-
Notifications
You must be signed in to change notification settings - Fork 1
/
sandfly.cheat.sav
61 lines (47 loc) · 1.76 KB
/
sandfly.cheat.sav
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
% security, tools, sandfly,pushou
# bash history zeroize
export HISTFILE=/dev/null
export HISTSIZE=0
export HISTFILESIZE=0
unset HISTFILE
rm $HISTIFLE
shred $HISTFILE
rm .bash_history
cat /dev/null > $HISTFILE
set +o history
chattr +i $HISTFILE
# env variable for a process
cat /proc/<PID>/environ | tr '\0' '\n'
strings /proc/<PID>/environ
# copy linux malware binary from /proc
cp /proc/<PID>/exe /tmp/badbin
# sniffer trace
strings /proc/<PID>/stack
ls -al /proc/<PID>/fd
# ebpf cap of a process
ss -0bp
# alter file hash in bash script
echo -ne '\0' >> $1
# whoami shellcode
dd bs=1 if=$(echo -e "\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x77\x68\x6f\x61\x6d\x69") of=./test;chmod +x ./test;echo -ne '\0' >> ./test;./test
# find malware masquerading as a kernel thread ([]=no argument and is for kernel thread and should have empty mapi problem if /tmp[..])
cat /proc/<PID>/maps
ps auxwf | grep "\["
ps auxww | grep \\[ | awk '{print $2}' | xargs -I % sh -c 'echo PID: %; cat /proc/%/maps' 2> /dev/null
ps auxwf | grep \\[ | grep -v "\_" | grep -v kthreadd
# variant of memfd create fileless attack. fork/setsid/kill(SIGSTOP) keep a process hanging in bg to hold memfd open
ls -alR /proc/*/fd 2> /dev/null | grep "memfd: (deleted)"
grep "memfd_create" /proc/*/cmdline
strings /proc/PID/cmdline
python3 -c "import os;os.fork()or(os.setsid(),print(f'/proc/{os.getpid()}/fd/{os.memfd_create(str())}'),os.kill(os.getpid(),19))"
# search malicious modules not hiding
sudo cat /proc/modules | grep \(.*\)
# search process with bracket with no parent trying to mimic kernel thread
ps auxwf | grep "\["
# do not fragment off
route-map nodf permit 10
set ip df 0
interface FastEthernet2
ip policy route-map nodf
$ PROTO: echo 'tcp udp all' | tr ' ' '\n'
$ IP_VERSION: echo '4 6' | tr ' ' '\n'