Article Excerpt
Modified version of Matterpreter's DefenderCheck. Takes a binary as input (either from a file on disk or a URL), splits it until it pinpoints the exact bytes that the target engine will flag on, and prints them to the screen.
| property | value |
| --- | --- |
| tags | malware-analysis, offensive-tradecraft, tactic-amsi-bypass, tradecraft-tool |
| url | |
| original_word_count | 226 |
Long Summary
ThreatCheck is a modified version of Matterpreter's DefenderCheck, a tool used to identify which parts of a binary an antivirus engine treats as malicious. It takes a binary as input, either from a file on disk or a URL, and splits it repeatedly until it pinpoints the exact bytes that the target engine flags on. It then prints those bytes to the screen, so users can see the specific pieces of their tool or payload that triggered the detection.
The ThreatCheck command line interface has two main options, -e and -f. The -e option selects the scanning engine, with Defender as the default. The -f option analyzes a file on disk, while the --url option analyzes a file fetched from a URL. The --help option displays a help screen, and the --version option displays version information.
An example of the ThreatCheck command line interface is provided. It shows the command being used to analyze a file called Grunt.bin with the scanning engine set to AMSI. The output shows the size of the target file, the progress of the analysis, and the identified end of bad bytes at offset 0x6D7A, followed by a hex dump of the flagged region. It also shows the status, output, GUID, type, meta, and encrypted message fields.
ThreatCheck is a useful tool for finding out which bytes of a binary a given engine detects. It is easy to use and provides detailed output that pinpoints the exact bytes the target engine will flag on.
Short Summary
- ThreatCheck identifies the bytes in a binary that a scanning engine flags as malicious.
- It is a modified version of Matterpreter's DefenderCheck tool.
- The tool takes a binary as input from a file on disk or a URL.
- It splits the binary to pinpoint the exact flagged bytes.
- The identified bytes are printed on the screen.
- The tool has a command-line interface with various options.
- The -e option allows users to select the scanning engine.
- The -f option analyzes a file on disk, while --url uses a URL.
- The output shows detailed information about the analyzed binary.
- ThreatCheck is a useful tool for bad code identification and offers ease of use.
source link: https://github.com/rasta-mouse/ThreatCheck
summarized content: https://hut.threathunterz.com/battlefield-intel/tradecraft-tools/https-github-com-rasta-mousethreatcheck
#ThreatCheck #BinaryAnalysis #MaliciousCode #CommandLineInterface #DetailedOutput