Basic syntax of a verified security test in Prelude

1. Endpoint.go

All security tests import the Endpoint module, which contains a collection of common functions for engaging with an endpoint. Functions include the ability to read and write files, locate installed applications or run shell commands.

//go:build windows
// +build windows


/*
ID: a0f02780-7807-4d8f-8f8e-82e16f56e35c
NAME: Mimikatz
CREATED: 2023-04-17
*/
package main


import (
 _ "embed"
 "runtime"


 Endpoint "github.com/preludeorg/test/endpoint"
)


// malicious holds the bytes of mimikatz.exe, embedded at build time so the
// test binary is self-contained; Endpoint.Quarantined writes it to disk.
//go:embed mimikatz.exe
var malicious []byte


// supported maps a runtime.GOOS value to the argv that Endpoint.Shell
// runs for it; the windows build constraint means only that key is needed.
var supported = map[string][]string{
	"windows": {
		"cmd", "/C",
		"mimikatz.exe", "sekurlsa::logonpasswords", "exit",
	},
}


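// test is the test body handed to Endpoint.Start. It drops the embedded
// mimikatz.exe through Endpoint.Quarantined and, if no endpoint defense
// removes it, runs it via Endpoint.Shell. Each outcome is reported with a
// distinct Endpoint.Stop code: 105 when the file was quarantined, 100 when
// execution was blocked, 101 when nothing intervened.
func test() {
	println("[+] Extracting file for quarantine test")
	println("[+] Pausing for 3 seconds to gauge defensive reaction")
	if Endpoint.Quarantined("mimikatz.exe", malicious) {
		println("[+] Malicious file was caught!")
		Endpoint.Stop(105)
		return
	}

	println("[-] Malicious file was not caught")

	// The windows build constraint guarantees runtime.GOOS has an entry in
	// supported, so command is never empty here.
	command := supported[runtime.GOOS]
	println("[+] Executing Mimikatz")
	_, err := Endpoint.Shell(command)
	if err != nil {
		println("[+] Execution was prevented")
		Endpoint.Stop(100)
		// Return explicitly, as the quarantine branch does: otherwise the
		// verdict depends on Stop terminating the process, and a blocked
		// execution could fall through and be reported as 101.
		return
	}
	println("[-] Mimikatz was not blocked")
	Endpoint.Stop(101)
}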


// main hands test to Endpoint.Start, which runs it under the harness timeout
// and exits with the code chosen by Endpoint.Stop.
func main() {
 Endpoint.Start(test)
}

2. Build flags

In Go, we may add build constraints (build tags) to make compilation easier. They act as build restrictions, ensuring that the code is only built for the designated operating system.

//go:build windows
// +build windows


/*
ID: a0f02780-7807-4d8f-8f8e-82e16f56e35c
NAME: Mimikatz
CREATED: 2023-04-17
*/
package main


import (
 _ "embed"
 "runtime"


 Endpoint "github.com/preludeorg/test/endpoint"
)


// malicious holds the bytes of mimikatz.exe, embedded at build time so the
// test binary is self-contained; Endpoint.Quarantined writes it to disk.
//go:embed mimikatz.exe
var malicious []byte


// supported maps a runtime.GOOS value to the argv that Endpoint.Shell
// runs for it; the windows build constraint means only that key is needed.
var supported = map[string][]string{
	"windows": {
		"cmd", "/C",
		"mimikatz.exe", "sekurlsa::logonpasswords", "exit",
	},
}


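// test is the test body handed to Endpoint.Start. It drops the embedded
// mimikatz.exe through Endpoint.Quarantined and, if no endpoint defense
// removes it, runs it via Endpoint.Shell. Each outcome is reported with a
// distinct Endpoint.Stop code: 105 when the file was quarantined, 100 when
// execution was blocked, 101 when nothing intervened.
func test() {
	println("[+] Extracting file for quarantine test")
	println("[+] Pausing for 3 seconds to gauge defensive reaction")
	if Endpoint.Quarantined("mimikatz.exe", malicious) {
		println("[+] Malicious file was caught!")
		Endpoint.Stop(105)
		return
	}

	println("[-] Malicious file was not caught")

	// The windows build constraint guarantees runtime.GOOS has an entry in
	// supported, so command is never empty here.
	command := supported[runtime.GOOS]
	println("[+] Executing Mimikatz")
	_, err := Endpoint.Shell(command)
	if err != nil {
		println("[+] Execution was prevented")
		Endpoint.Stop(100)
		// Return explicitly, as the quarantine branch does: otherwise the
		// verdict depends on Stop terminating the process, and a blocked
		// execution could fall through and be reported as 101.
		return
	}
	println("[-] Mimikatz was not blocked")
	Endpoint.Stop(101)
}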


// main hands test to Endpoint.Start, which runs it under the harness timeout
// and exits with the code chosen by Endpoint.Stop.
func main() {
 Endpoint.Start(test)
}

3. Starting a test

Every test starts in the main function, where Endpoint.Start(..) is passed the test function to run - and optionally a clean-up function that reverses the effects of the test.

The Start function sets a 10-second timer to ensure all tests finish within this time. If a test exceeds 10s it will be stopped and a time-out exit code will be sent to Detect.

//go:build windows
// +build windows


/*
ID: a0f02780-7807-4d8f-8f8e-82e16f56e35c
NAME: Mimikatz
CREATED: 2023-04-17
*/
package main


import (
 _ "embed"
 "runtime"


 Endpoint "github.com/preludeorg/test/endpoint"
)


// malicious holds the bytes of mimikatz.exe, embedded at build time so the
// test binary is self-contained; Endpoint.Quarantined writes it to disk.
//go:embed mimikatz.exe
var malicious []byte


// supported maps a runtime.GOOS value to the argv that Endpoint.Shell
// runs for it; the windows build constraint means only that key is needed.
var supported = map[string][]string{
	"windows": {
		"cmd", "/C",
		"mimikatz.exe", "sekurlsa::logonpasswords", "exit",
	},
}


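// test is the test body handed to Endpoint.Start. It drops the embedded
// mimikatz.exe through Endpoint.Quarantined and, if no endpoint defense
// removes it, runs it via Endpoint.Shell. Each outcome is reported with a
// distinct Endpoint.Stop code: 105 when the file was quarantined, 100 when
// execution was blocked, 101 when nothing intervened.
func test() {
	println("[+] Extracting file for quarantine test")
	println("[+] Pausing for 3 seconds to gauge defensive reaction")
	if Endpoint.Quarantined("mimikatz.exe", malicious) {
		println("[+] Malicious file was caught!")
		Endpoint.Stop(105)
		return
	}

	println("[-] Malicious file was not caught")

	// The windows build constraint guarantees runtime.GOOS has an entry in
	// supported, so command is never empty here.
	command := supported[runtime.GOOS]
	println("[+] Executing Mimikatz")
	_, err := Endpoint.Shell(command)
	if err != nil {
		println("[+] Execution was prevented")
		Endpoint.Stop(100)
		// Return explicitly, as the quarantine branch does: otherwise the
		// verdict depends on Stop terminating the process, and a blocked
		// execution could fall through and be reported as 101.
		return
	}
	println("[-] Mimikatz was not blocked")
	Endpoint.Stop(101)
}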


// main hands test to Endpoint.Start, which runs it under the harness timeout
// and exits with the code chosen by Endpoint.Stop.
func main() {
 Endpoint.Start(test)
}

4. Embedded malware

Go has a compiler directive, //go:embed, that allows you to include an arbitrary file inside the compiled Go binary. The file contents are available in a []byte variable at runtime (called "malicious" in the example here).

//go:build windows
// +build windows


/*
ID: a0f02780-7807-4d8f-8f8e-82e16f56e35c
NAME: Mimikatz
CREATED: 2023-04-17
*/
package main


import (
 _ "embed"
 "runtime"


 Endpoint "github.com/preludeorg/test/endpoint"
)


// malicious holds the bytes of mimikatz.exe, embedded at build time so the
// test binary is self-contained; Endpoint.Quarantined writes it to disk.
//go:embed mimikatz.exe
var malicious []byte


// supported maps a runtime.GOOS value to the argv that Endpoint.Shell
// runs for it; the windows build constraint means only that key is needed.
var supported = map[string][]string{
	"windows": {
		"cmd", "/C",
		"mimikatz.exe", "sekurlsa::logonpasswords", "exit",
	},
}


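// test is the test body handed to Endpoint.Start. It drops the embedded
// mimikatz.exe through Endpoint.Quarantined and, if no endpoint defense
// removes it, runs it via Endpoint.Shell. Each outcome is reported with a
// distinct Endpoint.Stop code: 105 when the file was quarantined, 100 when
// execution was blocked, 101 when nothing intervened.
func test() {
	println("[+] Extracting file for quarantine test")
	println("[+] Pausing for 3 seconds to gauge defensive reaction")
	if Endpoint.Quarantined("mimikatz.exe", malicious) {
		println("[+] Malicious file was caught!")
		Endpoint.Stop(105)
		return
	}

	println("[-] Malicious file was not caught")

	// The windows build constraint guarantees runtime.GOOS has an entry in
	// supported, so command is never empty here.
	command := supported[runtime.GOOS]
	println("[+] Executing Mimikatz")
	_, err := Endpoint.Shell(command)
	if err != nil {
		println("[+] Execution was prevented")
		Endpoint.Stop(100)
		// Return explicitly, as the quarantine branch does: otherwise the
		// verdict depends on Stop terminating the process, and a blocked
		// execution could fall through and be reported as 101.
		return
	}
	println("[-] Mimikatz was not blocked")
	Endpoint.Stop(101)
}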


// main hands test to Endpoint.Start, which runs it under the harness timeout
// and exits with the code chosen by Endpoint.Stop.
func main() {
 Endpoint.Start(test)
}

5. Log statements

Tests can contain print statements that write to standard out or standard error. These statements are helpful for debugging but will also appear in the Detect log file (prelude.log) if the probe used an installer.

//go:build windows
// +build windows


/*
ID: a0f02780-7807-4d8f-8f8e-82e16f56e35c
NAME: Mimikatz
CREATED: 2023-04-17
*/
package main


import (
 _ "embed"
 "runtime"


 Endpoint "github.com/preludeorg/test/endpoint"
)


// malicious holds the bytes of mimikatz.exe, embedded at build time so the
// test binary is self-contained; Endpoint.Quarantined writes it to disk.
//go:embed mimikatz.exe
var malicious []byte


// supported maps a runtime.GOOS value to the argv that Endpoint.Shell
// runs for it; the windows build constraint means only that key is needed.
var supported = map[string][]string{
	"windows": {
		"cmd", "/C",
		"mimikatz.exe", "sekurlsa::logonpasswords", "exit",
	},
}


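// test is the test body handed to Endpoint.Start. It drops the embedded
// mimikatz.exe through Endpoint.Quarantined and, if no endpoint defense
// removes it, runs it via Endpoint.Shell. Each outcome is reported with a
// distinct Endpoint.Stop code: 105 when the file was quarantined, 100 when
// execution was blocked, 101 when nothing intervened.
func test() {
	println("[+] Extracting file for quarantine test")
	println("[+] Pausing for 3 seconds to gauge defensive reaction")
	if Endpoint.Quarantined("mimikatz.exe", malicious) {
		println("[+] Malicious file was caught!")
		Endpoint.Stop(105)
		return
	}

	println("[-] Malicious file was not caught")

	// The windows build constraint guarantees runtime.GOOS has an entry in
	// supported, so command is never empty here.
	command := supported[runtime.GOOS]
	println("[+] Executing Mimikatz")
	_, err := Endpoint.Shell(command)
	if err != nil {
		println("[+] Execution was prevented")
		Endpoint.Stop(100)
		// Return explicitly, as the quarantine branch does: otherwise the
		// verdict depends on Stop terminating the process, and a blocked
		// execution could fall through and be reported as 101.
		return
	}
	println("[-] Mimikatz was not blocked")
	Endpoint.Stop(101)
}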


// main hands test to Endpoint.Start, which runs it under the harness timeout
// and exits with the code chosen by Endpoint.Stop.
func main() {
 Endpoint.Start(test)
}

6. Quarantine check

Some tests rely on the Quarantined function, which writes the embedded malware to disk, opens a file handle to it in an attempt to trigger the defense, and then waits a few seconds before checking whether the file was removed by any endpoint defense.

If a test was quarantined it will exit with a 105, representing a quarantine event.

//go:build windows
// +build windows


/*
ID: a0f02780-7807-4d8f-8f8e-82e16f56e35c
NAME: Mimikatz
CREATED: 2023-04-17
*/
package main


import (
 _ "embed"
 "runtime"


 Endpoint "github.com/preludeorg/test/endpoint"
)


// malicious holds the bytes of mimikatz.exe, embedded at build time so the
// test binary is self-contained; Endpoint.Quarantined writes it to disk.
//go:embed mimikatz.exe
var malicious []byte


// supported maps a runtime.GOOS value to the argv that Endpoint.Shell
// runs for it; the windows build constraint means only that key is needed.
var supported = map[string][]string{
	"windows": {
		"cmd", "/C",
		"mimikatz.exe", "sekurlsa::logonpasswords", "exit",
	},
}


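// test is the test body handed to Endpoint.Start. It drops the embedded
// mimikatz.exe through Endpoint.Quarantined and, if no endpoint defense
// removes it, runs it via Endpoint.Shell. Each outcome is reported with a
// distinct Endpoint.Stop code: 105 when the file was quarantined, 100 when
// execution was blocked, 101 when nothing intervened.
func test() {
	println("[+] Extracting file for quarantine test")
	println("[+] Pausing for 3 seconds to gauge defensive reaction")
	if Endpoint.Quarantined("mimikatz.exe", malicious) {
		println("[+] Malicious file was caught!")
		Endpoint.Stop(105)
		return
	}

	println("[-] Malicious file was not caught")

	// The windows build constraint guarantees runtime.GOOS has an entry in
	// supported, so command is never empty here.
	command := supported[runtime.GOOS]
	println("[+] Executing Mimikatz")
	_, err := Endpoint.Shell(command)
	if err != nil {
		println("[+] Execution was prevented")
		Endpoint.Stop(100)
		// Return explicitly, as the quarantine branch does: otherwise the
		// verdict depends on Stop terminating the process, and a blocked
		// execution could fall through and be reported as 101.
		return
	}
	println("[-] Mimikatz was not blocked")
	Endpoint.Stop(101)
}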


// main hands test to Endpoint.Start, which runs it under the harness timeout
// and exits with the code chosen by Endpoint.Stop.
func main() {
 Endpoint.Start(test)
}

7. Technique execution

Certain tests implement specific procedures in the event that the quarantine check does not stop the test. Some of these procedures are composed in pure Go, while others leverage the Shell function. This function accepts a string slice holding the command and its arguments and runs it as a shell process.

In the event that execution is blocked, the test will terminate, resulting in an exit code of 100.

//go:build windows
// +build windows


/*
ID: a0f02780-7807-4d8f-8f8e-82e16f56e35c
NAME: Mimikatz
CREATED: 2023-04-17
*/
package main


import (
 _ "embed"
 "runtime"


 Endpoint "github.com/preludeorg/test/endpoint"
)


// malicious holds the bytes of mimikatz.exe, embedded at build time so the
// test binary is self-contained; Endpoint.Quarantined writes it to disk.
//go:embed mimikatz.exe
var malicious []byte


// supported maps a runtime.GOOS value to the argv that Endpoint.Shell
// runs for it; the windows build constraint means only that key is needed.
var supported = map[string][]string{
	"windows": {
		"cmd", "/C",
		"mimikatz.exe", "sekurlsa::logonpasswords", "exit",
	},
}


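// test is the test body handed to Endpoint.Start. It drops the embedded
// mimikatz.exe through Endpoint.Quarantined and, if no endpoint defense
// removes it, runs it via Endpoint.Shell. Each outcome is reported with a
// distinct Endpoint.Stop code: 105 when the file was quarantined, 100 when
// execution was blocked, 101 when nothing intervened.
func test() {
	println("[+] Extracting file for quarantine test")
	println("[+] Pausing for 3 seconds to gauge defensive reaction")
	if Endpoint.Quarantined("mimikatz.exe", malicious) {
		println("[+] Malicious file was caught!")
		Endpoint.Stop(105)
		return
	}

	println("[-] Malicious file was not caught")

	// The windows build constraint guarantees runtime.GOOS has an entry in
	// supported, so command is never empty here.
	command := supported[runtime.GOOS]
	println("[+] Executing Mimikatz")
	_, err := Endpoint.Shell(command)
	if err != nil {
		println("[+] Execution was prevented")
		Endpoint.Stop(100)
		// Return explicitly, as the quarantine branch does: otherwise the
		// verdict depends on Stop terminating the process, and a blocked
		// execution could fall through and be reported as 101.
		return
	}
	println("[-] Mimikatz was not blocked")
	Endpoint.Stop(101)
}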


// main hands test to Endpoint.Start, which runs it under the harness timeout
// and exits with the code chosen by Endpoint.Stop.
func main() {
 Endpoint.Start(test)
}

8. UNPROTECTED!

If a test is not blocked at any stage of the attack, it will exit with a 101 code - meaning the endpoint failed the antivirus check.

//go:build windows
// +build windows


/*
ID: a0f02780-7807-4d8f-8f8e-82e16f56e35c
NAME: Mimikatz
CREATED: 2023-04-17
*/
package main


import (
 _ "embed"
 "runtime"


 Endpoint "github.com/preludeorg/test/endpoint"
)


// malicious holds the bytes of mimikatz.exe, embedded at build time so the
// test binary is self-contained; Endpoint.Quarantined writes it to disk.
//go:embed mimikatz.exe
var malicious []byte


// supported maps a runtime.GOOS value to the argv that Endpoint.Shell
// runs for it; the windows build constraint means only that key is needed.
var supported = map[string][]string{
	"windows": {
		"cmd", "/C",
		"mimikatz.exe", "sekurlsa::logonpasswords", "exit",
	},
}


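// test is the test body handed to Endpoint.Start. It drops the embedded
// mimikatz.exe through Endpoint.Quarantined and, if no endpoint defense
// removes it, runs it via Endpoint.Shell. Each outcome is reported with a
// distinct Endpoint.Stop code: 105 when the file was quarantined, 100 when
// execution was blocked, 101 when nothing intervened.
func test() {
	println("[+] Extracting file for quarantine test")
	println("[+] Pausing for 3 seconds to gauge defensive reaction")
	if Endpoint.Quarantined("mimikatz.exe", malicious) {
		println("[+] Malicious file was caught!")
		Endpoint.Stop(105)
		return
	}

	println("[-] Malicious file was not caught")

	// The windows build constraint guarantees runtime.GOOS has an entry in
	// supported, so command is never empty here.
	command := supported[runtime.GOOS]
	println("[+] Executing Mimikatz")
	_, err := Endpoint.Shell(command)
	if err != nil {
		println("[+] Execution was prevented")
		Endpoint.Stop(100)
		// Return explicitly, as the quarantine branch does: otherwise the
		// verdict depends on Stop terminating the process, and a blocked
		// execution could fall through and be reported as 101.
		return
	}
	println("[-] Mimikatz was not blocked")
	Endpoint.Stop(101)
}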


// main hands test to Endpoint.Start, which runs it under the harness timeout
// and exits with the code chosen by Endpoint.Stop.
func main() {
 Endpoint.Start(test)
}