# Remediation off the Land
Remediation off the Land (RotL) is a simple tool that converts a list of artifacts from a malware infection into commands that can be executed on the system to delete/remove those artifacts.
## Installation
``pip3 install rotl``
## The RotL script
When installed, a command line script named 'rotl' is supplied that can be used to convert a remediation file into a remediation script. Currently only Windows remediations are supported.
```
$ RotL -h
usage: RotL [-h] [-w {win}] [-f REMEDIATION] [-t {win}] [-o OUTFILE]
Remediation off the Land: Write remediation files to execute
optional arguments:
-h, --help show this help message and exit
-w {win}, --write-template {win}
write a remediation template file to local dir.
-f REMEDIATION, --remediation REMEDIATION
the remediation file describing the infection
-t {win}, --os-type {win}
remediation type (operating system)
-o OUTFILE, --outfile OUTFILE
name of output file to write.
```
## The Remediation File
You can use the rotl script to print a copy of the remediation template file that can be used to describe a malicious infection.
```
$ RotL -w win
+ Wrote remediate.ini
```
Now, you can edit the remediate.ini file to reflect the infection.
```
$ cat remediate.ini
## Example remediate routine file.
## All keys are commented out under their respective sections by default.
# Specify full paths to files that you want to delete.
# ex: file1=c:\programdata\lemontrack installer\winserv.exe
[files]
;file1=
;file2=
;file3=
# Specify processes that you want to kill by name. All processes matching the name will be killed
# ex: proc1=winserv.exe
[process_names]
;proc1=
;proc2=
;proc3=
# Delete a scheduled task
# ex: task1=DHCP Monitor Task
[scheduled_tasks]
;task1=
;task2=
# SC delete services by their name
[services]
;service1=
;service2=
# Delete entire directories
# ex: directory1=C:\ProgramData\LemonTrack Installer
[directories]
;directory1=
;directory2=
# Delete processes by their ID
# ex: pid1=2664
[pids]
;pid1=
;pid2=
# delete individual registry key-values
# ex: reg1=HKU\S-1-5-21-1660022851-2357930215-3100199371-1001\Software\Microsoft\Windows\CurrentVersion\Run\LemonTrack
# This translates to: REG DELETE "HKU\S-1-5-21-1660022851-2357930215-3100199371-1001\Software\Microsoft\Windows\CurrentVersion\Run" /v LemonTrack /f
[registry_values]
;reg1=
;reg2=
# delete all values behind a key
# ex: reg1=HKLM\Software\Microsoft\Windows\CurrentVersion\Run
# REG DELETE HKLM\Software\Microsoft\Windows\CurrentVersion\Run /f
[registry_keys]
;reg1=
;reg2=
```
### Example
Example remediate file describing a Qbot infection:
```
$ cat remediate.ini
[files]
file1=C:\WINDOWS\TEMP\iajzq.mkt
file2=C:\Documents and Settings\Administrator\Application Data\Microsoft\Iajzq\iajzq.exe
[process_names]
proc1=cscript.exe
proc2=iajzq.exe
proc3=wscntfy.exe
[scheduled_tasks]
task1=mxsiajzqupd
[services]
service1=fehjgnzjh
[directories]
directory1=C:\documents and settings\administrator\application data\microsoft\iajzq
[pids]
[registry_values]
reg1=HKU\S-1-5-21-1549631456-1210741653-3294372961-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lcmkfq
[registry_keys]
```
Create the batch file:
```
$ RotL -f remediate.ini
+ Wrote 'remediation.bat'
```
Now this file can be executed with admin rights on the infected system to remove the infection.
```
$ cat remediation.bat
taskkill /IM "cscript.exe" /F
taskkill /IM "iajzq.exe" /F
taskkill /IM "wscntfy.exe" /F
REG DELETE "HKU\S-1-5-21-1549631456-1210741653-3294372961-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "lcmkfq" /f
del "C:\WINDOWS\TEMP\iajzq.mkt"
del "C:\Documents and Settings\Administrator\Application Data\Microsoft\Iajzq\iajzq.exe"
cd "C:\documents and settings\administrator\application data\microsoft\iajzq" && DEL /F /Q /S * > NUL && cd .. && RMDIR /Q /S "C:\documents and settings\administrator\application data\microsoft\iajzq"
schtasks /Delete /TN "mxsiajzqupd" /F
net stop "fehjgnzjh" && SC DELETE "fehjgnzjh"
```
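To make the ini-to-batch translation above concrete, here is a small reconstruction of it as an added example; it is not the RotL project's own code. It assumes the mappings shown in the page's template and output (the emission order follows remediation.bat above), uses a constructed sample ini, and adds two checks the page does not mention: a registry value must contain a key and a value name, and a directory entry must not be a drive root.

```python
import configparser
from pathlib import PureWindowsPath
# Constructed sample in the template's format (an assumption, not the page's Qbot file verbatim).
SAMPLE_INI = r"""
[files]
file1=C:\WINDOWS\TEMP\iajzq.mkt
[process_names]
proc1=iajzq.exe
[scheduled_tasks]
task1=mxsiajzqupd
[services]
service1=fehjgnzjh
[directories]
directory1=C:\ProgramData\Iajzq
[pids]
[registry_values]
reg1=HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\lcmkfq
[registry_keys]
reg1=HKLM\Software\Microsoft\Windows\CurrentVersion\Run
"""

def _values(cfg, section):
    # Missing or empty sections yield nothing; ';key=' template lines are comments, not keys.
    return [v.strip() for v in cfg[section].values() if v.strip()] if cfg.has_section(section) else []

def _is_drive_root(path):
    # The directory line runs 'DEL /F /Q /S *' inside the target, so a drive root must be refused.
    p = PureWindowsPath(path)
    return p.parent == p

def build_remediation(ini_text):
    cfg = configparser.ConfigParser(comment_prefixes=("#", ";"), interpolation=None)
    cfg.read_string(ini_text)
    # Order mirrors the page's remediation.bat: kill processes before touching their files.
    lines = [f'taskkill /IM "{p}" /F' for p in _values(cfg, "process_names")]
    for entry in _values(cfg, "registry_values"):
        key, _, name = entry.rpartition("\\")  # last component is the value name
        if not key or not name:
            raise ValueError(f"registry value needs key\\name: {entry!r}")
        lines.append(f'REG DELETE "{key}" /v "{name}" /f')
    lines += [f'REG DELETE "{k}" /f' for k in _values(cfg, "registry_keys")]
    lines += [f'del "{f}"' for f in _values(cfg, "files")]
    for d in _values(cfg, "directories"):
        if _is_drive_root(d):
            raise ValueError(f"refusing to wipe a drive root: {d!r}")
        lines.append(f'cd "{d}" && DEL /F /Q /S * > NUL && cd .. && RMDIR /Q /S "{d}"')
    lines += [f'schtasks /Delete /TN "{t}" /F' for t in _values(cfg, "scheduled_tasks")]
    lines += [f'net stop "{s}" && SC DELETE "{s}"' for s in _values(cfg, "services")]
    return lines
```

Writing `"\n".join(build_remediation(SAMPLE_INI))` to a .bat file gives the same line shapes as the remediation.bat shown above.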