exotron: Sandbox feature upgrade
exotron
Sandbox Feature Upgrader
What it does
It’s so sad that the big sandbox vendors do not provide the information that a blue teamer would like to see in their reports. For me, it was always important to see Windows Eventlog events in these reports – especially to create Sigma rules. The sandboxes that I use do not provide this feature, so I decided to add it myself, to the samples that I drop, in the form of a wrapper.
Exotron wraps the sample in a set of commands that run before and after the sample execution.
This is what happens in the current PoC-like version:
- Activates all event types in the local audit policy of the Windows system
- Clears the current eventlog entries in Security, Application, System
- Installs Sysmon (yeah!)
- Runs samples in a .\samples subdirectory (of the SFX)
- Exports the Eventlog and Sysmon entries as CSV to files on disk (which can then be downloaded as “dropped files”)
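The five steps above, written out as a PowerShell script. This is an added example and not exotron's own code; it assumes Sysmon64.exe and the SwiftOnSecurity file sysmonconfig-export.xml sit in .\Sysmon, samples sit in .\samples, CSV files are written to .\out, and each sample gets 60 seconds to run before the script moves on.

```powershell
# Added example of exotron's pre/post sequence (not the project's code).
# Assumptions: .\Sysmon\Sysmon64.exe, .\Sysmon\sysmonconfig-export.xml,
# samples in .\samples, output in .\out, 60 s per sample, UAC disabled.
$ErrorActionPreference = 'Continue'
$Base = $PSScriptRoot
$Out  = Join-Path $Base 'out'
New-Item -ItemType Directory -Path $Out -Force | Out-Null

# 1. Enable success and failure auditing for every category of the local audit policy
auditpol /set /category:* /success:enable /failure:enable | Out-Null

# 2. Clear the classic logs so the export only holds events produced during this run
foreach ($log in 'Security', 'Application', 'System') { wevtutil cl $log }

# 3. Install Sysmon with the supplied configuration (config file name is an assumption)
$SysmonExe = Join-Path $Base 'Sysmon\Sysmon64.exe'
$SysmonCfg = Join-Path $Base 'Sysmon\sysmonconfig-export.xml'
& $SysmonExe -accepteula -i $SysmonCfg | Out-Null

# 4. Run every file in .\samples; Wait-Process bounds how long each one may block
Get-ChildItem -Path (Join-Path $Base 'samples') -File | ForEach-Object {
    $p = Start-Process -FilePath $_.FullName -WorkingDirectory $_.DirectoryName -PassThru
    Wait-Process -Id $p.Id -Timeout 60 -ErrorAction SilentlyContinue
}

# 5. Export the Eventlog and Sysmon entries as CSV, one file per log,
#    so the sandbox picks them up as dropped files
$Logs = @{
    'security.csv'    = 'Security'
    'application.csv' = 'Application'
    'system.csv'      = 'System'
    'sysmon.csv'      = 'Microsoft-Windows-Sysmon/Operational'
}
foreach ($file in $Logs.Keys) {
    Get-WinEvent -LogName $Logs[$file] -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, ProviderName, Message |
        Export-Csv -Path (Join-Path $Out $file) -NoTypeInformation -Encoding UTF8
}
```

The resulting CSV columns (TimeCreated, Id, ProviderName, Message) are the fields most Sigma rules key on, which is the point of collecting them from a sandbox run.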
Install
Requirements
Sandbox should have UAC disabled
- Download Sysmon from the Microsoft website and place it in the folder .\Sysmon
- Get the newest version of SwiftOnSecurity’s sysmon configuration or create your own and place it in the .\Sysmon directory
- Get Python3 if it is not already there
- Clone the repository: git clone https://github.com/Neo23x0/exotron.git
- Place samples in the .\samples subfolder
- Run python3 exotron.py --debug
- Drop the exotron-package.exe into a sandbox of your choice
Use
Copyright (c) 2018 Florian Roth
Source: https://github.com/Neo23x0/