###The Center for Internet Security Enumeration and Scanning Program
CIS-ESP gathers information from Windows systems via WMI. Currently CIS-ESP supports the gathering of:
- System Registry
- User Registry
- Application Compatibility Cache (Shim Cache)
- Services
- Service DLLs
- Local Accounts
- Local Admins
- Directory/File Listings
- Processes
- Process Modules
- Tasks
- Netstat
- DNS Cache
- Existence of Known Bad Files (by File Name)
- Shellbags
- USB Device Enumeration
CIS-ESP has two modes of operation: domain and standalone (single system). The domain version allows the user to specify an LDAP path for scanning while the standalone runs on the local system. The standalone version can also be used in conjunction with group policy to run on all systems at the same time and save output to a shared location.
CIS-ESP was written and tested on Python 2.7. The current modules require two third-party libraries:
- WMI (https://pypi.python.org/pypi/WMI/#downloads)
- active_directory (http://timgolden.me.uk/python/downloads/active_directory-0.6.7.zip)
###Setup: There are configuration files located in for the following modules:
- System Registry
- User Registry
- Directory/File Listings
- Existence of Known Bad Files (by File Name)
If you compile the program into a standalone executable, you can later add additional indicator files in a directory named "CIS-Config" in the same directory as the executable without the need to recompile.
The SystemRegistry.txt configuration file contains a case-insensitive, newline delimited list of SYSTEM or SOFTWARE Registry keys to gather from each system.
- SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
The UserRegistry.txt configuration file contains a case-insensitive, newline delimited list of NTUSER.DAT Registry keys to gather from each system. These keys are prepended with each user's Registry path during execution (ex. HKCU).
- \SOFTWARE\Sysinternals\PsExec
- \SOFTWARE\SimonTatham\PuTTY\SSHHostKeys
The FileList.txt configuration file contains a case-insensitive, newline delimited list of directories to enumerate files.
- C:\Windows\Prefetch\
- C:\Windows\Temp\
The DirectoryList.txt configuration file contains a case-insensitive, newline delimited list of directories to enumerate directories.
- C:\Program Files\
- C:\
The DataExists.txt configuration file contains a case-insensitive, newline delimited list of full paths to known bad files.
- C:\Temp\Program\evil.exe
- C:\Program Files\Evil\backdoor.exe
The UserDataExists.txt configuration file contains a case-insensitive, newline delimited list of relative paths (from each user's home directory) to known bad files.
- Desktop\ca_setup.exe
- ca_setup.exe
The DataExists.txt and UserDataExists.txt files are used to check for additional compromised systems after indicators of compromise are discovered on some systems. This will help determine the full scope of a compromise.
###Usage: cis-esp.py [-h] [-o DIR] [[-l LDAP] | [-i HOSTSFILE] | [-I OULISTFILE]] [-n NAME] [-x THREADS] [[--run TEST1,TEST2,...] | [--norun TEST1,TEST2,...] | [--tests BITSTRING]] [--listous]
####Center for Internet Security Enumeration and Scanning Program (CIS-ESP)
#####optional arguments:
-h, --help show this help message and exit
#####Domain or Standalone Version: These arguments can be used on either version of the scripts. A GUI will automatically display if no arguments are given.
-o DIR, --output DIR Path to store output. Must not have trailing slash. Example: "C:\My Folder".
--compress Compress the results after completion using TAR/BZ2. The uncompressed results will still remain. If run in standalone mode, the compressed file will be located in the results directory. #####Domain Version Only: These arguments will not have any affect on the standalone version. If LDAP path is not specified, it is assumed you are running the standalone version. If LDAP path is specified, it is assumed you are running the domain version.
-l LDAP, --ldap LDAP Case sensitive LDAP path to OU. Example: "LDAP://OU="Ball Room",DC=Domain,DC=local". This will enumerate all sub-OU's as well.
-i HOSTSFILE, --hosts HOSTSFILE Specifying the hosts file will skip enumerating any OUs and will only scan the systems included in the file. This file should contain a newline seperated list of computer names. Example: "hosts.txt".
-I OULISTFILE, --ous OULISTFILE Specify the OU list file to enumerate multiple separated OU's. Example: "ous.txt".
-n NAME, --name NAME One word conventional name for scan. Example: "HR".
-x THREADS, --threads THREADS Number of threads to use. Use more than one at your own risk.
#####Run Tests: Select which tests to run or not to run. Choose only one option --run, --norun, or --tests. The possible tests for --run and --norun are: LocalAccounts, Processes, Shellbags, SystemRegistry, DirectoryList, UserDataExists, ShimCache, UserRegistry, Tasks, Netstat, ServiceDlls, FileList, DataExists, Services, USBDevices. If none of these options is chosen, all tests are run.
--run TEST1,TEST2,... List the tests you want to run. Example: "--run UserRegistry,SystemRegistry" will run only the user and system registry modules.
--norun TEST1,TEST2,... List the tests you don't want to run. Example: "--norun DataExists,Processes,Tasks" will run all modules except data exists, processes, and tasks.
--tests BITSTRING 1 or 0 for run or don't run test. Must have exactly 15 digits (the number of possible tests).
#####Other Options: Additional options that you can use.
--listous If you want to enumerate the OUs without using the GUI or dsquery.
###Example: cis-esp.exe -l "LDAP://OU=Ball Room,DC=Domain,DC=local" -o "C:\Script Results" -n "Scan1" -x 4 --run UserRegistry,SystemRegistry,Services,DataExists,UserDataExists
The above example will run the specified scripts on all systems in the Ball Room organizational unit of the Domain.local domain.
A folder containing the results of this scan will be saved in the "C:\Script Results" directory.
The folder name is specified by a timestamp, the name of the scan, and the domain. If the scan started at noon on March 1, 2014, the folder would be 20140301120000-Scan1-Domain.local.
The scripts will be run with 4 separate threads (on 4 systems at the same time).
The specified scripts are the user registry, system registry, services, data exists, and user data exists modules.