Sandbox Feature Upgrader
Big sandbox vendors still do not provide the information that a blue teamer would like to see in their reports. For me it was always important to see Windows Eventlog events in these reports, especially to create Sigma rules. The sandboxes that I use do not provide this feature, so I decided to add it to the samples that I drop, in the form of a wrapper.
Exotron wraps the sample in a set of commands that run before and after the sample execution.
This is what happens in the current PoC version:
- Activates all event types (success and failure auditing) in the local audit policy of the Windows system
- Clears the current eventlog entries in Security, Application and System
- Installs Sysmon (yeah!)
- Runs the samples found in the .\samples sub directory (of the SFX)
- Exports the Eventlog and Sysmon entries as CSV files on disk (which can then be downloaded as "dropped files")
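The sequence above, written out as a PowerShell wrapper so the individual commands are visible. This is an added example, not Exotron's own code: the folder layout (.\Sysmon, .\samples, .\output), the Sysmon binary name Sysmon64.exe, the config file name sysmonconfig-export.xml and the noise filter on the wrapper's own process names are assumptions. It must run elevated, which is why the sandbox needs UAC disabled.

```powershell
# Added example of the wrapper sequence (enable auditing, clear logs, install Sysmon,
# run samples, export CSV). Not Exotron's code; paths and file names are assumptions.
$ErrorActionPreference = 'Continue'
$Root       = Split-Path -Parent $MyInvocation.MyCommand.Path
$SysmonDir  = Join-Path $Root 'Sysmon'     # assumed: Sysmon64.exe + config live here
$SamplesDir = Join-Path $Root 'samples'    # assumed: samples dropped here
$OutDir     = Join-Path $Root 'output'     # assumed: CSV files land here
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$t0 = Get-Date   # everything written after this point belongs to the session

# 1. Enable success and failure auditing for every category of the local audit policy.
auditpol /set /category:* /success:enable /failure:enable | Out-Null

# 2. Clear the three classic logs so the export only contains this session.
foreach ($log in 'Security', 'Application', 'System') {
    wevtutil cl $log
}

# 3. Install Sysmon with the configuration shipped in .\Sysmon (assumed file names).
$SysmonExe = Join-Path $SysmonDir 'Sysmon64.exe'
$SysmonCfg = Join-Path $SysmonDir 'sysmonconfig-export.xml'
& $SysmonExe -accepteula -i $SysmonCfg | Out-Null

# 4. Run every executable in .\samples one after another and wait for each to exit.
Get-ChildItem -Path $SamplesDir -Filter '*.exe' | ForEach-Object {
    Start-Process -FilePath $_.FullName -WorkingDirectory $SamplesDir -Wait -ErrorAction SilentlyContinue
}
Start-Sleep -Seconds 30   # give child processes and Sysmon time to write their events

# 5. Export Eventlog and Sysmon entries written since $t0 as CSV files.
#    The -notmatch drops the most obvious wrapper noise (the wrapper's own tools);
#    it does not remove e.g. the audit policy change (4719) or log cleared (1102) events.
$Logs = @{
    'Security'    = 'Security'
    'Application' = 'Application'
    'System'      = 'System'
    'Sysmon'      = 'Microsoft-Windows-Sysmon/Operational'
}
foreach ($name in $Logs.Keys) {
    Get-WinEvent -FilterHashtable @{ LogName = $Logs[$name]; StartTime = $t0 } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -notmatch '\\(auditpol|wevtutil|Sysmon64)\.exe' } |
        Select-Object TimeCreated, Id, ProviderName, LevelDisplayName, Message |
        Export-Csv -Path (Join-Path $OutDir "$name.csv") -NoTypeInformation -Encoding UTF8
}
```

The Sysmon log only exists after step 3, so exporting it before the install would yield nothing; the Security log is the one that grows fast once all categories are enabled, which is why the export is limited to events after $t0 instead of the whole log.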
Screenshot: Any.run report on a Thrip sample (named evil1.exe)
Known issues and TODOs:
- The report will be a mess, as it contains all processes that the Exotron wrapper has caused in the session
- TODO: filter some of the actions caused by Exotron from the eventlogs during the export
- Only executable files are supported as samples at the moment
Usage:
- Download Sysmon from the Microsoft website and place it in the .\Sysmon folder
- Get the newest version of SwiftOnSecurity's Sysmon configuration, or create your own, and place it in the .\Sysmon directory
- Get Python 3 if it is not already installed
- Place the samples in the .\samples sub folder
- Run python3 exotron.py --debug
- Drop the generated exotron-package.exe into a sandbox of your choice
- The sandbox should have UAC disabled, since changing the audit policy, clearing the eventlogs and installing Sysmon all require administrative rights
Experimental PoC: I made it for myself and thought that others may find it useful too. If people like the idea, maybe I'll put more effort into it.