biggiesmallsAG / nightHawkResponse

Incident Response Forensic Framework

Issue #20

Open Gaz494 opened 7 years ago

Gaz494 commented 7 years ago

Hi,

Whilst testing nightHawk I have run into a bit of an issue and was wondering if anyone could help me?

I have a VM that I have run the Zeus RAT on and then ran a comprehensive Redline collector. When I uploaded it to nightHawk and went to investigate it, it gave me the following:

http://i78.photobucket.com/albums/j81/gazTD/crashed.png

Any ideas would be greatly appreciated. I find it hard to believe that Zeus has caused this.

Gaz494 commented 7 years ago

I should also say that I ran a PowerShell Pass the Hash from Kali Linux to the Win7 VM to gain access, then downloaded and executed Zeus. I ran the collector after the Pass the Hash and that loads fine; the only other change since then is Zeus being downloaded to the victim and executed.

biggiesmallsAG commented 7 years ago

Hey Gaz,

Can you zip up a copy of the audit and send it to me? There is definitely a bug (another user has experienced similar) and it may have to do with meta in the audit files. I'd like to test so I can get to the bottom of it as I haven't experienced this myself.

Dan

Gaz494 commented 7 years ago

Dan,

Due to the file sizes I could not email them to you, but here are the links to the files on my Google Drive, you should be able to download them from there.

Gaz

20161111112505.zip https://drive.google.com/file/d/0B1EKjmt1HpmbSHJnejJhTXYtZU0/view?usp=drive_web

20161111113749.zip https://drive.google.com/file/d/0B1EKjmt1Hpmbb3BDVTdwVEFrVzg/view?usp=drive_web

On 15 Nov 2016 20:40, "biggiesmallsAG" notifications@github.com wrote:


biggiesmallsAG commented 7 years ago

Hey Gaz,

I'm at a conference at the moment but will get these and test them asap. Will be back in touch soon.

Regards,

Dan

biggiesmallsAG commented 7 years ago

Hi Gaz,

So the issue is this: the case name supplied has "-" in it and it causes the urls.py regex, which looks for "(?\w+)", to return false and drive the window back to the home screen, where error handling doesn't catch it and reloads the AngularJS views, in turn causing the cascade effect.

I've tested against your triage files and after implementing the fix all works fine.

We are just discussing the best way to release the fix, will be back to you very shortly.

Dan
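The root cause Dan describes, reproduced as an added example that is not part of the issue thread or of nightHawkResponse's own urls.py: `\w` in a Python/Django route regex matches only letters, digits and underscore, so a named group built from `\w+` rejects any case name containing "-", the route fails to resolve and the front end falls back to the home screen. The route shape, the group name `case_name` and the sample case names below are assumptions constructed for the demonstration; the fix shown (`[\w-]+`) is one way to admit hyphens, and the `case_name_is_routable` check shows how to validate a case name at creation time so a dead route can never be stored.

```python
import re

# Assumed route, modelled on a Django urls.py named group like the "(?\w+)"
# quoted in the thread. The group name "case_name" is an assumption.
ORIGINAL_CASE_ROUTE = re.compile(r"^case/(?P<case_name>\w+)/$")

# Hardened version: \w covers [A-Za-z0-9_] only, so "-" must be listed explicitly.
FIXED_CASE_ROUTE = re.compile(r"^case/(?P<case_name>[\w-]+)/$")


def resolve_case(path, route):
    """Return the case name the route extracts from `path`, or None if the route rejects it.

    None is the failure mode described in the thread: the view never matches,
    the browser is sent back to the home screen and the AngularJS views reload.
    """
    match = route.match(path)
    return match.group("case_name") if match else None


def case_name_is_routable(case_name, route=FIXED_CASE_ROUTE):
    """Validate a case name before it is stored, so every stored case has a resolvable URL."""
    return resolve_case(f"case/{case_name}/", route) == case_name


# Constructed sample case names; the hyphenated one reproduces the reported failure.
SAMPLES = ["zeus_test", "zeus-test", "zeus test", ""]

if __name__ == "__main__":
    for name in SAMPLES:
        original = resolve_case(f"case/{name}/", ORIGINAL_CASE_ROUTE)
        fixed = resolve_case(f"case/{name}/", FIXED_CASE_ROUTE)
        print(f"{name!r:14} original={original!r:14} fixed={fixed!r}")
```

Running the block prints one line per sample: "zeus-test" resolves to None under the original pattern and to "zeus-test" under the fixed one, while names with spaces or no characters are rejected by both. Validating at input time rather than widening the regex alone is the safer design, because whatever character set the route accepts is then enforced where the case is created.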