Hiding command prompt in a cuckoo report screenshots - security

I am analyzing malware using cuckoo. But in the reports generated, the content on screen is hidden due to the command prompt running on the host machine. Is there a way to hide this command prompt? I tried:
cuckoo submit -o arguments="- windows minimized" /path/to/binary
and
cuckoo submit -o arguments="/min" /path/to/binary
But still in the final screenshots of the host machine, I can see the command prompt and it is hiding stuff behind it that I need to see.

It may be that you need to keep your VM up-to-date and ready for analysis (open separately, run or cancel (depending on your approach) updates, etc.) and save that state to the pristine state you will be using for analysis.
It also means that regular issues with workstations might apply:
Without knowing many details about your analysis box, you can try guides like this.

Start Windows 10 sandbox in predefined state with additional software

Windows 10 has a new sandbox which is based on a very small and fast Hyper-V VM. With every start of the sandbox you get a "fresh" Windows and on every sandbox termination, all changes are discarded.
My question is: Is it possible to define in which state the sandbox starts? E.g. is it possible to start the VM with pre-installed reversing tools or a script that is automatically run, as soon as the system is booted?
Use case: Due to its fast start-up time and "throw away" characteristics, the Windows 10 sandbox would be a dream for automated malware analysis.
You can somehow change the behavior of the sandbox. For example, run a script at start up or disable network. See here for a how-to: https://medium.com/@maarten.goet/how-windows-1903-makes-malware-analysis-easier-introducing-windows-sandbox-3ec791c8367
In general, sandbox startup can be controlled by a startup configuration file:
Windows Sandbox supports simple configuration files, which provide a
minimal set of customization parameters for Sandbox. ... Windows Sandbox
configuration files are formatted as XML and are associated with
Sandbox via the .wsb file extension.
The specific ability to execute a script upon sandbox startup is documented here: https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file#logon-command
It says:
Logon command
Specifies a single command that will be invoked automatically after
the sandbox logs on. Apps in the sandbox are run under the container
user account. The container user account should be an administrator
account.
XML
<LogonCommand>
<Command>command to be invoked</Command>
</LogonCommand>
Command: A path to an executable or script inside the container that
will be executed after signing in.
Note
Although very simple commands will work (such as launching an
executable or script), more complicated scenarios involving multiple
steps should be placed into a script file. This script file may be
mapped into the container via a shared folder, and then executed via
the LogonCommand directive.
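As an added example (not part of the answer above or of Microsoft's documentation), a complete .wsb file that applies the note: the tooling and a startup script live in a host folder mapped read-only into the sandbox, networking is disabled so the sample cannot reach the host network, and LogonCommand runs the script from the mapped path. The host path C:\SandboxTools and the script name setup.cmd are assumed placeholders.

```xml
<Configuration>
  <!-- Keep the sample off the network; the default would give it connectivity. -->
  <Networking>Disable</Networking>
  <!-- Disable GPU sharing with the host to reduce the shared attack surface. -->
  <VGpu>Disable</VGpu>
  <MappedFolders>
    <MappedFolder>
      <!-- Host folder holding the analysis tools and the startup script (assumed path). -->
      <HostFolder>C:\SandboxTools</HostFolder>
      <!-- Path at which that folder appears inside the sandbox. -->
      <SandboxFolder>C:\Tools</SandboxFolder>
      <!-- Read-only: nothing running in the sandbox can modify the host copy. -->
      <ReadOnly>true</ReadOnly>
    </MappedFolder>
  </MappedFolders>
  <LogonCommand>
    <!-- A single command; the multi-step setup lives in the mapped script. -->
    <Command>C:\Tools\setup.cmd</Command>
  </LogonCommand>
</Configuration>
```

Launching the .wsb file (double-click or `start analysis.wsb`) boots a fresh sandbox that runs setup.cmd at logon; everything the script or the sample changes is discarded when the sandbox closes, while the read-only mapping keeps the host tool folder intact.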

Arch Linux Pacman monitor

Reminder: Arch Linux uses pacman not apt-get
So I had an idea that I wanted to be able to leave my room and still see the progress of a download from my phone. I have looked for preexisting programs but have found none, so I decided to write a program myself.
The first step I took was reading the pacman documentation, to see if there was a function that could get the current download status. I know there is a file I can check to see if it exists,
/var/lib/pacman/db.lck
which would tell me if there is a download.
However, I wanted to know more specifics on the download: progress and time remaining, name of download.
I have also found some GUI programs that use pacman and I was thinking of getting the source code to see if I could use some of that, but haven't found anything useful.
Is there a way to find out the specifics about a current download, other than looking at the terminal that the command is running on?
Why overcomplicate things? Just install "screen" via pacman, and start the pacman update inside a screen. And from your smartphone, use an SSH client to connect to your local machine and access that screen.
You could set up an ssh server on your host machine and connect to it using a terminal emulator on your phone (termux for example) and run whatever commands you like from there. This way you'll be able to view all terminal output from your phone quite seamlessly.

Bamboo 5.5.0 - How to delete a remote agent's capability via the bamboo-capabilities.properties file?

I am currently trying to automate the process of bamboo remote agent installation and uninstallation. I have run into a problem in regards to adding and removing capabilities.
What I am trying to automate:
(The following is what I do on the bamboo server via the GUI, I want to do this on the remote agent machine via bash script.)
1. I install the remote agent on a VM machine, then start it up. I go to the bamboo interface and click on the newly created agent's name.
2. I add a custom capability type, for the key I put 'buildserver' and for the value I put the name of the agent.
3. I add an 'Executable' capability of type 'Command' with Executable label 'cygwin' and path 'C:\cygwin64\bin\bash'
4. I navigate to the git executable, and remove it by clicking 'delete.' <--- (the problem step)
What I've done:
I have looked here and found a way to automate steps 1-3 using the following "bamboo-capabilities.properties" file:
buildserver="AGENTNAME"
system.builder.command.cygwin="C:\cygwin64\bin\bash"
However, I am stuck on how I would remove the git capability (step 4). I've tried appending something like this to the file:
system.git.executable=""
but it does not seem to do anything. Does anyone know how I would do this? There seems to be very little documentation about this online.
Thanks very much.
I never found a way to get around this, but I found a workaround. I later learned the point of removing git in my situation was to allow a shared capability that was also called git to take precedence. My workaround was to set the non-shared capability to the value of the shared capability. I am not 100% sure that this does the same thing, and I am not in a position to test it yet, but as a capability seems to be only a key-value pair I don't see why it wouldn't.... will update if anything breaks.

Launching a web page in a different process

I want to launch the browser in a different process when a particular link is clicked on the page. When I checked the net I found the following tip: http://www.dslreports.com/faq/3849 . But there we have to change the registry. Is there any simple way of doing this without touching the registry?
If you use the Google Chrome browser, each new window or tab runs in a separate process. Internet Explorer version 8 will do the same (it's currently in the second beta round).
Earlier versions of IE will run a new window in a separate process if it is launched from, say, the Start menu or the command line, or a link in an email (but not by clicking a link within IE). I imagine you could create a proxy that the client would run through, which would intercept the links you care about and launch them by running a command line request. That seems like more trouble than mucking with the registry though (assuming that registry change still works -- looks like your link is from 2002).
I don't believe this is possible unless you change the client computer setup or software it's running.
Why do you want to do this?

ssh and window ids

I have a project to do in school which is baffling me... I am SSHing into a Solaris computer in the computer lab from my own Debian box via
ssh -Y name@***.cs.<school>
I can get in just fine, and the X11 seems to be working also. However, this particular project requires us to find the window id of a netscape window via xwininfo and use this information in the following command
netscape -id 0xa00029 -remote 'openFile(/path/to/html/file)'
Now, if this netscape is the only window I have open (other than xterm), the preceding command works just fine. However, if I have any other iceweasel windows open (regardless of the order in which I opened netscape/iceweasel) the command will forward to my iceweasel despite the facts that I'm running the command in my SSH session and the two windows have very different window ids.
All of this eventually has to go into a C program, but I can't even get it to work reliably manually!
Any ideas?
P.S. I just saw this that may help. When I SSHed via Cygwin/X using the same command, I get this error
Warning: No xauth data; using fake authentication data for X11 forwarding.
Not sure if this is important as I can still use X11 (apparently) perfectly.
Thanks.
P.P.S. The -id switch is documented in the netscape man pages:
-id window-id
Identifies an X window to receive -remote commands. If
you do not specify a window, the first window found is
used.
When you use ssh -Y, you're requesting that remote clients be forwarded to your local X server, with full permissions. The Netscape/Mozilla/Firefox/Iceweasel/Etc. remote protocol runs through the X server, so it'll be forwarded too.
http://www.mozilla.org/unix/remote.html documents the protocol, and mentions nothing about -id. Nor does a very quick look at the source (e.g., http://mxr.mozilla.org/seamonkey/source/widget/src/xremoteclient/XRemoteClient.cpp#202) look promising for there being an -id option.
I sat down to an actual machine to perform the same tests, and they all fail there too... I would open 2 netscape windows and try to direct the command to one at a time. The most recently opened one would work properly, but any command directed to the other one would be forwarded to the same window, so at this point I am convinced that the problem lies in the command being not properly implemented and/or everything on that system being really, really old.
"if I have any other iceweasel windows open (regardless of the order in which I opened netscape/iceweasel) the command will forward to my iceweasel despite the facts that I'm running the command in my SSH session and the two windows have very different window ids"
Iceweasel is coded that way. It tries to have only a single process run for all open windows for that user.
Use the -no-remote command line option to avoid it. See http://kb.mozillazine.org/Command_line_arguments