timb-machine

$ src/tools/triage-binary.sh malware/binaries/BPFDoor/dc8346bf443b7b453f062740d8ae8d8d7ce879672810f4296158f90359dcae3a.elf.sparc
[Privilege Escalation, Persistence: Unix Shell]: /usr/bin/bash (1)
[Persistence: Path Interception by PATH Environment Variable]: PATH=/bin:/usr/kerberos/sbin:/usr/kerberos/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/usr/X11R6/bin:./bin (1)
[Persistence: Dynamic Linker Hijacking]: /usr/lib/ld.so.1 (1)
[Credential Access: Network Sniffing]: pcap_compile (2)
[Credential Access: Network Sniffing]: pcap_geterr (2)
[Credential Access: Network Sniffing]: pcap_loop (2)
[Credential Access: Network Sniffing]: pcap_open_live (2)
[Credential Access: Network Sniffing]: pcap_setfilter (2)
[Defense Evasion: LM: Non-persistant Storage]: /var/run/haldrund.pid (1)

timb-machine

d1 $ s "bd:30*5 [~ sn:60] show cp"
d2 $ every 2 (0.25 <~) $ s "bd:100*5 [~ sn:60]"
d3 $ s "bd:90*5 cp" # s "feel" # speed 10
d4 $ jux rev $ s "drum*10 bd bd hh" # speed 0.5
d5 $ s "cp"
d6 $ s "bd:50*5 cp" # s "feel" # speed 0.6
d7 $ jux rev $ s "drum:100*10 bd bd hh" # speed 0.6
d8 $ s "bd:40*5 cp" # s "feel" # speed (slow 4 $ 0.4 + sine * 0.5)

timb-machine

Generated with:

#!/usr/bin/perl
  
my %dictionary;
my %words;

sub count {
        $filehandle = shift;
        while (<$filehandle>) {

timb-machine

T1134.004: Parent PID Spoofing

missing from ATT&CK

* https://magisterquis.github.io/2018/03/11/process-injection-with-gdb.html (https://github.com/timb-machine/linux-malware/issues/462), citable: False (TACTICS OR TECHNIQUES WRONG)
* https://grugq.github.io/docs/ul_exec.txt (https://github.com/timb-machine/linux-malware/issues/463), citable: False (TACTICS OR TECHNIQUES WRONG)
* https://gist.github.com/timb-machine/6177721c3eafba3e95abdf112b2a5902 (https://github.com/timb-machine/linux-malware/issues/461), citable: False (TACTICS OR TECHNIQUES WRONG)

T1055.012: Process Hollowing

timb-machine

Credential Access

T1556.003: Pluggable Authentication Modules

• https://www.intezer.com/blog/research/new-linux-threat-symbiote/ (timb-machine/linux-malware#452), citable: True (TACTICS OR TECHNIQUES WRONG)
• https://github.com/citronneur/pamspy (timb-machine/linux-malware#466), citable: False
• https://www.mandiant.com/resources/unc2891-overview (timb-machine/linux-malware#112), citable: True
• https://bazaar.abuse.ch/browse/tag/Symbiote/ (timb-machine/linux-malware#460), citable: False (TACTICS OR TECHNIQUES WRONG)

T1003: OS Credential Dumping

timb-machine

Never mind that what3words has real technical, logistical, practical limitations... Let's look at some of the dark, libellous, illegal and/or downright offensive combinations of /// addressess that their word lists can result in:

* https://what3words.com/mistakes.cost.lives
* https://what3words.com/troll.under.bridge
* https://what3words.com/burn.that.school
* https://what3words.com/lorry.catches.fire
* https://what3words.com/shank.that.police
* https://what3words.com/hang.puppy.quick
* https://what3words.com/master.whips.slave
* https://what3words.com/bullets.into.head

timb-machine

#!/bin/sh
find / \( \( -perm -u+s \) -o \( -perm -g+s \) \) -a -type f 2>/dev/null | while read SUIDFILE
do
        LSFILE=`ls -la "$SUIDFILE"`
        objdump -x "$SUIDFILE" 2>&1| egrep 'RPATH|RUNPATH' | while read name paths
        do
                if [ -n "$paths" ]; then
                         echo "$paths" | tr ":" "\n" | while read RPATHDIR
                         do
                                 if [ "`echo "$RPATHDIR" | cut -c 1`" != "/" ]

timb-machine

$ nc -v -l -p 5000 & ps -aef | grep nc; sudo gdb /bin/nc `pgrep nc`
timb      3976   952  0 00:22 pts/0    00:00:00 nc -v -l -p 5000
[1] 3976
listening on [any] 5000 ...
(gdb) info variable environ
All variables matching regular expression "environ":
(gdb) print execve("/bin/bash", 0x00007f717f158118, 0)
process 3976 is executing new program: /bin/bash
$ ps -aef | grep timb
timb      3976   952  0 00:22 pts/0    00:00:00 ?.#.?.

timb-machine

#include <sys/types.h>
#include <sys/ptrace.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <openssl/aes.h>

#define MAXIMUMWIDTH 80
#define MAXIMUMHEIGHT 20

timb-machine

$ cat racecar.sh 
#!/bin/sh

while :
do
echo "#!/bin/sh" > /Volumes/USB/a
chmod u+xs /Volumes/USB/a
ls -la /Volumes/USB/a | grep sr | grep -v 10
done