Tim Brown timb-machine
@timb-machine
timb-machine / List of CVEs for vulnerability disclosures
Last active April 17, 2023 23:55
NDSA20020719.txt.asc, CVE-2002-2331
NDSA20021112.txt.asc, CVE-2002-2399
NDSA20050719.txt.asc
NDSA20060705.txt.asc, CVE-2006-3848
NDSA20070206.txt.asc, CVE-2007-0838
NDSA20070412.txt.asc
NDSA20070524.txt.asc, CVE-2007-3190, CVE-2007-3191, CVE-2007-3189
NDSA20071016.txt.asc, CVE-2007-5691, CVE-2007-5492, CVE-2007-5493, CVE-2007-5694, CVE-2007-5695
NDSA20071119.txt.asc, CVE-2007-6100
NDSA20080215.txt.asc, CVE-2007-4074
timb-machine / A brief history of treasury bugs
Created February 13, 2023 21:25
$ ./get-attack-patterns.py treasury
I: searching for treasury%20
10
CVE-2017-3183
CVE-2019-0280
CVE-2019-0383
CVE-2019-0384
CVE-2020-6204
CVE-2019-20150
CVE-2019-20151
timb-machine / Hunting for AIX getenv() victims
Created December 16, 2022 23:30
#!/bin/sh
# Walk the filesystem for setuid/setgid executables and report those that
# import getenv(), i.e. candidates for environment-driven bugs.
find / -type f \( -perm -u+s -o -perm -g+s \) 2>/dev/null | while IFS= read -r line
do
echo "+++ $line"
# AIX dump -T prints the loader symbol table; -X 32_64 covers both object sizes
dump -X 32_64 -T "$line" 2>/dev/null | grep getenv
done
timb-machine / Abusing sudo vim to create setUIDs you control
Last active December 13, 2022 15:22
$ sudo chown root foo
Password:
$ sudo chmod u+rwxs foo
$ ls -la foo
-rwsr--r-- 1 root staff 0 13 Dec 15:19 foo
$ sudo vi foo
$ ls -la foo
-rwsr--r-- 1 root staff 1711088 13 Dec 15:19 foo
timb-machine / Analysis of ATT&CK v12 bugs
Created December 4, 2022 07:47
Top 10 bugs:
CVE-2014-7169,8
CVE-2016-6662,8
CVE-2012-0158,9
cve-2017-8759,10
CVE-2017-8625,11
CVE-2017-8759,13
cve-2021-32648,15
CVE-2015-3113,21
timb-machine / ATT&CK v11 vs v12 for Linux
Created October 25, 2022 19:29
$ jq '.objects[] | select(.type | contains("attack-pattern")) | select(.x_mitre_platforms[] | contains("Linux")) | .name' enterprise-attack-11.0.json | sort | uniq > 11.out
$ jq '.objects[] | select(.type | contains("attack-pattern")) | select(.x_mitre_platforms[] | contains("Linux")) | .name' enterprise-attack-12.0.json | sort | uniq > 12.out
$ diff 11.out 12.out
33a34,36
> "Clear Mailbox Data"
> "Clear Network Connection History and Configurations"
> "Clear Persistence"
93a97
> "Embedded Payloads"
145c149
timb-machine / Bulk rename my mirror repos to reference original org
Created October 22, 2022 15:56
# Rename every fork in the timb-machine-mirrors org to "<upstream owner>-<upstream repo>"
# so the mirror's name records where it came from.
gh repo list timb-machine-mirrors --fork -L 1230 --json name --jq '.[].name' | while IFS= read -r line
do
org=$(gh repo view "timb-machine-mirrors/$line" --json parent --jq '.parent.owner.login')
name=$(gh repo view "timb-machine-mirrors/$line" --json parent --jq '.parent.name')
# Skip forks whose upstream is gone (empty parent) and those already renamed
if [ -n "$org" ] && [ -n "$name" ] && [ "$line" != "$org-$name" ]
then
gh repo rename -y -R "timb-machine-mirrors/$line" "$org-$name"
fi
done
timb-machine / Messing with slash-proc
Last active December 16, 2022 17:29
# ps -aef | grep 94
root 94 2 0 Jun16 ? 00:00:00 [kworker/6:1H]
root 594 2 0 Jun16 ? 00:00:00 [ipv6_addrconf]
root 4692 2509 0 01:17 pts/0 00:00:00 grep 94
root 20394 2 0 Oct08 ? 00:00:20 [kworker/u32:2]
# mkdir -p spoof/fd; mount -o bind spoof /proc/94; ln -s socket:\[283\] /proc/94/fd/99; ls -la /proc/94/fd
total 4
drwxr-xr-x 2 root root 4096 Oct 9 01:16 .
dr-xr-xr-x 193 root root 0 Jun 16 17:40 ..
lrwxrwxrwx 1 root root 12 Oct 9 01:16 99 -> socket:[283]
timb-machine / What even is Mirai?
Created September 19, 2022 16:32
Unix.Trojan.Mirai$ ls *.elf.* | wc -l
65
Unix.Trojan.Mirai$ clamscan *.elf.* | grep Unix.Trojan.Mirai | wc -l
65
Unix.Trojan.Mirai$ wc -l triage/*
2 triage/00bbe47a7af460fcd2beb72772965e2c3fcff93a91043f0d74ba33c92939fe9d.elf.x86.triage
1 triage/0cb8d3af19c50201db3a63329d66ff18c3208135a40a237b98886f5d87f706bb.elf.x86.triage
2 triage/11242cdb5dac9309a2f330bd0dad96efba9ccc9b9d46f2361e8bf8e4cde543c1.elf.m68k.triage
11 triage/12330634ae5c2ac7da6d8d00f3d680630d596df154f74e03ff37e6942f90639e.elf.arm.triage
17 triage/190333b93af51f9a3e3dc4186e4f1bdb4f92c05d3ce047fbe5c3670d1b5a87b4.elf.sparc.triage
timb-machine / Triaging Linux malware with respect to ATT&CK
Created September 4, 2022 18:49
$ src/tools/triage-binary.sh malware/binaries/BPFDoor/dc8346bf443b7b453f062740d8ae8d8d7ce879672810f4296158f90359dcae3a.elf.sparc
[Privilege Escalation, Persistence: Unix Shell]: /usr/bin/bash (1)
[Persistence: Path Interception by PATH Environment Variable]: PATH=/bin:/usr/kerberos/sbin:/usr/kerberos/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/usr/X11R6/bin:./bin (1)
[Persistence: Dynamic Linker Hijacking]: /usr/lib/ld.so.1 (1)
[Credential Access: Network Sniffing]: pcap_compile (2)
[Credential Access: Network Sniffing]: pcap_geterr (2)
[Credential Access: Network Sniffing]: pcap_loop (2)
[Credential Access: Network Sniffing]: pcap_open_live (2)
[Credential Access: Network Sniffing]: pcap_setfilter (2)
[Defense Evasion: LM: Non-persistant Storage]: /var/run/haldrund.pid (1)