|
| 1 | +# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one |
| 2 | +# or more contributor license agreements. Licensed under the Elastic License |
| 3 | +# 2.0; you may not use this file except in compliance with the Elastic License |
| 4 | +# 2.0. |
| 5 | + |
| 6 | +import sys |
| 7 | +from . import RtaMetadata, common |
| 8 | + |
| 9 | +metadata = RtaMetadata( |
| 10 | + uuid="8c634401-fd71-475e-b449-41b776b2b8c9", |
| 11 | + platforms=["linux"], |
| 12 | + endpoint=[ |
| 13 | + { |
| 14 | + "rule_name": "Network Connection by Foomatic-rip Child", |
| 15 | + "rule_id": "93d7b72d-3914-44fb-92bf-63675769ef12", |
| 16 | + }, |
| 17 | + ], |
| 18 | + techniques=["T1203"], |
| 19 | +) |
| 20 | + |
| 21 | + |
| 22 | +@common.requires_os(*metadata.platforms) |
| 23 | +def main() -> None: |
| 24 | + # Path for the fake executable |
| 25 | + masquerade = "/tmp/foomatic-rip" |
| 26 | + source = common.get_path("bin", "netcon_exec_chain.elf") |
| 27 | + |
| 28 | + common.log("Creating a fake executable..") |
| 29 | + common.copy_file(source, masquerade) |
| 30 | + common.log("Granting execute permissions...") |
| 31 | + common.execute(['chmod', '+x', masquerade]) |
| 32 | + |
| 33 | + # Execute the fake executable |
| 34 | + common.log("Executing the fake executable..") |
| 35 | + commands = [ |
| 36 | + masquerade, |
| 37 | + 'chain', |
| 38 | + '-h', |
| 39 | + '8.8.8.8', |
| 40 | + '-p', |
| 41 | + '53', |
| 42 | + '-c', |
| 43 | + '/tmp/foomatic-rip netcon -h 8.8.8.8 -p 53' |
| 44 | + ] |
| 45 | + common.execute([*commands], timeout=5, kill=True) |
| 46 | + |
| 47 | + # Cleanup |
| 48 | + common.remove_file(masquerade) |
| 49 | + |
| 50 | + |
| 51 | +if __name__ == "__main__": |
| 52 | + sys.exit(main()) |
0 commit comments