Metadata-Version: 2.1
Name: RotL
Version: 0.0.5
Summary: A simple utility for converting files that describe malware infections into remediation scripts that can clean up infections using native OS tools.
Home-page: https://github.com/IntegralDefense/RotL
Author: Sean McFeely
Author-email: zsmcfeely@gmail.com
License: Apache-2.0
Keywords: Incident Response,Remediation,Malware
Platform: UNKNOWN
Classifier: Development Status :: 4 - Beta
Classifier: Intended Audience :: Developers
Classifier: Intended Audience :: Information Technology
Classifier: Intended Audience :: Telecommunications Industry
Classifier: Operating System :: OS Independent
Classifier: License :: OSI Approved :: Apache Software License
Classifier: Programming Language :: Python :: 3 :: Only
Classifier: Programming Language :: Python :: 3
Classifier: Programming Language :: Python :: 3.0
Classifier: Programming Language :: Python :: 3.1
Classifier: Programming Language :: Python :: 3.2
Classifier: Programming Language :: Python :: 3.3
Classifier: Programming Language :: Python :: 3.4
Classifier: Programming Language :: Python :: 3.5
Classifier: Programming Language :: Python :: 3.6
Description-Content-Type: text/markdown

# Remediation off the Land.

Remediationn off the Land (RotL) is a simple tool that converts a list of artifacts from a malware infection into commands that can be executed on the system to delete/remove those artifacts.

## Installation

``pip3 install rotl``

## The RotL script

When installed, a commannd line script named 'rotl' is supplied that can be used to convert the remediation scripts into remediation files. Currently only windows remediations are supported.

```
$ RotL -h
usage: RotL [-h] [-w {win}] [-f REMEDIATION] [-t {win}] [-o OUTFILE]

Remediation off the Land: Write remediation files to execute

optional arguments:
  -h, --help            show this help message and exit
  -w {win}, --write-template {win}
                        write a remediation template file to local dir.
  -f REMEDIATION, --remediation REMEDIATION
                        the remediation file describing the infection
  -t {win}, --os-type {win}
                        remediation type (operating system)
  -o OUTFILE, --outfile OUTFILE
                        name of output file to write.
```

## The Remediation File

You can use the rotl script to print a copy of the remediation template file that can be used to describe a malicious infection. 

```
$ RotL -w win
+ Wrote remediate.ini
```

Now, you can edit the remediate.ini file to reflect the infection.

```

$ cat remediate.ini 
## Example remediate routine file.
##  All keys are commented out under their respective sections by default.

# Specify full paths to files that you want to delete.
#  ex: file1=c:\programdata\lemontrack installer\winserv.exe
[files]
;file1=
;file2=
;file3=

# Specify processes that you want to kill by name. All processes matching the name will be killed
#  ex: proc1=winserv.exe
[process_names]
;proc1=
;proc2=
;proc3=

# Delete a scheduled task
#  ex: task1=DHCP Monitor Task
[scheduled_tasks]
;task1=
;task2=

# SC delete services by their name
[services]
;service1=
;service2=

# Delete entire directories
#  ex: directory1=C:\ProgramData\LemonTrack Installer
[directories]
;directory1=
;directory2=

# Delete processes by their ID
#  ex: pid1=2664
[pids]
;pid1=
;pid2=

# delete individual registry key-values
#  ex: reg1=HKU\S-1-5-21-1660022851-2357930215-3100199371-1001\Software\Microsoft\Windows\CurrentVersion\Run\LemonTrack
#  This translates to: REG DELETE "HKU\S-1-5-21-1660022851-2357930215-3100199371-1001\Software\Microsoft\Windows\CurrentVersion\Run" /v LemonTrack /f
[registry_values]
;reg1=
;reg2=

# delete all values behing a key
#  ex: reg1=HKLM\Software\Microsoft\Windows\CurrentVersion\Run
#  REG DELETE HKLM\Software\Microsoft\Windows\CurrentVersion\Run /f
[registry_keys]
;reg1=
;reg2=
```

### Example

Example remediate file describing a Qbot infection:

```
$ cat remediate.ini 
[files]
file1=C:\WINDOWS\TEMP\iajzq.mkt
file2=C:\Documents and Settings\Administrator\Application Data\Microsoft\Iajzq\iajzq.exe

[process_names]
proc1=cscript.exe
proc2=iajzq.exe
proc3=wscntfy.exe

[scheduled_tasks]
task1=mxsiajzqupd

[services]
service1=fehjgnzjh

[directories]
directory1=C:\documents and settings\administrator\application data\microsoft\iajzq

[pids]

[registry_values]
reg1=HKU\S-1-5-21-1549631456-1210741653-3294372961-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lcmkfq

[registry_keys]
```

Create the batch file:

```
$ RotL -f remediate.ini 
+ Wrote 'remediation.bat'
```

Now you this file was executed with admin rights on the infected system to remove the infection.

```
$ cat remediation.bat 
taskkill /IM "cscript.exe" /F
taskkill /IM "iajzq.exe" /F
taskkill /IM "wscntfy.exe" /F
REG DELETE "HKU\S-1-5-21-1549631456-1210741653-3294372961-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "lcmkfq" /f
del "C:\WINDOWS\TEMP\iajzq.mkt"
del "C:\Documents and Settings\Administrator\Application Data\Microsoft\Iajzq\iajzq.exe"
cd "C:\documents and settings\administrator\application data\microsoft\iajzq" && DEL /F /Q /S * > NUL && cd .. && RMDIR /Q /S "C:\documents and settings\administrator\application data\microsoft\iajzq"
schtasks /Delete /TN "mxsiajzqupd" /F
net stop "fehjgnzjh" && SC DELETE "fehjgnzjh"
```



