diff --git a/rta/bin/netcon_exec_chain.elf b/rta/bin/netcon_exec_chain.elf
new file mode 100755
index 000000000..4f7aee1a9
Binary files /dev/null and b/rta/bin/netcon_exec_chain.elf differ
diff --git a/rta/exec_java_revshell_linux.py b/rta/exec_java_revshell_linux.py
new file mode 100644
index 000000000..6afc5de9c
--- /dev/null
+++ b/rta/exec_java_revshell_linux.py
@@ -0,0 +1,47 @@
+# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
+
+from . import common
+from . import RtaMetadata
+
+metadata = RtaMetadata(
+    uuid="e0db3577-879e-4ac2-bd58-691e1343afca",
+    platforms=["linux"],
+    endpoint=[{"rule_name": "Potential Linux Reverse Shell via Java", "rule_id": "e0db3577-879e-4ac2-bd58-691e1343afca"}],
+    siem=[],
+    techniques=["T1059", "T1071"],
+)
+
+@common.requires_os(metadata.platforms)
+
+def main():
+    common.log("Creating a fake Java executable..")
+    masquerade = "/bin/java"
+    source = common.get_path("bin", "netcon_exec_chain.elf")
+    common.copy_file(source, masquerade)
+
+    common.log("Granting execute permissions...")
+    common.execute(['chmod', '+x', masquerade])
+
+    commands = [
+        masquerade,
+        'chain',
+        '-h',
+        '127.0.0.1',
+        '-p',
+        '1337',
+        '-c',
+        '-jar'
+    ]
+
+    common.log("Simulating reverse shell activity..")
+    common.execute([*commands], timeout=5)
+    common.log("Reverse shell simulation successful!")
+    common.log("Cleaning...")
+    common.remove_file(masquerade)
+    common.log("RTA completed!")
+
+if __name__ == "__main__":
+    exit(main())
diff --git a/rta/src/netcon_exec_chain.go b/rta/src/netcon_exec_chain.go
new file mode 100644
index 000000000..bf878a086
--- /dev/null
+++ b/rta/src/netcon_exec_chain.go
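Review bot: `masquerade = "/bin/java"` is copied over and later deleted without checking whether that path already exists; on distributions where `/bin` is a symlink to `/usr/bin`, a real `java` launcher living there would be overwritten by `common.copy_file(source, masquerade)` and then removed by `common.remove_file(masquerade)`. Guard it before the copy, e.g. `if os.path.exists(masquerade): raise RuntimeError(f"{masquerade} already exists; refusing to overwrite")` (needs `import os`), or, if the rule keys on the process name rather than its directory, stage the fake binary as `java` under a temporary directory instead of `/bin`. Cleanup should also survive a failure in between: wrap the chmod and execute calls in `try:` and move `common.remove_file(masquerade)` into a `finally:` block so a crash mid-run does not leave a planted executable behind. Two smaller points: `common.execute([*commands], timeout=5)` copies the list for no reason and can be `common.execute(commands, timeout=5)`, and the blank line between `@common.requires_os(metadata.platforms)` and `def main():` should go, since PEP 8 keeps a decorator adjacent to its `def`.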
@@ -0,0 +1,97 @@
+package main
+
+import (
+	"flag"
+	"fmt"
+	"net"
+	"os"
+	"os/exec"
+	"time"
+)
+
+func main() {
+	netconCommand := flag.NewFlagSet("netcon", flag.ExitOnError)
+	netconIP := netconCommand.String("h", "", "IP address")
+	netconPort := netconCommand.Int("p", 0, "Port")
+
+	execCommand := flag.NewFlagSet("exec", flag.ExitOnError)
+	execCmd := execCommand.String("c", "", "Shell command")
+
+	chainCommand := flag.NewFlagSet("chain", flag.ExitOnError)
+	chainIP := chainCommand.String("h", "", "IP address")
+	chainPort := chainCommand.Int("p", 0, "Port")
+	chainCmd := chainCommand.String("c", "", "Shell command")
+
+	if len(os.Args) < 2 {
+		fmt.Println("Usage:")
+		fmt.Println(" netcon -h -p ")
+		fmt.Println(" exec -c ")
+		fmt.Println(" chain -h -p -c ")
+		os.Exit(1)
+	}
+
+	switch os.Args[1] {
+	case "netcon":
+		netconCommand.Parse(os.Args[2:])
+		if *netconIP == "" || *netconPort == 0 {
+			fmt.Println("Missing IP address or port")
+			netconCommand.PrintDefaults()
+			os.Exit(1)
+		}
+		conn, err := net.Dial("tcp", fmt.Sprintf("%s:%d", *netconIP, *netconPort))
+		if err != nil {
+			fmt.Println("Failed to connect:", err)
+			os.Exit(1)
+		}
+		conn.Close()
+
+	case "exec":
+		execCommand.Parse(os.Args[2:])
+		if *execCmd == "" {
+			fmt.Println("Missing command")
+			execCommand.PrintDefaults()
+			os.Exit(1)
+		}
+		cmd := exec.Command("/bin/sh", "-c", *execCmd)
+		cmd.Stdout = os.Stdout
+		cmd.Stderr = os.Stderr
+		err := cmd.Run()
+		if err != nil {
+			fmt.Println("Failed to execute command:", err)
+			os.Exit(1)
+		}
+
+	case "chain":
+		chainCommand.Parse(os.Args[2:])
+		if *chainIP == "" || *chainPort == 0 || *chainCmd == "" {
+			fmt.Println("Missing IP address, port, or command")
+			chainCommand.PrintDefaults()
+			os.Exit(1)
+		}
+		conn, err := net.Dial("tcp", fmt.Sprintf("%s:%d", *chainIP, *chainPort))
+		if err != nil {
+			fmt.Println("Failed to connect:", err)
+		} else {
+			conn.Close()
+		}
+
+		time.Sleep(10 * time.Millisecond)
+
+		cmd := exec.Command("/bin/sh", "-c", *chainCmd)
+		cmd.Stdout = os.Stdout
+		cmd.Stderr = os.Stderr
+		err = cmd.Run()
+		if err != nil {
+			fmt.Println("Failed to execute command:", err)
+			os.Exit(1)
+		}
+
+	default:
+		fmt.Println("Invalid command")
+		fmt.Println("Usage:")
+		fmt.Println(" netcon -h -p ")
+		fmt.Println(" exec -c ")
+		fmt.Println(" chain -h -p -c ")
+		os.Exit(1)
+	}
+}
\ No newline at end of file
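Review bot: The `chain` branch keeps going after `net.Dial` fails, printing `Failed to connect:` and still running `/bin/sh -c`, while the `netcon` branch exits on the same error; that asymmetry looks deliberate (the Python RTA points it at 127.0.0.1:1337 where nothing need be listening) but nothing in the code says so. Add a comment above that `if err != nil`, e.g. `// A refused connection is fine: the attempt itself is the network event to be observed, and the exec below must still run.`, and likewise annotate `time.Sleep(10 * time.Millisecond)` with why the delay exists (presumably to keep the connect attempt ordered before the shell spawn in telemetry). The usage banner is duplicated in the `len(os.Args) < 2` and `default` paths and prints `netcon -h -p` with no argument placeholders (unless `<ip>`/`<port>` were lost in rendering); a small `usage()` helper would fix both in one place. `\ No newline at end of file` shows this was not run through gofmt, and `go vet`/errcheck will also flag the unchecked `Parse` returns even though `flag.ExitOnError` makes them moot. Finally, the compiled `rta/bin/netcon_exec_chain.elf` committed in this diff comes with no build recipe, so consider recording the exact `go build` flags (for example `CGO_ENABLED=0 go build -trimpath`) so the binary can be reproduced and checked against this source.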