Comparing and contrasting generations of RedMenshen AKA BPFDoor
Recent:
$ ../../../src/tools/triage-binary.sh fa0defdabd9fd43fe2ef1ec33574ea1af1290bd3d763fdb2bed443f2bd996d73.elf.x86_64
[Execution, Persistence, Discovery: attack:T1053.006:Systemd Timers, attack:T1543.002:Systemd Service, attack:T1007:System Service Discovery]: /usr/lib/systemd/systemd-journald (1)
[Defense Evasion: attack:T1070.004:File Deletion]: ldterm (1)
[Defense Evasion: attack:T1070.004:File Deletion]: unlink@@GLIBC_2.2.5 (1)
[Defense Evasion: uses:Auditd, attack:T1562.001:Disable or Modify Tools]: /sbin/auditd -n (1)
[Defense Evasion: uses:ProcessTreeSpoofing]: argv0 (1)
[Defense Evasion: uses:ProcessTreeSpoofing]: prctl@@GLIBC_2.2.5 (1)
[Defense Evasion: uses:ProcessTreeSpoofingForking]: fork@@GLIBC_2.2.5 (1)
[Discovery: attack:T1057:Process Discovery]: hald-addon-acpi: listening on acpi kernel interface /proc/acpi/event (1)
[Command and Control, Exfiltration: attack:T1205:Traffic Signaling, attack:T1048:Exfiltration Over Alternative Protocol]: bind@@GLIBC_2.2.5 (1)
[Command and Control, Exfiltration: attack:T1205:Traffic Signaling, attack:T1048:Exfiltration Over Alternative Protocol]: connect@@GLIBC_2.2.5 (1)
[Command and Control, Exfiltration: attack:T1205:Traffic Signaling, attack:T1048:Exfiltration Over Alternative Protocol]: listen@@GLIBC_2.2.5 (1)
[Command and Control, Exfiltration: attack:T1205:Traffic Signaling, attack:T1048:Exfiltration Over Alternative Protocol]: setsockopt@@GLIBC_2.2.5 (1)
Older (https://cyberplace.social/@GossiTheDog/110516069484635011 says pre-2021):
$ ../../../src/tools/triage-binary.sh a907e1e8145f46274943fb7451c62d83f5e5e683f57a69ddb7dbb520e04e04ce.elf.x86_64
[Execution, Persistence, Discovery: attack:T1053.006:Systemd Timers, attack:T1543.002:Systemd Service, attack:T1007:System Service Discovery]: /usr/lib/systemd/systemd-journald (1)
[Defense Evasion: attack:T1070.004:File Deletion]: ldterm (1)
[Defense Evasion: uses:Auditd, attack:T1562.001:Disable or Modify Tools]: /sbin/auditd -n (1)
[Discovery: attack:T1057:Process Discovery]: hald-addon-acpi: listening on acpi kernel interface /proc/acpi/event (1)
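The two listings above come from the author's triage-binary.sh; the script below is an added example, not that tool, that reimplements the same idea so the generational difference can be reproduced and checked. It matches indicator strings (the masqueraded process names and the libc imports shown above) against a rule table that reuses the page's tags, prints a report in the same "[tactic: tags]: indicator (n)" shape, and diffs two samples so that the capabilities present only in the newer generation (argv0/prctl process-name spoofing, fork, unlink, and the bind/connect/listen/setsockopt traffic-signaling set) stand out. The OLDER and RECENT lists are constructed from the listings; `indicators_from_elf()` assumes GNU `strings` is installed and is how you would feed it real samples.

```python
"""Reimplementation of the triage idea behind the two listings (added example)."""
import re
import subprocess
from collections import Counter

# Rule table: (regex tried against each indicator, tactic label, tags).
# Indicators and tags are copied from the page's output; the tactic grouping
# mirrors that output and is not an official ATT&CK mapping.  Versioned
# symbols are accepted both bare ("unlink", as .dynstr holds them) and
# versioned ("unlink@@GLIBC_2.2.5", as the listings show them).
RULES = [
    (r"^/usr/lib/systemd/systemd-journald$",
     "Execution, Persistence, Discovery",
     ["attack:T1053.006:Systemd Timers", "attack:T1543.002:Systemd Service",
      "attack:T1007:System Service Discovery"]),
    (r"^ldterm$", "Defense Evasion", ["attack:T1070.004:File Deletion"]),
    (r"^unlink(@|$)", "Defense Evasion", ["attack:T1070.004:File Deletion"]),
    (r"^/sbin/auditd -n$", "Defense Evasion",
     ["uses:Auditd", "attack:T1562.001:Disable or Modify Tools"]),
    (r"^argv0$", "Defense Evasion", ["uses:ProcessTreeSpoofing"]),
    (r"^prctl(@|$)", "Defense Evasion", ["uses:ProcessTreeSpoofing"]),
    (r"^fork(@|$)", "Defense Evasion", ["uses:ProcessTreeSpoofingForking"]),
    (r"^hald-addon-acpi: listening on acpi kernel interface /proc/acpi/event$",
     "Discovery", ["attack:T1057:Process Discovery"]),
    (r"^(bind|connect|listen|setsockopt)(@|$)",
     "Command and Control, Exfiltration",
     ["attack:T1205:Traffic Signaling",
      "attack:T1048:Exfiltration Over Alternative Protocol"]),
]

# Constructed from the two listings above (indicator names only).
OLDER = ["/usr/lib/systemd/systemd-journald", "ldterm", "/sbin/auditd -n",
         "hald-addon-acpi: listening on acpi kernel interface /proc/acpi/event"]
RECENT = OLDER + ["unlink@@GLIBC_2.2.5", "argv0", "prctl@@GLIBC_2.2.5",
                  "fork@@GLIBC_2.2.5", "bind@@GLIBC_2.2.5", "connect@@GLIBC_2.2.5",
                  "listen@@GLIBC_2.2.5", "setsockopt@@GLIBC_2.2.5"]


def triage(indicators):
    """Map indicators to {(tactic, tags): Counter(indicator -> hit count)}."""
    hits = {}
    for ind in indicators:
        for pattern, tactic, tags in RULES:
            if re.match(pattern, ind):
                hits.setdefault((tactic, tuple(tags)), Counter())[ind] += 1
    return hits


def format_report(hits):
    """Render hits in the same '[tactic: tags]: indicator (n)' shape as the listings."""
    return [f"[{tactic}: {', '.join(tags)}]: {ind} ({n})"
            for (tactic, tags), counter in hits.items()
            for ind, n in counter.items()]


def tags_of(hits):
    return {tag for (_, tags) in hits for tag in tags}


def compare(older, newer):
    """Diff the tag sets of two samples: what the newer generation gained or lost."""
    a, b = tags_of(triage(older)), tags_of(triage(newer))
    return {"added": sorted(b - a), "dropped": sorted(a - b), "shared": sorted(a & b)}


def indicators_from_elf(path, min_len=4):
    """Pull printable strings from a binary with GNU strings (assumed installed).

    Dynamic symbol names appear in .dynstr as bare names, which the rules accept.
    """
    out = subprocess.run(["strings", "-a", "-n", str(min_len), path],
                         capture_output=True, text=True, check=True).stdout
    return out.splitlines()


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:  # usage: triage_diff.py <older.elf> <newer.elf>
        older, recent = (indicators_from_elf(p) for p in sys.argv[1:3])
    else:                    # fall back to the constructed lists from the listings
        older, recent = OLDER, RECENT
    print("\n".join(format_report(triage(recent))))
    print("only in newer:", compare(older, recent)["added"])
```

Run with no arguments it reproduces the twelve report lines of the recent sample and reports the four tags the older build lacks; run with two ELF paths it applies the same rules to real strings output, where the string-based matching is a heuristic and a legitimate binary importing bind()/listen() will also light up the traffic-signaling rule.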