added search for deleted binaries

2024-09-28 12:51:29 +02:00 · 2021-12-30 20:46:33 +01:00 · 2021-12-30 20:46:33 +01:00 · 6468ace0b8
commit 6468ace0b8
parent 224fa8185c
3 changed files with 104 additions and 12 deletions
--- a/README.md
+++ b/README.md
@ -22,15 +22,16 @@ Finally, you can run all configured scripts by executing `start_search.py` (whic

 ## List of Scripts

-| Name | Script |
-|---|---|
-| Monitoring /etc/hosts file | [monitor_hosts_file.py](scripts/monitor_hosts_file.py) |
-| Monitoring /etc/ld.so.preload file | [monitor_ld_preload.py](scripts/monitor_ld_preload.py) |
-| Monitoring /etc/passwd file | [monitor_passwd.py](scripts/monitor_passwd.py) |
-| Monitoring SSH authorized_keys files | [monitor_ssh_authorized_keys.py](scripts/monitor_ssh_authorized_keys.py) |
-| Search for executables in /dev/shm | [search_dev_shm.py](scripts/search_dev_shm.py) |
-| Search immutable files | [search_immutable_files.py](scripts/search_immutable_files.py) |
-| Search for fileless programs (memfd_create) | [search_memfd_create.py](scripts/search_memfd_create.py) |
-| Search for kernel thread impersonations | [search_non_kthreads.py](scripts/search_non_kthreads.py) |
-| Test script to check if alerting works | [test_alert.py](scripts/test_alert.py) |
-| Verify integrity of installed .deb packages | [verify_deb_packages.py](scripts/verify_deb_packages.py) |
+| Name                                        | Script                                                                   |
+|---------------------------------------------|--------------------------------------------------------------------------|
+| Monitoring /etc/hosts file                  | [monitor_hosts_file.py](scripts/monitor_hosts_file.py)                   |
+| Monitoring /etc/ld.so.preload file          | [monitor_ld_preload.py](scripts/monitor_ld_preload.py)                   |
+| Monitoring /etc/passwd file                 | [monitor_passwd.py](scripts/monitor_passwd.py)                           |
+| Monitoring SSH authorized_keys files        | [monitor_ssh_authorized_keys.py](scripts/monitor_ssh_authorized_keys.py) |
+| Search for running deleted programs         | [search_deleted_exe.py](scripts/search_deleted_exe.py)                  |
+| Search for executables in /dev/shm          | [search_dev_shm.py](scripts/search_dev_shm.py)                           |
+| Search immutable files                      | [search_immutable_files.py](scripts/search_immutable_files.py)           |
+| Search for fileless programs (memfd_create) | [search_memfd_create.py](scripts/search_memfd_create.py)                 |
+| Search for kernel thread impersonations     | [search_non_kthreads.py](scripts/search_non_kthreads.py)                 |
+| Test script to check if alerting works      | [test_alert.py](scripts/test_alert.py)                                   |
+| Verify integrity of installed .deb packages | [verify_deb_packages.py](scripts/verify_deb_packages.py)                 |
--- a/scripts/config/search_deleted_exe.py
+++ b/scripts/config/search_deleted_exe.py
@ -0,0 +1,2 @@
+# Is the script allowed to run or not?
+ACTIVATED = True
--- a/scripts/search_deleted_exe.py
+++ b/scripts/search_deleted_exe.py
@ -0,0 +1,89 @@
+#!/usr/bin/env python3
+
+# written by sqall
+# twitter: https://twitter.com/sqall01
+# blog: https://h4des.org
+# github: https://github.com/sqall01
+#
+# Licensed under the MIT License.
+
+"""
+Short summary:
+Search running programs whose binary was deleted. Indicator of malicious programs.
+
+Requirements:
+None
+"""
+
+import os
+import socket
+
+# Read configuration and library functions.
+try:
+    from config.config import ALERTR_FIFO, FROM_ADDR, TO_ADDR
+    from config.search_deleted_exe import ACTIVATED
+    from lib.alerts import raise_alert_alertr, raise_alert_mail
+except:
+    ALERTR_FIFO = None
+    FROM_ADDR = None
+    TO_ADDR = None
+    ACTIVATED = True
+
+
+def search_deleted_exe_files():
+
+    # Decide where to output results.
+    print_output = False
+    if ALERTR_FIFO is None and FROM_ADDR is None and TO_ADDR is None:
+        print_output = True
+
+    if not ACTIVATED:
+        if print_output:
+            print("Module deactivated.")
+        return
+
+    # Get all suspicious ELF files.
+    fd = os.popen("ls -laR /proc/*/exe 2> /dev/null | grep -v memfd: | grep \(deleted\)")
+    suspicious_exe_raw = fd.read().strip()
+    fd.close()
+
+    suspicious_exes = []
+    if suspicious_exe_raw.strip():
+        suspicious_exes.extend(suspicious_exe_raw.strip().split("\n"))
+
+    for suspicious_exe in suspicious_exes:
+
+        if print_output:
+            print("SUSPICIOUS")
+            print(suspicious_exe)
+            print("")
+
+        else:
+            if ALERTR_FIFO is not None:
+
+                hostname = socket.gethostname()
+                optional_data = dict()
+                optional_data["suspicious_exe"] = suspicious_exe
+                optional_data["hostname"] = hostname
+                message = "Deleted executable file on host '%s' found.\n\n" % hostname
+                message += suspicious_exe
+                optional_data["message"] = message
+
+                raise_alert_alertr(ALERTR_FIFO,
+                                   optional_data)
+
+            if FROM_ADDR is not None and TO_ADDR is not None:
+
+                hostname = socket.gethostname()
+                subject = "[Security] Deleted executable file on '%s'" % hostname
+                message = "Deleted executable file on host '%s' found.\n\n" % hostname
+                message += suspicious_exe
+
+                raise_alert_mail(FROM_ADDR,
+                                 TO_ADDR,
+                                 subject,
+                                 message)
+
+
+if __name__ == '__main__':
+    search_deleted_exe_files()