Hi, I’m new to all of this. I’ve been looking into setting up a set of confusion-generating tools, informed by what I’ve seen on various Youtube videos (Jim Browning, Lewis’s Tech, ScorpioNick). The idea is to stop the scammer from seeing anything “wrong”.
It is early days; so far, I've written a Python3 script that will search-and-replace some strings from the language files in system32/en-US (would also work for other en-locales):
- Taskmgr.exe.mui: change "Stopped" to "Running"
- msconfig.exe.mui: change "Stopped" to "Running"
- netstat.exe.mui: change "ESTABLISHED", "TIME_WAIT", and "CLOSE_WAIT" to "BLOCKED"
TODO:
- msinfo32: I can't find where it pulls the words "Stopped" and "Running" from for the services view. Doesn't seem to be in any language file in system32/en-US
- eventvwr: use wevtutil to delete errors/warnings (wevtutil qe / parse XML output / wevtutil cl)
- tree: create a clone that responds to Ctrl+C but also flushes the keyboard buffer before returning to cmd prompt (and displays a message like "0 viruses found. 0 trojans founds. System is secured.")
- Action Center: spoof security options, including Network Access Protection, to "Yes" in the correct green
- msinfo32 and Device Manager: spoof VM devices (reinventing the wheel?)
Anyone have any tips or suggestions? I'm really stuck on msinfo32