{ "info": { "author": "Sean McFeely", "author_email": "zsmcfeely@gmail.com", "bugtrack_url": null, "classifiers": [ "Development Status :: 4 - Beta", "Intended Audience :: Developers", "Intended Audience :: Information Technology", "Intended Audience :: Telecommunications Industry", "License :: OSI Approved :: Apache Software License", "Operating System :: OS Independent", "Programming Language :: Python :: 3", "Programming Language :: Python :: 3.0", "Programming Language :: Python :: 3.1", "Programming Language :: Python :: 3.2", "Programming Language :: Python :: 3.3", "Programming Language :: Python :: 3.4", "Programming Language :: Python :: 3.5", "Programming Language :: Python :: 3.6", "Programming Language :: Python :: 3 :: Only" ], "description": "# Remediation off the Land.\n\nRemediationn off the Land (RotL) is a simple tool that converts a list of artifacts from a malware infection into commands that can be executed on the system to delete/remove those artifacts.\n\n## Installation\n\n``pip3 install rotl``\n\n## The RotL script\n\nWhen installed, a commannd line script named 'rotl' is supplied that can be used to convert the remediation scripts into remediation files. Currently only windows remediations are supported.\n\n```\n$ RotL -h\nusage: RotL [-h] [-w {win}] [-f REMEDIATION] [-t {win}] [-o OUTFILE]\n\nRemediation off the Land: Write remediation files to execute\n\noptional arguments:\n -h, --help show this help message and exit\n -w {win}, --write-template {win}\n write a remediation template file to local dir.\n -f REMEDIATION, --remediation REMEDIATION\n the remediation file describing the infection\n -t {win}, --os-type {win}\n remediation type (operating system)\n -o OUTFILE, --outfile OUTFILE\n name of output file to write.\n```\n\n## The Remediation File\n\nYou can use the rotl script to print a copy of the remediation template file that can be used to describe a malicious infection. \n\n```\n$ RotL -w win\n+ Wrote remediate.ini\n```\n\nNow, you can edit the remediate.ini file to reflect the infection.\n\n```\n\n$ cat remediate.ini \n## Example remediate routine file.\n## All keys are commented out under their respective sections by default.\n\n# Specify full paths to files that you want to delete.\n# ex: file1=c:\\programdata\\lemontrack installer\\winserv.exe\n[files]\n;file1=\n;file2=\n;file3=\n\n# Specify processes that you want to kill by name. All processes matching the name will be killed\n# ex: proc1=winserv.exe\n[process_names]\n;proc1=\n;proc2=\n;proc3=\n\n# Delete a scheduled task\n# ex: task1=DHCP Monitor Task\n[scheduled_tasks]\n;task1=\n;task2=\n\n# SC delete services by their name\n[services]\n;service1=\n;service2=\n\n# Delete entire directories\n# ex: directory1=C:\\ProgramData\\LemonTrack Installer\n[directories]\n;directory1=\n;directory2=\n\n# Delete processes by their ID\n# ex: pid1=2664\n[pids]\n;pid1=\n;pid2=\n\n# delete individual registry key-values\n# ex: reg1=HKU\\S-1-5-21-1660022851-2357930215-3100199371-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\LemonTrack\n# This translates to: REG DELETE \"HKU\\S-1-5-21-1660022851-2357930215-3100199371-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" /v LemonTrack /f\n[registry_values]\n;reg1=\n;reg2=\n\n# delete all values behing a key\n# ex: reg1=HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\n# REG DELETE HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /f\n[registry_keys]\n;reg1=\n;reg2=\n```\n\n### Example\n\nExample remediate file describing a Qbot infection:\n\n```\n$ cat remediate.ini \n[files]\nfile1=C:\\WINDOWS\\TEMP\\iajzq.mkt\nfile2=C:\\Documents and Settings\\Administrator\\Application Data\\Microsoft\\Iajzq\\iajzq.exe\n\n[process_names]\nproc1=cscript.exe\nproc2=iajzq.exe\nproc3=wscntfy.exe\n\n[scheduled_tasks]\ntask1=mxsiajzqupd\n\n[services]\nservice1=fehjgnzjh\n\n[directories]\ndirectory1=C:\\documents and settings\\administrator\\application data\\microsoft\\iajzq\n\n[pids]\n\n[registry_values]\nreg1=HKU\\S-1-5-21-1549631456-1210741653-3294372961-500\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\lcmkfq\n\n[registry_keys]\n```\n\nCreate the batch file:\n\n```\n$ RotL -f remediate.ini \n+ Wrote 'remediation.bat'\n```\n\nNow you this file was executed with admin rights on the infected system to remove the infection.\n\n```\n$ cat remediation.bat \ntaskkill /IM \"cscript.exe\" /F\ntaskkill /IM \"iajzq.exe\" /F\ntaskkill /IM \"wscntfy.exe\" /F\nREG DELETE \"HKU\\S-1-5-21-1549631456-1210741653-3294372961-500\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\" /v \"lcmkfq\" /f\ndel \"C:\\WINDOWS\\TEMP\\iajzq.mkt\"\ndel \"C:\\Documents and Settings\\Administrator\\Application Data\\Microsoft\\Iajzq\\iajzq.exe\"\ncd \"C:\\documents and settings\\administrator\\application data\\microsoft\\iajzq\" && DEL /F /Q /S * > NUL && cd .. && RMDIR /Q /S \"C:\\documents and settings\\administrator\\application data\\microsoft\\iajzq\"\nschtasks /Delete /TN \"mxsiajzqupd\" /F\nnet stop \"fehjgnzjh\" && SC DELETE \"fehjgnzjh\"\n```\n\n\n\n", "description_content_type": "text/markdown", "docs_url": null, "download_url": "", "downloads": { "last_day": -1, "last_month": -1, "last_week": -1 }, "home_page": "https://github.com/IntegralDefense/RotL", "keywords": "Incident Response,Remediation,Malware", "license": "Apache-2.0", "maintainer": "", "maintainer_email": "", "name": "RotL", "package_url": "https://pypi.org/project/RotL/", "platform": "", "project_url": "https://pypi.org/project/RotL/", "project_urls": { "Homepage": "https://github.com/IntegralDefense/RotL" }, "release_url": "https://pypi.org/project/RotL/0.0.5/", "requires_dist": null, "requires_python": "", "summary": "A simple utility for converting files that describe malware infections into remediation scripts that can clean up infections using native OS tools.", "version": "0.0.5" }, "last_serial": 5448042, "releases": { "0.0.1": [ { "comment_text": "", "digests": { "md5": "7ecaaadfeefa58fa32fb92f45db085de", "sha256": "bb9ffa78e66f5a481e2c3d8374dc7d374985cc0e4c3e2faf0abc6fd6311afc20" }, "downloads": -1, "filename": "RotL-0.0.1-py3-none-any.whl", "has_sig": false, "md5_digest": "7ecaaadfeefa58fa32fb92f45db085de", "packagetype": "bdist_wheel", "python_version": "py3", "requires_python": null, "size": 10326, "upload_time": "2019-05-22T14:26:42", "url": "https://files.pythonhosted.org/packages/44/2c/684089eab783a339697792389aa920d0020bb0ca9bb303967313134e0c48/RotL-0.0.1-py3-none-any.whl" }, { "comment_text": "", "digests": { "md5": "599050a65a41f8f493426e67402906f3", "sha256": "38da17783c95085f767903f9b143c5a410f7915f72ef35bb4bd880df2973a2af" }, "downloads": -1, "filename": "RotL-0.0.1.tar.gz", "has_sig": false, "md5_digest": "599050a65a41f8f493426e67402906f3", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 6252, "upload_time": "2019-05-22T14:26:43", "url": "https://files.pythonhosted.org/packages/2b/fc/9bade733a1d1599019ad3683f9fa1408e8c7e9d6b831494545f6b38c0cf6/RotL-0.0.1.tar.gz" } ], "0.0.2": [ { "comment_text": "", "digests": { "md5": "cc736b8c8063e82c321e72312f26eb5b", "sha256": "1dd66815957c62eb5d13095932781910cd43a93e7832d7da3da77e8dcf682a79" }, "downloads": -1, "filename": "RotL-0.0.2-py3-none-any.whl", "has_sig": false, "md5_digest": "cc736b8c8063e82c321e72312f26eb5b", "packagetype": "bdist_wheel", "python_version": "py3", "requires_python": null, "size": 10323, "upload_time": "2019-05-23T19:22:54", "url": "https://files.pythonhosted.org/packages/cb/8b/7619e69f5357786404d82ece629cced10fdfd32d77c96d94ceeec842aec5/RotL-0.0.2-py3-none-any.whl" }, { "comment_text": "", "digests": { "md5": "1931dce6f37cbda04f010879896a6925", "sha256": "84e729d8a76df8947d51745befa3ab9acd367b869ebdbead0dc0afdd5f55b108" }, "downloads": -1, "filename": "RotL-0.0.2.tar.gz", "has_sig": false, "md5_digest": "1931dce6f37cbda04f010879896a6925", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 6256, "upload_time": "2019-05-23T19:22:56", "url": "https://files.pythonhosted.org/packages/34/c9/651bb4ca5221d9377041c15b6b0c33cb9125543bbb15f5cadce87c4d90e1/RotL-0.0.2.tar.gz" } ], "0.0.3": [ { "comment_text": "", "digests": { "md5": "3e05f36444b230c7e457ee4ca55ce019", "sha256": "5e490fd46b77ac06fb24ec6ed25642bba1ed067985db8f5f41d6f28ae6ad3337" }, "downloads": -1, "filename": "RotL-0.0.3-py3-none-any.whl", "has_sig": false, "md5_digest": "3e05f36444b230c7e457ee4ca55ce019", "packagetype": "bdist_wheel", "python_version": "py3", "requires_python": null, "size": 10347, "upload_time": "2019-06-18T19:59:41", "url": "https://files.pythonhosted.org/packages/b3/84/7a7ab08d3a1a3175f95fc69f2b9a144072b66e41e851d0280dd36b75e501/RotL-0.0.3-py3-none-any.whl" }, { "comment_text": "", "digests": { "md5": "dcea43e0db48bfe251d367b7795fa7d7", "sha256": "b386a7386cc3b91e8fee531dbaa5088977a8a53079b17bc009cf5867c337b6b0" }, "downloads": -1, "filename": "RotL-0.0.3.tar.gz", "has_sig": false, "md5_digest": "dcea43e0db48bfe251d367b7795fa7d7", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 6271, "upload_time": "2019-06-18T19:59:42", "url": "https://files.pythonhosted.org/packages/ed/ba/91e88ddc1d129d79421858ec5b60ad93fde30cec47b75d15116f146f4cd2/RotL-0.0.3.tar.gz" } ], "0.0.4": [ { "comment_text": "", "digests": { "md5": "66f25b003a072101e5c8e18a5526b581", "sha256": "34c29ce9641a194f16c4b8cd025215ef7322808410a857acbe873b35f1494c37" }, "downloads": -1, "filename": "RotL-0.0.4-py3-none-any.whl", "has_sig": false, "md5_digest": "66f25b003a072101e5c8e18a5526b581", "packagetype": "bdist_wheel", "python_version": "py3", "requires_python": null, "size": 10321, "upload_time": "2019-06-18T20:13:37", "url": "https://files.pythonhosted.org/packages/b6/0c/5c3fd215ab8c298a5d056329a0a39a4c2323ec68b9a720bf0e76b8d79142/RotL-0.0.4-py3-none-any.whl" }, { "comment_text": "", "digests": { "md5": "adf43309d15b2cdbc0660652f256e368", "sha256": "bada3e9a49383d1c756d37f5ea04362182ceb59da28e3b4b0340535b5d5704d6" }, "downloads": -1, "filename": "RotL-0.0.4.tar.gz", "has_sig": false, "md5_digest": "adf43309d15b2cdbc0660652f256e368", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 6242, "upload_time": "2019-06-18T20:13:38", "url": "https://files.pythonhosted.org/packages/03/25/c2be00b60a3bea4f95caf7d8c38c7d52281e5b98ae940ecd6e1462e8e48f/RotL-0.0.4.tar.gz" } ], "0.0.5": [ { "comment_text": "", "digests": { "md5": "691a9adad55b605ec11edb0f4de15ba6", "sha256": "8991842b5c23c9fbc0186c3aa9a4fa17650af0e80574c0b0743e08f577fdf655" }, "downloads": -1, "filename": "RotL-0.0.5-py3-none-any.whl", "has_sig": false, "md5_digest": "691a9adad55b605ec11edb0f4de15ba6", "packagetype": "bdist_wheel", "python_version": "py3", "requires_python": null, "size": 10325, "upload_time": "2019-06-25T19:25:35", "url": "https://files.pythonhosted.org/packages/a5/8e/85da47ce5f260b1736884fe87b1d3f4dcfcb6ff3e4013b2f126998de4665/RotL-0.0.5-py3-none-any.whl" }, { "comment_text": "", "digests": { "md5": "c0e6c80decee4b261212823d2e58de33", "sha256": "b84b731d57f60408f38dabccd35e813419855625d14366b24b20673157e9ea47" }, "downloads": -1, "filename": "RotL-0.0.5.tar.gz", "has_sig": false, "md5_digest": "c0e6c80decee4b261212823d2e58de33", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 6244, "upload_time": "2019-06-25T19:25:36", "url": "https://files.pythonhosted.org/packages/c7/83/47fae9b66cc281816347ed87da5b00b30fa99f6886052b65f51553752cbf/RotL-0.0.5.tar.gz" } ] }, "urls": [ { "comment_text": "", "digests": { "md5": "691a9adad55b605ec11edb0f4de15ba6", "sha256": "8991842b5c23c9fbc0186c3aa9a4fa17650af0e80574c0b0743e08f577fdf655" }, "downloads": -1, "filename": "RotL-0.0.5-py3-none-any.whl", "has_sig": false, "md5_digest": "691a9adad55b605ec11edb0f4de15ba6", "packagetype": "bdist_wheel", "python_version": "py3", "requires_python": null, "size": 10325, "upload_time": "2019-06-25T19:25:35", "url": "https://files.pythonhosted.org/packages/a5/8e/85da47ce5f260b1736884fe87b1d3f4dcfcb6ff3e4013b2f126998de4665/RotL-0.0.5-py3-none-any.whl" }, { "comment_text": "", "digests": { "md5": "c0e6c80decee4b261212823d2e58de33", "sha256": "b84b731d57f60408f38dabccd35e813419855625d14366b24b20673157e9ea47" }, "downloads": -1, "filename": "RotL-0.0.5.tar.gz", "has_sig": false, "md5_digest": "c0e6c80decee4b261212823d2e58de33", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 6244, "upload_time": "2019-06-25T19:25:36", "url": "https://files.pythonhosted.org/packages/c7/83/47fae9b66cc281816347ed87da5b00b30fa99f6886052b65f51553752cbf/RotL-0.0.5.tar.gz" } ] }