platformtags:
  - "linux"
checks:
  - type: "Informational"
    checks:
      - name: "Platform"
        exec:
          - command: "uname"
            stderr: true
            encode: ""
Recent:
$ ../../../src/tools/triage-binary.sh fa0defdabd9fd43fe2ef1ec33574ea1af1290bd3d763fdb2bed443f2bd996d73.elf.x86_64
[Execution, Persistence, Discovery: attack:T1053.006:Systemd Timers, attack:T1543.002:Systemd Service, attack:T1007:System Service Discovery]: /usr/lib/systemd/systemd-journald (1)
[Defense Evasion: attack:T1070.004:File Deletion]: ldterm (1)
[Defense Evasion: attack:T1070.004:File Deletion]: unlink@@GLIBC_2.2.5 (1)
[Defense Evasion: uses:Auditd, attack:T1562.001:Disable or Modify Tools]: /sbin/auditd -n (1)
[Defense Evasion: uses:ProcessTreeSpoofing]: argv0 (1)
[Defense Evasion: uses:ProcessTreeSpoofing]: prctl@@GLIBC_2.2.5 (1)
[Defense Evasion: uses:ProcessTreeSpoofingForking]: fork@@GLIBC_2.2.5 (1)
NDSA20020719.txt.asc, CVE-2002-2331
NDSA20021112.txt.asc, CVE-2002-2399
NDSA20050719.txt.asc
NDSA20060705.txt.asc, CVE-2006-3848
NDSA20070206.txt.asc, CVE-2007-0838
NDSA20070412.txt.asc
NDSA20070524.txt.asc, CVE-2007-3190, CVE-2007-3191, CVE-2007-3189
NDSA20071016.txt.asc, CVE-2007-5691, CVE-2007-5492, CVE-2007-5493, CVE-2007-5694, CVE-2007-5695
NDSA20071119.txt.asc, CVE-2007-6100
NDSA20080215.txt.asc, CVE-2007-4074
$ ./get-attack-patterns.py treasury
I: searching for treasury%20
10
CVE-2017-3183
CVE-2019-0280
CVE-2019-0383
CVE-2019-0384
CVE-2020-6204
CVE-2019-20150
CVE-2019-20151
We start by unpacking the patch. On this occasion it's shipped as an RTE file (an installp fileset in the AIX-specific backup archive format), so we need to unpack it on our AIX VM. Listing the table of contents first shows what the archive will write out:
$ restore -T -f ../invscout.rte
/lpp_name
/usr
/usr/lpp
/usr/lpp/invscout.rte
/usr/lpp/invscout.rte/liblpp.a
/usr/lpp/invscout.rte/inst_root
/usr/lpp/invscout.rte/inst_root/liblpp.a
#!/bin/sh
# Walk every setuid/setgid file on an AIX box and report which of them import
# getenv(): a privileged binary that reads the caller-controlled environment is
# a candidate for environment-variable-driven privilege escalation.
# `dump -X 32_64 -T` prints the loader symbol table for both 32- and 64-bit
# XCOFF objects; -type f skips setgid directories, which dump cannot parse.
find / -type f \( -perm -u+s -o -perm -g+s \) 2>/dev/null | while read -r line
do
    echo "+++ $line"
    dump -X 32_64 -T "$line" 2>/dev/null | grep getenv
done
$ sudo chown root foo
Password:
$ sudo chmod u+rwxs foo
$ ls -la foo
-rwsr--r-- 1 root staff 0 13 Dec 15:19 foo
$ sudo vi foo
$ ls -la foo
-rwsr--r-- 1 root staff 1711088 13 Dec 15:19 foo
Top 10 bugs:
CVE-2014-7169,8
CVE-2016-6662,8
CVE-2012-0158,9
cve-2017-8759,10
CVE-2017-8625,11
CVE-2017-8759,13
cve-2021-32648,15
CVE-2015-3113,21
$ jq '.objects[] | select(.type | contains("attack-pattern")) | select(.x_mitre_platforms[] | contains("Linux")) | .name' enterprise-attack-11.0.json | sort | uniq > 11.out
$ jq '.objects[] | select(.type | contains("attack-pattern")) | select(.x_mitre_platforms[] | contains("Linux")) | .name' enterprise-attack-12.0.json | sort | uniq > 12.out
$ diff 11.out 12.out
33a34,36
> "Clear Mailbox Data"
> "Clear Network Connection History and Configurations"
> "Clear Persistence"
93a97
> "Embedded Payloads"
145c149
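The jq one-liner above has three rough edges: `.x_mitre_platforms[]` aborts the whole run on any attack-pattern that lacks the field, `contains("Linux")` is a substring match rather than an equality test, and revoked or deprecated techniques are still counted. The script below is an added example, not part of the gist, that does the same diff with those cases handled. The two bundles embedded in it are constructed, minimal stand-ins for enterprise-attack-11.0.json and enterprise-attack-12.0.json, not real ATT&CK content; the technique names are used only as sample data.

```python
"""Diff the set of Linux techniques between two ATT&CK STIX bundles.

Added example (not the gist author's code). Equivalent in intent to:
  jq '.objects[] | select(.type=="attack-pattern") | ... | .name' | sort | uniq
  diff 11.out 12.out
but it tolerates missing x_mitre_platforms, matches the platform name
exactly, and skips revoked / deprecated techniques.
"""
import json
import sys


def linux_techniques(bundle, platform="Linux"):
    """Return the set of names of live attack-patterns that list `platform`."""
    names = set()
    for obj in bundle.get("objects", []):
        if obj.get("type") != "attack-pattern":
            continue
        # Revoked and deprecated objects stay in the bundle; drop them so a
        # retired technique shows up as "removed" in the diff.
        if obj.get("revoked") or obj.get("x_mitre_deprecated"):
            continue
        # .get() with a default avoids the jq failure on a missing field, and
        # `in` on the list is an exact match, unlike jq's contains().
        if platform in obj.get("x_mitre_platforms", []):
            names.add(obj["name"])
    return names


def diff_techniques(old_bundle, new_bundle, platform="Linux"):
    """Return (added, removed) technique-name lists, each sorted."""
    old = linux_techniques(old_bundle, platform)
    new = linux_techniques(new_bundle, platform)
    return sorted(new - old), sorted(old - new)


def load_bundle(path):
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def _ap(name, platforms=None, **extra):
    """Build a minimal constructed attack-pattern object (sample data only)."""
    obj = {"type": "attack-pattern", "name": name}
    if platforms is not None:
        obj["x_mitre_platforms"] = platforms
    obj.update(extra)
    return obj


# Constructed sample bundles; NOT real ATT&CK releases.
OLD_BUNDLE = {"objects": [
    _ap("Clear Linux or Mac System Logs", ["Linux", "macOS"]),
    _ap("Process Injection", ["Linux", "macOS", "Windows"]),
    _ap("Retired Example", ["Linux"]),
    _ap("Windows Only Example", ["Windows"]),
    {"type": "intrusion-set", "name": "Constructed Group"},
]}

NEW_BUNDLE = {"objects": [
    _ap("Clear Linux or Mac System Logs", ["Linux", "macOS"]),
    _ap("Process Injection", ["Linux", "macOS", "Windows"]),
    _ap("Retired Example", ["Linux"], revoked=True),          # now revoked
    _ap("Windows Only Example", ["Windows"]),
    _ap("Clear Persistence", ["Linux", "macOS", "Windows"]),
    _ap("Embedded Payloads", ["Linux", "macOS", "Windows"]),
    _ap("Deprecated Example", ["Linux"], x_mitre_deprecated=True),
    _ap("No Platforms Example"),                               # would break jq
]}


if __name__ == "__main__":
    if len(sys.argv) == 3:
        old, new = load_bundle(sys.argv[1]), load_bundle(sys.argv[2])
    else:
        old, new = OLD_BUNDLE, NEW_BUNDLE
    added, removed = diff_techniques(old, new)
    for name in added:
        print("> " + json.dumps(name))
    for name in removed:
        print("< " + json.dumps(name))
```

Run it as `python3 attack_diff.py enterprise-attack-11.0.json enterprise-attack-12.0.json` against the real bundles; with no arguments it diffs the embedded sample data and prints the two added names with `>` and the revoked one with `<`, in the spirit of the `diff` output above.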