2025-04-04 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/03 Report--
This article focuses on how to use SitRep, a powerful, lightweight and extensible host triage tool. Interested readers may wish to have a look. The method introduced here is simple, fast and practical, so let the editor take you through how to use it.
SitRep
SitRep aims to provide a lightweight, extensible alternative for host triage. Checks are loaded dynamically at run time from separate files, which allows researchers to quickly modify existing checks or add new ones as needed.
Checks are grouped by category and can be marked as OpSec safe or unsafe; unsafe checks run only when the /AllowUnsafe parameter is supplied.
Interesting results found by a check are marked with the "[*]" symbol.
Check categories
SitRep's checks are divided into categories so that the collected information is presented to researchers more effectively. SitRep currently provides the following categories and checks.
Environment
CurrentUser.cs - current user
DomainName.cs - domain name
HostName.cs - hostname
LoggedOnUsers.cs - displays all logged-on users
OSVersion.cs - operating system version information
VirtualEnvironment.cs - checks whether we are running in a virtualized environment
UserEnvironmentVariables.cs - gets the environment variables applied to the current process
SystemEnvironmentVariables.cs - gets the system environment variables from the registry (HKLM)
NameServers.cs - gets the DNS servers for each network interface
Defence
AVProcesses.cs - checks whether any known AV processes are running
Permissions
Integrity.cs - gets the integrity level of the current process
LocalAdmin.cs - checks whether we are a local administrator
Privileges.cs - lists our current privileges
UACLevel.cs - gets the UAC level
UserDomainGroups.cs - gets the user's domain group membership
ComputerDomainGroups.cs - gets the computer's domain group membership
Software
InstalledBrowsers.cs - lists the browsers installed on the endpoint
Credentials
CredentialManager.cs - retrieves the current user's credentials stored in the Windows Credential Manager
The following checks are currently not marked as OpSec safe:
CredentialManager.cs
ComputerDomainGroups.cs
UserDomainGroups.cs
If necessary, you can modify the relevant check and update its OpSec flag.
Disable a check
By default, all SitRep checks are enabled. However, since all checks are loaded dynamically, we can disable individual checks as needed.
CheckBase contains a Boolean option called "Enabled", which defaults to true. A derived class can change it by adding a constructor. In the following example, we disable the current-user check (CurrentUser.cs):
public CurrentUser()
{
    base.Enabled = false;
}
Exclude a check
Because checks are loaded dynamically, a check can also be excluded from the build entirely. The easiest way is to right-click the check's class in Visual Studio and select "Exclude From Project".
Usage examples
Run all checks:
SitRep.exe /AllowUnsafe
Run only OpSec-safe checks (default):
SitRep.exe
Sample SitRep execution:
Add a check
All SitRep checks inherit from the CheckBase base class and implement the ICheck interface, which is required for the dynamic loader to pick the check up. Of course, a check can also call other methods or add further classes as needed.
The ICheck interface exposes the following properties and methods:
IsOpsecSafe (bool) - indicates whether the check is OpSec safe
DisplayOrder (int) - the order in which the check's result is shown within its display group
Check() - the method that performs the actual check
Derived classes must override the "ToString()" method defined in CheckBase; it is called when each check's output is displayed.
Native methods are provided through the classes in the "NativeMethods" directory, each named after the DLL it wraps.
Each check is responsible for handling its own errors, so the entire body of the check method is wrapped in a try-catch block.
An empty skeleton check looks like this:
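As an added example (not code from the original article or from the SitRep project), here is a complete check written to the conventions just described, together with a minimal loader that mirrors the dynamic loading, the Enabled flag and the /AllowUnsafe switch. The CheckType enum, ICheck interface and CheckBase class below are simplified stand-ins that assume only the members the article names; the ProcessArchitecture and DisabledExample checks and the Runner class are hypothetical.

```csharp
using System;
using System.Linq;

// Simplified stand-ins for SitRep's Enums, ICheck and CheckBase (assumed; only the members the article names).
public enum CheckType { Environment, Permissions, Software, Credential }
public interface ICheck
{
    bool IsOpsecSafe { get; }
    int DisplayOrder { get; }
    CheckType CheckType { get; }
    void Check();
}
public abstract class CheckBase
{
    public bool Enabled = true;   // defaults to true; a derived constructor may set it to false
    public string Message = "";   // filled in by Check(), rendered by ToString()
}

// Example Environment check: report process bitness and flag a 32-bit process under WOW64 with "[*]".
class ProcessArchitecture : CheckBase, ICheck
{
    public bool IsOpsecSafe => true;
    public int DisplayOrder => 5;
    public CheckType CheckType => CheckType.Environment;
    public void Check()
    {
        // Each check handles its own errors: the whole body sits inside try-catch.
        try { Message = $"64-bit process: {Environment.Is64BitProcess}" + (Environment.Is64BitOperatingSystem && !Environment.Is64BitProcess ? " (WOW64) [*]" : ""); }
        catch (Exception e) { Message = $"Check failed: {e.Message} [*]"; }
    }
    public override string ToString() => $"[Process Architecture] {Message}";
}

// The same check disabled through its constructor, as in the "Disable a check" section; the loader skips it.
class DisabledExample : ProcessArchitecture { public DisabledExample() { base.Enabled = false; } }

static class Runner
{
    // Mirrors SitRep's dynamic loading: every ICheck in the assembly, filtered by Enabled and /AllowUnsafe, sorted by group then order.
    static void Main(string[] args)
    {
        bool allowUnsafe = args.Any(a => a.Equals("/AllowUnsafe", StringComparison.OrdinalIgnoreCase));
        var checks = typeof(Runner).Assembly.GetTypes()
            .Where(t => t.IsClass && !t.IsAbstract && typeof(ICheck).IsAssignableFrom(t))
            .Select(t => (ICheck)Activator.CreateInstance(t))
            .Where(c => ((CheckBase)c).Enabled && (allowUnsafe || c.IsOpsecSafe))
            .OrderBy(c => c.CheckType).ThenBy(c => c.DisplayOrder);
        foreach (var c in checks) { c.Check(); Console.WriteLine(c); }
    }
}
```

Running it without arguments prints only the enabled, OpSec-safe ProcessArchitecture result; DisabledExample is instantiated but filtered out by its Enabled flag, just as SitRep skips checks whose constructor sets base.Enabled to false.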
using SitRep.Interfaces;
using System;

namespace SitRep.Checks.Software
{
    class ExampleCheck : CheckBase, ICheck
    {
        public bool IsOpsecSafe => true;
        public int DisplayOrder => 1;
        public Enums.Enums.CheckType CheckType => Enums.Enums.CheckType.Credential;

        public void Check()
        {
            // The whole check body is wrapped in try-catch so the check handles its own errors.
            try
            {
                throw new NotImplementedException();
            }
            catch
            {
                Message = "Check failed [*]";
            }
        }

        // Called when this check's output is displayed.
        public override string ToString()
        {
            throw new NotImplementedException();
        }
    }
}
At this point, I believe you have a better understanding of how to use the powerful, lightweight and extensible SitRep host triage tool. You might as well try it out in practice. For more related content, follow us and continue to learn!