|
| 1 | +# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one |
| 2 | +# or more contributor license agreements. Licensed under the Elastic License |
| 3 | +# 2.0; you may not use this file except in compliance with the Elastic License |
| 4 | +# 2.0. |
| 5 | + |
| 6 | +import sys |
| 7 | +from . import RtaMetadata, common |
| 8 | + |
| 9 | +metadata = RtaMetadata( |
| 10 | + uuid="4e6ded7e-23cb-460c-8a5b-21c5e5e8d6e8", |
| 11 | + platforms=["linux"], |
| 12 | + endpoint=[ |
| 13 | + { |
| 14 | + "rule_name": "Potential Process Masquerading via Exec", |
| 15 | + "rule_id": "e6669bc3-cb75-4fb3-91e0-ddaa06dd59b2", |
| 16 | + }, |
| 17 | + ], |
| 18 | + techniques=["T1564", "T1059"], |
| 19 | +) |
| 20 | + |
| 21 | + |
| 22 | +@common.requires_os(*metadata.platforms) |
| 23 | +def main() -> None: |
| 24 | + common.log("Creating a fake executable..") |
| 25 | + masquerade = "[foo]" |
| 26 | + masquerade2 = "/tmp/sh" |
| 27 | + |
| 28 | + source = common.get_path("bin", "linux.ditto_and_spawn") |
| 29 | + common.copy_file(source, masquerade) |
| 30 | + common.log("Granting execute permissions...") |
| 31 | + common.execute(["chmod", "+x", masquerade]) |
| 32 | + |
| 33 | + source = common.get_path("bin", "linux.ditto_and_spawn") |
| 34 | + common.copy_file(source, masquerade2) |
| 35 | + common.log("Granting execute permissions...") |
| 36 | + common.execute(["chmod", "+x", masquerade2]) |
| 37 | + |
| 38 | + commands = [masquerade2, masquerade] |
| 39 | + common.execute([*commands], timeout=5, kill=True) |
| 40 | + common.log("Cleaning...") |
| 41 | + common.remove_file(masquerade) |
| 42 | + common.remove_file(masquerade2) |
| 43 | + common.log("Simulation successfull!") |
| 44 | + |
| 45 | + |
| 46 | +if __name__ == "__main__": |
| 47 | + sys.exit(main()) |
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?v=4&size=40){kind=avatar}
0 commit comments