Triaging Linux malware with respect to ATT&CK
$ src/tools/triage-binary.sh malware/binaries/BPFDoor/dc8346bf443b7b453f062740d8ae8d8d7ce879672810f4296158f90359dcae3a.elf.sparc
[Privilege Escalation, Persistence: Unix Shell]: /usr/bin/bash (1)
[Persistence: Path Interception by PATH Environment Variable]: PATH=/bin:/usr/kerberos/sbin:/usr/kerberos/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/usr/X11R6/bin:./bin (1)
[Persistence: Dynamic Linker Hijacking]: /usr/lib/ld.so.1 (1)
[Credential Access: Network Sniffing]: pcap_compile (2)
[Credential Access: Network Sniffing]: pcap_geterr (2)
[Credential Access: Network Sniffing]: pcap_loop (2)
[Credential Access: Network Sniffing]: pcap_open_live (2)
[Credential Access: Network Sniffing]: pcap_setfilter (2)
[Defense Evasion: LM: Non-persistant Storage]: /var/run/haldrund.pid (1)
[Defense Evasion: LM: Redirection To Null]: HISTFILE=/dev/null (1)
[Defense Evasion: LM: Redirection To Null]: MYSQL_HISTFILE=/dev/null (1)
[Defense Evasion: LM: Process Tree Spoofing]: argv0.2 (1)
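The output above comes from timb-machine's triage-binary.sh. As an added example, and not that script, the Python below reimplements the idea it illustrates: pull printable strings out of the ELF the way strings(1) does, test each one against a small rule table keyed to ATT&CK tactic/technique labels, and count hits in the same bracketed format. The regexes, the PATH check, the SAMPLE_ELF bytes and the function names are assumptions modelled on the labels shown in the gist output; they are not the gist's own rules.

```python
"""Strings-based ATT&CK triage of an ELF file.

Added example modelled on the triage output in the gist; not timb-machine's
triage-binary.sh. Rule patterns, labels and sample bytes are assumptions.
"""
import re
import sys
from collections import Counter


def rx(pattern: bytes):
    """Wrap a regex as a predicate over one extracted string."""
    compiled = re.compile(pattern)
    return lambda s: compiled.search(s) is not None


def path_has_relative_entry(s: bytes) -> bool:
    """PATH=... whose entries include an empty, '.' or otherwise non-absolute
    directory: the precondition for path interception via PATH."""
    if not s.startswith(b"PATH="):
        return False
    entries = s[len(b"PATH="):].split(b":")
    return any(not e.startswith(b"/") for e in entries)


# (label, predicate). Labels follow the gist output; patterns are our own
# guesses at what each label keys on (assumption).
RULES = [
    ("Privilege Escalation, Persistence: Unix Shell",
     rx(rb"^/(?:usr/)?bin/(?:ba|da|z|k)?sh$")),
    ("Persistence: Path Interception by PATH Environment Variable",
     path_has_relative_entry),
    ("Persistence: Dynamic Linker Hijacking",
     rx(rb"^(?:/.*/ld(?:-linux[^/]*)?\.so(?:\.\d+)*|LD_PRELOAD)$")),
    ("Credential Access: Network Sniffing", rx(rb"^pcap_[a-z_]+$")),
    ("Defense Evasion: LM: Non-persistent Storage",
     rx(rb"^/(?:var/run|run|dev/shm|tmp)/.+$")),
    ("Defense Evasion: LM: Redirection To Null", rx(rb"^[A-Z_]+=/dev/null$")),
    ("Defense Evasion: LM: Process Tree Spoofing", rx(rb"^argv0")),
]
LABEL_ORDER = {label: i for i, (label, _) in enumerate(RULES)}


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Mimic strings(1): runs of printable ASCII of at least min_len bytes."""
    return [m.group(0) for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def triage(data: bytes) -> Counter:
    """Map (label, string) -> number of occurrences in the byte stream."""
    hits = Counter()
    for s in extract_strings(data):
        for label, match in RULES:
            if match(s):
                hits[(label, s)] += 1
    return hits


def render(hits: Counter) -> str:
    """Print in the gist's format, ordered by rule table then by string."""
    ordered = sorted(hits.items(), key=lambda kv: (LABEL_ORDER[kv[0][0]], kv[0][1]))
    return "\n".join(f"[{label}]: {s.decode()} ({n})" for (label, s), n in ordered)


# Constructed sample: an ELF ident followed by NUL-separated strings, standing
# in for .dynstr/.strtab content. pcap_open_live appears twice on purpose.
SAMPLE_ELF = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
    + b"\x00".join([
        b"GLIBC_2.2.5", b"%s", b"/usr/bin/bash", b"pcap_open_live",
        b"pcap_setfilter", b"pcap_open_live",
        b"PATH=/bin:/usr/bin:/sbin:./bin", b"HISTFILE=/dev/null",
        b"MYSQL_HISTFILE=/dev/null", b"/var/run/haldrund.pid",
        b"/usr/lib/ld.so.1", b"/etc/passwd", b"argv0.2",
    ]) + b"\x00"
)

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_ELF
    print(render(triage(blob)))
```

Run it with a path to triage a real file, or with no argument to see the constructed sample. Two caveats carry over to the gist's tool: the count is occurrences in the byte stream, so an imported symbol present in both .dynstr and .strtab counts twice, which is a plausible reason the pcap_* entries above show (2); and a hit only says the artifact is present in the file, not that the code path using it runs. Packed or string-encrypted samples yield nothing until unpacked, so an empty report is not a clean bill.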