Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Duqu Check Forensics Module #3

Closed
wants to merge 1 commit into from
Closed

Duqu Check Forensics Module #3

wants to merge 1 commit into from

Conversation

threatagent
Copy link

This module performs registry checks related to Duqu malware based on Symantec report

Source: http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_duqu_the_precursor_to_the_next_stuxnet.pdf

@hdm
Copy link
Contributor

hdm commented Nov 10, 2011

Instead of splitting the string based on commas, please just set this to an array.

  • query = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4"CFID",'
  • query += 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\CFID,'
  • query += 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\JmiNET3,'
  • query += 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\JmiNET3\FILTER'
  •            match = 0

  •            print_status("Searching registry on #{sysinfo['Computer']} for Duqu attributes.")

  •            keys = query.split(/,/)

This should become:

queries = [
'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4"CFID"',
[ .. ]
]

and queries.each do |k| [ .. ]

@hdm hdm closed this Nov 10, 2011
@wchen-r7 wchen-r7 mentioned this pull request Oct 7, 2012
Merged
jlee-r7 pushed a commit that referenced this pull request Feb 20, 2013
@scriptjunkie
Merge pull request #3 from jlee-r7/scriptjunkie-migrator
75fe7e8 
Proposed changes for PrependMigrate
jlee-r7 pushed a commit that referenced this pull request Mar 5, 2013
@R3dy
Merge pull request #3 from jlee-r7/R3dy-psexec-mixin2
7f47542 
Changes that I think make the psexec mixin better
jvazquez-r7 pushed a commit that referenced this pull request Mar 14, 2013
@m-1-k-3
Merge pull request #3 from jvazquez-r7/openpli_work
b4554d2 
works very good
jvazquez-r7 pushed a commit that referenced this pull request Mar 30, 2013
Merge pull request #3 from jvazquez-r7/hp_system_mgmt_work
d8465a1 
cleanup for hp_system_management
schierlm pushed a commit to schierlm/metasploit-framework that referenced this pull request May 1, 2013
Merge pull request rapid7#3 from schierlm/android-deploy-profiles
f94c31a 
Call dx from Maven profile
jlee-r7 pushed a commit that referenced this pull request May 15, 2013
@mubix
Merge pull request #3 from jlee-r7/landing-1812-mailvelope-keys
5123b91 
Simplify and clean up some
jlee-r7 pushed a commit that referenced this pull request May 28, 2013
@timwr
Merge pull request #3 from schierlm/android-deploy-profiles
a2f8b3d 
Call dx from Maven profile
@danielemartini danielemartini mentioned this pull request Jun 23, 2013
Merged
todb-r7 pushed a commit that referenced this pull request Jul 29, 2013
Land #3 from @Meatballs1, more better description
9304bbe
jvazquez-r7 pushed a commit that referenced this pull request Aug 8, 2013
@CharlieEriksen
Merge pull request #3 from CharlieEriksen/squash-rce
a4722af 
Adding OSVDB reference ID
jvazquez-r7 referenced this pull request in jvazquez-r7/metasploit-framework Aug 24, 2013
@jvennix-r7
Merge pull request #3 from jvazquez-r7/work_osx
d44a33c 
Merge in juan's improvements to module
jlee-r7 pushed a commit that referenced this pull request Aug 29, 2013
Merge pull request #3 from Meatballs1/psh_fix
0a6ac04 
Really fix war
todb-r7 pushed a commit that referenced this pull request Sep 27, 2013
@firefart
Merge pull request #3 from todb-r7/pr-2421-more-descriptive-rspec
45f52b5 
PR #2421 More descriptive rspec
jvazquez-r7 pushed a commit that referenced this pull request Oct 22, 2013
@ddouhine
Merge pull request #3 from jvazquez-r7/pr_2536
4591d34 
Add the ARCH_CMD target
jvazquez-r7 pushed a commit that referenced this pull request Dec 11, 2013
@BorjaMerino
Merge pull request #3 from jvazquez-r7/clean_2719
3fd2626 
Clean ie_proxypac
jvazquez-r7 pushed a commit that referenced this pull request Jan 2, 2014
@morisson
Merge pull request #3 from jvazquez-r7/review_2791
03d552c 
Switch RHOSTS to TARGETS and add validation
wvu referenced this pull request in wvu/metasploit-framework Jan 9, 2014
@sho-luv
Merge pull request #3 from wvu-r7/pr/2848
8161663 
Fix even moar outstanding issues
@xistence xistence mentioned this pull request Jan 29, 2014
Merged
@darkoperator darkoperator mentioned this pull request Feb 18, 2014
Closed
bturner-r7 added a commit that referenced this pull request Feb 26, 2014
@bturner-r7
Merge pull request #3 from limhoff-r7/bug/metasploit-framework-module…
28e3d48 
…-cache-prefetch-time

MSP-8948 #land
Meatballs1 pushed a commit that referenced this pull request Apr 9, 2014
Merge pull request #3 from tabassassin/retab/pr/2107
b72f425 
Retab/pr/2107
OJ pushed a commit that referenced this pull request May 4, 2014
@kyuz0
Merge pull request #3 from Meatballs1/pr3090
faaf078 
Pr3090
wchen-r7 pushed a commit that referenced this pull request Sep 29, 2014
Merge pull request #3 from rapid7/master
ce8452a 
bla
jhart-r7 pushed a commit that referenced this pull request Oct 22, 2014
@martinvigo
Merge pull request #3 from jhart-r7/landing-4004-jhart
a7dc0b9 
Final cleanup of LastPass module -- track account, more *print_ cleaning
jhart-r7 pushed a commit that referenced this pull request Nov 4, 2014
@midnitesnake
Merge pull request #3 from jhart-r7/landing-3516-jhart
1a2b1db 
Numerous cleanups for snmp_enumusers
kernelsmith pushed a commit that referenced this pull request Nov 10, 2014
@TomSellers
Merge pull request #3 from kernelsmith/landing/4063-DRYer
ff6bc5c 
modernizes & DRYs session/job ranges from kernelsmith
wchen-r7 pushed a commit that referenced this pull request Jan 15, 2015
@sgabe
Merge pull request #3 from wchen-r7/pr4588_update
e3450d7 
Support configurable resource for getgodm_http_response_bof
jvazquez-r7 pushed a commit that referenced this pull request Mar 4, 2015
Merge pull request #3 from jvazquez-r7/review_3074_clean_server
402fa12 
Land the merge. Code looks good to me! :-) thanks @jvazquez-r7
wvu pushed a commit that referenced this pull request Mar 10, 2015
@nstarke
Merge pull request #3 from wvu-r7/pr/4902
9a974af 
Change print_status to print_error
@jhart-r7 jhart-r7 mentioned this pull request Nov 10, 2015
Merged
jhart-r7 pushed a commit that referenced this pull request Dec 8, 2015
@jakxx
Merge pull request #3 from jhart-r7/pr/fixup-6197
457ee42 
Additional cleanup of enum_av_excluded; support showing process and file extension exclusions
@brandonprry brandonprry mentioned this pull request Dec 15, 2015
Closed
jhart-r7 pushed a commit that referenced this pull request Dec 15, 2015
Merge pull request #3 from jhart-r7/pr/fixup-6319
dee23e4 
Cleanup redis unauth_file_upload, move redis stuff to mixin
wvu pushed a commit that referenced this pull request Jan 23, 2016
@joevennix
Merge pull request #3 from wvu-r7/pr/6421
d0c22a5 
Add targets to avoid ARCH_ALL payload confusion
wchen-r7 pushed a commit that referenced this pull request Jan 23, 2016
@KINGSABRI
Merge pull request #3 from wchen-r7/pr6226
bb4db6b 
Do a version check for wordpress_xmlrpc_login
zeroSteiner pushed a commit that referenced this pull request Mar 16, 2016
@bcoles
Merge pull request #3 from zeroSteiner/pr/6401
eec9508 
Add get_file method and parse the server response
bwatters-r7 pushed a commit that referenced this pull request Jun 7, 2016
@h00die
Merge pull request #3 from bwatters-r7/land-6924
c553353 
Suggested updates for style and clarity
egypt pushed a commit that referenced this pull request Jun 24, 2016
@sdavis-r7
Merge pull request #3 from todb-r7/return-of-multiarch
0fd83b5 
Return of multiarch: LGTM.  thank you! @wchen-r7 @egypt @todb-r7 !
h00die pushed a commit that referenced this pull request Mar 20, 2017
@flakey-biscuits
Merge pull request #3 from h00die/flakeydna
a767139 
dnalims
rwhitcroft pushed a commit to rwhitcroft/metasploit-framework that referenced this pull request Apr 10, 2017
@dmchell
Merge pull request rapid7#3 from FireFart/iis
46d977d 
Update IIS exploit
zeroSteiner pushed a commit that referenced this pull request Jun 6, 2017
@itsmeroy2012
Merge pull request #3 from rapid7/master
25eda12 
merging master
bwatters-r7 pushed a commit that referenced this pull request Jun 7, 2017
@alexmaloteaux
Merge pull request #3 from bwatters-r7/land-8434
e5e3be3 
Rubocop readability changes
todb-r7 pushed a commit that referenced this pull request Dec 18, 2017
@RootUp
Merge pull request #3 from todb-r7/pr-9180
88a21d1 
Thanks @todb-r7 works perfect !
busterb pushed a commit that referenced this pull request Mar 23, 2018
@jbarnett-r7
Merge pull request #3 from clee-r7/move-session-mdm-use
fe069e4 
Move session mdm use
jbarnett-r7 pushed a commit that referenced this pull request Oct 26, 2018
@Green-m
Merge pull request #3 from mkienow-r7/pr10862-enhance-session-report-…
4b49f5b 
…fix-2

Enhance session report fix 2
jrobles-r7 pushed a commit to jrobles-r7/metasploit-framework that referenced this pull request Feb 15, 2019
Merge pull request rapid7#3 from rapid7/master
8308ec1 
aaa
asoto-r7 pushed a commit that referenced this pull request May 24, 2019
Merge pull request #3 from jagotu/bluekeep
743abdd 
Bluekeep: RSA check
h00die pushed a commit that referenced this pull request Oct 11, 2019
@hkerma
Merge pull request #3 from h00die/land-12367
2bcf62c 
add links
bwatters-r7 pushed a commit that referenced this pull request Dec 12, 2019
@phra
Inject shellcode changes (#3)
e11f64f 
Inject shellcode changes
cdelafuente-r7 added a commit to cdelafuente-r7/metasploit-framework that referenced this pull request Oct 30, 2020
@cdelafuente-r7
Fix documentation rapid7#3
1b1c625
@jheysel-r7 jheysel-r7 mentioned this pull request Jun 14, 2021
Merged
smcintyre-r7 pushed a commit to smcintyre-r7/metasploit-framework that referenced this pull request Sep 13, 2022
@zeroSteiner
Merge pull request rapid7#3 from smcintyre-r7/pr/collab/16995
098c49f 
Bofloader Updates
@ElizabethHanson1999 ElizabethHanson1999 mentioned this pull request Oct 8, 2022
Merged
16 tasks
smcintyre-r7 pushed a commit that referenced this pull request Feb 8, 2023
@rbowes-r7
Merge pull request #3 from smcintyre-r7/pr/collab/17607
0c6ebed 
Pr/collab/17607
@hastalamuerte hastalamuerte mentioned this pull request May 1, 2023
Merged
11 tasks
@cdelafuente-r7 cdelafuente-r7 mentioned this pull request Nov 17, 2023
Merged
10 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@threatagent @hdm @marcuscarey