An environment for comprehensive, automated analysis of web-based exploits, based on Cuckoo sandbox.
Contributed By Check Point Software Technologies LTD.
CuckooSploit is an environment for comprehensive, automated analysis of web-based exploits, based on Cuckoo sandbox.
The framework accepts a URL or a PCAP file and works at three levels:
Exploitation Process - Detecting the core components of the exploitation process (ROP chains, shellcodes and heap sprays) for cases in which exploitation takes place but fails to launch its payload for any of several reasons, along with immediate, successful post-exploitation phenomena (for example, process creation).
Full Flow Emulation - Implementing the approach of full web emulation, rather than emulation of a single file at a time, since many exploits served by Exploit Kits do not work outside the web-page context (they require configuration and/or arguments).
By using full web emulation on different combinations of OS/browser/plugin version, CuckooSploit increases the rate of malicious URL detection and presents a reliable verdict and, in some cases, CVE identification.
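The page names the artifacts the Exploitation Process level looks for (ROP chains, shellcode, heap sprays) but does not describe how they are recognised. The following Python snippet is an added illustration, not CuckooSploit's or Cuckoo's own code: it applies two common heap-spray heuristics to a memory region, the share of fixed-size blocks that are exact duplicates of another block, and the longest run of "sled" bytes. The function names, the sled byte set, the thresholds and the two sample regions are all constructed assumptions for this example.

```python
"""Heap-spray heuristics over a raw memory region (added example, not Cuckoo code)."""
from collections import Counter
import random

# Constructed assumption: bytes commonly used to pad sprayed blocks
# (0x90 NOP, and the 0x0c/0x0d values seen in classic browser sprays).
SLED_BYTES = {0x90, 0x0C, 0x0D}


def repeated_block_ratio(region: bytes, block_size: int = 4096) -> float:
    """Fraction of block_size-sized blocks that are identical to at least one other block.

    A heap spray fills the heap with many copies of the same payload, so a
    high ratio is a strong indicator. Regions shorter than one block yield 0.0.
    """
    blocks = [region[i:i + block_size]
              for i in range(0, len(region) - block_size + 1, block_size)]
    if not blocks:
        return 0.0
    counts = Counter(blocks)
    duplicated = sum(c for c in counts.values() if c > 1)
    return duplicated / len(blocks)


def longest_sled(region: bytes) -> int:
    """Length of the longest contiguous run of bytes drawn from SLED_BYTES."""
    best = run = 0
    for b in region:
        if b in SLED_BYTES:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def analyze_region(region: bytes, block_size: int = 4096,
                   dup_threshold: float = 0.5, sled_threshold: int = 256) -> dict:
    """Combine both heuristics into a verdict; thresholds are assumed values."""
    ratio = repeated_block_ratio(region, block_size)
    sled = longest_sled(region)
    return {
        "duplicate_block_ratio": round(ratio, 3),
        "longest_sled": sled,
        "heap_spray": ratio >= dup_threshold,
        "nop_sled": sled >= sled_threshold,
    }


def build_spray_sample(copies: int = 64, block_size: int = 4096) -> bytes:
    """Constructed sample: a 0x0c sled followed by a 64-byte dummy tail, repeated."""
    payload = b"\x0c" * (block_size - 64) + bytes(range(64))
    return payload * copies


def build_benign_sample(size: int = 64 * 4096) -> bytes:
    """Constructed sample: deterministic pseudo-random data, no repeats or sleds."""
    rng = random.Random(1)
    return bytes(rng.getrandbits(8) for _ in range(size))


if __name__ == "__main__":
    print("spray :", analyze_region(build_spray_sample()))
    print("benign:", analyze_region(build_benign_sample()))
```

On the sprayed sample every block is a duplicate and the sled spans almost the whole block, so both flags fire; on the pseudo-random region neither does. In a real sandbox the region would come from a memory dump of the browser process, and the block size should match the allocation granularity the spray script uses, which is why it is a parameter here.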
In our experience, the IE process might crash or cause all kinds of problems when injected with cuckoomon.dll while Windows Defender and Windows Firewall are on (especially with IE versions 10/11). So we currently recommend turning both off (in addition to turning UAC off for PCAP emulation).
For enabling PCAP emulation using CapTipper, see the following instructions: