Tech News - HakTechs

SitRep – Extensible, Configurable Host Triage

SitRep - Extensible, Configurable Host Triage

[*]

SitRep is meant to provide a light-weight, extensible host triage alternate. Checks are loaded dynamically at runtime from stand-alone files. This allows operators to immediately modify present checks, or add new checks as demanded.

Checks are grouped by group and can be marked as OpSec risk-free/unsafe. unsafe checks are only loaded if the /AllowUnsafe flag is provided.

Appealing final results are highlighted with a “[*]”

Checks

Checks are separated into categories. This enables them to be shown in proper groups. The adhering to checks are currently out there:

Natural environment

  • CurrentUser.cs – the latest person
  • DomainName.cs – the area name
  • HostName.cs – the hostname
  • LoggedOnUsers.cs – Record all logged on users
  • OSVersion.cs – OS edition details
  • VirtualEnvironment.cs – Checks if we are working in a virtualised setting
  • userEnvironmentVariables.cs – Grabs the ecosystem variables applied to the recent procedure
  • SystemEnvironmentVariables.cs – Grabs process setting variables from the registry (HKLM)
  • NameServers.cs – Receives the DNS servers for each individual community interface

Defences

  • AVProcesses.cs – Checks if any known AV procedures are working

Permissions

  • Integrity.cs – Get the integrity amount of the present-day process
  • LocalAdmin.cs – Check out if we are a community admin
  • Privileges.cs – Listing our present-day privileges.
  • UACLevel.cs – Get the UAC level
  • UserDomainGroups.cs – Will get the users domain group memberships
  • ComputerDomainGroups.cs – Receives the area groups the computer system is a member of

Computer software

  • InstalledBrowsers.cs – Lists the browsers mounted on the endpoint

Qualifications

The following checks are now marked as becoming not OpSec protected:

  • CredentialManager.cs
  • ComputerDomainGroups.cs
  • UserDomainGroups.cs

You really should overview this configuration and update the OpSec tags as expected.

Disabling Checks

All checks are enabled by default. Even so, as checks are loaded dynamically, it is feasible to disable them.

Disabling a look at

CheckBase features a boolean “Enabled” assets, which defaults to correct. This can be established in the derived course by introducing a constructor. The example under disables the CurrentUser check (CurrentUser.cs):

general public CurrentUser()

    foundation.Enabled = phony

Excluding checks from the construct

As checks are loaded dynamically, it is probable to exclude a check from the build with out other modifications. The least difficult way to do this is to right-click on the verify course in Visual Studio and choose “exclude from undertaking”. The check out can be re-added by picking “incorporate in task” from the very same context menu.

This approach has the gain of eradicating the code from the compiled artifact.

Illustration Usage

Operate all checks

SitRep.exe /AllowUnsafe

Operate only OpSec risk-free checks (default)

SitRep.exe

SitRep is created to be executed via execute-assembly (or equal)

Incorporating Checks

Checks inherit from CheckBase and put into practice the ICheck interface. This enforces the patterns desired for the dynamic test loading. Other approaches and lessons can be additional as expected.

The ICheck interface exposes the following homes and strategies:

  • IsOpsecSafe (bool) – Indicates if the check out is regarded as OpSec secure or not
  • DisplayOrder (int) – The order in which to show the result of this check out inside of its exhibit group
  • Examine() – The method known as to operate the precise look at

Derived lessons should override the “ToString()” system defined in CheckBase. This method is named when displaying the output of each individual verify.

Entry to indigenous techniques is presented by means of lessons in the “NativeMethods” folder. Each and every course is named right after the dll it interacts with.

Checks are accountable for giving their have mistake managing. Recent checks wrap the complete “examine” method in a try-capture block, the use of this sample is encouraged.

An example, empty test is shown underneath

working with SitRep.Interfaces
utilizing Process

namespace SitRep.Checks.Software package
{
    course ExampleCheck : CheckBase, ICheck
    
        community bool IsOpsecSafe => true

        community int DisplayOrder => 1

        community Enums.Enums.CheckType CheckType => Enums.Enums.CheckType.Credential

        public void Check()
        
            try out
            
                throw new NotImplementedException()
            
            catch
            
                Information = "Check unsuccessful [*]"
            
        

        general public override string ToString()
        
            toss new NotImplementedException()
        
    
}

Contributing

PRs welcome. Be sure to be certain checks are stand-alone (i.e. not dependent on the output of other checks). As significantly as probable, checks really should be self-contained, with all solitary-use code present in just the look at class.

Why no unit exams?

Have you ever tried out mocking a area-joined Windows endpoint? Which is why.

Thanks

SitRep will make use of code from Seatbelt, SharpUp and random StackOverflow posts. Credits have been extra where by correct.

[*]Image and Write-up Source website link

[*]Study Additional on Pentesting Tools

Tags:

You may also like...

Leave a Reply

Your email address will not be published. Required fields are marked *