
Add internet detector utility #1121

Merged
merged 1 commit into from
Sep 2, 2024

Conversation

@emtuls (Member) commented Aug 24, 2024

This adds a script to detect whether the internet connection is active by adding an icon in the taskbar and also changing the background based on whether internet is detected or not.

This will also require the addition of a new Python library to install:
pywin32

@emtuls emtuls added the 🌀 FLARE-VM A package or feature to be used by FLARE-VM label Aug 24, 2024
@emtuls emtuls self-assigned this Aug 24, 2024
@emtuls emtuls requested a review from Ana06 August 24, 2024 21:57
Five review threads on scripts/utils/internet_detect_tool.py (outdated, resolved)
@mr-tz (Contributor) commented Aug 26, 2024

How does this script interact with FakeNet? Should FakeNet be handled specifically?

@Ana06 (Member) commented Aug 26, 2024

> How does this script interact with FakeNet? Should FakeNet be handled specifically?

If fakenet response is the one we would get with internet, our tool (as other programs like malware) thinks the internet is on. The default fakenet response shouldn't match the ones we are expecting, so without modifying the default fakenet configuration, it will think there is no internet.

@mr-tz do you have a proposal to improve the implementation? What exactly do you mean by handling fakenet specifically?

Note: I think this tool could be hosted in the fakenet repository and even be part of fakenet. It would need to be discussed with the fakenet maintainers to see if it is feasible once we have a working and tested version.

@mr-tz (Contributor) commented Aug 26, 2024

I'd expect it to not warn users that the Internet is reachable if FakeNet is running.

@emtuls emtuls force-pushed the internet-detector branch from c6c2aed to dd7fd97 Compare August 27, 2024 01:03
@emtuls (Member, Author) commented Aug 27, 2024

This raises a good thought.

While the tool works with FakeNet active, you would see a lot of requests generated in order for the tool to function promptly. We can potentially reduce the request interval, but this would cause a delay in detecting internet which is a trade-off we need to consider.

What interval would be fair enough to detect a real internet connection in enough time for a user to be aware, while also not being too intrusive in the FakeNet output? Also note, due to adding backup internet connectivity URLs, there are now multiple requests that are issued consecutively, rather than a single one.
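The two points raised above (a connectivity check that is not fooled by a simulator's canned reply, and backup URLs whose consecutive requests add noise proportional to the polling interval) are illustrated by the following added example. It is not the VM-Packages tool's code: the probe URLs under `example.invalid`, the expected bodies, and the `fetch` callable are constructed placeholders so the module can be exercised offline, and the names `Probe`, `check_connectivity` and `requests_per_hour` are hypothetical.

```python
"""Connectivity probe that tells real internet access apart from a canned
interception response (the FakeNet case discussed above), with backup URLs.

Added illustration, not the VM-Packages tool's code. The probe URLs and the
expected bodies are constructed placeholders; `fetch` is an injectable callable
so the module can be exercised offline.
"""
from dataclasses import dataclass
from typing import Callable, Optional, Sequence
import urllib.request


@dataclass(frozen=True)
class Probe:
    """A URL together with the exact body a genuine server returns for it."""
    url: str
    expected_body: bytes


# Constructed placeholders. A real deployment uses endpoints whose response body
# is fixed by their operator; a simulator answering every request with a generic
# page will not reproduce these bodies, so its reply counts as "no internet".
DEFAULT_PROBES: Sequence[Probe] = (
    Probe("http://example.invalid/primary-check", b"primary-ok"),
    Probe("http://example.invalid/backup-check", b"backup-ok"),
)

# Signature of a fetcher: (url, timeout_seconds) -> body, or None on failure.
Fetcher = Callable[[str, float], Optional[bytes]]


def http_fetch(url: str, timeout: float) -> Optional[bytes]:
    """Default fetcher using the standard library; None on any network error."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read()
    except Exception:  # DNS failure, refused connection, timeout, HTTP error
        return None


@dataclass(frozen=True)
class CheckResult:
    detected: bool
    requests_made: int          # how many probes were sent in this cycle
    matched_url: Optional[str]  # the URL whose body matched, if any


def check_connectivity(probes: Sequence[Probe] = DEFAULT_PROBES,
                       fetch: Fetcher = http_fetch,
                       timeout: float = 3.0) -> CheckResult:
    """Send probes in order and stop at the first exact body match.

    A failed request or a non-matching body falls through to the next backup
    probe, so one flaky URL does not cause a false "no internet". A canned reply
    that differs from the expected body is treated as no internet, which is why
    the tool keeps reporting "not detected" while a default FakeNet answers it.
    """
    for n, probe in enumerate(probes, start=1):
        body = fetch(probe.url, timeout)
        if body is not None and body.strip() == probe.expected_body:
            return CheckResult(True, n, probe.url)
    return CheckResult(False, len(probes), None)


def internet_detected(**kwargs) -> bool:
    """Convenience wrapper returning just the boolean state."""
    return check_connectivity(**kwargs).detected


def requests_per_hour(interval_seconds: float, probes: int) -> float:
    """Upper bound on probe traffic per hour for a given polling interval.

    When the internet is absent every probe is tried each cycle, so this is the
    noise an interception tool such as FakeNet would log per hour; it is the
    quantity traded off against detection latency in the discussion above.
    """
    return 3600.0 / interval_seconds * probes


if __name__ == "__main__":
    result = check_connectivity()
    print("Internet Detected" if result.detected else "Internet Not Detected",
          f"({result.requests_made} probe(s) sent)")
```

Comparing the body against a known value rather than only checking for an HTTP 200 is what makes a generic simulated response fail the check; the cost is that every probe must point at an endpoint with a stable, documented body. `requests_per_hour` makes the interval trade-off explicit: with two probes and a 20 second interval the worst case is 360 requests per hour showing up in the interception log.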

@emtuls emtuls requested a review from Ana06 August 27, 2024 01:09
@emtuls emtuls force-pushed the internet-detector branch 2 times, most recently from 0df911b to d142d11 Compare August 27, 2024 02:09
@emtuls (Member, Author) commented Aug 27, 2024

I was able to remove the PyQt5 dependency. :)

@emtuls emtuls force-pushed the internet-detector branch from d142d11 to 4549599 Compare August 27, 2024 02:17
@emtuls (Member, Author) commented Aug 27, 2024

Added nicer tooltips that explain what the icons mean: "Internet Detected" vs "Internet Not Detected"

@emtuls emtuls force-pushed the internet-detector branch 2 times, most recently from 9fceab4 to b12faaf Compare August 27, 2024 02:36
@mr-tz (Contributor) commented Aug 27, 2024

I remember some filtering work FakeNet did on Internet connectivity checks to reduce noise. Maybe @tinajohnson can chime in on this?

I'm not sure what a good interval would be, maybe 20 seconds?

@Ana06 (Member) commented Aug 27, 2024

> I remember some filtering work FakeNet did on Internet connectivity checks to reduce noise.

We can use the fakenet listener filtering by ensuring the process name has a unique name. We can do this either in fakenet or in the tool package (that should be added to this PR too)

@emtuls emtuls force-pushed the internet-detector branch 3 times, most recently from 394cfd5 to 68bf888 Compare August 28, 2024 04:07
@emtuls (Member, Author) commented Aug 28, 2024

Chatting with the FakeNet team, it sounds like we can add the tool to "Diverter's ProcessBlackList and HTTPListener's ProcessBlackList":
see the second paragraph ("You may also want to enable...") here: https://github.com/mandiant/flare-fakenet-ng?tab=readme-ov-file#anonymous-listener

@emtuls (Member, Author) commented Aug 28, 2024

I also updated the tool to use a pink icon when internet is active and gray when not, converted everything over to a VM Package, and have it install a scheduled task to run every 2 minutes.

It is a .pyw file so that no terminal window pops up when it runs.

@emtuls emtuls force-pushed the internet-detector branch 2 times, most recently from 871bbf1 to 593bdaa Compare August 28, 2024 04:32
@emtuls (Member, Author) commented Aug 28, 2024

Also note, this will fail to pass test_upload because it requires certain files to already exist in the main branch:
https://github.com/mandiant/VM-Packages/pull/1121/files#diff-bb3df9f8d616b7a9b00f92220dafa6cc20883cdd518f04b8e2c3e3993dfe9fe6R15

@emtuls emtuls requested a review from Ana06 August 28, 2024 05:06
@emtuls emtuls force-pushed the internet-detector branch 3 times, most recently from b1a6741 to a5a7a32 Compare August 29, 2024 04:28
@emtuls emtuls requested a review from Ana06 August 29, 2024 04:31
@Ana06 (Member) left a review comment

Great work @emtuls 🎉

Just some minor improvement suggestions 😉

  • can we change the pink icon to have more contrast with the pink taskbar? (for example with a more intense/lighter pink) It is a bit difficult to see when it is hidden, and it does not hurt when it is not.

  • it would be nice if the icon were always visible. It seems I can move it manually to the taskbar and then it stays there. It would be nice if the tool could place it there. I propose you open an issue on this and research whether it is possible after this PR has been merged. As it can be placed manually in the taskbar, I do not consider this a blocker and I would like to start using the tool! 🎉

@Ana06 Ana06 requested review from williballenthin and mr-tz August 29, 2024 10:27
@emtuls emtuls force-pushed the internet-detector branch from a5a7a32 to 272fac7 Compare August 29, 2024 18:11
@emtuls emtuls requested a review from Ana06 August 29, 2024 18:22
@emtuls (Member, Author) commented Aug 29, 2024

> Great work @emtuls 🎉
>
> Just some minor improvement suggestions 😉
>
>   • can we change the pink icon to have more contrast with the pink taskbar? (for example with a more intense/lighter pink) It is a bit difficult to see when it is hidden, and it does not hurt when it is not.
>   • it would be nice if the icon were always visible. It seems I can move it manually to the taskbar and then it stays there. It would be nice if the tool could place it there. I propose you open an issue on this and research whether it is possible after this PR has been merged. As it can be placed manually in the taskbar, I do not consider this a blocker and I would like to start using the tool! 🎉

I have updated it to just use the colored version, which I think looks great with the pink taskbar.

Unfortunately, I don't think there's a way to force the icon to stay on the tray in the taskbar... For me, it starts there but sometimes gets moved; it can be moved back down manually. I couldn't find any way to force it to stay on the bottom.

@emtuls emtuls force-pushed the internet-detector branch 2 times, most recently from 2ad703a to 1d88d3b Compare August 29, 2024 18:58
@Ana06 (Member) left a review comment

tool looks good! we need to figure out

Review thread on packages/internet_detector.vm/tools/default.ini (outdated, resolved)
Two review threads on packages/internet_detector.vm/tools/chocolateyinstall.ps1 (outdated, resolved)
@emtuls emtuls force-pushed the internet-detector branch 4 times, most recently from 571d770 to b0c56b2 Compare August 30, 2024 18:58
@Ana06 (Member) left a review comment

If I have internet in the VM and I start fakenet, I expect the tool to keep showing me there is internet. But this is not the case at the moment (both with and without the config file). Is this the fakenet bug reported in mandiant/flare-fakenet-ng#190?

Review thread on packages/internet_detector.vm/tools/chocolateyinstall.ps1 (outdated, resolved), on these lines:
# $trigger = New-ScheduledTaskTrigger -Once -At (Get-Date) -RepetitionInterval (New-TimeSpan -Minutes 2)
# Register-ScheduledTask -Action $action -Trigger $trigger -TaskName 'Internet Detector' -Force

# Copy updated `default.ini` with tool added to ProcessBlackList to FakeNet Config Directory
@Ana06 (Member) commented inline, Sep 2, 2024

If fakenet is reinstalled (to update to a newer version, for example) this change will be lost. So I think we should explain in a TODO comment here that this is a temporary workaround, and aim to contribute this change to fakenet soon.

Member commented inline (follow-up)

Alternatively (better, more robust solution): move this to our fakenet package in this PR.

We can still open the PR/issue in fakenet afterwards to discuss if porting the change upstream is an option, as otherwise we will have to keep this file in sync in our package which is not ideal.

Review thread on packages/internet_detector.vm/tools/chocolateyinstall.ps1 (outdated, resolved)
@emtuls emtuls force-pushed the internet-detector branch 4 times, most recently from dd87129 to d24ab7f Compare September 2, 2024 15:51
@Ana06 (Member) left a review comment

Thanks for all the work @emtuls, two minor improvement suggestions, but I think we are good to merge this! 😉

Two review threads on packages/fakenet-ng.vm/tools/chocolateyinstall.ps1 (outdated, resolved)
Co-authored-by: Ana Martinez Gomez <[email protected]>
@Ana06 (Member) left a review comment

We are ready to finally get this in and get my pink dynamic analysis VM! 🩷

@emtuls emtuls merged commit 24c8bca into main Sep 2, 2024
6 checks passed
@emtuls emtuls deleted the internet-detector branch September 2, 2024 16:34
4 participants