guardicore / labs_campaigns Goto Github PK

When searching for "deleted" missing the case where the
executable was run and deleted on an NFS volume.
eg
/proc/114028/exe -> /people/tiffin/.nfs0000000004b40e9f00093dd8

Vollgar_Detect_Issue.txt
Even with Execution policy bypass, powershell is not properly running the script. Powershell has administrator rights.

Small change for the detection of a deleted process:

for pn in "${proc_names[@]}"
do
for exe_pid in $(pidof $pn)
do
exe_path=$(ls -l /proc/$exe_pid/exe 2>/dev/null | grep deleted)
if [[ $exe_path ]]
then
malicious_proc=true
echo "[*] Fileless process" $pn "is running on the server."
fi
done
done

Just a small one:

netstat -ano | grep LISTEN | grep 1234

would also detect other open ports from othe processes like postfix running on 12346.
maybe would be better to use grep with "-w" option, to select only those lines containing matches that form whole word.

netstat missing

you might want to update to us SS -ano if netstat is missing

if [[ -x "$(command -v netstat)" ]]; then

    if [[ $(netstat -ano | grep LISTEN | grep 1234) ]]; then
    listening_port=true
    echo "[*] Listening on port 1234"
    fi
fi

if [[ -x "$(command -v ss)" ]]; then

    if [[ $(ss -ano | grep LISTEN | grep 1234) ]]; then
    listening_port=true
    echo "[*] Listening on port 1234"
    fi
fi

Hello,

I have identified that special characters are used in the host style list provided here.

Neither ! nor * are valid domain characters. International domain names (IDN) are typically requested only in their encoded form

Can you please verify and remove them or include ASCII characters only.

THX

Hello,
could you provide the list with domain names only in another file?
FortiGates are capable of fetching this data in Threat feets.
With that I can create a firewall rules to block traffic to that.
Thank you.
Cheers