


Tim Brown timb-machine

@timb-machine
timb-machine / Bulk rename my mirror repos to reference original org
Created October 22, 2022 15:56
#!/bin/sh
# For every fork in the timb-machine-mirrors org, rename it to
# <parent-org>-<parent-name> so the mirror's name records where it came from.
# gh's --jq flag extracts the fields from the JSON instead of splitting it
# with tr/cut; the -n/null guard skips forks whose parent has gone away.
gh repo list timb-machine-mirrors --fork -L 1230 --json name --jq '.[].name' | while read -r line
do
    org=$(gh repo view "timb-machine-mirrors/$line" --json parent --jq '.parent.owner.login')
    name=$(gh repo view "timb-machine-mirrors/$line" --json parent --jq '.parent.name')
    if [ -n "$org" ] && [ "$org" != "null" ] && [ "$line" != "$org-$name" ]
    then
        gh repo rename -y -R "timb-machine-mirrors/$line" "$org-$name"
    fi
done
timb-machine / Messing with slash-proc
Last active December 16, 2022 17:29
# ps -aef | grep 94
root 94 2 0 Jun16 ? 00:00:00 [kworker/6:1H]
root 594 2 0 Jun16 ? 00:00:00 [ipv6_addrconf]
root 4692 2509 0 01:17 pts/0 00:00:00 grep 94
root 20394 2 0 Oct08 ? 00:00:20 [kworker/u32:2]
# mkdir -p spoof/fd; mount -o bind spoof /proc/94; ln -s socket:\[283\] /proc/94/fd/99; ls -la /proc/94/fd
total 4
drwxr-xr-x 2 root root 4096 Oct 9 01:16 .
dr-xr-xr-x 193 root root 0 Jun 16 17:40 ..
lrwxrwxrwx 1 root root 12 Oct 9 01:16 99 -> socket:[283]
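The bind mount above hides the real /proc/94 entries from anything reading that path, but it leaves a record in the mount table: a non-procfs mount whose mount point is a /proc/<pid> directory. The script below is an added example, not part of the gist: it parses /proc/self/mountinfo format and reports every such mount together with its filesystem type and the directory that was bound over the pid. The sample mountinfo lines at the bottom are constructed to mirror the gist's mount command.

```shell
#!/bin/sh
# Added example (not from the gist): find mounts sitting on top of a
# /proc/<pid> directory, the artifact the bind-mount trick leaves behind.
# Reads /proc/self/mountinfo format from the file given as $1, defaulting
# to the live mount table of the current mount namespace.

# Print "mountpoint fstype root" for every mount whose mount point is a
# /proc/<pid> directory or something below it. In mountinfo, field 4 is the
# root of the mount inside its source filesystem (the spoof directory here),
# field 5 is the mount point, and the fs type follows the lone "-" separator.
find_proc_overmounts() {
    awk '{
        mnt = $5
        fstype = "?"
        for (i = 7; i <= NF; i++) {
            if ($i == "-") { fstype = $(i + 1); break }
        }
        if (mnt ~ /^\/proc\/[0-9]+(\/|$)/) {
            print mnt, fstype, $4
        }
    }' "${1:-/proc/self/mountinfo}"
}

# Constructed mountinfo lines: a normal procfs, the usual binfmt_misc mount
# (legitimately under /proc, so it must not be flagged), and an ext4
# directory bind-mounted over /proc/94 as in the gist.
SAMPLE_MOUNTINFO='23 29 0:22 / /proc rw,nosuid,nodev,noexec,relatime shared:15 - proc proc rw
77 23 0:34 / /proc/sys/fs/binfmt_misc rw,relatime shared:30 - binfmt_misc binfmt_misc rw
912 23 8:1 /root/spoof /proc/94 rw,relatime shared:1 - ext4 /dev/sda1 rw'

# Run the check against the constructed sample; call find_proc_overmounts
# with no argument to inspect the live mount namespace instead.
run_sample() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_MOUNTINFO" > "$tmp"
    find_proc_overmounts "$tmp"
    rm -f "$tmp"
}

run_sample
```

Two caveats when using this on a live box. The mount table is per mount namespace, so a process that did the bind mount inside its own namespace will not show up in yours; run the check from the suspect's namespace (`nsenter -t <pid> -m`) or inspect /proc/<pid>/mountinfo for each process rather than only /proc/self/mountinfo. Also, because the spoof directory replaces the whole /proc/<pid> tree, the overmounted pid has no status, maps or exe entries even though `kill -0 <pid>` still succeeds; a pid that is alive but unreadable through /proc is a second tell independent of the mount table.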
timb-machine / What even is Mirai?
Created September 19, 2022 16:32
Unix.Trojan.Mirai$ ls *.elf.* | wc -l
65
Unix.Trojan.Mirai$ clamscan *.elf.* | grep Unix.Trojan.Mirai | wc -l
65
Unix.Trojan.Mirai$ wc -l triage/*
2 triage/00bbe47a7af460fcd2beb72772965e2c3fcff93a91043f0d74ba33c92939fe9d.elf.x86.triage
1 triage/0cb8d3af19c50201db3a63329d66ff18c3208135a40a237b98886f5d87f706bb.elf.x86.triage
2 triage/11242cdb5dac9309a2f330bd0dad96efba9ccc9b9d46f2361e8bf8e4cde543c1.elf.m68k.triage
11 triage/12330634ae5c2ac7da6d8d00f3d680630d596df154f74e03ff37e6942f90639e.elf.arm.triage
17 triage/190333b93af51f9a3e3dc4186e4f1bdb4f92c05d3ce047fbe5c3670d1b5a87b4.elf.sparc.triage
timb-machine / Triaging Linux malware with respect to ATT&CK
Created September 4, 2022 18:49
$ src/tools/triage-binary.sh malware/binaries/BPFDoor/dc8346bf443b7b453f062740d8ae8d8d7ce879672810f4296158f90359dcae3a.elf.sparc
[Privilege Escalation, Persistence: Unix Shell]: /usr/bin/bash (1)
[Persistence: Path Interception by PATH Environment Variable]: PATH=/bin:/usr/kerberos/sbin:/usr/kerberos/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/usr/X11R6/bin:./bin (1)
[Persistence: Dynamic Linker Hijacking]: /usr/lib/ld.so.1 (1)
[Credential Access: Network Sniffing]: pcap_compile (2)
[Credential Access: Network Sniffing]: pcap_geterr (2)
[Credential Access: Network Sniffing]: pcap_loop (2)
[Credential Access: Network Sniffing]: pcap_open_live (2)
[Credential Access: Network Sniffing]: pcap_setfilter (2)
[Defense Evasion: LM: Non-persistant Storage]: /var/run/haldrund.pid (1)
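The labels above are produced by triage-binary.sh from timb-machine's linux-malware repo, which is not shown here. What follows is an added example and not that script: a minimal string-to-ATT&CK mapper that extracts printable strings from a file, matches them against a small rule table and prints one line per distinct hit with its count, in the same shape as the output above. The rule table, its regexes and labels, and the fake sample file are all my assumptions reconstructed from that output; the real tool's rules and extraction method may differ.

```shell
#!/bin/sh
# Added example, not the linux-malware repo's triage-binary.sh: map strings
# found in a file to ATT&CK labels. The rule table below is an assumption
# drawn from the output shown above, not the repo's own rules.

# Extract printable runs of four or more characters, like strings(1), so the
# check works on any file without binutils. On a real ELF, nm -D or
# readelf --dyn-syms gives a cleaner list of imported symbols.
extract_strings() {
    tr -c '[:print:]' '\n' < "$1" | grep -E '^.{4,}$'
}

# One rule per line, "regex;label"; each regex is matched against a whole
# extracted string (so ';' must not appear inside a regex).
TRIAGE_RULES='^pcap_[a-z_]+$;Credential Access: Network Sniffing
^/usr/lib/ld\.so\.[0-9]+$;Persistence: Dynamic Linker Hijacking
^PATH=;Persistence: Path Interception by PATH Environment Variable
^/(usr/)?bin/(ba)?sh$;Privilege Escalation, Persistence: Unix Shell
^/var/run/[^/]+\.pid$;Defense Evasion: LM: Non-persistent Storage'

# Print "[label]: string (count)" for every distinct string matching a rule.
triage_binary() {
    strs=$(extract_strings "$1")
    printf '%s\n' "$TRIAGE_RULES" | while IFS=';' read -r regex label; do
        printf '%s\n' "$strs" | grep -E "$regex" | sort | uniq -c |
        while read -r n s; do
            printf '[%s]: %s (%d)\n' "$label" "$s" "$n"
        done
    done
}

# Constructed stand-in for a malware binary: NUL-separated strings with a few
# non-printable bytes around them. Writes the file and prints its path.
make_sample() {
    tmp=$(mktemp)
    printf '\177ELF\001\002\000pcap_open_live\000pcap_loop\000pcap_open_live\000/usr/lib/ld.so.1\000PATH=/bin:/usr/bin:./bin\000/var/run/haldrund.pid\000/usr/bin/bash\000' > "$tmp"
    printf '%s' "$tmp"
}

sample=$(make_sample)
triage_binary "$sample"
rm -f "$sample"
```

The counts matter more than they look: pcap_open_live appearing twice in the sample shows up as "(2)", which is what distinguishes a library that merely links libpcap from code that references it from several places. A rule table this small is only a starting point; the value of the approach is that adding a technique is one line, and that every reported label points at the exact string that triggered it, so a false positive can be traced and the regex tightened.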
timb-machine / Tidal Cycles, my first noise
Created August 24, 2022 22:55
d1 $ s "bd:30*5 [~ sn:60] show cp"
d2 $ every 2 (0.25 <~) $ s "bd:100*5 [~ sn:60]"
d3 $ s "bd:90*5 cp" # s "feel" # speed 10
d4 $ jux rev $ s "drum*10 bd bd hh" # speed 0.5
d5 $ s "cp"
d6 $ s "bd:50*5 cp" # s "feel" # speed 0.6
d7 $ jux rev $ s "drum:100*10 bd bd hh" # speed 0.6
d8 $ s "bd:40*5 cp" # s "feel" # speed (slow 4 $ 0.4 + sine * 0.5)
timb-machine / Words commonly found in Linux DFIR reports
Last active August 27, 2022 12:25
Generated with:
#!/usr/bin/perl
use strict;
my %dictionary;   # word list to filter against (unused in this preview)
my %words;        # word => number of times it appears across the reports
sub count {
    my $filehandle = shift;
    while (<$filehandle>) {
        $words{lc $1}++ while /\b([A-Za-z]{3,})\b/g;
    }
}
count(\*STDIN);
print "$words{$_} $_\n" for sort { $words{$b} <=> $words{$a} } keys %words;
timb-machine / Linux techniques missing from ATT&CK?
Created August 13, 2022 12:06
T1134.004: Parent PID Spoofing
missing from ATT&CK
* https://magisterquis.github.io/2018/03/11/process-injection-with-gdb.html (https://github.com/timb-machine/linux-malware/issues/462), citable: False (TACTICS OR TECHNIQUES WRONG)
* https://grugq.github.io/docs/ul_exec.txt (https://github.com/timb-machine/linux-malware/issues/463), citable: False (TACTICS OR TECHNIQUES WRONG)
* https://gist.github.com/timb-machine/6177721c3eafba3e95abdf112b2a5902 (https://github.com/timb-machine/linux-malware/issues/461), citable: False (TACTICS OR TECHNIQUES WRONG)
T1055.012: Process Hollowing
timb-machine / linux-malware to ATTACK.md
Last active August 23, 2022 09:57

Credential Access

T1556.003: Pluggable Authentication Modules

T1003: OS Credential Dumping

timb-machine / What3Words are offensive
Last active August 23, 2022 19:24
Never mind that what3words has real technical, logistical and practical limitations... Let's look at some of the dark, libellous, illegal and/or downright offensive combinations of /// addresses that their word lists can result in:
* https://what3words.com/mistakes.cost.lives
* https://what3words.com/troll.under.bridge
* https://what3words.com/burn.that.school
* https://what3words.com/lorry.catches.fire
* https://what3words.com/shank.that.police
* https://what3words.com/hang.puppy.quick
* https://what3words.com/master.whips.slave
* https://what3words.com/bullets.into.head
timb-machine / badrpath.sh
Created July 4, 2022 23:29
#!/bin/sh
# Walk every setuid/setgid file and flag RPATH/RUNPATH entries that are not
# absolute: a relative entry, or an empty one (which the loader treats as the
# current directory), lets an unprivileged user choose the library a
# privileged binary loads. $ORIGIN entries are reported too; review by hand.
find / \( \( -perm -u+s \) -o \( -perm -g+s \) \) -a -type f 2>/dev/null | while IFS= read -r SUIDFILE
do
    LSFILE=`ls -la "$SUIDFILE"`
    objdump -x "$SUIDFILE" 2>&1 | grep -E 'RPATH|RUNPATH' | while read name paths
    do
        if [ -n "$paths" ]; then
            echo "$paths" | tr ":" "\n" | while read RPATHDIR
            do
                if [ "`echo "$RPATHDIR" | cut -c 1`" != "/" ]
                then
                    echo "$LSFILE: $name has non-absolute entry '$RPATHDIR'"
                fi
            done
        fi
    done
done