RotL-0.0.5

Description

A simple utility for converting files that describe malware infections into remediation scripts that can clean up infections using native OS tools.
| Attribute        | Value                                      |
|------------------|--------------------------------------------|
| Operating system | OS Independent                             |
| File name        | RotL-0.0.5                                 |
| Name             | RotL                                       |
| Library version  | 0.0.5                                      |
| Maintainer       | []                                         |
| Maintainer email | []                                         |
| Author           | Sean McFeely                               |
| Author email     | zsmcfeely@gmail.com                        |
| Home page        | https://github.com/IntegralDefense/RotL    |
| URL              | https://pypi.org/project/RotL/             |
| License          | Apache-2.0                                 |
# Remediation off the Land

Remediation off the Land (RotL) is a simple tool that converts a list of artifacts from a malware infection into commands that can be executed on the system to delete/remove those artifacts.

## Installation

``pip3 install rotl``

## The RotL script

When installed, a command line script named 'rotl' is supplied that converts a remediation file describing the infection into a remediation script. Currently only Windows remediations are supported.

```
$ RotL -h
usage: RotL [-h] [-w {win}] [-f REMEDIATION] [-t {win}] [-o OUTFILE]

Remediation off the Land: Write remediation files to execute

optional arguments:
  -h, --help            show this help message and exit
  -w {win}, --write-template {win}
                        write a remediation template file to local dir.
  -f REMEDIATION, --remediation REMEDIATION
                        the remediation file describing the infection
  -t {win}, --os-type {win}
                        remediation type (operating system)
  -o OUTFILE, --outfile OUTFILE
                        name of output file to write.
```

## The Remediation File

You can use the rotl script to print a copy of the remediation template file that can be used to describe a malicious infection.

```
$ RotL -w win
+ Wrote remediate.ini
```

Now, you can edit the remediate.ini file to reflect the infection.

```
$ cat remediate.ini
## Example remediate routine file.
## All keys are commented out under their respective sections by default.

# Specify full paths to files that you want to delete.
# ex: file1=c:\programdata\lemontrack installer\winserv.exe
[files]
;file1=
;file2=
;file3=

# Specify processes that you want to kill by name.
# All processes matching the name will be killed
# ex: proc1=winserv.exe
[process_names]
;proc1=
;proc2=
;proc3=

# Delete a scheduled task
# ex: task1=DHCP Monitor Task
[scheduled_tasks]
;task1=
;task2=

# SC delete services by their name
[services]
;service1=
;service2=

# Delete entire directories
# ex: directory1=C:\ProgramData\LemonTrack Installer
[directories]
;directory1=
;directory2=

# Delete processes by their ID
# ex: pid1=2664
[pids]
;pid1=
;pid2=

# delete individual registry key-values
# ex: reg1=HKU\S-1-5-21-1660022851-2357930215-3100199371-1001\Software\Microsoft\Windows\CurrentVersion\Run\LemonTrack
# This translates to: REG DELETE "HKU\S-1-5-21-1660022851-2357930215-3100199371-1001\Software\Microsoft\Windows\CurrentVersion\Run" /v LemonTrack /f
[registry_values]
;reg1=
;reg2=

# delete all values behind a key
# ex: reg1=HKLM\Software\Microsoft\Windows\CurrentVersion\Run
# REG DELETE HKLM\Software\Microsoft\Windows\CurrentVersion\Run /f
[registry_keys]
;reg1=
;reg2=
```

### Example

Example remediate file describing a Qbot infection:

```
$ cat remediate.ini
[files]
file1=C:\WINDOWS\TEMP\iajzq.mkt
file2=C:\Documents and Settings\Administrator\Application Data\Microsoft\Iajzq\iajzq.exe
[process_names]
proc1=cscript.exe
proc2=iajzq.exe
proc3=wscntfy.exe
[scheduled_tasks]
task1=mxsiajzqupd
[services]
service1=fehjgnzjh
[directories]
directory1=C:\documents and settings\administrator\application data\microsoft\iajzq
[pids]
[registry_values]
reg1=HKU\S-1-5-21-1549631456-1210741653-3294372961-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lcmkfq
[registry_keys]
```

Create the batch file:

```
$ RotL -f remediate.ini
+ Wrote 'remediation.bat'
```

Now this file can be executed with admin rights on the infected system to remove the infection.

```
$ cat remediation.bat
taskkill /IM "cscript.exe" /F
taskkill /IM "iajzq.exe" /F
taskkill /IM "wscntfy.exe" /F
REG DELETE "HKU\S-1-5-21-1549631456-1210741653-3294372961-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "lcmkfq" /f
del "C:\WINDOWS\TEMP\iajzq.mkt"
del "C:\Documents and Settings\Administrator\Application Data\Microsoft\Iajzq\iajzq.exe"
cd "C:\documents and settings\administrator\application data\microsoft\iajzq" && DEL /F /Q /S * > NUL && cd .. && RMDIR /Q /S "C:\documents and settings\administrator\application data\microsoft\iajzq"
schtasks /Delete /TN "mxsiajzqupd" /F
net stop "fehjgnzjh" && SC DELETE "fehjgnzjh"
```
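As an added example (not RotL's own code), here is a minimal parser for the remediate.ini format above and a renderer for the batch commands it maps to, plus the quoting check a practitioner wants before artifact names taken from an infection are written into a script that runs with admin rights. The sample INI values are constructed placeholders; the directory removal is simplified to a single RMDIR.

```python
import configparser

# Constructed sample in the remediate.ini format the page describes (invented
# placeholder paths/names, not the project's own example).
SAMPLE_INI = r"""
[files]
file1=C:\Temp\evil.tmp
[process_names]
proc1=evil.exe
[scheduled_tasks]
task1=EvilUpdater
[services]
service1=evilsvc
[directories]
directory1=C:\ProgramData\Evil
[registry_values]
reg1=HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Evil
[registry_keys]
reg1=HKCU\Software\Evil
"""

# cmd.exe metacharacters; a value carrying one would change what the .bat does.
_BAD = set('"&|<>^%\r\n')

def _q(value):
    """Quote a value for batch, refusing anything that could break out of the quotes."""
    if any(c in _BAD for c in value):
        raise ValueError(f"unsafe remediation value: {value!r}")
    return f'"{value}"'

def parse_remediation(text):
    """Parse remediate.ini; ';'-commented template keys are dropped by configparser."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return {s: [v for _, v in cp.items(s)] for s in cp.sections()}

def to_batch(sections):
    """Emit commands in the order the page's remediation.bat uses: processes first,
    so the files and directories they hold open can then be removed."""
    g = sections.get
    cmds = [f"taskkill /IM {_q(p)} /F" for p in g("process_names", [])]
    for rv in g("registry_values", []):
        key, _, name = rv.rpartition("\\")  # last path component is the value name
        cmds.append(f"REG DELETE {_q(key)} /v {_q(name)} /f")
    cmds += [f"REG DELETE {_q(k)} /f" for k in g("registry_keys", [])]
    cmds += [f"del {_q(f)}" for f in g("files", [])]
    cmds += [f"RMDIR /Q /S {_q(d)}" for d in g("directories", [])]
    cmds += [f"schtasks /Delete /TN {_q(t)} /F" for t in g("scheduled_tasks", [])]
    cmds += [f"net stop {_q(s)} && SC DELETE {_q(s)}" for s in g("services", [])]
    return cmds
```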


How to install


Installing the RotL-0.0.5 whl package:

    pip install RotL-0.0.5.whl


Installing the RotL-0.0.5 tar.gz package:

    pip install RotL-0.0.5.tar.gz