From 5553864ae309b83d0202f7b36a67b77e150857c3 Mon Sep 17 00:00:00 2001 From: protections machine <72879786+protectionsmachine@users.noreply.github.com> Date: Wed, 23 Oct 2024 19:07:44 +1100 Subject: [PATCH] Sync RTA Reverse or Bind Shell via Suspicious Utility (#4187) Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com> (cherry picked from commit 21c45f97fed56e0f3015457e1246563b43ed6153) --- ...ution_reverse_or_bind_shell_via_utility.py | 40 +++++++++++++++++++ 1 file changed, 40 insertions(+) create mode 100644 rta/linux_execution_reverse_or_bind_shell_via_utility.py diff --git a/rta/linux_execution_reverse_or_bind_shell_via_utility.py b/rta/linux_execution_reverse_or_bind_shell_via_utility.py new file mode 100644 index 00000000000..faaca08ec12 --- /dev/null +++ b/rta/linux_execution_reverse_or_bind_shell_via_utility.py @@ -0,0 +1,40 @@ +# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +# or more contributor license agreements. Licensed under the Elastic License +# 2.0; you may not use this file except in compliance with the Elastic License +# 2.0. + +import sys +from . import RtaMetadata, common + +metadata = RtaMetadata( + uuid="8f5607f7-4c55-4458-b908-b2cb22c54cf4", + platforms=["linux"], + endpoint=[ + { + "rule_name": "Reverse or Bind Shell via Suspicious Utility", + "rule_id": "bb330560-0042-48a5-8232-7f2012d6e440", + }, + ], + techniques=["T1059", "T1071"], +) + + +@common.requires_os(*metadata.platforms) +def main() -> None: + common.log("Creating a fake executable..") + masquerade = "/tmp/vim" + + source = common.get_path("bin", "linux.ditto_and_spawn") + common.copy_file(source, masquerade) + common.log("Granting execute permissions...") + common.execute(["chmod", "+x", masquerade]) + + commands = [masquerade, '-c', "socket"] + common.execute([*commands], timeout=5, kill=True) + common.log("Cleaning...") + common.remove_file(masquerade) + common.log("Simulation successfull!") + + +if __name__ == "__main__": + sys.exit(main())