
A simple utility for converting files that describe malware infections into remediation scripts that can clean up infections using native OS tools.

Project description

Remediation off the Land.

Remediation off the Land (RotL) is a simple tool that converts a list of artifacts from a malware infection into commands that can be executed on the system to delete/remove those artifacts.

Installation

pip3 install rotl

The rotl.py script

When installed, a command line script named 'rotl' is supplied that converts a remediation file (the INI description of the infection) into a remediation script built from native OS tools. Currently only Windows remediations are supported.

$ rotl.py -h
usage: rotl.py [-h] [-w {win}] [-f REMEDIATION] [-t {win}] [-o OUTFILE]

Remediation off the Land: Write remediation files to execute

optional arguments:
  -h, --help            show this help message and exit
  -w {win}, --write-template {win}
                        write a remediation template file to local dir.
  -f REMEDIATION, --remediation REMEDIATION
                        the remediation file describing the infection
  -t {win}, --os-type {win}
                        remediation type (operating system)
  -o OUTFILE, --outfile OUTFILE
                        name of output file to write.

The Remediation File

You can use the rotl script to print a copy of the remediation template file that can be used to describe a malicious infection.

$ rotl.py -w win
+ Wrote remediate.ini

Now, you can edit the remediate.ini file to reflect the infection.
$ cat remediate.ini 
## Example remediate routine file.
##  All keys are commented out under their respective sections by default.

# Specify full paths to files that you want to delete.
#  ex: file1=c:\programdata\lemontrack installer\winserv.exe
[files]
;file1=
;file2=
;file3=

# Specify processes that you want to kill by name. All processes matching the name will be killed
#  ex: proc1=winserv.exe
[process_names]
;proc1=
;proc2=
;proc3=

# Delete a scheduled task
#  ex: task1=DHCP Monitor Task
[scheduled_tasks]
;task1=
;task2=

# SC delete services by their name
[services]
;service1=
;service2=

# Delete entire directories
#  ex: directory1=C:\ProgramData\LemonTrack Installer
[directories]
;directory1=
;directory2=

# Delete processes by their ID
#  ex: pid1=2664
[pids]
;pid1=
;pid2=

# delete individual registry key-values
#  ex: reg1=HKU\S-1-5-21-1660022851-2357930215-3100199371-1001\Software\Microsoft\Windows\CurrentVersion\Run\LemonTrack
#  This translates to: REG DELETE "HKU\S-1-5-21-1660022851-2357930215-3100199371-1001\Software\Microsoft\Windows\CurrentVersion\Run" /v LemonTrack /f
[registry_values]
;reg1=
;reg2=

# delete all values behind a key
#  ex: reg1=HKLM\Software\Microsoft\Windows\CurrentVersion\Run
#  REG DELETE HKLM\Software\Microsoft\Windows\CurrentVersion\Run /f
[registry_keys]
;reg1=
;reg2=

Example

Example remediate file describing a Qbot infection:

$ cat remediate.ini 
[files]
file1=C:\WINDOWS\TEMP\iajzq.mkt
file2=C:\Documents and Settings\Administrator\Application Data\Microsoft\Iajzq\iajzq.exe

[process_names]
proc1=cscript.exe
proc2=iajzq.exe
proc3=wscntfy.exe

[scheduled_tasks]
task1=mxsiajzqupd

[services]
service1=fehjgnzjh

[directories]
directory1=C:\documents and settings\administrator\application data\microsoft\iajzq

[pids]

[registry_values]
reg1=HKU\S-1-5-21-1549631456-1210741653-3294372961-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lcmkfq

[registry_keys]

Create the batch file:

$ rotl.py -f remediate.ini 
+ Wrote 'remediation.bat'

This file can now be executed with admin rights on the infected system to remove the infection.

$ cat remediation.bat 
taskkill /IM "cscript.exe" /F
taskkill /IM "iajzq.exe" /F
taskkill /IM "wscntfy.exe" /F
REG DELETE "HKU\S-1-5-21-1549631456-1210741653-3294372961-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "lcmkfq" /f
del "C:\WINDOWS\TEMP\iajzq.mkt"
del "C:\Documents and Settings\Administrator\Application Data\Microsoft\Iajzq\iajzq.exe"
cd "C:\documents and settings\administrator\application data\microsoft\iajzq" && DEL /F /Q /S * > NUL && cd .. && RMDIR /Q /S "C:\documents and settings\administrator\application data\microsoft\iajzq"
schtasks /Delete /TN "mxsiajzqupd" /F
net stop "fehjgnzjh" && SC DELETE "fehjgnzjh"
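The conversion shown above, reimplemented as an added example (this is not the project's own code): it parses the remediate.ini format using the same comment and section conventions as the template, emits one native-tool command per artifact in the order of the README's remediation.bat, and adds two checks a defender would want before running a generated script: values containing batch metacharacters are rejected so nothing can escape the quoted arguments, and a directory entry that resolves to a drive root is refused. The sample INI is constructed from the Qbot example; the registry_keys command is quoted here, unlike the template's comment, and the pid mapping to `taskkill /PID` is an assumption since the README does not show that line.

```python
import configparser
from typing import Dict, List

# Constructed sample modelled on the README's Qbot remediate.ini; one entry per section.
SAMPLE_INI = r"""
[files]
file1=C:\WINDOWS\TEMP\iajzq.mkt
[process_names]
proc1=cscript.exe
[scheduled_tasks]
task1=mxsiajzqupd
[services]
service1=fehjgnzjh
[directories]
directory1=C:\documents and settings\administrator\application data\microsoft\iajzq
[pids]
pid1=2664
[registry_values]
reg1=HKU\S-1-5-21-1549631456-1210741653-3294372961-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lcmkfq
[registry_keys]
reg1=HKLM\Software\Microsoft\Windows\CurrentVersion\Run
"""

UNSAFE = set('"&|^<>\r\n')  # characters that would break out of a quoted batch argument

def parse_remediation(text: str) -> Dict[str, List[str]]:
    # The template's ';' and '#' lines are comments; '=' is the only delimiter so 'C:\' survives.
    cfg = configparser.ConfigParser(comment_prefixes=("#", ";"), delimiters=("=",), interpolation=None)
    cfg.read_string(text)
    art = {s: [v.strip() for v in cfg[s].values() if v.strip()] for s in cfg.sections()}
    bad = [(s, v) for s, vs in art.items() for v in vs if UNSAFE & set(v)]
    if bad:
        raise ValueError(f"batch metacharacters in {bad}")
    return art

def build_commands(art: Dict[str, List[str]]) -> List[str]:
    # Same tool-per-section mapping and order as the README's remediation.bat output.
    cmds = [f'taskkill /IM "{p}" /F' for p in art.get("process_names", [])]
    cmds += [f"taskkill /PID {int(p)} /F" for p in art.get("pids", [])]  # int() rejects junk pids (assumed mapping)
    for path in art.get("registry_values", []):
        key, _, value = path.rpartition("\\")  # last path component is the value name
        cmds.append(f'REG DELETE "{key}" /v "{value}" /f')
    cmds += [f'REG DELETE "{k}" /f' for k in art.get("registry_keys", [])]  # quoted, unlike the template
    cmds += [f'del "{f}"' for f in art.get("files", [])]
    for d in art.get("directories", []):
        if d.rstrip("\\").endswith(":"):  # never recurse-delete a drive root
            raise ValueError(f"refusing to remove drive root {d!r}")
        cmds.append(f'cd "{d}" && DEL /F /Q /S * > NUL && cd .. && RMDIR /Q /S "{d}"')
    cmds += [f'schtasks /Delete /TN "{t}" /F' for t in art.get("scheduled_tasks", [])]
    cmds += [f'net stop "{s}" && SC DELETE "{s}"' for s in art.get("services", [])]
    return cmds
```

Joining the returned list with CRLF line endings gives a remediation.bat equivalent to the one shown above.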

Download files

Source Distribution: RotL-0.0.1.tar.gz (6.3 kB)

Built Distribution: RotL-0.0.1-py3-none-any.whl (10.3 kB, Python 3)