bitdefender Desktop Update Service"},
{"name": "VSSERV", "description": "Bitdefender Virus Shield"},
{"name": "bdredline", "description": "Bitdefender RedLine Service"},
{"name": "EPRedline", "description": "Bitdefender Endpoint Redline Service"},
{"name": "EPUpdateService", "description": "Bitdefender Endpoint Update Service"},
{"name": "EPSecurityService", "description": "Bitdefender Endpoint Security Service"},
{"name": "EPProtectedService", "description": "Bitdefender Endpoint Protected Service"},
{"name": "EPIntegrationService", "description": "Bitdefender Endpoint Integration Service"}
],
"pipes": [
{"name": "\\bdConnector\\ServiceControl\\EPSecurityService.exe", "processes": ["EPConsole.exe"]},
{"name": "etw_sensor_pipe_ppl", "processes": ["EPProtectedService.exe"]},
{"name": "local\\msgbus\\antitracker.low\\*", "processes": ["bdagent.exe"]},
{"name": "local\\msgbus\\aspam.actions.low\\*", "processes": ["bdagent.exe"]},
{"name": "local\\msgbus\\bd.process.broker.pipe", "processes": ["bdagent.exe", "bdservicehost.exe", "updatesrv.exe"]},
{"name": "local\\msgbus\\bdagent*", "processes": ["bdagent.exe"]},
{"name": "local\\msgbus\\bdauxsrv", "processes": ["bdagent.exe", "bdntwrk.exe"]}
]
},
{
"name": "Carbon Black App Control",
"services": [{"name": "Parity", "description": "Carbon Black App Control Agent"}],
"pipes": []
},
{
"name": "CrowdStrike",
"services": [{"name": "CSFalconService", "description": "CrowdStrike Falcon Sensor Service"}],
"pipes": [{"name": "CrowdStrike\\{*", "processes": ["CSFalconContainer.exe", "CSFalconService.exe"]}]
},
{
"name": "Cybereason",
"services": [
{"name": "CybereasonActiveProbe", "description": "Cybereason Active Probe"},
{"name": "CybereasonCRS", "description": "Cybereason Anti-Ransomware"},
{"name": "CybereasonBlocki", "description": "Cybereason Execution Prevention"}
],
"pipes": [
{"name": "CybereasonAPConsoleMinionHostIpc_*", "processes": ["minionhost.exe"]},
{"name": "CybereasonAPServerProxyIpc_*", "processes": ["minionhost.exe"]}
]
},
{
"name": "ESET",
"services": [
{"name": "ekm", "description": "ESET"},
{"name": "epfw", "description": "ESET"},
{"name": "epfwlwf", "description": "ESET"},
{"name": "epfwwfp", "description": "ESET"},
{"name": "EraAgentSvc", "description": "ESET"},
],
"pipes": [{"name": "nod_scriptmon_pipe", "processes": [""]}],
},
{
"name": "G DATA Security Client",
"services": [
{"name": "AVKWCtl", "description": "Anti-virus Kit Window Control"},
{"name": "AVKProxy", "description": "G Data AntiVirus Proxy Service"},
{"name": "GDScan", "description": "GDSG Data AntiVirus Scan Service"}
],
"pipes": [
{"name": "exploitProtectionIPC", "processes": ["AVKWCtlx64.exe"]}
]
},
{
"name": "Kaspersky Security for Windows Server",
"services": [
{"name": "kavfsslp", "description": "Kaspersky Security Exploit Prevention Service"},
{"name": "KAVFS", "description": "Kaspersky Security Service"},
{"name": "KAVFSGT", "description": "Kaspersky Security Management Service"},
{"name": "klnagent", "description": "Kaspersky Security Center"}
],
"pipes": [
{"name": "Exploit_Blocker", "processes": ["kavfswh.exe"]}
]
},
{
"name": "Panda Adaptive Defense 360",
"services": [
{"name": "PandaAetherAgent", "description": "Panda Endpoint Agent"},
{"name": "PSUAService", "description": "Panda Product Service"},
{"name": "NanoServiceMain", "description": "Panda Cloud Antivirus Service"}
],
"pipes": [
{"name": "NNS_API_IPC_SRV_ENDPOINT", "processes": ["PSANHost.exe"]},
{"name": "PSANMSrvcPpal", "processes": ["PSUAService.exe"]}
]
},
{
"name": "SentinelOne",
"services": [
{"name": "SentinelAgent", "description": "SentinelOne Endpoint Protection Agent"},
{"name": "SentinelStaticEngine", "description": "Manage static engines for SentinelOne Endpoint Protection"},
{"name": "LogProcessorService", "description": "Manage logs for SentinelOne Endpoint Protection"}
],
"pipes": [
{"name": "SentinelAgentWorkerCert.*", "processes": [""]},
{"name": "DFIScanner.Etw.*", "processes": ["SentinelStaticEngine.exe"]},
{"name": "DFIScanner.Inline.*", "processes": ["SentinelAgent.exe"]}
]
},
{
"name": "Symantec Endpoint Protection",
"services": [
{"name": "SepMasterService", "description": "Symantec Endpoint Protection"},
{"name": "SepScanService", "description": "Symantec Endpoint Protection Scan Services"},
{"name": "SNAC", "description": "Symantec Network Access Control"}
],
"pipes": []
},
{
"name": "Sophos Intercept X",
"services": [
{"name": "SntpService", "description": "Sophos Network Threat Protection"},
{"name": "Sophos Endpoint Defense Service", "description": "Sophos Endpoint Defense Service"},
{"name": "Sophos File Scanner Service", "description": "Sophos File Scanner Service"},
{"name": "Sophos Health Service", "description": "Sophos Health Service"},
{"name": "Sophos Live Query", "description": "Sophos Live Query"},
{"name": "Sophos Managed Threat Response", "description": "Sophos Managed Threat Response"},
{"name": "Sophos MCS Agent", "description": "Sophos MCS Agent"},
{"name": "Sophos MCS Client", "description": "Sophos MCS Client"},
{"name": "Sophos System Protection Service", "description": "Sophos System Protection Service"}
],
"pipes": [
{"name": "SophosUI", "processes": [""]},
{"name": "SophosEventStore", "processes": [""]},
{"name": "sophos_deviceencryption", "processes": [""]},
{"name": "sophoslivequery_*", "processes": [""]}
]
},
{
"name": "Trend Micro Endpoint Security",
"services": [
{"name": "Trend Micro Endpoint Basecamp", "description": "Trend Micro Endpoint Basecamp"},
{"name": "TMBMServer", "description": "Trend Micro Unauthorized Change Prevention Service"},
{"name": "Trend Micro Web Service Communicator", "description": "Trend Micro Web Service Communicator"},
{"name": "TMiACAgentSvc", "description": "Trend Micro Application Control Service (Agent)"},
{"name": "CETASvc", "description": "Trend Micro Cloud Endpoint Telemetry Service"},
{"name": "iVPAgent", "description": "Trend Micro Vulnerability Protection Service (Agent)"}
],
"pipes": [
{"name": "IPC_XBC_XBC_AGENT_PIPE_*", "processes": ["EndpointBasecamp.exe"]},
{"name": "iacagent_*", "processes": ["TMiACAgentSvc.exe"]},
{"name": "OIPC_LWCS_PIPE_*", "processes": ["TmListen.exe"]},
{"name": "Log_ServerNamePipe", "processes": ["LogServer.exe"]},
{"name": "OIPC_NTRTSCAN_PIPE_*", "processes": ["Ntrtscan.exe"]}
]
},
{
"name": "Windows Defender",
"services": [
{"name": "WinDefend", "description": "Windows Defender Antivirus Service"},
{"name": "Sense", "description": "Windows Defender Advanced Threat Protection Service"},
{"name": "WdNisSvc", "description": "Windows Defender Antivirus Network Inspection Service"}
],
"pipes": []
}
]
}