Using the VirusTotal relations tab I (admittedly with the help of who beat me to it?) was able to locate the C

We now have a clearer picture of the scope of the campaign and additional IOCs to prevent any further attacks from this infrastructure. Although the other EXEs were not necessarily used in these attacks, they are malicious and I would consider blocking them too.

Further investigation into the malware samples used in this campaign revealed some more interesting features. According to VirusTotal, the file ASTRO-GREP.EXE was created on yet the document was created on . It turns out the first file (the second stage payload) has been seen before by VirusTotal several months ago and was previously called Stub.exe. This could indicate that the threat actor behind these attacks has not altered the payload for other campaigns, but is changing the delivery technique. This does, however, benefit defenders, as it is much more likely to get detected by AV/EDR tools if it has been seen previously in the wild.

Also, you may have missed it, but the Pastebin link contained a username and how many times it was viewed.

I need to extract the IP address and file path from a Nessus report using text handlers such as Grep / Awk / Sed / Tr etc. I've got the script to isolate the IP address and file path, but I need to handle the text further and remove the "has not been patched remote version."

```sh
if   # (test condition is missing from the captured post)
then
    echo "No file specified."
else
    cat $1 | tr -d "\n" | tr "\r" "\n" | awk -F '","' '' nessus.log   # (awk program body is missing from the captured post)
fi
```

The report lines look like this:

```
192.168.1.1 - C:\WINDOWS\SYSTEM32\GPPREF.DLL HAS NOT BEEN PATCHED.
192.168.1.2 THE REMOTE HOST IS MISSING ONE OF THE FOLLOWING ROLLUP KBS : - 4022719 - 4022722C:\WINDOWS\SYSTEM32\BCRYPT.DLL HAS NOT BEEN PATCHED. 16859"
192.168.1.4 - C:\PROGRAM FILES\MICROSOFT SQL SERVER\MSSQL12.ACT7\MSSQL\BINN\SQLSERVR.EXE HAS NOT BEEN PATCHED. 16859"
```

So the end result should output the following from the above examples:

```
192.168.1.4 \PROGRAM FILES\MICROSOFT SQL SERVER\MSSQL12.ACT7\MSSQL\BINN\SQLSERVR.EXE
```

For every line that matches HAS NOT BEEN PATCHED, strip everything between the IP address and the first drive letter ( :), leaving for example:

```
C:\PROGRAM FILES\MICROSOFT SQL SERVER\MSSQL12.ACT7\MSSQL\BINN\SQLSERVR.EXE
```

The "IP Address" is defined as everything inside the square brackets at the start of the line that isn't a close square bracket ( ]*). Then strip everything from HAS NOT BEEN PATCHED to the end of the line, and print the modified line.

My recommendation would be to use a tab character \t as the field separator between IP Address and pathname instead of " - " (space, dash, space). That would make it easier to work with later. The / HAS NOT BEEN./ regexps include a space at the start to avoid leaving a dangling space character on the output.
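An added example, not part of the original question or answer, that carries out the answer's procedure with awk on constructed sample lines modelled on the ones in the Nessus question: keep only lines mentioning HAS NOT BEEN PATCHED, take the leading IP address (square brackets stripped if present), cut from the first drive letter to just before " HAS NOT BEEN PATCHED", and join the two fields with a tab. The "REMOTE VERSION" trailer, the up-to-date line and the bracketed IP form in the sample are assumptions, not lines from the post.

```shell
#!/bin/sh
# Added example (not the original poster's script): the answer's procedure in awk.
# Assumes each line starts with the IP address, optionally in square brackets,
# and that the file path starts at the first "X:\" drive letter on the line.
extract_patched_paths() {
    awk '
    / HAS NOT BEEN PATCHED/ {
        ip = $1
        gsub(/\[|\]/, "", ip)                        # drop surrounding [ ] if present
        if (match($0, /[A-Z]:\\/)) {                 # leftmost drive letter, e.g. C:\
            path = substr($0, RSTART)                # from the drive letter to end of line
            sub(/ HAS NOT BEEN PATCHED.*$/, "", path) # drop the trailer (leading space included)
            printf "%s\t%s\n", ip, path              # tab-separated, as the answer suggests
        }
    }'
}

# Constructed sample lines modelled on the question; the REMOTE VERSION trailer,
# the KERNEL32.DLL line and the bracketed IP on the last line are assumed.
sample_lines() {
    cat <<'EOF'
192.168.1.1 - C:\WINDOWS\SYSTEM32\GPPREF.DLL HAS NOT BEEN PATCHED. REMOTE VERSION : 6.1.7601.17514
192.168.1.2 THE REMOTE HOST IS MISSING ONE OF THE FOLLOWING ROLLUP KBS : - 4022719 - 4022722C:\WINDOWS\SYSTEM32\BCRYPT.DLL HAS NOT BEEN PATCHED. 16859"
192.168.1.3 - C:\WINDOWS\SYSTEM32\KERNEL32.DLL IS UP TO DATE
[192.168.1.4] - C:\PROGRAM FILES\MICROSOFT SQL SERVER\MSSQL12.ACT7\MSSQL\BINN\SQLSERVR.EXE HAS NOT BEEN PATCHED. 16859"
EOF
}

# Run the filter over the sample; the result is what this function writes to stdout.
run_sample() {
    sample_lines | extract_patched_paths
}

run_sample
```

Because awk's match() returns the leftmost occurrence of the drive-letter pattern, the glued "4022722C:\WINDOWS" line still yields the path starting at C:\, and the line with no HAS NOT BEEN PATCHED marker is dropped entirely. To run it on a real report, replace the sample_lines call with `extract_patched_paths < report.txt`.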