Following the release today by the United States Computer Emergency Readiness Team (https://www.us-cert.gov/APTs-Targeting-IT-Service-Provider-Customers), one of the steps they recommend is to use tools to detect intrusions and identify compromised systems and that these tool reports on APT (advanced persistent threat) actors using Sogu (also called PlugX) to compromise MSP systems. NCCIC recommends that network defenders use these tools to help identify APT activity.
This is where this script comes in. I’ve encapsulated the Powershell script into an Automate script. This script uses C# code to generate a list of SOGU filenames based on the algorithm used in the SOGU implant. The script then utilizes PowerShell to query the system for drive information and, if selected, locates any Sogu files found on disk. If found, a ticket, alert and e-mail will be generated.
As always I would recommend testing this script thoroughly before running it across your estate.
This XML will import two scripts – one to Impact Computing\Security – Maintenance, and another to Impact Computing\Function Scripts – the latter is a Darren White script and is a function script to send results to a technician.
If you are going to schedule to run this, I would schedule it out of hours as it has the potential to spike disk IO. This script purposely bypasses the LabTech Guarding Process so it can run longer than 5 minutes, so if the script sticks you will be left with a powershell.exe instance running until reboot. This won’t cause an immediate problem, but worth bearing in mind. None of mine stuck during test, and this script should work on anything with Powershell 2 or above.