#-----------------------------------------------------------------------------
# File: kasstatus.eps
# Description: Checks for presence of Kaspersky process and queries registry
# for Kaspersky behavior settings.
#
# Note: Values of regqueries must be supplied "in order" that they appear
# in the actual registry.
#
# Currently no FW (Anti_Hacker) queries
#
# Versions of Kaspersky checked for:
# 6.0
# 7.0
# 8.0 - very limited, only versioning. no settings queried
#
# 2008-01-29 - First Release - handles v6, v7. v8 only versioning and logging dirs
# 2008-02-21 - Recursive registry-dump for unknown Kaspersky versions
#-----------------------------------------------------------------------------
#
# Structure of this script (reviewer overview):
#   1. Build a list of known Kaspersky process names and compare it with the
#      running-process list from _GetProcessList.
#   2. Probe three registry locations (AVP6, protected\AVP7, protected\AVP8)
#      to pick $reg_base; v8 and "unknown" both return early.
#   3. For v6/v7, read one setting group at a time (Registry Guard, product
#      environment, global enabled flag, Behavior Blocking, Application
#      Activity Analysis, Process Injection, Process Hiding, Trusted
#      Applications), echoing each value and appending a "|Name:STATE" token
#      to $data.
#   4. Store $data in @metaData.$information and write it with writeData().
#
# Every step is a *read* of Kaspersky's own configuration under
# HKLM\Software\KasperskyLab plus a directory listing of its report and
# quarantine paths; nothing is modified.  From a defensive point of view
# those reads and listings are the observable footprint of this script.
#
# Helpers used but not defined here (they come from the two includes or the
# host interpreter): init, reg_query, split, GetEnv, GetCmdData, prompt,
# writeMetaData, _GetProcessList, and the @echo/@record/@hex directives.
# Their exact semantics are not visible in this file; comments below that
# describe them are marked as assumptions.

@include "_ProcessList.epm";
@include "PSPHelpers.epm";

# The struct is defined in PSPHelpers.epm
metaData @metaData;
string %envs;

# initialize the struct
init(@metaData, %envs);

# Accumulates "|Name:STATE" tokens; copied into @metaData.$information before
# every exit point below.
string $data = "";

# NOTE(review): @echo/@record are interpreter directives. From the v7 block
# below (@record on; `getnetaddr`; @record off; GetCmdData(...)) @record
# appears to capture command output for GetCmdData -- confirm against the
# interpreter documentation.
@echo off;
@record on;

# Process names treated as "Kaspersky is running".
string $kasp;
$kasp[0] = "avp.exe";
$kasp[1] = "avpcc.exe";
$kasp[2] = "avpncc.exe";
$kasp[3] = "avpm.exe";
$kasp[4] = "avps.exe";
$kasp[5] = "kav.exe";
$kasp[6] = "kavisarv.exe";
$kasp[7] = "kavmm.exe";
$kasp[8] = "kavss.exe";
$kasp[9] = "kavsvc.exe";
$kasp[10] = "kis.exe";
$kasp[11] = "klnagent.exe";
$kasp[12] = "kwsprod.exe";

# AUDITOFF is an environment value set elsewhere; this only reports it and
# does not change control flow.
string $auditing = GetEnv("AUDITOFF");
if ($auditing == "TRUE"){
    echo "Verified auditing was off/has been dorked. Moving on";
}else{
    echo "auditing still on!";
}

# Process IDs
int $ids;
# Process Names
string $names;
string $name;
int $i = 0;
# Is logging on or off
bool $logging = false;
# Dataroot Directory (e.g., installation directory)
string $dataroot = "";
# Report Directory where log files are stored
string $report = "";
# Quarantine Directory
string $quarantine = "";
int $version = 6;
# Registry query value
string $value;
# registry query (sub)key
string $key;
# registry query base (used in conjunction with $key)
string $reg_base = "";
# return value
string $ret;

_GetProcessList($ids, $names);

# $i is the index into $ids that parallels $names; it is reset and reused
# later for the Trusted Applications loop.
bool $found_kas_process = false;
echo "";
foreach $name ($names) {
    string $k;
    foreach $k ($kasp) {
        if($k == $name) {
            echo "Kaspersky process:$ids[$i]:$name";
            $found_kas_process = true;
        }
    }
    $i++;
}
echo "";

# Check for Kaspersky processes and Version
# No matching process is not fatal by itself: the operator is asked, and a
# "yes" writes the (still empty) metadata and returns.
ifnot($found_kas_process) {
    if(prompt "No Kaspersky Process found. Exit?") {
        @metaData.$information = $data;
        writeData(@metaData, %envs);
        return false;
    }
}

@metaData.$vendor = "Kaspersky";

# Version detection: first matching hive wins, in the order 6, 7, 8.
# $reg_base is the prefix every later $key is built from.
if(`regquery -hive L -subkey "software\\kasperskylab\\AVP6"`) {
    echo "Found registry keys for Kaspersky 6.0.";
    $version = 6;
    $reg_base = "software\\kasperskylab\\AVP6";
    @metaData.$product = "Kaspersky 6.0";
    @metaData.$version = "6";
} else if(`regquery -hive L -subkey "software\\kasperskylab\\protected\\AVP7"`) {
    echo "Found registry keys for Kaspersky 7.0.";
    $version = 7;
    $reg_base = "software\\kasperskylab\\protected\\AVP7";
    @metaData.$product = "Kaspersky 7.0";
    @metaData.$version = "7";
    # Port information is only reported, not acted on.
    @record on;
    `getnetaddr`;
    @record off;
    int $remote_peer_port = GetCmdData("remote_peer_port");
    int $remote_port = GetCmdData("remote_port");
    echo "";
    echo "NOTE: Kaspersky 7 *can* create popups for traffic over \"encrypted\" ports.";
    echo "If you're using one of these ports (including 443)...";
    echo "you may already be in trouble.";
    echo " Remote peer port: $remote_peer_port";
    echo "Current implant port: $remote_port";
} else if(`regquery -hive L -subkey "software\\kasperskylab\\protected\\AVP8"`) {
    # v8: versioning and directory locations only, then return.
    echo "Found registry keys for Kaspersky 8.0.";
    $version = 8;
    $reg_base = "software\\kasperskylab\\protected\\AVP8";
    @metaData.$product = "Kaspersky 8.0";
    @metaData.$version = "8";
    undef($ret);
    undef($value);
    $key = "$reg_base\\environment";
    # NOTE(review): Report/Quarantine are listed here in the opposite order
    # from the v6/v7 "Version" block further down (Quarantine then Report).
    # Per the header note the order must match the registry; which order is
    # right for which version cannot be checked from this file.
    $value[0] = "DataRoot";
    $value[1] = "ProductName";
    $value[2] = "ProductType";
    $value[3] = "ProductVersion";
    $value[4] = "Report";
    $value[5] = "Quarantine";
    # reg_query(key, names, results, flag): fills $ret in the same order as
    # $value. The meaning of the boolean last argument is not shown here.
    if(reg_query($key, $value, $ret, true)) {
        echo "";
        echo "$ret[1] (version $ret[3])";
        echo "";
        $dataroot = $ret[0];
        $report = $ret[4];
        $quarantine = $ret[5];
        # Report/Quarantine are stored as "%...%\<relative>"; split on "%\"
        # and keep the part after it, then prefix with DataRoot.
        string $r = split("\%\\", $report);
        $report = "$dataroot\\$r[1]";
        $r = split("\%\\", $quarantine);
        $quarantine = "$dataroot\\$r[1]";
        echo "Potential Logging Directory:";
        echo "$report";
        echo "Potential Quarantine Directory";
        echo "$quarantine";
        @echo on;
        `log dir * -path "$report" -max 0 -age 3`;
        @echo off;
    }
    echo "";
    echo "No additional queries yet. Q&D";
    # `script kas8.eps`;
    @metaData.$information = $data;
    writeData(@metaData, %envs);
    return true;
} else {
    # Unknown/absent installation: optional recursive dump, then return.
    echo "Did not find a known Kaspersky installation.";
    echo "";
    if(prompt "Do you want to recursively dump HKLM\\Software\\KasperskyLab? (NOTE: this can produce a large result set)") {
        @echo on;
        `background log regquery -recursive -hive L -subkey "software\\kasperskylab"`;
        @echo off;
    }
    @metaData.$information = $data;
    writeData(@metaData, %envs);
    return false;
}

# ---------------------------------------------------------------------------
# Everything below runs only for v6/v7 ($reg_base set above).
# Each section follows the same shape: undef($ret)/undef($value), fill
# $value[] with the value names to read, reg_query, echo, append to $data.
# Values come back as 8-character hex strings ("00000000"/"00000001").
# ---------------------------------------------------------------------------

# REGISTRY GUARD
echo "";
echo "+++++++++++++++++++";
echo "Registry Guard";
echo "+++++++++++++++++++";
$key = "$reg_base\\profiles\\behavior_blocking\\profiles\\pdm\\settings";
undef($ret);
undef($value);
$value[0] = "bRegMonitoring_Enabled";
echo "Querying the Registry Guard subkey, this *may* take a while ...";
if(reg_query($key, $value, $ret, true)) {
    # This section alone converts the result to int before comparing; the
    # later sections compare the hex string directly.
    int $rg = $ret[0];
    if($rg == 1) {
        echo "$ret:$value (Registry Guard: ON) !!!";
        $data = "$data|RegistryGuard:ON";
        %envs{'noRegistry'} = "TRUE";
        # Declining the prompt writes the metadata collected so far and stops.
        ifnot(prompt "\nRegistry Monitoring Enabled. (This is default behavior)\nActivity *may* have been been detected, depending on which registry keys are being monitored (see Kaspersky documentation for more details). \nContinuing *may* also be detected, depending on this status.\n\nContinue?") {
            @metaData.$information = $data;
            writeData(@metaData, %envs);
            return false;
        }
    } else {
        echo "$ret:$value (Registry Guard: OFF)";
        $data = "$data|RegistryGuard:OFF";
        %envs{'noRegistry'} = "FALSE";
    }
}

# Version
# Product name/type/version plus the DataRoot-relative report and quarantine
# paths; these fill @metaData.$product/$version/$logFile/$quarantine.
undef($ret);
undef($value);
$key = "$reg_base\\environment";
$value[0] = "DataRoot";
$value[1] = "ProductName";
$value[2] = "ProductType";
$value[3] = "ProductVersion";
$value[4] = "Quarantine";
$value[5] = "Report";
if(reg_query($key, $value, $ret, true)) {
    echo "";
    echo "$ret[1] (version $ret[3])";
    echo "";
    $dataroot = $ret[0];
    $report = $ret[5];
    # Same "%...%\<relative>" -> "<DataRoot>\<relative>" rewrite as in the
    # v8 block.
    string $r = split("\%\\", $report);
    $report = "$dataroot\\$r[1]";
    $quarantine= $ret[4];
    $r = split("\%\\", $quarantine);
    $quarantine = "$dataroot\\$r[1]";
    @metaData.$product = "$ret[1] ($ret[2])";
    @metaData.$version = "$ret[3]";
    @metaData.$logFile = "$report";
    @metaData.$quarantine = "$quarantine";
    $data = "$data|$ret[2]";
}

# KASPERSKY
# Global "enabled" flag at the product root.
undef($ret);
undef($value);
$key = "$reg_base";
$value[0] = "enabled";
if(reg_query($key, $value, $ret, true)) {
    # NOTE(review): compares the whole $ret rather than $ret[0] as the later
    # sections do, and the inner `if` repeats the outer test verbatim.
    if($ret == "00000000") {
        echo "$ret:$value (Kaspersky Monitoring: OFF)";
        if($ret == "00000000") {
            if(prompt "Kaspersky Monitoring is turned off.\nExit?") {
                @metaData.$information = $data;
                writeData(@metaData, %envs);
                return true;
            }
        }
    }
    if($ret == "00000001") {
        echo "$ret:$value (Kaspersky Monitoring: ON)";
    }
}

# BEHAVIOR BLOCKING
# If the whole behavior-blocking component is off, every %envs flag is
# cleared and the script ends here; the per-feature sections only run when
# it is on.
undef($ret);
undef($value);
echo "";
echo "";
echo "+++++++++++++++++++";
echo "Behavior Blocking";
echo "+++++++++++++++++++";
$key = "$reg_base\\profiles\\behavior_blocking";
$value[0] = "enabled";
if(reg_query($key, $value, $ret, true)) {
    if($ret == "00000000") {
        echo "$ret:$value (Behavior Blocking: OFF)";
        echo "made in the shade";
        echo "Behavior Blocking: OFF";
        $data = "$data|BehaviorBlocking:OFF";
        %envs{'noDriver'} = "FALSE";
        %envs{'noHide'} = "FALSE";
        %envs{'noInject'} = "FALSE";
        %envs{'noKeyboard'} = "FALSE";
        %envs{'noRegistry'} = "FALSE";
        @metaData.$information = $data;
        writeData(@metaData, %envs);
        return true;
    }
    if($ret == "00000001") {
        echo "$ret:$value (Behavior Blocking: ON)";
        $data = "$data|BehaviorBlocking:ON";
    }
}

# APPLICATION ACTIVITY ANALYSIS
# Parent switch for the Process Injection / Process Hiding settings below;
# OFF ends the script.
undef($ret);
undef($value);
echo "";
echo "";
echo "+++++++++++++++++++";
echo "Application Activity Analysis";
echo "+++++++++++++++++++";
$key = "$reg_base\\profiles\\behavior_blocking\\profiles\\pdm\\settings";
$value[0] = "bBehaviourEnabled";
if(reg_query($key, $value, $ret, true)) {
    if($ret[0] == "00000000") {
        echo "$ret[0]:$value[0] (Application Activity Analyzer: OFF)";
        echo "Exiting ... ";
        $data = "$data|ApplicationActivityAnalyzer:OFF";
        @metaData.$information = $data;
        writeData(@metaData, %envs);
        return true;
    }
    if($ret[0] == "00000001") {
        echo "$ret[0]:$value[0] (Application Activity Analyzer: ON)";
        $data = "$data|ApplicationActivityAnalyzer:ON";
    }
}

# PROCESS INJECTION
# Set\0002: bEnabled, action (0 allow / 1 ask / 2 block), bLog, bQuarantine.
undef($ret);
undef($value);
echo "";
echo "";
echo "+++++++++++++++++++";
echo "Process Injection";
echo "+++++++++++++++++++";
$ret = "";
$key = "$reg_base\\profiles\\behavior_blocking\\profiles\\pdm\\settings\\Set\\0002";
$value[0] = "bEnabled";
$value[1] = "action";
$value[2] = "bLog";
$value[3] = "bQuarantine";
if(reg_query($key, $value, $ret, true)) {
    if($ret[0] == "00000000") {
        echo "$ret[0]:$value[0] (Process Injection Detection: OFF)";
        $data = "$data|ProcessInjection:OFF";
        %envs{'noInject'} = "FALSE";
    } else {
        $data = "$data|ProcessInjection:ON";
        %envs{'noInject'} = "TRUE";
        echo "$ret[0]:$value[0] (Process Injection Detection: ON)";
        echo "";
        echo "!!! PROCESS INJECTION MAY BE DETECTED !!!";
        echo "!!! DON'T RUN PWDUMP/LSADUMP !!!";
        echo "!!! Check the action key below for behavior !!!";
        echo "";
        pause;
        if($ret[1] == "00000000") {
            echo "$ret[1]:$value[1] (Process Injection Action: ALLOWED)";
        }
        if($ret[1] == "00000001") {
            echo "$ret[1]:$value[1] (Process Injection Action: ASK USER)";
        }
        if($ret[1] == "00000002") {
            echo "$ret[1]:$value[1] (Process Injection Action: AUTO-BLOCK)";
        }
        if($ret[2] == "00000000") {
            echo "$ret[2]:$value[2] (Injected Process Logging: OFF)";
        }
        if($ret[2] == "00000001") {
            echo "$ret[2]:$value[2] (Injected Process Logging: ON)";
            # Any enabled bLog turns on the Logging/Quarantine listing at the end.
            $logging = true;
        }
        if($ret[3] == "00000000") {
            echo "$ret[3]:$value[3] (Quarantine Injected Process: OFF)";
        }
        if($ret[3] == "00000001") {
            echo "$ret[3]:$value[3] (Quarantine Injected Process: ON)";
        }
        $data = "$data|ProcessInjectionAction:$ret[1]";
        $data = "$data|ProcessInjectionLogging:$ret[2]";
        $data = "$data|ProcessInjectionQuarantine:$ret[3]";
    }
}

# PROCESS HIDING
# Set\0003: bEnabled, action (0 allow / 1 ask / 3 terminate), bLog, Timeout.
undef($ret);
undef($value);
echo "";
echo "";
echo "+++++++++++++++++++";
echo "Process Hiding";
echo "+++++++++++++++++++";
$key = "$reg_base\\profiles\\behavior_blocking\\profiles\\pdm\\settings\\Set\\0003";
$value[0] = "bEnabled";
$value[1] = "action";
$value[2] = "bLog";
$value[3] = "Timeout";
#$value[4] = "";
if(reg_query($key, $value, $ret, true)) {
    if($ret[0] == "00000000") {
        echo "$ret[0]:$value[0] (Process Hiding Detection: OFF)";
        $data = "$data|ProcessHiding:OFF";
        %envs{'noHide'} = "FALSE";
    } else {
        echo "$ret[0]:$value[0] (Process Hiding Detection: ON)";
        echo "";
        echo "!!! PROCESS HIDING MAY BE DETECTED !!!";
        echo "!!! DON'T PROCESS HIDE !!!";
        echo "!!! Check the action key below for behavior !!!";
        echo "";
        pause;
        if($ret[1] == "00000000") {
            echo "$ret[1]:$value[1] (Process Hiding Action: ALLOWED)";
        }
        if($ret[1] == "00000001") {
            echo "$ret[1]:$value[1] (Process Hiding Action: ASK USER)";
        }
        if($ret[1] == "00000003") {
            echo "$ret[1]:$value[1] (Process Hiding Action: TERMINATE PROCESS)";
        }
        if($ret[2] == "00000000") {
            echo "$ret[2]:$value[2] (Process Hiding Logging: OFF)";
        }
        if($ret[2] == "00000001") {
            echo "$ret[2]:$value[2] (Process Hiding Logging: ON)";
            $logging = true;
        }
        echo "$ret[3]:$value[3] - Minutes (in hex) between scans for hidden processes";
        $data = "$data|ProcessHidingAction:$ret[1]";
        $data = "$data|ProcessHidingLogging:$ret[2]";
        # NOTE(review): $ret[3] is the "Timeout" value read above, but the
        # token it is recorded under is named ...Quarantine.
        $data = "$data|ProcessHidingQuarantine:$ret[3]";
    }
}

# TRUSTED APPLICATIONS
# Walks aitems\0000, 0001, ... until reg_query fails. For v7 nTriggers is
# not requested, so the Triggers column prints as xxxxxxxx.
undef($ret);
undef($value);
echo "";
echo "";
echo "+++++++++++++++++++";
echo "Trusted Applications";
echo "+++++++++++++++++++";
echo "Enabled Triggers ImagePath";
echo "-------- -------- ---------";
$value[0] = "bEnabled";
$value[1] = "sImagePath";
$value[2] = "nHost";
$value[3] = "nPort";
ifnot($version == 7) {
    $value[4] = "nTriggers";
}
$i = 0;
$key = "$reg_base\\profiles\\procmon\\settings\\def\\aitems\\";
# $ret doubles as the zero-padded item index on the way in and the query
# result on the way out; zero_extend() re-seeds it after each item.
zero_extend($i, $ret);
int $trigger = 0x0;
while(reg_query("$key$ret", $value, $ret, false)) {
    if($version == 7) {
        echo "$ret[0]:xxxxxxxx:$ret[1]";
    } else {
        echo "$ret[0]:$ret[4]:$ret[1]";
        @hex on;
        int $trigger2 = $ret[4];
        $trigger = $trigger2;
        # currently, thinks nTriggers is decimal. luckily it doesn't make a difference. need to write hex->dec converter
        # (i.e. the hex digits of nTriggers are read as a decimal number, so
        # 0x21 is matched as 21. Each hex digit carries independent flag
        # bits, which is why the digit-wise table below still works.)
        # 0x20
        bool $trig_reg = false;
        # 0x10
        bool $trig_app = false;
        # 0x02
        bool $trig_net = false;
        # 0x01
        bool $trig_file = false;
        if($trigger == 33) { $trig_reg=true; $trig_app=true; $trig_net=true; $trig_file=true; }
        if($trigger == 32) { $trig_reg=true; $trig_app=true; $trig_net=true; }
        if($trigger == 31) { $trig_reg=true; $trig_app=true; $trig_file=true; }
        if($trigger == 30) { $trig_reg=true; $trig_app=true; }
        if($trigger == 23) { $trig_reg=true; $trig_net=true; $trig_file=true; }
        if($trigger == 22) { $trig_reg=true; $trig_net=true; }
        if($trigger == 21) { $trig_reg=true; $trig_file=true; }
        if($trigger == 20) { $trig_reg=true; }
        if($trigger == 13) { $trig_app=true; $trig_net=true; $trig_file=true; }
        if($trigger == 12) { $trig_app=true; $trig_net=true; }
        if($trigger == 11) { $trig_app=true; $trig_file=true; }
        if($trigger == 10) { $trig_app=true; }
        if($trigger == 3) { $trig_net=true; $trig_file=true; }
        if($trigger == 2) { $trig_net=true; }
        if($trigger == 1) { $trig_file=true; }
        if($trig_reg) { echo "\tTrigger:0x20:Do not control registry access"; }
        if($trig_app) { echo "\tTrigger:0x10:Do not controll application activity !!!"; }
        if($trig_net) { echo "\tTrigger:0x02:Do not scan network traffic"; }
        if($trig_file) { echo "\tTrigger:0x01:Do not scan opened files"; }
        @hex off;
        #@hex off must come before zero_extend
    }
    $i++;
    zero_extend($i, $ret);
}

# Only reached with $logging set by one of the bLog values above.
if($logging) {
    echo "";
    echo "";
    echo "+++++++++++++++++++";
    echo "Logging";
    echo "+++++++++++++++++++";
    echo "Potential location of Kaspersky logging:";
    # split to get the part after "%dataroot%\"
    #string $r = split("\%\\", $report);
    #$dataroot = "$dataroot\\$r[1]";
    #echo "\"$dataroot\"";
    echo "\"$report\"";
    #echo "";
    @echo on;
    #`dir * -path "$dataroot" -max 0 -age 3`;
    `dir * -path "$report" -max 0 -age 3`;
    @echo off;
    echo "";
    echo "";
    echo "+++++++++++++++++++";
    echo "Quarantine";
    echo "+++++++++++++++++++";
    echo "Potential location of Kaspersky quarantine directory:";
    # split to get the part after "%dataroot%\"
    #$r = split("\%\\", $quarantine);
    #$dataroot = "$dataroot\\$r[1]";
    #echo "\"$dataroot\"";
    echo "\"$quarantine\"";
    echo "";
    @echo on;
    #`dir * -path "$dataroot" -max 0 -age 3`;
    `dir * -path "$quarantine" -max 0 -age 3`;
    @echo off;
}

@metaData.$information = $data;
writeData(@metaData, %envs);

# Formats $i as the 4-character aitems subkey name: "0000".."0009" and
# "0010".."0099". For $i >= 100 the result is five characters long.
sub zero_extend(IN int $i, OUT string $ret) {
    if($i < 10) {
        $ret = "000$i";
    } else {
        $ret = "00$i";
    }
}

# Persists @metaData/%envs via writeMetaData (PSPHelpers.epm) and reports the
# outcome. Always returns true, so callers cannot tell a failed write apart
# from a successful one by the return value; only the echoed message differs.
sub writeData(IN metaData @metaData, IN string %envs) {
    if(writeMetaData(@metaData, %envs)){
        echo "Wrote meta data to disk";
    }else{
        echo "ERROR. could not write meta data to disk. ERROR";
    }
    return true;
}