Project Goals

After making really good progress with my command and control malware, I decided to try my had at making a good defensive tool. The main purpose of the tool I decided to develop is to automate my five minute plan. The tool also acts as a watchdog, keeping an eye on active TCP connections and other potentially malicious red team activities. As a result, I will be able to spend less time checking for new red team accounts and reverse shells, and spend more time threat hunting.

This tool is not a general purpose anti-virus/anti-malware program. It was specifically designed to aid me in Red team/Blue team competitions. Certain actions like disabling all users, auto deleting new user accounts, and mass changing passwords are not always desirable. During competitions, however, this can be extremely useful. When the whole competition takes place in a number of hours, automating these tasks can make a sink or swim difference.

More information

if the -a flag is passed to the program when it is ran, it will:

• change the password for all accounts on the box
• disable shell access for all users
• kick all currently logged in users out the box
• kill all services started by any user other then the current user
• delete the home directory of any shelled accounts.
• generate a report listing active connections, services, processes, etc.

The tool can also detect and alert the user to new and existing TCP/UDP connections, making it nice and easy to spot reverse shells. When it spots a connection, it logs the service name and process ID, making it easy to investigate further, or outright kill the process.

Want to get involved?

This project is currently open source and I encourage anyone who has an interest in my tool to check it out on my GitHub. https://github.com/F1shh-sec/BlueTeamTools