adding kscan and upx. fixing fps

mandiant · Aug 17, 2023 · 8c49872 · 8c49872
1 parent c5170d1
commit 8c49872
Show file tree

Hide file tree

Showing 3 changed files with 25 additions and 8 deletions.
diff --git a/ioc-scanner-CVE-2023-3519.sh b/ioc-scanner-CVE-2023-3519.sh
@@ -77,6 +77,19 @@ fmt_key_val() {
     printf "%-$3s : %s\n" "$1" "$2"
 }
 
+# record suspicious paths - we handle this differently to raise a lower alarm
+report_permission_match() {
+    found_evidence_compromise="Manual review required"
+    report "";
+    report "**********************************************************************";
+    report "MATCH: $@";
+    report "Found evidence of files with non-standard permissions.                ";
+    report "You should manually review these files for suspicious content         ";
+    report "Some, like files in the nsinstall file may be legitimate, but          ";
+    report "others like PHP files and executables warrant more review              ";
+    report "**********************************************************************";
+}
+
 # record a match - that a compromise was detected.
 report_match() {
     found_evidence_compromise="Yes"

diff --git a/scanners/netscaler-content.sh b/scanners/netscaler-content.sh
@@ -43,6 +43,9 @@ ns_content_denylist[12]="<?=\`curl";
 # mass scanning
 ns_content_denylist[13]="168\.100\.11\.89:8000";
 
+# port scanner
+ns_content_denylist[14]="github\.com/lcvvv/kscan";
+
 # tunnelers
 # look for printable strings left from the build process
 declare -a ns_binary_content_denylist;
@@ -51,6 +54,7 @@ ns_binary_content_denylist[1]="sshd/server\.go";
 ns_binary_content_denylist[2]="test/httpdemo/main\.go";
 ns_binary_content_denylist[3]="ehang\.io/nps";
 ns_binary_content_denylist[4]="\[library-to-inject\]";
+ns_binary_content_denylist[5]="UPX executable";
 
 report_ns_matches() {
     entries="$1";
@@ -71,8 +75,8 @@ scan_ns_directory_content() {
 
     local found=false;
     for re in "${ns_content_denylist[@]}"; do
-        local findcmd="find -L $path -type f";
-        local entries=$($findcmd \( -not -path "/proc/*" -and -not -regex "/tmp/[0-9]\{10\}/.*" -and -not -path "/var/nsproflog/newproflog_mgmtcpu" -and -not -path "/var/log/notice.log" \) -exec grep -lI --null -e "$re" {} + | perl -0ne 'chomp; print(unpack("H*", $_), "\n")');
+        local findcmd="find -EL $path -type f";
+        local entries=$($findcmd \( -not -path "/proc/*" -and -not -regex "/tmp/[0-9]{10}/.*" -and -not -regex "/var(/crash)?/nsproflog/newproflog.*" -and -not -regex "/var(/crash)?/log/notice.log" \) -exec grep -lI --null -e "$re" {} + | perl -0ne 'chomp; print(unpack("H*", $_), "\n")');
         if [ -n "$entries" ]; then
             found=true;
             report_match "denylisted content '$re'";
@@ -99,8 +103,8 @@ scan_ns_directory_binary_content() {
 
     local found=false;
     for re in "${ns_binary_content_denylist[@]}"; do
-        local findcmd="find -L $path -type f -size -10M";
-        local entries=$($findcmd \( -not -path "/proc/*" -and -not -regex "/tmp/[0-9]\{10\}/.*" -and -not -path "/var/nsproflog/newproflog_mgmtcpu" -and -not -path "/var/log/notice.log" \) -exec grep -l --null -e "$re" {} + | perl -0ne 'chomp; print(unpack("H*", $_), "\n")');
+        local findcmd="find -EL $path -type f -size -10M";
+        local entries=$($findcmd \( -not -path "/proc/*" -and -not -regex "/tmp/[0-9]{10}/.*" -and -not -regex "/var(/crash)?/nsproflog/newproflog.*" -and -not -regex "/var(/crash)?/log/notice.log" \) -exec grep -l --null -e "$re" {} + | perl -0ne 'chomp; print(unpack("H*", $_), "\n")');
         if [ -n "$entries" ]; then
             found=true;
             report_match "denylisted content '$re' in binary file";
@@ -127,11 +131,11 @@ scan_ns_file_ownership() {
 
     local entries=$(find -L "$path" -type f -user nobody -gid 0 -not -path "/proc/*" -exec file {} \; | egrep -i "script|html|executable|compressed|archive" | awk -F":" '{print $1}' | perl -0ne 'chomp; print(unpack("H*", $_), "\n")');
     if [ -n "$entries" ]; then
-        report_match "suspicious file ownership";
+        report_permission_match "suspicious file ownership";
         report "files with ownership nobody:root:";
         report_ns_matches "$entries";
-        report "Please review the above paths for any unexpected files.";
-        report "Exploits commonly write to files with these ownerships;"
+        report "Please review the above paths for suspicious content.";
+        report "Exploits commonly write to files with these permissions;"
     else
         debug "did not find incorrect permissions in $path";
     fi

diff --git a/scanners/processes.sh b/scanners/processes.sh
@@ -14,7 +14,7 @@
 
 scan_process_nobody() {
     # ref: https://www.mandiant.com/resources/blog/citrix-zero-day-espionage
-    local readonly entries=$(ps aux | grep ^nobody | grep -v /bin/httpd | grep -v grep | grep -v "/tests/");
+    local readonly entries=$(ps auxw | grep ^nobody | grep -v /bin/httpd | grep -v grep | grep -v "/tests/");
     if [ -n "$entries" ]; then
         report_match "unexpected process owned by user 'nobody'"
         report "processes owned by nobody:"