From 020140a9a72cc94dd363f6f334d5e7694c60cfbe Mon Sep 17 00:00:00 2001
From: protections machine <72879786+protectionsmachine@users.noreply.github.com>
Date: Thu, 24 Oct 2024 00:48:36 +1100
Subject: [PATCH] react_sync_rta_updates_4215 Network Connection by Foomatic-rip Child (#4196)

(cherry picked from commit 77f0ee85d90aff7373cd71b1e936a3d028f618d7)
---
 ...d_and_control_cupsd_foomatic_rip_netcon.py | 52 +++++++++++++++++++
 1 file changed, 52 insertions(+)
 create mode 100644 rta/linux_command_and_control_cupsd_foomatic_rip_netcon.py

diff --git a/rta/linux_command_and_control_cupsd_foomatic_rip_netcon.py b/rta/linux_command_and_control_cupsd_foomatic_rip_netcon.py
new file mode 100644
index 00000000000..fc823dbd5d6
--- /dev/null
+++ b/rta/linux_command_and_control_cupsd_foomatic_rip_netcon.py
@@ -0,0 +1,52 @@
+# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
+
+import sys
+from . import RtaMetadata, common
+
+metadata = RtaMetadata(
+    uuid="8c634401-fd71-475e-b449-41b776b2b8c9",
+    platforms=["linux"],
+    endpoint=[
+        {
+            "rule_name": "Network Connection by Foomatic-rip Child",
+            "rule_id": "93d7b72d-3914-44fb-92bf-63675769ef12",
+        },
+    ],
+    techniques=["T1203"],
+)
+
+
+@common.requires_os(*metadata.platforms)
+def main() -> None:
+    # Path for the fake executable
+    masquerade = "/tmp/foomatic-rip"
+    source = common.get_path("bin", "netcon_exec_chain.elf")
+
+    common.log("Creating a fake executable..")
+    common.copy_file(source, masquerade)
+    common.log("Granting execute permissions...")
+    common.execute(['chmod', '+x', masquerade])
+
+    # Execute the fake executable
+    common.log("Executing the fake executable..")
+    commands = [
+        masquerade,
+        'chain',
+        '-h',
+        '8.8.8.8',
+        '-p',
+        '53',
+        '-c',
+        '/tmp/foomatic-rip netcon -h 8.8.8.8 -p 53'
+    ]
+    common.execute([*commands], timeout=5, kill=True)
+
+    # Cleanup
+    common.remove_file(masquerade)
+
+
+if __name__ == "__main__":
+    sys.exit(main())
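Review bot: The cleanup at the end of `main()`, `common.remove_file(masquerade)`, is only reached on the happy path; if `common.execute` raises (the 5-second timeout with `kill=True` is a plausible trigger, though how `common` surfaces that is not visible here) the test leaves an executable ELF named `/tmp/foomatic-rip` on the host, so the copy/chmod/execute sequence should sit under `try:` with `finally: common.remove_file(masquerade)` so the masquerade binary is always removed. The fixed path under world-writable `/tmp` also deserves a note: if this RTA runs with elevated privileges (likely, since it stands in for a cupsd child) a pre-existing `/tmp/foomatic-rip` or symlink dropped by another local user is what `copy_file` overwrites and `execute` runs; moving to a `tempfile.mkdtemp()` directory would avoid that, but the `-c` string hard-codes the same literal path and I cannot tell from this hunk whether the detection keys on the basename `foomatic-rip` alone, so both places would need to change together. Finally, the test produces a real outbound connection to `8.8.8.8:53`, which egress-filtered lab hosts may block and which lands as a genuine event in network telemetry; a one-line comment above `commands = [` such as `# Real egress to 8.8.8.8:53 — expect a DNS-port connection in network telemetry and allow it through lab egress rules` would spare operators a surprise. As a minor style point, `common.execute([*commands], ...)` copies a list that is already a list; `common.execute(commands, timeout=5, kill=True)` reads more directly.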