Skip to content

karttoon/curtain

master
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
1 branch 0 tags
Code

Latest commit

 

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
README.md
 
 
curtain.ps1
 
 
curtain.sh
 
 
psorder.py
 
 
curtain This version of Curtain is no longer maintained. Please see the Curtain module for Cuckoo found HERE.

README.md

curtain

This version of Curtain is no longer maintained. Please see the Curtain module for Cuckoo found HERE.

Curtain is a small script to quickly grab PowerShell ScriptBlock log events for fast analysis of heavily obfuscated PowerShell.

Blog post - 09NOV2017 - PowerShell Deobfuscation with Curtain

Example output and generated page.

$ ./curtain.sh test.ps1
[+] Reverting to snapshot - curtain
[+] Starting headless VM
2017-11-09T10:51:39.463| ServiceImpl_Opener: PID 26072
[+] Copying curtain.ps1 to virtual Guest
[+] Sending target file to detonate
[+] Launching Curtain PS script for - test.ps1
[!] Sleeping for 10 seconds to let malware doing its thang...
[+] Transferring output from script
[+] Grabbing a screenshot of the desktop
[+] Killing virtual Guest
[+] Launching site...

The "psorder.py" takes a B64 encoded chunk of PowerShell and will attempt to manually deobfuscate it. It's handy to combine when it comes to token replacement, etc, that Curtain may reveal.

About

Curtain is a small script to quickly grab PowerShell ScriptBlock log events for fast analysis of heavily obfuscated PowerShell.

Resources

Readme
Activity

Stars

10 stars

Watchers

2 watching

Forks

1 fork
Report repository

Releases

No releases published

Packages

No packages published

Languages