
Update to 1.6 #18

Merged: H4NM merged 11 commits into main from dev on Mar 5, 2026

Conversation

@H4NM (Owner) commented Mar 5, 2026

Changelog

✨Features:

  • Added a compression alternative in which the output folder is compressed to a zip file for easier extraction of data in case the data is analyzed elsewhere
  • Added metadata retrieval of the Executable related to a running process, such as checksums, creation time of the executable (when it landed on the system), and whether it's digitally signed or not. MD5, SHA1 and SHA256 are all retrieved, and lots more. Having multiple different checksums increases the likelihood of finding a correct match
  • Added retrieval of the user name that processes are running as
  • Added retrieval of established TCP connections by processes for when monitoring everything and when listening to a specific PID. This is to extend the capture capabilities beyond ETW and to ensure the initial state is immediately captured. See it as an initial netstat being run before listening to ETW
  • Added the ability to supply a whole IP or the start of an IP for automatic interface selection. For example, you can supply -i 192.168 or a full IP -i 192.168.20.15, which will select the corresponding interface with that start IP. Selecting the index number for the NIC is still applicable, as long as a . is not included, in which case it will search for a related IP
  • Extended host metadata that's captured
  • CallMapper:
    • Major UI improvement
    • Added functionality to visualize multiple WYC result files. This allows for mapping host-based processes to domains and IPs and find shared telemetry activity
    • Greatly extended filtering capabilities regarding details of IPs, domains, processes and executables.
    • Added arguments to CallMapper to specify IP and port to expose the UI
    • Added tabs. Currently there's Summary, Map and Supporters

📄Changes:

  • Removed Summary.txt
  • Changed filenames per process folder for consistency
  • Removed console clear on start
  • Made process start events only be registered when listening to a specific PID or executing a program. When monitoring everything there's simply too much noise.
  • Removed the option to track processes by name as it's more suitable to monitor everything and filter thereafter. It was also removed for better performance and for less complexity overall.
  • Extended the Executable name field in monitored processes to hold an Executable object with more detailed information - see features.
  • Modified the output argument to be able to take custom folders in which the results are stored, allowing for simplified extraction of results
  • Removed the flag to explicitly state that no full packet capture is collected, which now occurs by default when no interface/IP is provided
  • Renamed the argument "Illuminate" to simply "Machine". This applies to both the short and long flag argument, where capital I was provided for Illuminate and now it's capital M, with their long variants with the double dash and word. The reason for this is simply that it doesn't really make sense to call it "Illuminate"; rather, it's a theatrical word for what it does
  • Renamed fields for MonitoredProcess from ProcessStartTime, ProcessStopTime to just StartTime and StopTime. Also renamed ETWRegisteredStartTime to just StartTime for child processes as it takes the embedded start timestamp in the event
  • Removed adding started processes when using the Illuminate flag as it tended to add a lot of noise. Even though the data with processes with telemetry is primarily output from WYC, the Result.json that's read into CallMapper becomes too noisy (and large). In addition, the goal of WYC is to identify processes with telemetry, and the previous code did not align
  • CallMapper:
    • API calls are no longer made at the start of the script. API calls are now made per node in the web GUI.
      • Removed the possibility of having it become backwards compatible to older Results.json files.
    • Made the phone in the icon black instead of white (big change)
  • Lots of Refactoring and code cleaning. This can basically always be expected in every patch.

🛠️ Fixes:

  • Fixed a bug where ETW-registered TCP/UDP events sometimes do not include the process name, causing the events not to be cataloged
  • Fixed an issue where an incorrect filter type was passed for the DFL filter per process
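One way to implement the -i selection rule from the changelog above (a value containing a "." is treated as a full IP or IP prefix, anything else as a NIC index). This is example code added here, not WYC's own implementation; the names Interface, SAMPLE_INTERFACES, select_interface and resolve are assumed, the interface inventory is constructed, and matching on whole dotted labels (so that 192.168.2 does not also match 192.168.20.15) plus refusing ambiguous prefixes are design choices made here, since the changelog only says "start of IP".

```python
# Added example: resolving a -i selector (NIC index, IP prefix, or full IP) to one
# interface. Illustrative code, not the project's own; all names are assumed here.
from dataclasses import dataclass


@dataclass(frozen=True)
class Interface:
    index: int   # NIC index as the capture driver would number it
    name: str
    ipv4: str


# Constructed inventory standing in for what host enumeration would return.
SAMPLE_INTERFACES = (
    Interface(1, "Loopback", "127.0.0.1"),
    Interface(4, "Ethernet", "192.168.20.15"),
    Interface(7, "Wi-Fi", "192.168.2.40"),
    Interface(12, "vEthernet (Hyper-V)", "172.22.96.1"),
)


def _ipv4_labels(selector: str) -> list[str]:
    """Split '192.168' into dotted labels and reject anything that is not a partial IPv4."""
    labels = selector.rstrip(".").split(".")
    if not 1 <= len(labels) <= 4:
        raise ValueError(f"not an IPv4 prefix: {selector!r}")
    for label in labels:
        if not label.isdigit() or int(label) > 255:
            raise ValueError(f"not an IPv4 prefix: {selector!r}")
    return labels


def _prefix_matches(labels: list[str], ipv4: str) -> bool:
    """Compare whole labels: '192.168.2' matches 192.168.2.40 but not 192.168.20.15.

    A plain str.startswith() would match both; label-wise matching is an assumption
    made in this example, the changelog only speaks of the "start of IP".
    """
    return ipv4.split(".")[: len(labels)] == labels


def select_interface(selector: str, interfaces=SAMPLE_INTERFACES) -> Interface:
    """A '.' in the selector means match by IP (prefix or full); otherwise it is a NIC index."""
    selector = selector.strip()
    if "." in selector:
        labels = _ipv4_labels(selector)
        matches = [nic for nic in interfaces if _prefix_matches(labels, nic.ipv4)]
    else:
        if not selector.isdigit():
            raise ValueError(f"not a NIC index: {selector!r}")
        matches = [nic for nic in interfaces if nic.index == int(selector)]
    if not matches:
        raise LookupError(f"no interface matches {selector!r}")
    if len(matches) > 1:
        # A short prefix such as '192.168' can hit several NICs; refusing is safer
        # than silently starting the packet capture on the wrong one.
        hits = ", ".join(f"{nic.index}:{nic.ipv4}" for nic in matches)
        raise LookupError(f"{selector!r} is ambiguous, matches {hits}")
    return matches[0]


def resolve(selector: str, interfaces=SAMPLE_INTERFACES) -> tuple[str, str]:
    """Wrapper returning (status, detail) instead of raising, for CLI-style reporting."""
    try:
        nic = select_interface(selector, interfaces)
    except ValueError as exc:
        return ("invalid", str(exc))
    except LookupError as exc:
        return ("unresolved", str(exc))
    return ("ok", f"{nic.index} {nic.name} {nic.ipv4}")


if __name__ == "__main__":
    for arg in ("4", "192.168.20.15", "192.168.2", "192.168", "10.0", "eth0"):
        print(f"-i {arg:<14} -> {resolve(arg)}")
```

Running the block shows the three outcomes a user can hit: an exact index or IP resolves to one NIC, a prefix that is too short is reported as ambiguous rather than picked arbitrarily, and a selector that is neither digits nor a dotted prefix is rejected before any capture starts.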

H4NM merged commit db4f3ed into main on Mar 5, 2026
5 checks passed