Created
September 4, 2022 18:49
-
-
Save timb-machine/9b438873ed0e23b39eb7363cab92e357 to your computer and use it in GitHub Desktop.
Triaging Linux malware with respect to ATT&CK
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
$ src/tools/triage-binary.sh malware/binaries/BPFDoor/dc8346bf443b7b453f062740d8ae8d8d7ce879672810f4296158f90359dcae3a.elf.sparc | |
[Privilege Escalation, Persistence: Unix Shell]: /usr/bin/bash (1) | |
[Persistence: Path Interception by PATH Environment Variable]: PATH=/bin:/usr/kerberos/sbin:/usr/kerberos/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/usr/X11R6/bin:./bin (1) | |
[Persistence: Dynamic Linker Hijacking]: /usr/lib/ld.so.1 (1) | |
[Credential Access: Network Sniffing]: pcap_compile (2) | |
[Credential Access: Network Sniffing]: pcap_geterr (2) | |
[Credential Access: Network Sniffing]: pcap_loop (2) | |
[Credential Access: Network Sniffing]: pcap_open_live (2) | |
[Credential Access: Network Sniffing]: pcap_setfilter (2) | |
[Defense Evasion: LM: Non-persistant Storage]: /var/run/haldrund.pid (1) | |
[Defense Evasion: LM: Redirection To Null]: HISTFILE=/dev/null (1) | |
[Defense Evasion: LM: Redirection To Null]: MYSQL_HISTFILE=/dev/null (1) | |
[Defense Evasion: LM: Process Tree Spoofing]: argv0.2 (1) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment