Mirror/LSMS
1
0
Fork 0
mirror of https://github.com/sqall01/LSMS.git synced 2024-11-16 09:08:28 +01:00
Code Issues Projects Releases Packages Wiki Activity

added search for deleted binaries

Browse source
This commit is contained in:
Andre Pawlowski 2021-12-30 20:46:33 +01:00
parent 224fa8185c
commit 6468ace0b8
3 changed files with 104 additions and 12 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
README.md
View file

@ -23,11 +23,12 @@ Finally, you can run all configured scripts by executing `start_search.py` (whic
## List of Scripts
| Name | Script |
|---|---|
|---------------------------------------------|--------------------------------------------------------------------------|
| Monitoring /etc/hosts file | [monitor_hosts_file.py](scripts/monitor_hosts_file.py) |
| Monitoring /etc/ld.so.preload file | [monitor_ld_preload.py](scripts/monitor_ld_preload.py) |
| Monitoring /etc/passwd file | [monitor_passwd.py](scripts/monitor_passwd.py) |
| Monitoring SSH authorized_keys files | [monitor_ssh_authorized_keys.py](scripts/monitor_ssh_authorized_keys.py) |
| Search for running deleted programs | [search_deleted_exe.py](scripts/search_deleted_exe.py) |
| Search for executables in /dev/shm | [search_dev_shm.py](scripts/search_dev_shm.py) |
| Search immutable files | [search_immutable_files.py](scripts/search_immutable_files.py) |
| Search for fileless programs (memfd_create) | [search_memfd_create.py](scripts/search_memfd_create.py) |

2
scripts/config/search_deleted_exe.py Normal file
View file

@ -0,0 +1,2 @@
# Is the script allowed to run or not?
ACTIVATED = True

89
scripts/search_deleted_exe.py Executable file
View file

@ -0,0 +1,89 @@
#!/usr/bin/env python3
# written by sqall
# twitter: https://twitter.com/sqall01
# blog: https://h4des.org
# github: https://github.com/sqall01
#
# Licensed under the MIT License.
"""
Short summary:
Search running programs whose binary was deleted. Indicator of malicious programs.
Requirements:
None
"""
import os
import socket
# Read configuration and library functions.
try:
from config.config import ALERTR_FIFO, FROM_ADDR, TO_ADDR
from config.search_deleted_exe import ACTIVATED
from lib.alerts import raise_alert_alertr, raise_alert_mail
except:
ALERTR_FIFO = None
FROM_ADDR = None
TO_ADDR = None
ACTIVATED = True
def search_deleted_exe_files():
# Decide where to output results.
print_output = False
if ALERTR_FIFO is None and FROM_ADDR is None and TO_ADDR is None:
print_output = True
if not ACTIVATED:
if print_output:
print("Module deactivated.")
return
# Get all suspicious ELF files.
fd = os.popen("ls -laR /proc/*/exe 2> /dev/null | grep -v memfd: | grep \(deleted\)")
suspicious_exe_raw = fd.read().strip()
fd.close()
suspicious_exes = []
if suspicious_exe_raw.strip():
suspicious_exes.extend(suspicious_exe_raw.strip().split("\n"))
for suspicious_exe in suspicious_exes:
if print_output:
print("SUSPICIOUS")
print(suspicious_exe)
print("")
else:
if ALERTR_FIFO is not None:
hostname = socket.gethostname()
optional_data = dict()
optional_data["suspicious_exe"] = suspicious_exe
optional_data["hostname"] = hostname
message = "Deleted executable file on host '%s' found.\n\n" % hostname
message += suspicious_exe
optional_data["message"] = message
raise_alert_alertr(ALERTR_FIFO,
optional_data)
if FROM_ADDR is not None and TO_ADDR is not None:
hostname = socket.gethostname()
subject = "[Security] Deleted executable file on '%s'" % hostname
message = "Deleted executable file on host '%s' found.\n\n" % hostname
message += suspicious_exe
raise_alert_mail(FROM_ADDR,
TO_ADDR,
subject,
message)
if __name__ == '__main__':
search_deleted_exe_files()