[New ER RTA] Potential Linux Rev Shell via Java (#2897)

* [New ER RTA] Potential Linux Rev Shell via Java * Added execute permissions to the RTA * Added 10 millisecond sleep to fix sequencing issue * Update exec_java_revshell_linux.py * Added source code
2023-06-30 14:21:06 +02:00
parent 9794f8f0af
commit cf4bbfbcef
3 changed files with 144 additions and 0 deletions
@@ -0,0 +1,47 @@
+# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
+
+from . import common
+from . import RtaMetadata
+
+metadata = RtaMetadata(
+    uuid="e0db3577-879e-4ac2-bd58-691e1343afca",
+    platforms=["linux"],
+    endpoint=[{"rule_name": "Potential Linux Reverse Shell via Java", "rule_id": "e0db3577-879e-4ac2-bd58-691e1343afca"}],
+    siem=[],
+    techniques=["T1059", "T1071"],
+)
+
+@common.requires_os(metadata.platforms)
+
+def main():
+  common.log("Creating a fake Java executable..")
+  masquerade = "/bin/java"
+  source = common.get_path("bin", "netcon_exec_chain.elf")
+  common.copy_file(source, masquerade)
+
+  common.log("Granting execute permissions...")
+  common.execute(['chmod', '+x', masquerade])
+
+  commands = [
+   masquerade,
+   'chain',
+   '-h',
+   '127.0.0.1',
+   '-p',
+   '1337',
+   '-c',
+   '-jar'
+  ]
+
+  common.log("Simulating reverse shell activity..")
+  common.execute([*commands], timeout=5)
+  common.log("Reverse shell simulation successful!")
+  common.log("Cleaning...")
+  common.remove_file(masquerade)
+  common.log("RTA completed!")
+
+if __name__ == "__main__":
+   exit(main())
@@ -0,0 +1,97 @@
+package main
+
+import (
+        "flag"
+        "fmt"
+        "net"
+        "os"
+        "os/exec"
+        "time"
+)
+
+func main() {
+        netconCommand := flag.NewFlagSet("netcon", flag.ExitOnError)
+        netconIP := netconCommand.String("h", "", "IP address")
+        netconPort := netconCommand.Int("p", 0, "Port")
+
+        execCommand := flag.NewFlagSet("exec", flag.ExitOnError)
+        execCmd := execCommand.String("c", "", "Shell command")
+
+        chainCommand := flag.NewFlagSet("chain", flag.ExitOnError)
+        chainIP := chainCommand.String("h", "", "IP address")
+        chainPort := chainCommand.Int("p", 0, "Port")
+        chainCmd := chainCommand.String("c", "", "Shell command")
+
+        if len(os.Args) < 2 {
+                fmt.Println("Usage:")
+                fmt.Println("  netcon -h <IP> -p <Port>")
+                fmt.Println("  exec -c <command>")
+                fmt.Println("  chain -h <IP> -p <Port> -c <command>")
+                os.Exit(1)
+        }
+
+        switch os.Args[1] {
+        case "netcon":
+                netconCommand.Parse(os.Args[2:])
+                if *netconIP == "" || *netconPort == 0 {
+                        fmt.Println("Missing IP address or port")
+                        netconCommand.PrintDefaults()
+                        os.Exit(1)
+                }
+                conn, err := net.Dial("tcp", fmt.Sprintf("%s:%d", *netconIP, *netconPort))
+                if err != nil {
+                        fmt.Println("Failed to connect:", err)
+                        os.Exit(1)
+                }
+                conn.Close()
+
+        case "exec":
+                execCommand.Parse(os.Args[2:])
+                if *execCmd == "" {
+                        fmt.Println("Missing command")
+                        execCommand.PrintDefaults()
+                        os.Exit(1)
+                }
+                cmd := exec.Command("/bin/sh", "-c", *execCmd)
+                cmd.Stdout = os.Stdout
+                cmd.Stderr = os.Stderr
+                err := cmd.Run()
+                if err != nil {
+                        fmt.Println("Failed to execute command:", err)
+                        os.Exit(1)
+                }
+
+        case "chain":
+                chainCommand.Parse(os.Args[2:])
+                if *chainIP == "" || *chainPort == 0 || *chainCmd == "" {
+                        fmt.Println("Missing IP address, port, or command")
+                        chainCommand.PrintDefaults()
+                        os.Exit(1)
+                }
+                conn, err := net.Dial("tcp", fmt.Sprintf("%s:%d", *chainIP, *chainPort))
+                if err != nil {
+                        fmt.Println("Failed to connect:", err)
+                } else {
+                        conn.Close()
+                }
+
+                time.Sleep(10 * time.Millisecond)
+
+                cmd := exec.Command("/bin/sh", "-c", *chainCmd)
+                cmd.Stdout = os.Stdout
+                cmd.Stderr = os.Stderr
+                err = cmd.Run()
+                if err != nil {
+                        fmt.Println("Failed to execute command:", err)
+                        os.Exit(1)
+                }
+
+        default:
+                fmt.Println("Invalid command")
+                fmt.Println("Usage:")
+                fmt.Println("  netcon -h <IP> -p <Port>")
+                fmt.Println("  exec -c <command>")
+                fmt.Println("  chain -h <IP> -p <Port> -c <command>")
+                os.Exit(1)
+        }
+}