From 3e1fe91a1c51725ea99bcd618b67d0b8128afe0b Mon Sep 17 00:00:00 2001 From: protections machine <72879786+protectionsmachine@users.noreply.github.com> Date: Wed, 23 Oct 2024 16:22:28 +1100 Subject: [PATCH] Sync RTA Potential Proxy Execution via Sysctl (#4179) Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com> --- ...ense_evasion_proxy_execution_via_sysctl.py | 47 +++++++++++++++++++ 1 file changed, 47 insertions(+) create mode 100644 rta/linux_defense_evasion_proxy_execution_via_sysctl.py diff --git a/rta/linux_defense_evasion_proxy_execution_via_sysctl.py b/rta/linux_defense_evasion_proxy_execution_via_sysctl.py new file mode 100644 index 000000000..0e7cb1764 --- /dev/null +++ b/rta/linux_defense_evasion_proxy_execution_via_sysctl.py @@ -0,0 +1,47 @@ +# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +# or more contributor license agreements. Licensed under the Elastic License +# 2.0; you may not use this file except in compliance with the Elastic License +# 2.0. + +import sys +from . import RtaMetadata, common + +metadata = RtaMetadata( + uuid="aed2d3be-94d1-4e19-80dd-6412b336e827", + platforms=["linux"], + endpoint=[ + { + "rule_name": "Potential Proxy Execution via Sysctl", + "rule_id": "268ffea4-fc13-4ab5-a473-07d10255ea8d", + }, + ], + techniques=["T1218", "T1059"], +) + + +@common.requires_os(*metadata.platforms) +def main() -> None: + common.log("Creating a fake executable..") + masquerade = "/tmp/sysctl" + masquerade2 = "/tmp/sh" + + source = common.get_path("bin", "linux.ditto_and_spawn") + common.copy_file(source, masquerade) + common.log("Granting execute permissions...") + common.execute(["chmod", "+x", masquerade]) + + source = common.get_path("bin", "linux.ditto_and_spawn") + common.copy_file(source, masquerade2) + common.log("Granting execute permissions...") + common.execute(["chmod", "+x", masquerade2]) + + commands = [masquerade, masquerade, 'kernel.core_pattern=/bin/sh -c'] + common.execute([*commands], timeout=5, kill=True) + common.log("Cleaning...") + common.remove_file(masquerade) + common.remove_file(masquerade2) + common.log("Simulation successfull!") + + +if __name__ == "__main__": + sys.exit(main())