# Copyright 2023 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
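scan_process_nobody() {
  # Look for processes owned by user 'nobody' other than the '/bin/httpd'
  # instances this check treats as expected, and report any that remain.
  # ref: https://www.mandiant.com/resources/blog/citrix-zero-day-espionage
  #
  # Globals:  none written; calls report_match/report on a hit, debug otherwise.
  # Outputs:  via report_match/report/debug (defined elsewhere in the scanner).
  #
  # Detection caveat: every filter below is a plain substring match over the
  # whole 'ps' line (command and arguments), so a 'nobody' process whose
  # command line merely contains '/bin/httpd' or '/tests/' is not reported.
  # Treat an empty result as the absence of this one indicator, not as proof
  # the host is clean.
  local entries
  # Declare and assign separately so the pipeline's status is not masked by
  # 'local'. A non-zero status here normally just means no line survived the
  # filters (grep's "no match"), which is the expected clean case, so it is
  # deliberately ignored rather than allowed to trip 'set -e'.
  # 'grep -v grep' drops the pipeline's own grep processes from the listing.
  entries=$(ps auxw | grep '^nobody' | grep -v /bin/httpd | grep -v grep | grep -v "/tests/") || true
  if [ -n "$entries" ]; then
    report_match "unexpected process owned by user 'nobody'"
    report "processes owned by nobody:"
    report "$entries."
  else
    debug "did not find unexpected processes owned by 'nobody'."
  fi
}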
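scan_process_tmp() {
  # Look for running processes whose 'ps' line mentions '/var/tmp' and report
  # them as processes executing out of that directory.
  # ref: https://www.mandiant.com/resources/blog/citrix-zero-day-espionage
  #
  # Globals:  none written; calls report_match/report on a hit, debug otherwise.
  # Outputs:  via report_match/report/debug (defined elsewhere in the scanner).
  #
  # Detection caveat: the match is a substring test over the whole 'ps' line,
  # so it also fires on processes that only reference '/var/tmp' in an
  # argument, and it misses anything whose line contains '/tests/' (excluded
  # below). Review hits by hand rather than treating them as confirmed.
  local entries
  # Declare and assign separately so the pipeline's status is not masked by
  # 'local'. grep returns non-zero when nothing matches, which is the expected
  # clean case, so that status is deliberately ignored rather than allowed to
  # trip 'set -e'. 'grep -v grep' drops the pipeline's own grep processes.
  entries=$(ps aux | grep /var/tmp | grep -v grep | grep -v "/tests/") || true
  if [ -n "$entries" ]; then
    report_match "unexpected processes executing out of '/var/tmp'"
    report "processes executing out of /var/tmp"
    report "$entries "
  else
    debug "did not find processes executing out of '/var/tmp'."
  fi
}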
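scan_processes() {
  # Entry point for the process checks. Both checks read the live process
  # table via 'ps', which only makes sense when inspecting a running system,
  # so they are skipped unless live mode is enabled.
  #
  # Globals:  live_mode (read) — expected to hold 'true' or 'false'; the value
  #           is executed as a command, as elsewhere in this scanner.
  #           An unset or empty live_mode is treated as 'false' here, so the
  #           live-only checks are not run by accident (an unquoted empty
  #           expansion would otherwise pass the 'if' with status 0).
  if "${live_mode:-false}"; then
    scan_process_nobody
    scan_process_tmp
  fi
}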