Trawler: help Incident Responders discover adversary persistence mechanisms

Incident Responders discover

Trawler

Trawler is a PowerShell script designed to help Incident Responders discover potential indicators of compromise on Windows hosts, primarily focused on persistence mechanisms including Scheduled Tasks, Services, Registry Modifications, Startup Items, Binary Modifications, and more.

Currently, trawler can detect most of the persistence techniques specifically called out by MITRE and Atomic Red Team with more detections being added on a regular basis.

Main Features

  • Scanning Windows OS for a variety of persistence techniques (Listed below)
  • CSV Output with MITRE Technique and Investigation Jumpstart Metadata
  • Analysis and Remediation Guidance Documentation (https://github.com/joeavanzato/Trawler/wiki/Analysis-and-Remediation-Guidance)
  • Dynamic Risk Assignment for each detection
  • Built-in Allow Lists for common Windows configurations spanning Windows 10/Server 2012|2016|2019|2022 to reduce noise
  • Capture persistence metadata from the ‘golden’ enterprise image for use as a dynamic allow-list at runtime
  • Analyze mounted disk images via drive re-targeting

What is inspected?

  • Scheduled Tasks
  • Users
  • Services
  • Running Processes
  • Network Connections
  • WMI Event Consumers (CommandLine/Script)
  • Startup Item Discovery
  • BITS Jobs Discovery
  • Windows Accessibility Feature Modifications
  • PowerShell Profile Existence
  • Office Addins from Trusted Locations
  • SilentProcessExit Monitoring
  • Winlogon Helper DLL Hijacking
  • Image File Execution Option Hijacking
  • RDP Shadowing
  • UAC Setting for Remote Sessions
  • Print Monitor DLLs
  • LSA Security and Authentication Package Hijacking
  • Time Provider DLLs
  • Print Processor DLLs
  • Boot/Logon Active Setup
  • User Initialization Logon Script Hijacking
  • ScreenSaver Executable Hijacking
  • Netsh DLLs
  • AppCert DLLs
  • AppInit DLLs
  • Application Shimming
  • COM Object Hijacking
  • LSA Notification Hijacking
  • ‘Office test’ Usage
  • Office GlobalDotName Usage
  • Terminal Services DLL Hijacking
  • Autodial DLL Hijacking
  • Command AutoRun Processor Abuse
  • Outlook OTM Hijacking
  • Trust Provider Hijacking
  • LNK Target Scanning (Suspicious Terms, Multiple Extensions, Multiple EXEs)
  • ‘Phantom’ Windows DLL Names loaded into running process (eg. un-signed WptsExtensions.dll)
  • Scanning Critical OS Directories for Unsigned EXEs/DLLs
  • Un-Quoted Service Path Hijacking
  • PATH Binary Hijacking
  • Common File Association Hijacks and Suspicious Keywords
  • Suspicious Certificate Hunting
  • GPO Script Discovery/Scanning
  • NLP Development Platform DLL Overrides
  • AeDebug/.NET/Script/Process/WER Debug Replacements
  • Explorer ‘Load’
  • Windows Terminal startOnUserLogin Hijacks
  • App Path Mismatches
  • Service DLL/ImagePath Mismatches
  • GPO Extension DLLs
  • Potential COM Hijacks
  • Non-Standard LSA Extensions
  • DNSServerLevelPluginDll Presence
  • Explorer\MyComputer Utility Hijack
  • Terminal Services InitialProgram Check
  • RDP Startup Programs
  • Microsoft Telemetry Commands
  • Non-Standard AMSI Providers
  • Internet Settings LUI Error DLL
  • PeerDist\Extension DLL
  • ErrorHandler.CMD Checks
  • Built-In Diagnostics DLL
  • MiniDumpAuxiliary DLLs
  • KnownManagedDebugger DLLs
  • WOW64 Compatibility Layer DLLs
  • EventViewer MSC Hijack
  • Uninstall Strings Scan
  • PolicyManager DLLs
  • SEMgr Wallet DLL
  • WER Runtime Exception Handlers
  • HTML Help (.CHM)
  • Remote Access Tool Artifacts (Files, Directories, Registry Keys)
  • ContextMenuHandler DLL Checks
  • Office AI.exe Presence
  • Notepad++ Plugins
  • MSDTC Registry Hijacks
  • Narrator DLL Hijack (MSTTSLocEnUS.DLL)
  • Suspicious File Location Checks

Install & Use

Copyright (c) 2023 panscan