[New ER RTA] Potential Linux Rev Shell via Java (#2897)

* [New ER RTA] Potential Linux Rev Shell via Java * Added execute permissions to the RTA * Added 10 millisecond sleep to fix sequencing issue * Update exec_java_revshell_linux.py * Added source code
2023-06-30 14:21:06 +02:00
parent 9794f8f0af
commit cf4bbfbcef
3 changed files with 144 additions and 0 deletions
@@ -0,0 +1,47 @@
+# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
+
+from . import common
+from . import RtaMetadata
+
+metadata = RtaMetadata(
+    uuid="e0db3577-879e-4ac2-bd58-691e1343afca",
+    platforms=["linux"],
+    endpoint=[{"rule_name": "Potential Linux Reverse Shell via Java", "rule_id": "e0db3577-879e-4ac2-bd58-691e1343afca"}],
+    siem=[],
+    techniques=["T1059", "T1071"],
+)
+
+@common.requires_os(metadata.platforms)
+
+def main():
+  common.log("Creating a fake Java executable..")
+  masquerade = "/bin/java"
+  source = common.get_path("bin", "netcon_exec_chain.elf")
+  common.copy_file(source, masquerade)
+
+  common.log("Granting execute permissions...")
+  common.execute(['chmod', '+x', masquerade])
+
+  commands = [
+   masquerade,
+   'chain',
+   '-h',
+   '127.0.0.1',
+   '-p',
+   '1337',
+   '-c',
+   '-jar'
+  ]
+
+  common.log("Simulating reverse shell activity..")
+  common.execute([*commands], timeout=5)
+  common.log("Reverse shell simulation successful!")
+  common.log("Cleaning...")
+  common.remove_file(masquerade)
+  common.log("RTA completed!")
+
+if __name__ == "__main__":
+   exit(main())