joeavanzato/QuickScan

QuickScan

Hunting for Abnormalities

Uses some awesome existing repositories:

Scheduled Tasks

  • Abnormally Short-Named Binaries [DONE]
  • Potentially Dangerous Extension [DONE]
  • Binaries in User Locations
  • Recently Added

Services

  • Abnormally Short-Named Binaries [DONE]
  • Starting from User Directory [DONE]
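
The Scheduled Tasks and Services checks above share one idea: resolve the image each task action or service actually launches, then apply a few cheap heuristics to that path. The following PowerShell is an added example written for this page, not QuickScan's own code. It assumes the ScheduledTasks module (Windows 8 / Server 2012 and later) and CIM access to Win32_Service; the short-name threshold, the "risky" extension list, the user-writable roots and the "recently added" window are assumptions to tune per environment.

```powershell
# Added example, not QuickScan's own code. Enumerates the image every scheduled
# task action and every service launches, then applies the heuristics above.
# Thresholds and path lists are assumptions; tune them to the environment.
$ShortNameMax    = 2      # assumption: a basename of 2 chars or fewer is "abnormally short"
$RecentDays      = 14     # assumption: a task registered in the last 14 days is "recently added"
$RiskyExtensions = @('.ps1', '.vbs', '.vbe', '.js', '.jse', '.wsf', '.hta', '.bat', '.cmd', '.scr')
$UserLocations   = @('\Users\', '\Temp\', '\ProgramData\', '\PerfLogs\')   # assumption: user-writable roots

function Get-ExecutablePath {
    # First token of a command line, unquoted, with %ENV% variables expanded:
    #   "C:\Program Files\x\a.exe" -arg        -> C:\Program Files\x\a.exe
    #   %SystemRoot%\system32\svchost.exe -k x -> C:\Windows\system32\svchost.exe
    param([string]$CommandLine)
    if ([string]::IsNullOrWhiteSpace($CommandLine)) { return $null }
    $cl = $CommandLine.Trim()
    if ($cl.StartsWith('"')) {
        $end = $cl.IndexOf('"', 1)
        $exe = if ($end -gt 1) { $cl.Substring(1, $end - 1) } else { $cl.Trim('"') }
    } else {
        $exe = ($cl -split '\s+', 2)[0]
    }
    return [Environment]::ExpandEnvironmentVariables($exe)
}

function Get-PathFindings {
    # Names of every heuristic the path trips; nothing when it looks normal
    param([string]$Path)
    $findings = @()
    try {
        $base = [System.IO.Path]::GetFileNameWithoutExtension($Path)
        $ext  = [System.IO.Path]::GetExtension($Path).ToLower()
    } catch { return 'UnparseablePath' }
    if ($base.Length -le $ShortNameMax)  { $findings += 'AbnormallyShortBinaryName' }
    if ($RiskyExtensions -contains $ext) { $findings += 'PotentiallyDangerousExtension' }
    foreach ($loc in $UserLocations) {
        if ($Path -like "*$loc*") { $findings += 'BinaryInUserLocation'; break }
    }
    return $findings
}

function Invoke-PersistenceBinaryHunt {
    $cutoff = (Get-Date).AddDays(-$RecentDays)
    foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
        $recent = $false
        try { if ($task.Date -and ([datetime]$task.Date) -gt $cutoff) { $recent = $true } } catch { }
        foreach ($action in $task.Actions) {
            $exe = Get-ExecutablePath $action.Execute     # COM-handler actions have no Execute -> skipped
            if (-not $exe) { continue }
            $f = @(Get-PathFindings $exe)
            if ($recent) { $f += 'RecentlyRegistered' }
            if ($f.Count -gt 0) {
                [pscustomobject]@{ Source = 'ScheduledTask'; Name = "$($task.TaskPath)$($task.TaskName)"; Binary = $exe; Arguments = $action.Arguments; Findings = ($f -join ', ') }
            }
        }
    }
    foreach ($svc in Get-CimInstance -ClassName Win32_Service -ErrorAction SilentlyContinue) {
        $exe = Get-ExecutablePath $svc.PathName
        if (-not $exe) { continue }
        $f = @(Get-PathFindings $exe)
        if ($f.Count -gt 0) {
            [pscustomobject]@{ Source = 'Service'; Name = $svc.Name; Binary = $exe; Arguments = $svc.PathName; Findings = ($f -join ', ') }
        }
    }
}
Invoke-PersistenceBinaryHunt | Format-Table -AutoSize -Wrap
```

Run it from an elevated shell so that every task folder and service is visible. Expanding environment variables before testing the path matters: a service registered as `%LOCALAPPDATA%\x\y.exe` would otherwise slip past a literal `\Users\` match.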

Registry

  • RunOnce/RunServices/Run etc
  • Extension Hijacking
  • Debug
  • ShimDB
  • Program Associations

Suspicious File Names

  • Checking certain paths for known-dangerous redteam/malware file names [DONE]

Suspicious Extensions

  • Checking certain paths for known-dangerous extensions [DONE]

AmCache

False Extensions

  • Recursively check certain paths for file names with a trailing space which may be an obfuscation technique [DONE]
  • Check certain files and compare current extension with known magic byte identifier
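
Both False Extensions checks can be done in one pass over a directory tree: test the name for trailing whitespace (including a space before the last extension, as in `invoice.pdf .exe`), then read the first bytes of the file and compare them with the extension. The script below is an added example written for this page, not QuickScan's code. The scan roots and the signature table (PE, PDF, ZIP/OOXML, OLE2) are assumptions; extend the table with whatever formats matter in the environment.

```powershell
# Added example, not QuickScan's own code: both checks from the list above over a
# set of directories. Scan roots and the signature table are assumptions.
$ScanRoots = @("$env:USERPROFILE\Downloads", "$env:TEMP", "$env:ProgramData", "$env:PUBLIC")

# Leading bytes -> extensions that legitimately carry that content. Anything else with
# this header (including no extension at all) is reported as a mismatch.
$Signatures = @(
    @{ Label = 'PE (MZ)';   Magic = [byte[]](0x4D, 0x5A);                                     Exts = @('.exe', '.dll', '.sys', '.scr', '.cpl', '.ocx', '.drv', '.mui', '.efi') }
    @{ Label = 'PDF';       Magic = [byte[]](0x25, 0x50, 0x44, 0x46);                         Exts = @('.pdf') }
    @{ Label = 'ZIP/OOXML'; Magic = [byte[]](0x50, 0x4B, 0x03, 0x04);                         Exts = @('.zip', '.docx', '.xlsx', '.pptx', '.docm', '.xlsm', '.pptm', '.jar', '.apk', '.nupkg', '.vsix') }
    @{ Label = 'OLE2';      Magic = [byte[]](0xD0, 0xCF, 0x11, 0xE0, 0xA1, 0xB1, 0x1A, 0xE1); Exts = @('.doc', '.xls', '.ppt', '.msi', '.msg', '.msp') }
)

function Get-FileHeader {
    # First $Count bytes of a file, opened with a share mode that tolerates other open handles
    param([string]$Path, [int]$Count = 8)
    $fs = [System.IO.File]::Open($Path, [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read, [System.IO.FileShare]::ReadWrite)
    try {
        $buf  = New-Object byte[] $Count
        $read = $fs.Read($buf, 0, $Count)
        $out  = New-Object byte[] $read
        [Array]::Copy($buf, $out, $read)
        return ,$out
    } finally { $fs.Dispose() }
}

function Test-MagicPrefix {
    param([byte[]]$Header, [byte[]]$Magic)
    if ($Header.Length -lt $Magic.Length) { return $false }
    for ($i = 0; $i -lt $Magic.Length; $i++) { if ($Header[$i] -ne $Magic[$i]) { return $false } }
    return $true
}

function Find-FalseExtensions {
    param([string[]]$Roots = $ScanRoots)
    foreach ($root in $Roots) {
        if ([string]::IsNullOrWhiteSpace($root) -or -not (Test-Path -LiteralPath $root)) { continue }
        foreach ($file in Get-ChildItem -LiteralPath $root -File -Recurse -Force -ErrorAction SilentlyContinue) {
            # 1. Trailing space in the name or before the extension ("invoice.pdf .exe", "report.docx ")
            if ($file.Name -ne $file.Name.TrimEnd() -or $file.BaseName -ne $file.BaseName.TrimEnd()) {
                [pscustomobject]@{ Path = $file.FullName; Reason = 'TrailingSpaceInName'; Detail = "'$($file.Name)'" }
            }
            # 2. Content vs. extension
            try { $hdr = Get-FileHeader -Path $file.FullName } catch { continue }   # locked or unreadable
            $ext = $file.Extension.ToLower()
            foreach ($sig in $Signatures) {
                if (-not (Test-MagicPrefix -Header $hdr -Magic $sig.Magic)) { continue }
                if ($sig.Exts -notcontains $ext) {
                    [pscustomobject]@{ Path = $file.FullName; Reason = 'ExtensionMismatch'; Detail = "content is $($sig.Label), extension is '$ext'" }
                }
                break
            }
        }
    }
}
Find-FalseExtensions | Format-Table -AutoSize -Wrap
```

Files whose names end in a space are often unopenable through normal Win32 path handling (the trailing space is stripped during normalization), so the header read for those may fail and is skipped; the name finding is still reported. A PE header on a file with no extension is reported as a mismatch on purpose, since dropped payloads are frequently stored that way.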

Prefetch

  • Checking for known-dangerous redteam/malware file names [DONE]

Network Connections

  • Checking Active TCP Connections for suspicious properties (SMB, RDP, Telnet, SSH, WinRM) [DONE]
  • Checking qwinsta/quser/qprocess for Suspicious Active Connections
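
The Network Connections check amounts to joining the established TCP table with the process table and flagging the remote-management and lateral-movement services named above on either end. The following is an added example for this page, not QuickScan's code. It assumes `Get-NetTCPConnection` (NetTCPIP module, Windows 8 / Server 2012 and later); the port list and the "user-writable path" pattern for the owning process are assumptions.

```powershell
# Added example, not QuickScan's own code: flag established TCP connections that
# involve the remote-management / lateral-movement services named above, with the
# owning process attached. Port list and "user-writable path" pattern are assumptions.
$WatchedPorts = @{ 22 = 'SSH'; 23 = 'Telnet'; 445 = 'SMB'; 3389 = 'RDP'; 5985 = 'WinRM-HTTP'; 5986 = 'WinRM-HTTPS' }

function Get-AddressScope {
    # Loopback / Private / Public / Unknown, so a watched port to a public peer stands out
    param([string]$Address)
    $ip = $null
    if (-not [System.Net.IPAddress]::TryParse($Address, [ref]$ip)) { return 'Unknown' }
    if ([System.Net.IPAddress]::IsLoopback($ip)) { return 'Loopback' }
    $b = $ip.GetAddressBytes()
    if ($ip.AddressFamily -eq [System.Net.Sockets.AddressFamily]::InterNetworkV6) {
        # fe80::/10 link-local, fc00::/7 unique-local
        if ($ip.IsIPv6LinkLocal -or (($b[0] -band 0xFE) -eq 0xFC)) { return 'Private' }
        return 'Public'
    }
    $private = ($b[0] -eq 10) -or
               ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
               ($b[0] -eq 192 -and $b[1] -eq 168) -or
               ($b[0] -eq 169 -and $b[1] -eq 254)
    if ($private) { return 'Private' }
    return 'Public'
}

function Get-SuspiciousTcpConnections {
    # PID -> Win32_Process, so each connection carries its owner's name, path and command line
    $procs = @{}
    Get-CimInstance -ClassName Win32_Process -ErrorAction SilentlyContinue | ForEach-Object { $procs[[int]$_.ProcessId] = $_ }

    foreach ($c in Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue) {
        $scope = Get-AddressScope $c.RemoteAddress
        if ($scope -eq 'Loopback') { continue }
        $lp = [int]$c.LocalPort
        $rp = [int]$c.RemotePort
        $reasons = @()
        if ($WatchedPorts.ContainsKey($rp)) { $reasons += "Outbound $($WatchedPorts[$rp]) to $scope peer" }
        if ($WatchedPorts.ContainsKey($lp)) { $reasons += "Inbound $($WatchedPorts[$lp]) from $scope peer" }
        $p = $procs[[int]$c.OwningProcess]
        if ($p -and $p.ExecutablePath -match '\\(Users|Temp|ProgramData|PerfLogs)\\') { $reasons += 'OwnerRunsFromUserWritablePath' }
        if ($reasons.Count -eq 0) { continue }
        $pname = if ($p) { $p.Name } else { '<exited>' }
        $pcmd  = if ($p) { $p.CommandLine } else { $null }
        [pscustomobject]@{
            Local       = "$($c.LocalAddress):$lp"
            Remote      = "$($c.RemoteAddress):$rp"
            PID         = $c.OwningProcess
            Process     = $pname
            CommandLine = $pcmd
            Reasons     = ($reasons -join '; ')
        }
    }
}
Get-SuspiciousTcpConnections | Sort-Object Reasons | Format-Table -AutoSize -Wrap
```

Inbound SMB/RDP/WinRM from another workstation rather than a jump host, or outbound SSH/Telnet from a host that has no business doing either, is what to look for first. The `OwnerRunsFromUserWritablePath` reason is noisy on workstations with per-user applications and is better read as context for the other reasons than as a finding on its own.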

NTUSER.DAT Analysis

  • Suspicious Recently Opened Files
  • Suspicious File Execution Artifacts
  • Files Executed with 'Run'
  • Internet Access to Suspicious TLDs
  • Suspicious Typed Paths for Windows
  • Recently Opened Office Documents with Suspicious Extension

Internet History

  • Check for suspicious TLDs
  • Check for recently downloaded suspicious file-types

Yara Scan

  • YARA Scan suspicious file extensions
  • YARA Scan suspicious / active processes

Known Malicious Hashes

  • Scanning dangerous extension types across certain paths for known malicious hashes [LOGIC DONE]
    • Done using Loki Signature Base currently, updated at runtime.
  • TODO: Find additional high-fidelity datasets for integration.

Known Suspicious IP Addresses

  • Check active network connections for known C2/Evil

PowerShell History

  • Checking for dangerous commands/modules in history files [LOGIC DONE]

PowerShell Event Log

  • Checking for dangerous commands/module presence

Security Event Log

  • Checking for Users Added to the System
  • Checking for local group modifications, additions to the Administrators group, etc.
  • Checking for brute-force style activity
  • Checking for historical network logons
  • Checking for dangerous command-line usage [LOGIC DONE]
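
The account, group, brute-force and network-logon items above map onto a handful of Security event IDs: 4720 (user account created), 4728/4732/4756 (member added to a global/local/universal group), 4625 (failed logon) and 4624 (successful logon, where LogonType 3 is network and 10 is RemoteInteractive). The following is an added example for this page, not QuickScan's code. It reads fields from the event XML rather than the rendered message, needs an elevated shell to open the Security log, and treats the lookback window and brute-force threshold as assumptions.

```powershell
# Added example, not QuickScan's own code: a hunt over the Security log for the
# account, group, brute-force and network-logon signals listed above. Reading the
# Security log requires an elevated shell. Lookback and threshold are assumptions.
$LookbackDays   = 7
$BruteThreshold = 10    # assumption: this many 4625s from one source in the window is a candidate

function ConvertFrom-EventData {
    # Flatten <EventData><Data Name="X">value</Data>... into a hashtable, so fields
    # are read by name instead of parsing the locale-dependent rendered Message
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $h = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
    return $h
}

function Invoke-SecurityLogHunt {
    param([int]$Days = $LookbackDays, [int]$Threshold = $BruteThreshold)
    $filter    = @{ LogName = 'Security'; Id = @(4720, 4728, 4732, 4756, 4624, 4625); StartTime = (Get-Date).AddDays(-$Days) }
    $failed    = @{}   # logon source   -> number of 4625
    $netLogons = @{}   # "user from ip" -> number of 4624 with LogonType 3 (network) or 10 (RemoteInteractive)

    foreach ($e in Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue) {
        $d = ConvertFrom-EventData $e
        switch ($e.Id) {
            4720 {
                [pscustomobject]@{ Time = $e.TimeCreated; Category = 'UserAccountCreated'; Detail = "$($d.TargetDomainName)\$($d.TargetUserName) created by $($d.SubjectUserName)" }
            }
            { $_ -in 4728, 4732, 4756 } {
                # 4732 is the local-group case; a change to an admin group ranks higher
                $sev = if ($d.TargetUserName -match 'admin') { 'High' } else { 'Medium' }
                [pscustomobject]@{ Time = $e.TimeCreated; Category = "GroupMemberAdded/$sev"; Detail = "$($d.MemberName) ($($d.MemberSid)) added to $($d.TargetUserName) by $($d.SubjectUserName)" }
            }
            4625 {
                $src = if ($d.IpAddress -and $d.IpAddress -ne '-') { $d.IpAddress } else { $d.WorkstationName }
                $failed["$src"] = 1 + [int]$failed["$src"]
            }
            4624 {
                # skip machine accounts (trailing $) and anonymous logons to cut noise
                if (($d.LogonType -in @('3', '10')) -and $d.TargetUserName -notmatch '\$$' -and $d.TargetUserName -ne 'ANONYMOUS LOGON') {
                    $key = "$($d.TargetDomainName)\$($d.TargetUserName) from $($d.IpAddress) (type $($d.LogonType))"
                    $netLogons[$key] = 1 + [int]$netLogons[$key]
                }
            }
        }
    }
    foreach ($k in $failed.Keys) {
        if ($failed[$k] -ge $Threshold) {
            [pscustomobject]@{ Time = $null; Category = 'BruteForceCandidate'; Detail = "$($failed[$k]) failed logons (4625) from '$k' in the last $Days days" }
        }
    }
    foreach ($k in $netLogons.Keys) {
        [pscustomobject]@{ Time = $null; Category = 'NetworkLogon'; Detail = "$k, $($netLogons[$k]) time(s)" }
    }
}
Invoke-SecurityLogHunt | Format-Table -AutoSize -Wrap
```

Account-management events (4720, 47xx group changes) are only written when the "Audit User Account Management" and "Audit Security Group Management" subcategories are enabled; if the hunt returns no such events on a host where you expect them, check the audit policy before concluding nothing happened.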

Active Processes

  • YARA scan active processes with relevant rules
  • Check command-line for potential evil
  • Check process path and other statistics for known bad patterns
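
The PowerShell History check, the Security Event Log "dangerous command-line usage" check and the Active Processes command-line check all need the same thing: a set of patterns for encoded commands, download-and-execute one-liners, LOLBin abuse, credential access and anti-forensics, applied to whatever source supplies a command line. The script below is an added example written for this page, not QuickScan's code. It runs one pattern set over PSReadLine history files (`%APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt` for each profile), live Win32_Process command lines and Security 4688 events. The pattern list is an assumption: a starting point, not a complete signature set.

```powershell
# Added example, not QuickScan's own code: one set of command-line patterns applied
# to PSReadLine history files, live process command lines and Security 4688 events.
# The pattern list is an assumption: a starting point, not a complete signature set.
$SuspiciousPatterns = @(
    @{ Name = 'EncodedCommand';       Regex = '-e[a-z]*\s+[A-Za-z0-9+/=]{20,}' }
    @{ Name = 'DownloadAndExecute';   Regex = '(\biex\b|invoke-expression)[\s\S]{0,200}(downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient)|(downloadstring|downloadfile|net\.webclient|invoke-webrequest|\biwr\b)[\s\S]{0,200}(\biex\b|invoke-expression)' }
    @{ Name = 'PolicyBypassOrHidden'; Regex = '-(ep|exec|executionpolicy)\s+bypass|-w(indowstyle)?\s+hidden' }
    @{ Name = 'Base64Decode';         Regex = 'frombase64string' }
    @{ Name = 'LolbinDownloadOrExec'; Regex = 'certutil(\.exe)?\s.*-(urlcache|decode)|bitsadmin(\.exe)?\s.*/transfer|mshta(\.exe)?\s+(https?:|javascript:|vbscript:)|regsvr32(\.exe)?\s.*/i:https?:|rundll32(\.exe)?\s.*javascript:' }
    @{ Name = 'CredentialAccess';     Regex = 'invoke-mimikatz|sekurlsa|lsadump|rubeus|sharphound|invoke-kerberoast|comsvcs\.dll,?\s*minidump|procdump(\.exe)?\s.*lsass|reg(\.exe)?\s+save\s+hklm\\(sam|security|system)' }
    @{ Name = 'AntiForensics';        Regex = 'vssadmin(\.exe)?\s+delete\s+shadows|wmic\s+shadowcopy\s+delete|wevtutil(\.exe)?\s+cl\s|clear-eventlog|bcdedit(\.exe)?\s.*recoveryenabled\s+no' }
    @{ Name = 'AccountManipulation';  Regex = 'net1?(\.exe)?\s+user\s+\S+(\s+\S+)?\s+/add|net1?(\.exe)?\s+localgroup\s+administrators\s+\S+\s+/add' }
)

function Test-SuspiciousCommandLine {
    # Names of every pattern the line matches; empty array when clean (-match is case-insensitive)
    param([string]$Line)
    $hits = @()
    if ([string]::IsNullOrWhiteSpace($Line)) { return ,$hits }
    foreach ($p in $SuspiciousPatterns) { if ($Line -match $p.Regex) { $hits += $p.Name } }
    return ,$hits
}

function Invoke-CommandLineHunt {
    param([int]$Days = 7)
    # 1. PSReadLine history: interactive console sessions only, scripts are not recorded here
    $histGlob = "$env:SystemDrive\Users\*\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\*history*.txt"
    foreach ($file in Get-ChildItem -Path $histGlob -ErrorAction SilentlyContinue) {
        $user = if ($file.FullName -match '\\Users\\([^\\]+)\\') { $Matches[1] } else { '?' }
        $n = 0
        foreach ($line in Get-Content -LiteralPath $file.FullName -ErrorAction SilentlyContinue) {
            $n++
            $hits = Test-SuspiciousCommandLine $line
            if ($hits.Count) { [pscustomobject]@{ Source = "History:$user"; Where = "$($file.Name):$n"; Patterns = ($hits -join ','); CommandLine = $line } }
        }
    }
    # 2. Live processes
    foreach ($p in Get-CimInstance -ClassName Win32_Process -ErrorAction SilentlyContinue) {
        $hits = Test-SuspiciousCommandLine $p.CommandLine
        if ($hits.Count) { [pscustomobject]@{ Source = 'Process'; Where = "PID $($p.ProcessId) ($($p.Name))"; Patterns = ($hits -join ','); CommandLine = $p.CommandLine } }
    }
    # 3. Security 4688: CommandLine is only populated when process-creation command-line logging is enabled
    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddDays(-$Days) }
    foreach ($e in Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue) {
        $data = ([xml]$e.ToXml()).Event.EventData.Data
        $cmd  = ($data | Where-Object { $_.Name -eq 'CommandLine' }).'#text'
        $who  = ($data | Where-Object { $_.Name -eq 'SubjectUserName' }).'#text'
        $hits = Test-SuspiciousCommandLine $cmd
        if ($hits.Count) { [pscustomobject]@{ Source = 'Security:4688'; Where = "$($e.TimeCreated) $who"; Patterns = ($hits -join ','); CommandLine = $cmd } }
    }
}
Invoke-CommandLineHunt | Format-Table -AutoSize -Wrap
```

`Base64Decode` and `PolicyBypassOrHidden` fire on plenty of legitimate administration, so treat a single pattern as context and two or more on one line (an encoded command that is also hidden, a download that is piped to `iex`) as the thing to pull first. The 4688 source is empty unless "Include command line in process creation events" is enabled, and on busy hosts that query is the slow part of the script.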

CIM Providers

  • Check existing CIM providers for any potential tampering
