I created this tool because I wanted an easier way to evaluate the output of Malwarebytes scans that were being conducted by infrastructure teams.
Normally these scans write their output to an XML file that is difficult to interpret unless the reader has worked through the entire 37-page guide. This tool provides a standard, human-readable output that non-security personnel can interpret more easily.
The official documentation for the Malwarebytes MBBR tool is at this LINK; the high-level synopsis below is Malwarebytes' own description of what the tool is designed to do.
Malwarebytes Breach Remediation is designed to allow business users to detect and remove malware from endpoints. It is built upon the power of our flagship anti-malware client, Malwarebytes Anti-Malware, which allows Malwarebytes Breach Remediation to run in environments which often render other anti-malware applications helpless.
An example of the standard output of a scan is below:
<?xml version="1.0" encoding="UTF-16" ?>
<mbam-log>
<header>
<date>2015/01/08 16:28:18 -0800</date>
<logfile>MP-STDOUT.XML</logfile>
<isadmin>no</isadmin>
</header>
<engine>
<version>2.00.0.1030</version>
<malware-database>v2015.01.07.14</malware-database>
<rootkit-database>v2015.01.07.01</rootkit-database>
<license>premium</license>
<file-protection>disabled</file-protection>
<web-protection>disabled</web-protection>
<self-protection>disabled</self-protection>
</engine>
<system>
<osversion>Windows 8.1</osversion>
<arch>x64</arch>
<username>administrator</username>
<filesys>NTFS</filesys>
</system>
<summary>
<type>custom</type>
<result>completed</result>
<objects>231856</objects>
<time>30</time>
<processes>1</processes>
<modules>1</modules>
<keys>1</keys>
<values>1</values>
<datas>1</datas>
<folders>1</folders>
<files>1</files>
<sectors>1</sectors>
</summary>
<options>
<memory>enabled</memory>
<startup>enabled</startup>
<filesystem>enabled</filesystem>
<archives>enabled</archives>
<rootkits>disabled</rootkits>
<deeprootkit>disabled</deeprootkit>
<heuristics>enabled</heuristics>
<pup>enabled</pup>
<pum>enabled</pum>
</options>
<items>
<process>
<path>HKLM\PROCESS1\Google\Chrome\Extensions\blmchfpimpbbdmgpcieclabeafkljbhm</path>
<vendor>PUP.Optional.Groovorio.A</vendor>
<action></action>
<hash>8dfc9b5b4841ff3703a7196e3ec5ab55</hash>
</process>
<module>
<path>HKLM\MODULE1\Google\Chrome\Extensions\blmchfpimpbbdmgpcieclabeafkljbhm</path>
<vendor>PUP.Optional.Groovorio.A</vendor>
<action></action>
<hash>8dfc9b5b4841ff3703a7196e3ec5ab55</hash>
</module>
<key>
<path>HKLM\KEY1\Google\Chrome\Extensions\blmchfpimpbbdmgpcieclabeafkljbhm</path>
<vendor>PUP.Optional.Groovorio.A</vendor>
<action></action>
<hash>8dfc9b5b4841ff3703a7196e3ec5ab55</hash>
</key>
<value>
<path>HKLM\VALUE1\Google\Chrome\Extensions\blmchfpimpbbdmgpcieclabeafkljbhm</path>
<vendor>PUP.Optional.Groovorio.A</vendor>
<action></action>
<hash>8dfc9b5b4841ff3703a7196e3ec5ab55</hash>
</value>
<data>
<path>c:\DATA1\test-trojan.exe</path>
<vendor>MBAM.Test.Trojan</vendor>
<action></action>
<hash>e2b839bb6a1fda5c4bdadd73ac56cb35</hash>
</data>
<folder>
<path>c:\FOLDER1\test-trojan.exe</path>
<vendor>MBAM.Test.Trojan</vendor>
<action></action>
<hash>e2b839bb6a1fda5c4bdadd73ac56cb35</hash>
</folder>
<file>
<path>c:\FILE1\test-trojan.exe</path>
<vendor>MBAM.Test.Trojan</vendor>
<action></action>
<hash>e2b839bb6a1fda5c4bdadd73ac56cb35</hash>
</file>
<sector>
<path>c:\SECTOR1\test-trojan.exe</path>
<vendor>MBAM.Test.Trojan</vendor>
<action></action>
<hash>e2b839bb6a1fda5c4bdadd73ac56cb35</hash>
</sector>
</items>
</mbam-log>
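As an added example (not the project's own code), a minimal parser that reduces a log in the format above to a verdict and a plain-text report. Element names follow the sample log; SAMPLE_LOG is a constructed, trimmed copy of that sample, and the "none recorded" wording for an empty `<action>` is this example's own choice.

```python
import xml.etree.ElementTree as ET

# Item element names that may appear under <items>, taken from the sample log above.
ITEM_TYPES = ("process", "module", "key", "value", "data", "folder", "file", "sector")
# Constructed sample log: same layout as the page's example, trimmed to the fields used here.
SAMPLE_LOG = r"""<mbam-log><header><date>2015/01/08 16:28:18 -0800</date></header>
<engine><version>2.00.0.1030</version><malware-database>v2015.01.07.14</malware-database></engine>
<summary><result>completed</result><objects>231856</objects></summary>
<items><key><path>HKLM\KEY1\Google\Chrome\Extensions\blmchfpimpbbdmgpcieclabeafkljbhm</path>
<vendor>PUP.Optional.Groovorio.A</vendor><action></action><hash>8dfc9b5b4841ff3703a7196e3ec5ab55</hash></key>
<file><path>c:\FILE1\test-trojan.exe</path><vendor>MBAM.Test.Trojan</vendor><action></action>
<hash>e2b839bb6a1fda5c4bdadd73ac56cb35</hash></file></items></mbam-log>"""

def child_text(parent, tag, default="unknown"):
    """Stripped text of a child element, or `default` when the element is missing or empty."""
    node = parent.find(tag) if parent is not None else None
    return node.text.strip() if node is not None and node.text and node.text.strip() else default

def parse_mbbr(xml_data):
    """Reduce an MBBR log (str, or bytes read from a real UTF-16 file) to the facts that matter."""
    root = ET.fromstring(xml_data)
    if root.tag != "mbam-log":
        raise ValueError(f"not an MBBR log: root element is <{root.tag}>")
    header, engine, summary, items = (root.find(t) for t in ("header", "engine", "summary", "items"))
    detections = []
    for kind in ITEM_TYPES:  # one <process>/<file>/... element per detected object
        for node in (items.findall(kind) if items is not None else []):
            detections.append({"type": kind, "path": child_text(node, "path"),
                               "threat": child_text(node, "vendor"), "hash": child_text(node, "hash"),
                               "action": child_text(node, "action", "none recorded")})
    return {"scanned_at": child_text(header, "date"), "engine": child_text(engine, "version"),
            "malware_db": child_text(engine, "malware-database"),
            "result": child_text(summary, "result"),
            "objects_scanned": int(child_text(summary, "objects", "0")),
            "detections": detections, "clean": not detections}

def render_report(report):
    """Plain-text summary a non-security reader can act on."""
    lines = [f"MBBR scan {report['scanned_at']} (engine {report['engine']}, db {report['malware_db']})",
             f"Scan result: {report['result']}, {report['objects_scanned']} objects scanned"]
    if report["clean"]:
        lines.append("Verdict: CLEAN - no threats recorded")
    else:
        lines.append(f"Verdict: DIRTY - {len(report['detections'])} threat item(s) recorded")
        for d in report["detections"]:
            lines.append(f"  [{d['type']}] {d['threat']} at {d['path']}"
                         f" (action: {d['action']}, md5 {d['hash']})")
    return "\n".join(lines)
```

For a real log, pass the file's raw bytes (read in binary mode) rather than decoded text, so the parser honours the UTF-16 declaration at the top of the file.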
- Takes an MBBR-STDOUT XML file and parses it into a concise standard-text output
- Accepts a file dragged and dropped onto the CLI or a manually typed path to the XML file
- The default functionality of this tool (parsing XML files) needs no extra libraries or modules
- Requires a Python interpreter, v3.6 or higher, because the code uses string interpolation (f-strings)
- Can be converted to a standalone exe if built on Windows
- Should work on Linux, OSX, or Windows
- Example output files from MBBR scans are provided; they all start with 'MBBR-STDOUT' and show the expected output
rootdir:.
│ config.json
│ main.py
│ README.md
│ requirements.txt
│
├───resources
│ │ check_for_threats.py
│ │ compare_dates.py
│ │ errors.py
│ │ user_prompts.py
│ │ utils.py
│ │ __init__.py
│
├───tests
│ │ test_check_for_threats.py
│ │ test_compare_dates.py
│ │ test_main.py
│ │ test_user_prompts.py
│ │ __init__.py
│ │
│ ├───test_resources
│ │ MBBR-STDOUT_all_single_events.XML
│ │ MBBR-STDOUT_mixed_results.XML
│ │ MBBR-STDOUT_no_events.XML
│
Run the binary or standalone exe to start the CLI prompts.
Either drag and drop the output XML file into the CLI or manually enter the path to the file. The first example is the output from a clean scan; the second example is the output from a dirty scan.
#blueteam