from cStringIO import StringIO
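# Template of the .reg file handed to the user.  ``{PROCESS}`` is the image
# name to watch (an Image File Execution Options key plus the matching
# SilentProcessExit key) and ``{TOKEN_DNS}`` is the token's DNS name; both are
# filled in by make_canary_msreg() via str.format.  The backslashes in the two
# registry paths are doubled so the literal holds no invalid escape sequences
# (``\S``, ``\M``, ``\{`` ...), which newer Python versions warn about; the
# resulting text is byte-for-byte what the single-backslash form produced.
REG_TEMPLATE = '''Windows Registry Editor Version 5.00
; Sensitive command token generated by Thinkst Canary
; Run with admin privs on Windows machine as: reg import FILENAME
; command that will be watched for
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\{PROCESS}]
"GlobalFlag"=dword:00000200
; magic unique canarytoken that will be fired when this command is executed
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\{PROCESS}]
"ReportingMode"=dword:00000001
"MonitorProcess"="cmd.exe /c start /min powershell.exe -windowstyle hidden -command \\\"$($u=$(\\\\\\\"u$env:username\\\\\\\" -replace('[^\\\\x00-\\\\x7f]|\\\\s', ''))[0..63] -join '';$c=$(\\\\\\\"c$env:computername\\\\\\\" -replace('[^\\\\x00-\\\\x7f]|\\\\s', ''));Resolve-DnsName -Name \\\\\\\"$c.UN.$u.CMD.{TOKEN_DNS}\\\\\\\")\\\""
'''

# Characters that are illegal in a Windows file name or that would end the
# ``[...]`` key line of a .reg file early.  A process name containing one of
# them can never match a real image name and would only corrupt the output,
# since the name is spliced into the key path by plain string formatting.
_PROCESS_NAME_BAD_CHARS = '\\/:*?"<>|[]\r\n\t\x00'

# Characters that would break out of the quoted "MonitorProcess" value the
# token DNS name is embedded in.
_URL_BAD_CHARS = '"\\\r\n'


def make_canary_msreg(url=None, process_name='klist.exe'):
    """Render a .reg file that fires the token when *process_name* is run.

    Args:
        url: the token's DNS name, substituted for ``{TOKEN_DNS}``.  The
            template resolves it as the suffix of a DNS query
            (``$c.UN.$u.CMD.<url>``), so a bare hostname is what is expected
            here, not an http URL.
        process_name: image name to watch.  ``.exe`` is appended when the
            name does not already end with it (compared case-insensitively,
            as Windows file names are).

    Returns:
        The rendered .reg file contents as a string.

    Raises:
        ValueError: if *url* is empty/None or contains a quote, backslash or
            newline, or if *process_name* is empty or contains a character
            listed in ``_PROCESS_NAME_BAD_CHARS``.
    """
    # The old default of None was silently rendered as the text "None" in the
    # DNS name, producing a token that could never fire.
    if not url or any(ch in url for ch in _URL_BAD_CHARS):
        raise ValueError(
            'url must be a non-empty token DNS name without quotes, '
            'backslashes or newlines')
    if not process_name or any(ch in process_name for ch in _PROCESS_NAME_BAD_CHARS):
        raise ValueError(
            'process_name must be a bare image name such as klist.exe')
    # Suffix test rather than substring test: "KLIST.EXE" already carries its
    # extension, and a name like "a.exe.b" should still get one appended.
    if not process_name.lower().endswith('.exe'):
        process_name += '.exe'
    # str.format yields the file directly; the former StringIO round-trip
    # returned the identical string.
    return REG_TEMPLATE.format(TOKEN_DNS=url, PROCESS=process_name)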