Tim Brown timb-machine
timb-machine
/ Abusing sudo vim to create setUIDs you control
Last active
December 13, 2022 15:22
Abusing sudo vim to create setUIDs you control
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $ sudo chown root foo | |
| Password: | |
| $ sudo chmod u+rwxs foo | |
| $ ls -la foo | |
| -rwsr--r-- 1 root staff 0 13 Dec 15:19 foo | |
| $ sudo vi foo | |
| $ ls -la foo | |
| -rwsr--r-- 1 root staff 1711088 13 Dec 15:19 foo |
timb-machine
/ Analysis of ATT&CK v12 bugs
Created
December 4, 2022 07:47
Analysis of ATT&CK v12 bugs
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Top 10 bugs: | |
| CVE-2014-7169,8 | |
| CVE-2016-6662,8 | |
| CVE-2012-0158,9 | |
| cve-2017-8759,10 | |
| CVE-2017-8625,11 | |
| CVE-2017-8759,13 | |
| cve-2021-32648,15 | |
| CVE-2015-3113,21 |
timb-machine
/ ATT&CK v11 vs v12 for Linux
Created
October 25, 2022 19:29
ATT&CK v11 vs v12 for Linux
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $ jq '.objects[] | select(.type | contains("attack-pattern")) | select(.x_mitre_platforms[] | contains("Linux")) | .name' enterprise-attack-11.0.json | sort | uniq > 11.out | |
| $ jq '.objects[] | select(.type | contains("attack-pattern")) | select(.x_mitre_platforms[] | contains("Linux")) | .name' enterprise-attack-12.0.json | sort | uniq > 12.out | |
| $ diff 11.out 12.out | |
| 33a34,36 | |
| > "Clear Mailbox Data" | |
| > "Clear Network Connection History and Configurations" | |
| > "Clear Persistence" | |
| 93a97 | |
| > "Embedded Payloads" | |
| 145c149 |
timb-machine
/ Bulk rename my mirror repos to reference original org
Created
October 22, 2022 15:56
Bulk rename my mirror repos to reference original org
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| gh repo list timb-machine-mirrors --fork -L 1230 --json name | tr "," "\n" | cut -f 4 -d "\"" | while read line | |
| do | |
| org=`gh repo view timb-machine-mirrors/$line --json parent | tr "," "\n" | grep login | cut -f 4 -d "\""` | |
| name=`gh repo view timb-machine-mirrors/$line --json parent | tr "," "\n" | grep name | cut -f 4 -d "\""` | |
| if [ "$line" != "$org-$name" ] | |
| then | |
| gh repo rename -y -R "timb-machine-mirrors/$line" "$org-$name" | |
| fi | |
| done |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # ps -aef | grep 94 | |
| root 94 2 0 Jun16 ? 00:00:00 [kworker/6:1H] | |
| root 594 2 0 Jun16 ? 00:00:00 [ipv6_addrconf] | |
| root 4692 2509 0 01:17 pts/0 00:00:00 grep 94 | |
| root 20394 2 0 Oct08 ? 00:00:20 [kworker/u32:2] | |
| # mkdir -p spoof/fd; mount -o bind spoof /proc/94; ln -s socket:\[283\] /proc/94/fd/99; ls -la /proc/94/fd | |
| total 4 | |
| drwxr-xr-x 2 root root 4096 Oct 9 01:16 . | |
| dr-xr-xr-x 193 root root 0 Jun 16 17:40 .. | |
| lrwxrwxrwx 1 root root 12 Oct 9 01:16 99 -> socket:[283] |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Unix.Trojan.Mirai$ ls *.elf.* | wc -l | |
| 65 | |
| Unix.Trojan.Mirai$ clamscan *.elf.* | grep Unix.Trojan.Mirai | wc -l | |
| 65 | |
| Unix.Trojan.Mirai$ wc -l triage/* | |
| 2 triage/00bbe47a7af460fcd2beb72772965e2c3fcff93a91043f0d74ba33c92939fe9d.elf.x86.triage | |
| 1 triage/0cb8d3af19c50201db3a63329d66ff18c3208135a40a237b98886f5d87f706bb.elf.x86.triage | |
| 2 triage/11242cdb5dac9309a2f330bd0dad96efba9ccc9b9d46f2361e8bf8e4cde543c1.elf.m68k.triage | |
| 11 triage/12330634ae5c2ac7da6d8d00f3d680630d596df154f74e03ff37e6942f90639e.elf.arm.triage | |
| 17 triage/190333b93af51f9a3e3dc4186e4f1bdb4f92c05d3ce047fbe5c3670d1b5a87b4.elf.sparc.triage |
timb-machine
/ Triaging Linux malware with respect to ATT&CK
Created
September 4, 2022 18:49
Triaging Linux malware with respect to ATT&CK
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $ src/tools/triage-binary.sh malware/binaries/BPFDoor/dc8346bf443b7b453f062740d8ae8d8d7ce879672810f4296158f90359dcae3a.elf.sparc | |
| [Privilege Escalation, Persistence: Unix Shell]: /usr/bin/bash (1) | |
| [Persistence: Path Interception by PATH Environment Variable]: PATH=/bin:/usr/kerberos/sbin:/usr/kerberos/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/usr/X11R6/bin:./bin (1) | |
| [Persistence: Dynamic Linker Hijacking]: /usr/lib/ld.so.1 (1) | |
| [Credential Access: Network Sniffing]: pcap_compile (2) | |
| [Credential Access: Network Sniffing]: pcap_geterr (2) | |
| [Credential Access: Network Sniffing]: pcap_loop (2) | |
| [Credential Access: Network Sniffing]: pcap_open_live (2) | |
| [Credential Access: Network Sniffing]: pcap_setfilter (2) | |
| [Defense Evasion: LM: Non-persistant Storage]: /var/run/haldrund.pid (1) |
timb-machine
/ Tidal Cycles, my first noise
Created
August 24, 2022 22:55
Tidal Cycles, my first noise
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| d1 $ s "bd:30*5 [~ sn:60] show cp" | |
| d2 $ every 2 (0.25 <~) $ s "bd:100*5 [~ sn:60]" | |
| d3 $ s "bd:90*5 cp" # s "feel" # speed 10 | |
| d4 $ jux rev $ s "drum*10 bd bd hh" # speed 0.5 | |
| d5 $ s "cp" | |
| d6 $ s "bd:50*5 cp" # s "feel" # speed 0.6 | |
| d7 $ jux rev $ s "drum:100*10 bd bd hh" # speed 0.6 | |
| d8 $ s "bd:40*5 cp" # s "feel" # speed (slow 4 $ 0.4 + sine * 0.5) |
timb-machine
/ Words commonly found in Linux DFIR reports
Last active
August 27, 2022 12:25
Words commonly found in Linux DFIR reports
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Generated with: | |
| #!/usr/bin/perl | |
| my %dictionary; | |
| my %words; | |
| sub count { | |
| $filehandle = shift; | |
| while (<$filehandle>) { |
timb-machine
/ Linux techniques missing from ATT&CK?
Created
August 13, 2022 12:06
Linux techniques missing from ATT&CK?
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| T1134.004: Parent PID Spoofing | |
| missing from ATT&CK | |
| * https://magisterquis.github.io/2018/03/11/process-injection-with-gdb.html (https://github.com/timb-machine/linux-malware/issues/462), citable: False (TACTICS OR TECHNIQUES WRONG) | |
| * https://grugq.github.io/docs/ul_exec.txt (https://github.com/timb-machine/linux-malware/issues/463), citable: False (TACTICS OR TECHNIQUES WRONG) | |
| * https://gist.github.com/timb-machine/6177721c3eafba3e95abdf112b2a5902 (https://github.com/timb-machine/linux-malware/issues/461), citable: False (TACTICS OR TECHNIQUES WRONG) | |
| T1055.012: Process Hollowing |