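#!/bin/sh
# triage-binary.sh - static triage of a Linux binary: dump its printable strings
# and tag those that match known tradecraft indicators with MITRE ATT&CK
# tactic/technique labels. Output is a list of hints for an analyst, not a verdict.
#
# Usage: triage-binary.sh <path-to-binary>
#
# Refuse to run without a filename; otherwise every rule below would be executed
# against an empty path and the report would be silently empty.
if [ "$#" -lt 1 ] || [ -z "${1}" ]; then
  printf 'usage: %s <binary>\n' "${0##*/}" >&2
  exit 2
fi
FILENAME="${1}"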
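# Print every distinct string in a binary that matches an extended regular
# expression, tagged with the tactic/technique the rule maps to.
#   $1 - path of the binary to scan
#   $2 - grep -E pattern matched against each line of strings(1) output
#   $3 - tactic label (printed first inside the brackets)
#   $4 - technique label (printed second inside the brackets)
# Output: one line per distinct match, "[tactic: technique]: string (count)",
#         where count is how often that exact string occurred.
# Returns 0 normally; 1 if the file does not exist or is unreadable (diagnostic
# on stderr) so a caller can tell "no hits" from "could not scan".
string_list () {
  filename="${1}"
  pattern="${2}"
  tactic="${3}"
  technique="${4}"
  if [ ! -r "${filename}" ]; then
    printf 'string_list: cannot read %s\n' "${filename}" >&2
    return 1
  fi
  # strings -a scans the whole file instead of only the loaded sections, so
  # strings hidden in unusual sections of a hostile ELF are not skipped; "--"
  # stops a filename starting with '-' from being parsed as an option.
  # grep -E replaces the obsolescent egrep wrapper (recent GNU grep warns on it).
  # LC_ALL=C makes the sort byte-wise, so reports are identical across hosts.
  # read -r keeps backslashes in the extracted string literal.
  strings -a -- "${filename}" | grep -E -- "${pattern}" | LC_ALL=C sort | uniq -c | while read -r count symbol
  do
    # Fixed format string; the untrusted symbol is only ever a %s argument.
    printf "[%s: %s]: %s (%i)\n" "${tactic}" "${technique}" "${symbol}" "${count}"
  done
}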
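# Rule table: one string_list call per indicator, with arguments
#   <binary> <grep -E pattern> <ATT&CK tactic(s)> <technique label(s)>.
# A pattern of the form name([ ]+|$) matches a command name followed by
# whitespace or end-of-string, i.e. something that looks like a shell
# invocation. name[@(] matches the way dynamic-symbol references are printed.
# Matching is case-sensitive and unanchored unless the pattern says otherwise;
# several rules are deliberately broad and will fire on benign binaries
# (noted inline), so treat hits as leads to verify, not findings.
string_list "${FILENAME}" "arp([ ]+|$)|ifconfig([ ]+|$)|ping([ ]+|$)|nslookup([ ]+|$)" "Reconnaissance" "attack:T1590:Gather Victim Network Information"
string_list "${FILENAME}" "\/resolv.conf|nslookup([ ]+|$)" "Reconnaissance" "attack:T1071.004:DNS"
string_list "${FILENAME}" "buildroot\.org" "Resource Development" "uses:CrossCompiled"
string_list "${FILENAME}" "\/passwd" "Defense Evasion, Persistence, Privilege Escalation, Initial Access, Credential Access" "attack:T1078.003:Local Accounts, attack:T1003.008:/etc/passwd and /etc/shadow"
string_list "${FILENAME}" "python([ ]+|$)|Py_" "Execution" "attack:T1059.006:Python"
string_list "${FILENAME}" "\.go\$" "Execution" "uses:Go"
string_list "${FILENAME}" "docker([ ]+|$)|podman([ ]+|$)|kubectl([ ]+|$)" "Execution" "attack:T1609:Container Administration Command, attack:T1053.007:Container Orchestration Job, attack:T1610:Deploy Container"
# Bare substring: also matches e.g. "crontab" and "chrono"-style identifiers.
string_list "${FILENAME}" "cron" "Execution" "attack:T1053.003:Cron"
string_list "${FILENAME}" "systemd|systemctl([ ]+|$)" "Execution, Persistence, Discovery" "attack:T1053.006:Systemd Timers, attack:T1543.002:Systemd Service, attack:T1007:System Service Discovery"
string_list "${FILENAME}" "\/bash([ ]+|$)|\/sh([ ]+|$)" "Execution" "attack:T1546.004:Unix Shell"
string_list "${FILENAME}" "rc\.d|init\.d" "Persistence, Privilege Escalation" "attack:T1037.004:RC Scripts"
# "PATH" appears in almost any binary that reads its environment; expect noise.
string_list "${FILENAME}" "PATH" "Persistence" "attack:T1574.007:Path Interception by PATH Environment Variable"
string_list "${FILENAME}" "\/ld\.so\.|LD_" "Persistence" "attack:T1574.006:Dynamic Linker Hijacking"
string_list "${FILENAME}" "insmod([ ]+|$)|modprobe([ ]+|$)|init_module[@(]|\/proc\/ksym|\/dev\/kmem" "Persistence" "attack:T1215:Kernel Modules and Extensions"
string_list "${FILENAME}" "\/\.ssh|authorized_keys" "Persistence" "attack:T1098.004:SSH Authorized Keys"
string_list "${FILENAME}" "\/\.profile|\/\.bash" "Persistence, Privilege Escalation" "attack:T1037:Boot or Logon Initialization Scripts"
string_list "${FILENAME}" "chmod([ ]+|$)|chmod[@(]" "Defense Evasion, Privilege Escalation" "attack:T1548.001:Setuid and Setgid, attack:T1222:File and Directory Permissions Modification"
string_list "${FILENAME}" "ptrace[@(]" "Defense Evasion, Privilege Escalation" "attack:T1055.008:Ptrace System Calls, attack:T1622:Debugger Evasion"
string_list "${FILENAME}" "mprotect[@(]" "Defense Evasion, Privilege Escalation" "attack:T1055.012:Process Hollowing"
string_list "${FILENAME}" "history" "Credential Access, Defense Evasion" "attack:T1552.003:Bash History, attack:T1070.003:Clear Command History"
string_list "${FILENAME}" "gcc([ ]+|$)|g\+\+([ ]+|$)" "Defense Evasion" "attack:T1027.004:Compile After Delivery"
string_list "${FILENAME}" "iptables([ ]+|$)|ufw([ ]+|$)" "Defense Evasion" "attack:T1562.004:Disable or Modify System Firewall"
string_list "${FILENAME}" "base64([ ]+|$)|uudecode([ ]+|$)|uuencode([ ]+|$)" "Defense Evasion" "attack:T1001:Data Obfuscation"
# "gz" and "zlib" are bare substrings and fire on any binary linked against
# compression libraries, not only on packed samples.
string_list "${FILENAME}" "tar([ ]+|$)|gzip([ ]+|$)|gunzip([ ]+|$)|zlib|gz|UPX Team" "Defense Evasion" "attack:T1027.002:Software Packing"
string_list "${FILENAME}" "sudo([ ]+|$)|\/etc\/sudoers" "Defense Evasion" "attack:T1548.003:Sudo and Sudo Caching"
# No trailing space after the group: a stray space here would require two
# spaces after "touch" and make the end-of-string alternative unmatchable.
string_list "${FILENAME}" "touch([ ]+|$)" "Defense Evasion" "attack:T1070.006:Timestomp"
string_list "${FILENAME}" "rm([ ]+|$)|unlink[@(]" "Defense Evasion" "attack:T1070.004:File Deletion"
string_list "${FILENAME}" "\/var\/log" "Defense Evasion" "attack:T1070.002:Clear Linux or Mac System Logs"
string_list "${FILENAME}" "auditd|auditctl([ ]+|$)" "Defense Evasion" "uses:Auditd, attack:T1562.001:Disable or Modify Tools"
# NOTE(review): the "uses:Auditd" label is repeated from the auditd rule above
# although this rule matches "selinux"; confirm the intended label.
string_list "${FILENAME}" "selinux" "Defense Evasion" "uses:Auditd, attack:T1562.001:Disable or Modify Tools"
string_list "${FILENAME}" "syslogd([ ]+|$)|syslog-ng" "Defense Evasion" "attack:T1562.001:Disable or Modify Tools"
string_list "${FILENAME}" "\/etc\/ssl" "Defense Evasion" "attack:T1553.004:Install Root Certificate"
string_list "${FILENAME}" "memfd_" "Defense Evasion" "attack:T1620:Reflective Code Loading, uses:Non-persistentStorage"
string_list "${FILENAME}" "\/dev\/shm|\/tmp|\/var\/run|\/var\/tmp" "Defense Evasion" "uses:Non-persistentStorage"
string_list "${FILENAME}" "\/dev\/null" "Defense Evasion" "uses:RedirectionToNull"
# "argv" is present in practically every C program; the prctl/setproctitle
# alternatives are the meaningful part of this rule.
string_list "${FILENAME}" "argv|setproctitle[@(]|prctl[@(]" "Defense Evasion" "uses:ProcessTreeSpoofing"
string_list "${FILENAME}" "mount.*bind.*proc" "Defense Evasion" "uses:ProcessTreeSpoofingBindMountProc"
string_list "${FILENAME}" "fork[@(]" "Defense Evasion" "uses:ProcessTreeSpoofingForking"
string_list "${FILENAME}" "pthread_create[@(]" "Defense Evasion" "uses:ProcessTreeSpoofingThreads"
string_list "${FILENAME}" "ebpf" "Defense Evasion" "uses:eBPF"
string_list "${FILENAME}" "\/dev\/[sh]da[0-9]" "Defense Evasion, Impact" "attack:T1006:Direct Volume Access, attack:T1561:Disk Wipe"
string_list "${FILENAME}" "pam_" "Credential Access" "attack:T1556.003:Pluggable Authentication Modules"
string_list "${FILENAME}" "\/shadow" "Credential Access" "attack:T1003.008:/etc/passwd and /etc/shadow"
string_list "${FILENAME}" "pcap_|tcpdump([ ]+|$)|tshark([ ]+|$)" "Credential Access, Discovery" "attack:T1040:Network Sniffing"
string_list "${FILENAME}" "\/\.ssh|id_[rd]sa" "Credential Access" "attack:T1552.004:Private Keys"
string_list "${FILENAME}" "KRB5CCNAME|klist([ ]+|$)|kinit([ ]+|$)|\/var\/lib\/sss|\/tmp\/krb5cc" "Credential Access" "attack:T1558:Steal or Forge Kerberos Tickets"
# [%i0-9]+ also accepts a printf-style "%i"/"%d" placeholder in the path, which
# is how a program that reads another process's memory usually embeds the PID.
string_list "${FILENAME}" "\/proc\/[%i0-9]+\/maps|\/proc\/[%i0-9]+\/mem" "Credential Access" "attack:T1003.007:Proc Filesystem"
string_list "${FILENAME}" "readdir[@(]|find([ ]+)[A-Za-z./]" "Discovery" "attack:T1083:File and Directory Discovery"
string_list "${FILENAME}" "netstat([ ]+|$)|lsof([ ]+|$)" "Discovery" "attack:T1046:Network Service Discovery"
string_list "${FILENAME}" "\/group" "Discovery" "attack:T1069:Permission Groups Discovery"
# "ps " is unanchored (matches e.g. "maps ") and "/proc" is very common; noisy.
string_list "${FILENAME}" "ps([ ]+|$)|\/proc" "Discovery" "attack:T1057:Process Discovery"
string_list "${FILENAME}" "yum([ ]+|$)|apt-get([ ]+|$)|apt([ ]+|$)|rpm([ ]+|$)|dpkg([ ]+|$)" "Discovery" "attack:T1518:Software Discovery"
string_list "${FILENAME}" "\/opt\/carbonblack|cbdaemon|cbsensor|\/opt\/sentinelone|\/opt\/CrowdStrike|falcond|falcon_" "Discovery" "attack:T1518.001:Security Software Discovery"
# The bare port numbers "3389" and "445" match any string containing those
# digits (sizes, timestamps, version strings); the tool names are the reliable part.
string_list "${FILENAME}" "3389|xfreerdp([ ]+|$)|rdesktop([ ]+|$)" "Lateral Movement" "attack:T1021.001:Remote Desktop Protocol"
string_list "${FILENAME}" "445|mount([ ]+|$)|smbclient([ ]+|$)|smb:" "Lateral Movement" "attack:T1021.002:SMB/Windows Admin Shares"
string_list "${FILENAME}" "ssh([ ]+|$)|scp([ ]+|$)" "Lateral Movement" "attack:T1021.004:SSH"
string_list "${FILENAME}" "tar([ ]+|$)" "Collection" "attack:T1560:Archive Collected Data"
# Dots in .git/.svn are escaped so they match literally; "\/etc" alone fires on
# nearly any binary that reads system configuration.
string_list "${FILENAME}" "\/etc|\/\.local|\/\.git|\/\.svn" "Collection" "attack:T1005:Data from Local System"
string_list "${FILENAME}" "snmp" "Collection" "attack:T1602.001:SNMP (MIB Dump)"
string_list "${FILENAME}" "bind[@(]|connect[@(]|listen[@(]|setsockopt[@(]" "Command and Control, Exfiltration" "attack:T1205:Traffic Signaling, attack:T1048:Exfiltration Over Alternative Protocol"
# Case-sensitive: "tls"/"ssl" match lowercase library and symbol names only.
string_list "${FILENAME}" "tls|ssl|https:\/\/" "Command and Control, Exfiltration" "attack:T1573:Encrypted Channel, attack:T1048:Exfiltration Over Alternative Protocol"
string_list "${FILENAME}" "http[s]_proxy" "Command and Control" "attack:T1090:Proxy"
string_list "${FILENAME}" "http:\/\/|https:\/\/|curl([ ]+|$)|wget([ ]+|$)" "Command and Control, Exfiltration" "attack:T1071.001:Web Protocols, attack:T1567:Exfiltration Over Web Service"
string_list "${FILENAME}" "irc|NICK|NOTICE" "Command and Control, Exfiltration" "uses:IRC, attack:T1048:Exfiltration Over Alternative Protocol"
string_list "${FILENAME}" "ftp([ ]+|$)" "Command and Control" "attack:T1071.002:File Transfer Protocols"
string_list "${FILENAME}" "\/www|\/public_html" "Impact" "attack:T1491:Defacement"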