blueteamvillage / DC31-obsidian-sec-eng

MIT License

Feature request - AutoHotKeys on User Workstations #45

Closed aviditas-security closed 1 year ago

aviditas-security commented 1 year ago

Background:

Provided I have enough lead-up time knowing the OS and version of the workstations, I can set up AHK to run scripts at startup to emulate a user interacting with the system. This would allow us to have much richer data over a longer period of time to further obfuscate the malicious activity, like in a real network environment. https://www.autohotkey.com/

Request for us to build

Install AutoHotKeys on the user workstations, then set up testing for a single workstation to ensure that the script generates the data we are looking for without appearing like a bot. If AHK is not possible or testing makes the kickoff process broken for analysis, then I can convert the AHK to an exe file to use instead. There are limitations to the exe version and it has a higher failure rate. The AHK script allows for recovery after errors and multiple scripts to crosslink for better reliability.

CRITERIA FOR SUCCESS

- Install AutoHotKeys on user workstation(s)
- Add the provided (by me) AHK script
- Test the script on a workstation and review data for quality

Alternative

- Place the exe version of the AHK script on a user workstation
- Test the script to ensure the data quality
- Add the exe to the builds of the user workstations

DRIs

a.skye (aviditas)#6832

juju4 commented 1 year ago

AutoHotKey is available in chocolatey, so install should not be a problem: https://community.chocolatey.org/packages/autohotkey

On the script usage, would it be through scheduled tasks? If I remember correctly, there is an option to give access to the desktop/user session. If through ansible, I would think that it has no access to the desktop. An early/poc test script to validate would be great! Also want to confirm security tools don't block it directly :)

There are a few GitHub projects that may be interesting if not already looked at, but I have not tested any:

- https://github.com/michaelb/simple-user-simulation (powershell)
- https://github.com/Julian-Theis/UserActivitySimulation (python)
- https://github.com/ShiftHackZ/ActionSimulator (C#)
- https://github.com/0xleone/NotARobot (AutoIt)

Ooops, I got it wrong. AutoIt and AutoHotKey are different things. I'm familiar only with the first one.
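The scheduled-task question above is the crux for a user-simulation script: anything delivered over WinRM/Ansible runs in a non-interactive session and cannot drive the desktop, whereas a logon-triggered task with an Interactive principal runs inside the simulated user's own desktop session. The following is an added example written for this thread, not code from the repository or the PR; the AutoHotkey install path, the script path and the `LAB\simuser` account are assumptions for the lab.

```powershell
# Added example (not project code): install AutoHotkey via Chocolatey and
# register a logon-triggered task that runs the simulation script in the
# interactive desktop session of a lab user. Run from an elevated prompt.

choco install autohotkey -y

# Assumed paths/account; adjust to the lab build (v1 vs v2 install dir differs).
$AhkExe   = 'C:\Program Files\AutoHotkey\AutoHotkey.exe'
$Script   = 'C:\ProgramData\usersim\user-sim.ahk'   # placeholder script path
$SimUser  = 'LAB\simuser'                            # placeholder lab account
$TaskName = 'UserSim-AHK'

if (-not (Test-Path $AhkExe)) { throw "AutoHotkey not found at $AhkExe" }

# If the compiled .exe fallback from the issue is used instead, point
# -Execute at that .exe and drop the -Argument.
$Action = New-ScheduledTaskAction -Execute $AhkExe -Argument "`"$Script`""

# Fire only when the simulated user logs on, so a desktop session exists.
$Trigger = New-ScheduledTaskTrigger -AtLogOn -User $SimUser

# Interactive logon type = run in that user's session with desktop access,
# least privilege (RunLevel Limited), no stored credentials needed.
$Principal = New-ScheduledTaskPrincipal -UserId $SimUser `
    -LogonType Interactive -RunLevel Limited

# Restart the script if it crashes, matching the "recovery after errors" goal.
$Settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries `
    -DontStopIfGoingOnBatteries -RestartCount 3 `
    -RestartInterval (New-TimeSpan -Minutes 1)

Register-ScheduledTask -TaskName $TaskName -Action $Action -Trigger $Trigger `
    -Principal $Principal -Settings $Settings -Force | Out-Null

# Verify the principal is Interactive (not S4U/ServiceAccount), otherwise the
# task will start but SendInput-style automation never reaches a desktop.
$Task = Get-ScheduledTask -TaskName $TaskName
"{0}: {1}, LogonType={2}, User={3}" -f $Task.TaskName, $Task.State,
    $Task.Principal.LogonType, $Task.Principal.UserId
```

For the "security tools don't block it" check, run the task once manually (`Start-ScheduledTask -TaskName UserSim-AHK` while `simuser` is logged on) and review the EDR/Sysmon process-creation events for the AutoHotkey process before rolling it into the workstation build.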

zveroboy152 commented 1 year ago

Hi @aviditas-security ,

We wanted to follow up on this request. Can you comment back to Juju to see if that is what you need?

zveroboy152 commented 1 year ago

Hi @aviditas-security ,

This was assigned to me. I'll take care of deploying Auto-hotkey to the Windows Clients in the corporate subnet.

I'll close out this issue when the code is completed and pushed to the environment.

-Tyler

juju4 commented 1 year ago

https://github.com/blueteamvillage/DC31-obsidian-sec-eng/pull/80