EyeWitness - Looking Sharp

Ever since its initial release, EyeWitness has only had a Linux version (originally in Python 2, and now in Python 3). This has proven very useful for us on our tests and it's a tool we run on every single assessment. However, there has always been a need for a real Windows version of EyeWitness. It would make life easier for us while on tests, especially if installing and running EyeWitness on a Linux system wasn't an option.

With Cobalt Strike's Beacon having the ability to run .Net assemblies all in memory on a system, we had a real reason to write a .Net version of EyeWitness. This would allow us to not only run it stand-alone on a Windows system, but also deploy EyeWitness through Beacon on our assessments. Finally, after having the time to build out this functionality, we are happy to release a .Net implementation of EyeWitness - available here!

EyeWitness running in Cobalt Strike

For the tool's first release, we want to talk about different ways that we think EyeWitness could be detected within an environment. Our next blog post will talk about methods of using EyeWitness from an offensive perspective.

Keep in mind, these opportunities for detection could possibly be improved upon, and we'd be happy to update this post with any missing detections that could better help identify malicious use of EyeWitness.

First, when you look at specific strings within EyeWitness you can see that a pdb path is listed as "C:\Users\User\Desktop\EyeWitness-master\CS\EyeWitness\obj\Debug\EyeWitness.pdb".

Embedded Path

The compiled version of EyeWitness included under the "Releases" of Github is a version which is compiled in Debug mode rather than Release.

EyeWitness still attempts to identify default credentials associated with each web application that it screenshots. It also attempts to categorize web applications (to group similar web apps in the report). EyeWitness accomplishes both of these tasks by parsing a text file containing "signatures". EyeWitness will make a web request each time that it runs to the following URLs:

Embedded URLs

EyeWitness makes a web request to each of those URLs to have the latest signatures each time it runs, so if you observe web requests to those URLs, then it's very possible that EyeWitness is running.

Finally, EyeWitness will always write out its report within the current user accounts AppData\Roaming directory. The EyeWitness directory also contains the date and time that someone ran EyeWitness (to ensure a unique directory is created for each run. The code for the directory creation is as follows:

Directory creation

I hope that this helps give some ideas on how you can detect EyeWitness. If you have any questions, feel free to Contact Us!