Neton – Tool For Getting Information From Internet Connected Sandboxes


Neton is a tool for getting information from Internet-connected sandboxes. It is composed of an agent and a web interface that displays the collected information.
The Neton agent gets information from the systems on which it runs and exfiltrates it via HTTPS to the web server.

Some of the information it collects:

  • Operating system and hardware information
  • Find files on mounted drives
  • List unsigned

    Deployment

    NetonWeb

    1. Install (with virtualenv):
    python3 -m venv venv
    source venv/bin/activate
    pip3 install -r requirements.txt
    2. Configure the database:
    python3 manage.py migrate
    python3 manage.py makemigrations core
    python3 manage.py migrate core
    • Create user:
    python3 manage.py createsuperuser

    Launch (test)

    python3 manage.py runserver

    Launch (prod)

    • Generate the

    Sample data

    In the sample data folder there is a sqlite database with several samples collected from the following services:

    • Virustotal
    • Tria.ge
    • Metadefender
    • Hybrid Analysis
    • Any.run
    • Intezer Analyze
    • Pikker
    • AlienVault OTX
    • Threat.Zone

    To access the sample information copy the sqlite file to the NetonWeb folder and run the application.

    Credentials:

    • User: raccoon
    • Password: jAmb.Abj3.j11pmMa

    Extra info

    • Slides (ES): https://github.com/Aetsu/Presentaciones/blob/master/Sandbox%20fingerprinting%20-%20Evadiendo%20entornos%20de%20analisis.pdf
    • Video (ES): https://www.youtube.com/watch?v=AyVgIttiUpQ
    • Video (EN): https://www.youtube.com/watch?v=KzwEddl80OQ

    Credits

    • SharpEDRChecker: https://github.com/PwnDexter/SharpEDRChecker
    • Pafish: https://github.com/a0rtega/pafish
    • Al-Khaser: https://github.com/LordNoteworthy/al-khaser
    • OffensiveCSharp -> HookDetector: https://github.com/matterpreter/OffensiveCSharp/tree/master/HookDetector
    • OffensiveCSharp -> DriverQuery: https://github.com/matterpreter/OffensiveCSharp/tree/master/DriverQuery