Skip to content

Instantly share code, notes, and snippets.

@mgreen27

mgreen27/Get-BinaryRename.ps1

Created June 1, 2019 08:08
Show Gist options
  • Save mgreen27/036c2b33f928d188ddc60f26b4c9a097 to your computer and use it in GitHub Desktop.
Save mgreen27/036c2b33f928d188ddc60f26b4c9a097 to your computer and use it in GitHub Desktop.
Download ZIP
Binary Rename static detection
Raw
Get-BinaryRename.ps1
<#
.SYNOPSIS
Find BinaryRename of commonly abused Living off the Land Binaries
Name: Get-BinaryRename.ps1
Date: 2019-05-31
Version: 0.2
Author: Matt Green (@mgreen27)
Requirements:
Get-FileHash Powershell 4.0+
Rest Powershell 2+
.DESCRIPTION
The script leverages Powershell VersionInfo method.
It checks all exe files and compares OriginalName to FileName and special cases.
The script will also generate a hash and add to the output for identification.
Time for run is included in the script and can easily be commented out.
.EXAMPLE
Get-BinaryRename.ps1
.NOTES
Add additional OriginalNames to the OriginalNames hashtable to expand detection.
.LINK
https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html
#>
# Set CPU prioirty
$Process = Get-Process -Id $Pid
$Process.PriorityClass = 'IDLE'
$StopWatch = [System.diagnostics.stopwatch]::StartNew()
# OriginalName lowercase
$originalNames = @{
'cmd.exe' = $TRUE
'powershell.exe' = $TRUE
'psexec.c' = $TRUE
'cscript.exe' = $TRUE
'wscript.exe' = $TRUE
'mshta.exe' = $TRUE
'regsvr32.exe' = $TRUE
'wmic.exe' = $TRUE
'certutil.exe' = $TRUE
'rundll32.exe' = $TRUE
'cmstp.exe' = $TRUE
'msiexec.exe' = $TRUE
'7z.exe' = $TRUE
'WinRAR.exe' = $TRUE
}
Get-ChildItem -force -Recurse -File -filter "*.exe" \ -ErrorAction SilentlyContinue |
ForEach-Object {
Try {
$fileName = $_.Name.ToString()
$origName = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($_.FullName).OriginalFileName
If ($origName) {
$origName = $origName.ToString().ToLower().TrimEnd(".mui")
if ( $origName -ne $fileName.toLower() -and $fileName.ToLower().SubString(0,6) -ne 'psexec' ) {
if ( $originalNames[$origName] ) {
$fileHash = Get-FileHash $_.FullName -Algorithm SHA1 -ErrorAction SilentlyContinue
$result = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($_.FullName) | select *
$result | Add-Member -NotePropertyName Sha1Hash -NotePropertyValue $fileHash.hash
$result
}
}
}
}
Catch { Write-host $_ }
}
"TotalSeconds = " + $StopWatch.elapsed.TotalSeconds
$StopWatch.Stop()
Raw
inverseYara.ps1
<#
.SYNOPSIS
YARA loader script to pass filename as an external variable to a yara scan for binary rename use case.
.DESCRIPTION
YARA loader script to pass filename as an external variable to a yara scan for binary rename use case.
Add yara binaries and rename.yar to same folder as inverseYara.ps1.
Target of "\" can be changed as required.
Variable passed to Yara can be changed as required.
Measured time of script to run also output.
.EXAMPLE
powershell -ExecutionPolicy ByPass -f inverseYara.ps1
.LINK
https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html
#>
# Set CPU prioirty
$Process = Get-Process -Id $Pid
$Process.PriorityClass = 'IDLE'
$StopWatch = [System.diagnostics.stopwatch]::StartNew()
If ([System.Environment]::Is64BitOperatingSystem) {
Get-ChildItem -Recurse -filter *.exe \ -ErrorAction SilentlyContinue |
ForEach-Object {
.\yara64.exe -d filename=$(($_.Name).ToLower()) rename.yar $_.FullName 2> $null
}
}
Else {
Get-ChildItem -Recurse -filter *.exe \ -ErrorAction SilentlyContinue |
ForEach-Object {
.\yara32.exe -d filename=$(($_.Name).ToLower()) rename.yar $_.FullName 2> $null
}
}
"TotalSeconds = " + $StopWatch.elapsed.TotalSeconds
$StopWatch.Stop()
Raw
rename.yar
/*
Binary Rename Detection POC
This ruleset was used to test performance of yara PE module vs Powershell VersionInfo
Author: @mgreen27
Reference: https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html
*/
import "pe"
rule renamedCMD
{
condition:
pe.version_info["InternalName"] == "cmd" and
not filename == "cmd.exe"
}
rule renamedPowershell
{
condition:
pe.version_info["InternalName"] == "POWERSHELL" and
not filename == "powershell.exe"
}
rule renamedPsExec
{
condition:
pe.version_info["InternalName"] == "PsExec" and
not filename == "psexec.exe" and
not filename == "psexec64.exe" and
not filename == "psexesvc.exe"
}
rule renamedCscript
{
condition:
pe.version_info["InternalName"] == "cscript.exe" and
not filename == "cscript.exe"
}
rule renamedWscript
{
condition:
pe.version_info["InternalName"] == "wscript.exe" and
not filename == "wscript.exe"
}
rule renamedCertutil
{
condition:
pe.version_info["InternalName"] == "CertUtil.exe" and
not filename == "certutil.exe"
}
rule renamedWmic
{
condition:
pe.version_info["InternalName"] == "wmic.exe" and
not filename == "wmic.exe"
}
rule renamedMshta
{
condition:
pe.version_info["InternalName"] == "MSHTA.EXE" and
not filename == "mshta.exe"
}
rule renamedRegsvr32
{
condition:
pe.version_info["InternalName"] == "REGSVR32" and
not filename == "regsvr32.exe"
}
rule renamedRundll32
{
condition:
pe.version_info["InternalName"] == "rundll" and
not filename == "rundll32.exe"
}
rule renamedCmstp
{
condition:
pe.version_info["InternalName"] == "CMSTP" and
not filename == "cmstp.exe"
}
rule renamedMsiexec
{
condition:
pe.version_info["InternalName"] == "msiexec" and
not filename == "msiexec.exe"
}
rule renamed7zip
{
condition:
pe.version_info["InternalName"] == "7z" and
not filename == "7z.exe"
}
rule renamedWinRar
{
condition:
pe.version_info["InternalName"] == "WinRAR" and
not filename == "winrar.exe"
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment