Created June 9, 2023 21:39
Comparing and contrasting generations of RedMenshen AKA BPFDoor
Recent:
$ ../../../src/tools/triage-binary.sh fa0defdabd9fd43fe2ef1ec33574ea1af1290bd3d763fdb2bed443f2bd996d73.elf.x86_64
[Execution, Persistence, Discovery: attack:T1053.006:Systemd Timers, attack:T1543.002:Systemd Service, attack:T1007:System Service Discovery]: /usr/lib/systemd/systemd-journald (1)
[Defense Evasion: attack:T1070.004:File Deletion]: ldterm (1)
[Defense Evasion: attack:T1070.004:File Deletion]: unlink@@GLIBC_2.2.5 (1)
[Defense Evasion: uses:Auditd, attack:T1562.001:Disable or Modify Tools]: /sbin/auditd -n (1)
[Defense Evasion: uses:ProcessTreeSpoofing]: argv0 (1)
[Defense Evasion: uses:ProcessTreeSpoofing]: prctl@@GLIBC_2.2.5 (1)
[Defense Evasion: uses:ProcessTreeSpoofingForking]: fork@@GLIBC_2.2.5 (1)
[Discovery: attack:T1057:Process Discovery]: hald-addon-acpi: listening on acpi kernel interface /proc/acpi/event (1)
[Command and Control, Exfiltration: attack:T1205:Traffic Signaling, attack:T1048:Exfiltration Over Alternative Protocol]: bind@@GLIBC_2.2.5 (1)
[Command and Control, Exfiltration: attack:T1205:Traffic Signaling, attack:T1048:Exfiltration Over Alternative Protocol]: connect@@GLIBC_2.2.5 (1)
[Command and Control, Exfiltration: attack:T1205:Traffic Signaling, attack:T1048:Exfiltration Over Alternative Protocol]: listen@@GLIBC_2.2.5 (1)
[Command and Control, Exfiltration: attack:T1205:Traffic Signaling, attack:T1048:Exfiltration Over Alternative Protocol]: setsockopt@@GLIBC_2.2.5 (1)

Older (https://cyberplace.social/@GossiTheDog/110516069484635011 says pre-2021):
$ ../../../src/tools/triage-binary.sh a907e1e8145f46274943fb7451c62d83f5e5e683f57a69ddb7dbb520e04e04ce.elf.x86_64
[Execution, Persistence, Discovery: attack:T1053.006:Systemd Timers, attack:T1543.002:Systemd Service, attack:T1007:System Service Discovery]: /usr/lib/systemd/systemd-journald (1)
[Defense Evasion: attack:T1070.004:File Deletion]: ldterm (1)
[Defense Evasion: uses:Auditd, attack:T1562.001:Disable or Modify Tools]: /sbin/auditd -n (1)
[Discovery: attack:T1057:Process Discovery]: hald-addon-acpi: listening on acpi kernel interface /proc/acpi/event (1)
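An added example, not part of this gist or of triage-binary.sh: it parses the `[Tactic(s): tags]: indicator (count)` lines above (copied verbatim from the two runs) and reports which indicators and ATT&CK techniques the recent sample carries that the older one lacks, so the generational diff is mechanical rather than eyeballed. The line format is assumed from the output shown here.

```python
import re
from typing import Dict, Set

# The two triage-binary.sh outputs from this gist, embedded verbatim.
RECENT = """\
[Execution, Persistence, Discovery: attack:T1053.006:Systemd Timers, attack:T1543.002:Systemd Service, attack:T1007:System Service Discovery]: /usr/lib/systemd/systemd-journald (1)
[Defense Evasion: attack:T1070.004:File Deletion]: ldterm (1)
[Defense Evasion: attack:T1070.004:File Deletion]: unlink@@GLIBC_2.2.5 (1)
[Defense Evasion: uses:Auditd, attack:T1562.001:Disable or Modify Tools]: /sbin/auditd -n (1)
[Defense Evasion: uses:ProcessTreeSpoofing]: argv0 (1)
[Defense Evasion: uses:ProcessTreeSpoofing]: prctl@@GLIBC_2.2.5 (1)
[Defense Evasion: uses:ProcessTreeSpoofingForking]: fork@@GLIBC_2.2.5 (1)
[Discovery: attack:T1057:Process Discovery]: hald-addon-acpi: listening on acpi kernel interface /proc/acpi/event (1)
[Command and Control, Exfiltration: attack:T1205:Traffic Signaling, attack:T1048:Exfiltration Over Alternative Protocol]: bind@@GLIBC_2.2.5 (1)
[Command and Control, Exfiltration: attack:T1205:Traffic Signaling, attack:T1048:Exfiltration Over Alternative Protocol]: connect@@GLIBC_2.2.5 (1)
[Command and Control, Exfiltration: attack:T1205:Traffic Signaling, attack:T1048:Exfiltration Over Alternative Protocol]: listen@@GLIBC_2.2.5 (1)
[Command and Control, Exfiltration: attack:T1205:Traffic Signaling, attack:T1048:Exfiltration Over Alternative Protocol]: setsockopt@@GLIBC_2.2.5 (1)
"""
OLDER = """\
[Execution, Persistence, Discovery: attack:T1053.006:Systemd Timers, attack:T1543.002:Systemd Service, attack:T1007:System Service Discovery]: /usr/lib/systemd/systemd-journald (1)
[Defense Evasion: attack:T1070.004:File Deletion]: ldterm (1)
[Defense Evasion: uses:Auditd, attack:T1562.001:Disable or Modify Tools]: /sbin/auditd -n (1)
[Discovery: attack:T1057:Process Discovery]: hald-addon-acpi: listening on acpi kernel interface /proc/acpi/event (1)
"""
# One finding per line: "[Tactic(s): tag, tag]: indicator (count)" (format assumed from the output above).
LINE = re.compile(r"^\[([^:]+): ([^\]]+)\]: (.+) \((\d+)\)$")

def parse(output: str) -> Dict[str, Set[str]]:
    """Map each indicator (symbol, path or spoofed name) to its tag set."""
    findings: Dict[str, Set[str]] = {}
    for line in filter(None, map(str.strip, output.splitlines())):
        m = LINE.match(line)
        if not m:
            raise ValueError(f"unrecognised triage line: {line!r}")
        _tactics, tags, indicator, _count = m.groups()
        findings[indicator] = {t.strip() for t in tags.split(",")}
    return findings

def added_in(newer: str, older: str) -> Dict[str, Set[str]]:
    """Indicators the newer generation carries that the older one lacks."""
    old = parse(older)
    return {k: v for k, v in parse(newer).items() if k not in old}

def techniques(findings: Dict[str, Set[str]]) -> Set[str]:
    """ATT&CK technique tags (attack:T...) across a set of findings."""
    return {t for tags in findings.values() for t in tags if t.startswith("attack:")}

if __name__ == "__main__":
    for indicator, tags in sorted(added_in(RECENT, OLDER).items()):
        print(f"new in recent sample: {indicator:24} {', '.join(sorted(tags))}")
```

Run against these two outputs it lists the unlink, argv0/prctl/fork and bind/connect/listen/setsockopt indicators, i.e. the file-deletion, process-tree-spoofing and traffic-signaling capabilities the older sample does not show; nothing from the older sample is missing in the recent one.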