From 264938236c2cfd1c72bf533f1aca79fccab3af22 Mon Sep 17 00:00:00 2001 From: protections machine <72879786+protectionsmachine@users.noreply.github.com> Date: Wed, 2 Oct 2024 03:17:04 +1000 Subject: [PATCH] Sync RTA Hexadecimal Payload Execution (#4109) Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com> --- ...x_defense_evasion_hex_payload_execution.py | 40 +++++++++++++++++++ 1 file changed, 40 insertions(+) create mode 100644 rta/linux_defense_evasion_hex_payload_execution.py diff --git a/rta/linux_defense_evasion_hex_payload_execution.py b/rta/linux_defense_evasion_hex_payload_execution.py new file mode 100644 index 00000000000..03162623c6d --- /dev/null +++ b/rta/linux_defense_evasion_hex_payload_execution.py @@ -0,0 +1,40 @@ +# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +# or more contributor license agreements. Licensed under the Elastic License +# 2.0; you may not use this file except in compliance with the Elastic License +# 2.0. + +import sys + +from . import RtaMetadata, common + +metadata = RtaMetadata( + uuid="88b8c5e8-43d4-4063-9d0f-e1fc3063447b", + platforms=["linux"], + endpoint=[ + { + "rule_name": "Hexadecimal Payload Execution", + "rule_id": "f2d206e0-97c9-484b-8b6a-5eecd82fbfdc", + }, + ], + techniques=["T1027", "T1140", "T1059", "T1204"], +) + + +@common.requires_os(*metadata.platforms) +def main() -> None: + common.log("Creating a fake executable..") + masquerade = "/tmp/evil" + source = common.get_path("bin", "netcon_exec_chain.elf") + common.copy_file(source, masquerade) + common.log("Granting execute permissions...") + common.execute(["chmod", "+x", masquerade]) + + commands = [masquerade, "exec", "-c", "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"] + common.execute([*commands], timeout=5, kill=True) + common.log("Cleaning...") + common.remove_file(masquerade) + common.log("Simulation successfull!") + + +if __name__ == "__main__": + sys.exit(main())