Linux HackTool Execution

 1title: Linux HackTool Execution
 2id: a015e032-146d-4717-8944-7a1884122111
 3status: experimental
 4description: Detects known hacktool execution based on image name.
 5references:
 6    - https://github.com/Gui774ume/ebpfkit
 7    - https://github.com/pathtofile/bad-bpf
 8    - https://github.com/carlospolop/PEASS-ng
 9    - https://github.com/t3l3machus/hoaxshell
10    - https://github.com/t3l3machus/Villain
11    - https://github.com/HavocFramework/Havoc
12    - https://github.com/1N3/Sn1per
13    - https://github.com/Ne0nd0g/merlin
14    - https://github.com/Pennyw0rth/NetExec/
15author: Nasreddine Bencherchali (Nextron Systems), Georg Lauenstein (sure[secure])
16date: 2023/01/03
17modified: 2023/10/25
18tags:
19    - attack.execution
20    - attack.resource_development
21    - attack.t1587
22logsource:
23    product: linux
24    category: process_creation
25detection:
26    selection_c2_frameworks:
27        Image|endswith:
28            - '/crackmapexec'
29            - '/havoc'
30            - '/merlin-agent'
31            - '/merlinServer-Linux-x64'
32            - '/msfconsole'
33            - '/msfvenom'
34            - '/ps-empire server'
35            - '/ps-empire'
36            - '/sliver-client'
37            - '/sliver-server'
38            - '/Villain.py'
39    selection_c2_framework_cobaltstrike:
40        Image|contains:
41            - '/cobaltstrike'
42            - '/teamserver'
43    selection_scanners:
44        Image|endswith:
45            - '/autorecon'
46            - '/httpx'
47            - '/legion'
48            - '/naabu'
49            - '/netdiscover'
50            - '/nmap'
51            - '/nuclei'
52            - '/recon-ng'
53            - '/zenmap'
54    selection_scanners_sniper:
55        Image|contains: '/sniper'
56    selection_web_enum:
57        Image|endswith:
58            - '/dirb'
59            - '/dirbuster'
60            - '/eyewitness'
61            - '/feroxbuster'
62            - '/ffuf'
63            - '/gobuster'
64            - '/wfuzz'
65            - '/whatweb'
66    selection_web_vuln:
67        Image|endswith:
68            - '/joomscan'
69            - '/nikto'
70            - '/wpscan'
71    selection_exploit_tools:
72        Image|endswith:
73            - '/aircrack-ng'
74            - '/bloodhound-python'
75            - '/bpfdos'
76            - '/ebpfki'
77            - '/evil-winrm'
78            - '/hashcat'
79            - '/hoaxshell.py'
80            - '/hydra'
81            - '/john'
82            - '/ncrack'
83            # default binary: https://github.com/Pennyw0rth/NetExec/releases/download/v1.0.0/nxc-ubuntu-latest
84            - '/nxc-ubuntu-latest'
85            - '/pidhide'
86            - '/pspy32'
87            - '/pspy32s'
88            - '/pspy64'
89            - '/pspy64s'
90            - '/setoolkit'
91            - '/sqlmap'
92            - '/writeblocker'
93    selection_linpeas:
94        # covers: all linux versions listed here: https://github.com/carlospolop/PEASS-ng/releases
95        Image|contains: '/linpeas'
96    condition: 1 of selection_*
97falsepositives:
98    - Unlikely
99level: high

References

• GitHub - Gui774ume/ebpfkit: ebpfkit is a rootkit powered by eBPF

  

  ebpfkit is a rootkit powered by eBPF. Contribute to Gui774ume/ebpfkit development by creating an account on GitHub.

  
  Read More

• GitHub - pathtofile/bad-bpf: A collection of eBPF programs demonstrating bad behavior, presented at DEF CON 29

  

  A collection of eBPF programs demonstrating bad behavior, presented at DEF CON 29 - GitHub - pathtofile/bad-bpf: A collection of eBPF programs demonstrating bad behavior, presented at DEF CON 29

  
  Read More

• GitHub - carlospolop/PEASS-ng: PEASS - Privilege Escalation Awesome Scripts SUITE (with colors)

  

  PEASS - Privilege Escalation Awesome Scripts SUITE (with colors) - GitHub - carlospolop/PEASS-ng: PEASS - Privilege Escalation Awesome Scripts SUITE (with colors)

  
  Read More

• GitHub - t3l3machus/hoaxshell: A Windows reverse shell payload generator and handler that abuses the http(s) protocol to establish a beacon-like reverse shell.

  

  A Windows reverse shell payload generator and handler that abuses the http(s) protocol to establish a beacon-like reverse shell. - GitHub - t3l3machus/hoaxshell: A Windows reverse shell payload gen...

  
  Read More

• GitHub - t3l3machus/Villain: Villain is a C2 framework that can handle multiple TCP socket & HoaxShell-based reverse shells, enhance their functionality with additional features (commands, utilities etc) and share them among connected sibling servers (Villain instances running on different machines).

  

  Villain is a C2 framework that can handle multiple TCP socket & HoaxShell-based reverse shells, enhance their functionality with additional features (commands, utilities etc) and share them amo...

  
  Read More

• GitHub - HavocFramework/Havoc: The Havoc Framework.

  

  The Havoc Framework. Contribute to HavocFramework/Havoc development by creating an account on GitHub.

  
  Read More

• GitHub - 1N3/Sn1per: Attack Surface Management Platform

  

  Attack Surface Management Platform. Contribute to 1N3/Sn1per development by creating an account on GitHub.

  
  Read More

• GitHub - Ne0nd0g/merlin: Merlin is a cross-platform post-exploitation HTTP/2 Command & Control server and agent written in golang.

  

  Merlin is a cross-platform post-exploitation HTTP/2 Command & Control server and agent written in golang. - GitHub - Ne0nd0g/merlin: Merlin is a cross-platform post-exploitation HTTP/2 Command...

  
  Read More

• GitHub - Pennyw0rth/NetExec: The Network Execution Tool

  

  The Network Execution Tool. Contribute to Pennyw0rth/NetExec development by creating an account on GitHub.

  
  Read More

Related rules

• CVE-2021-1675 Print Spooler Exploitation Filename Pattern
• Suspicious Word Cab File Write CVE-2021-40444
• FoggyWeb Backdoor DLL Loading
• PUA - CsExec Execution
• HackTool - PurpleSharp Execution