Created
May 17, 2024 06:39
-
-
Save mqu/074e2ee64aa73ea66ab221c7abc86f92 to your computer and use it in GitHub Desktop.
ebury detection commands
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# doc: https://web-assets.esetstatic.com/wls/en/papers/white-papers/ebury-is-alive-but-unseen.pdf | |
# repo git: https://github.com/eset/malware-research/tree/master/ebury | |
url=https://raw.githubusercontent.com/eset/malware-research/master/ebury/detect_ebury.sh | |
curl -s $url > /tmp/detect_ebury.sh | |
chmod +x /tmp/detect_ebury.sh | |
# disable ebury (environnement variable) or login with console (not SSH) | |
# Ebury, can mask it presence with login with SSH. | |
export LD_PRELOAD= | |
export H=1 | |
# run Ebury detection script. Mainly based on socket presence | |
# - https://github.com/eset/malware-research/blob/master/ebury/detect_ebury.sh#L38 | |
/tmp/detect_ebury.sh | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment