https://github.com/rasta-mouse/ThreatCheck

Article Excerpt

Modified version of Matterpreter's DefenderCheck. Takes a binary as input (either from a file on disk or a URL), splits it until it pinpoints the exact bytes that the target engine will flag on and prints them to the screen.

tags: malware-analysis, offensive-tradecraft, tactic-amsi-bypass, tradecraft-tool
url:
original_word_count: 226

Long Summary

ThreatCheck is a modified version of Matterpreter's DefenderCheck, a tool for finding which part of a binary an antivirus engine flags. It takes a binary as input, either from a file on disk or a URL, and repeatedly splits it until it pinpoints the exact bytes that the target engine flags on. It then prints those bytes to the screen, so the user can see which specific piece of code in their tool or payload is being detected.

The ThreatCheck command line interface has two main options: -e and -f. The -e option selects the scanning engine, with Defender as the default. The -f option analyzes a file on disk, and the --url option analyzes a file fetched from a URL. The --help option displays a help screen, and the --version option displays version information.

An example of the ThreatCheck command line interface is provided. It shows the command being used to analyze a file called Grunt.bin with the scanning engine set to AMSI. The output of the command shows the size of the target file, the progress of the analysis, and the identified end of the bad bytes at offset 0x6D7A. It then dumps the flagged bytes, which in the example contain the strings status, output, GUID, type, meta, and encrypted message.

ThreatCheck is a useful tool for identifying malicious code in a binary. It is easy to use and provides detailed output that can be used to pinpoint the exact bytes that the target engine will flag on.

Short Summary

šŸ‘‰šŸ½ Modified version of Matterpreter's DefenderCheck. Takes a binary as input (either from a file on disk or a URL), splits it until it pinpoints that exact bytes that the target engine will flag on and prints them to the screen. šŸ‘‰šŸ½ ThreatCheck identifies malicious code in a binary. šŸ‘‰šŸ½ It is a modified version of Matterpreter's DefenderCheck tool. šŸ‘‰šŸ½ The tool takes a binary as input from a file on disk or a URL. šŸ‘‰šŸ½ It splits the binary to pinpoint the exact flagged bytes. šŸ‘‰šŸ½ The identified bytes are printed on the screen. šŸ‘‰šŸ½ The tool has a command-line interface with various options. šŸ‘‰šŸ½ The -e option allows users to select the scanning engine. šŸ‘‰šŸ½ The -f option analyzes a file on disk, while --url uses a URL. šŸ‘‰šŸ½ The output shows detailed information about the analyzed binary. šŸ‘‰šŸ½ ThreatCheck is a useful tool for bad code identification and offers ease of use.

#ThreatCheck #BinaryAnalysis #MaliciousCode #CommandLineInterface #DetailedOutput