<stix:STIX_Package xmlns:FileObj="http://cybox.mitre.org/objects#FileObject-2" xmlns:acsc_au="http://www.cyber.gov.au" xmlns:coa="http://stix.mitre.org/CourseOfAction-1" xmlns:cybox="http://cybox.mitre.org/cybox-2" xmlns:indicator="http://stix.mitre.org/Indicator-2" xmlns:marking="http://data-marking.mitre.org/Marking-1" xmlns:stix="http://stix.mitre.org/stix-1" xmlns:stixCommon="http://stix.mitre.org/common-1" xmlns:stixVocabs="http://stix.mitre.org/default_vocabularies-1" xmlns:tlpMarking="http://data-marking.mitre.org/extensions/MarkingStructure#TLP-1" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:yara="http://stix.mitre.org/extensions/TestMechanism#YARA-1" id="acsc_au:package-24f6126c-3d3d-5631-faeb-ac4cacf018bd" timestamp="2021-07-09T07:47:42.149779+00:00" version="1.2"><stix:STIX_Header><stix:Title>"Exported Entities" block</stix:Title></stix:STIX_Header><stix:Observables cybox_major_version="2" cybox_minor_version="1" cybox_update_version="0"><cybox:Observable id="acsc_au:file-1198207"><cybox:Title>file:reg.jsp</cybox:Title><cybox:Description>file:reg.jsp</cybox:Description><cybox:Object><cybox:Properties xsi:type="FileObj:FileObjectType"><FileObj:File_Name>reg.jsp</FileObj:File_Name></cybox:Properties></cybox:Object></cybox:Observable><cybox:Observable id="acsc_au:file-1198210"><cybox:Title>file:cmd.jsp</cybox:Title><cybox:Description>file:cmd.jsp</cybox:Description><cybox:Object><cybox:Properties xsi:type="FileObj:FileObjectType"><FileObj:File_Name>cmd.jsp</FileObj:File_Name></cybox:Properties></cybox:Object></cybox:Observable><cybox:Observable id="acsc_au:file-1198208"><cybox:Title>file:404.jsp</cybox:Title><cybox:Description>file:404.jsp</cybox:Description><cybox:Object><cybox:Properties xsi:type="FileObj:FileObjectType"><FileObj:File_Name>404.jsp</FileObj:File_Name></cybox:Properties></cybox:Object></cybox:Observable><cybox:Observable 
id="acsc_au:file-1198209"><cybox:Title>file:401.jsp</cybox:Title><cybox:Description>file:401.jsp</cybox:Description><cybox:Object><cybox:Properties xsi:type="FileObj:FileObjectType"><FileObj:File_Name>401.jsp</FileObj:File_Name></cybox:Properties></cybox:Object></cybox:Observable></stix:Observables><stix:Indicators><stix:Indicator id="acsc_au:indicator-77587f0e-f764-4a33-873c-20eeea007413" timestamp="2021-07-09T07:30:43.358017+00:00" xsi:type="indicator:IndicatorType"><indicator:Title>Malicious Exploitation of CVE-2021-35464</indicator:Title><indicator:Type>Malware Artifacts</indicator:Type><indicator:Test_Mechanisms><indicator:Test_Mechanism xsi:type="yara:YaraTestMechanismType"><indicator:Efficacy><stixCommon:Value xsi:type="stixVocabs:HighMediumLowVocab-1.0">High</stixCommon:Value></indicator:Efficacy><yara:Rule>rule linux_RDS_socket_exploit_source
{
    // Matches the C *source* of a Linux RDS-socket kernel exploit: the
    // "[*] Linux kernel >= 2.6.30 RDS socket exploit" banner ($x), its fixed
    // RECVPORT/SENDPORT defines, the uname release check against "2.6.3"
    // and the PF_RDS / SOCK_SEQPACKET socket() call.
    // NOTE(review): the enclosing indicator is titled "Malicious Exploitation
    // of CVE-2021-35464" (this package gives every rule that title), but
    // what this rule actually finds is a staged kernel exploit - evidence of
    // follow-on privilege-escalation tooling, not of that CVE itself.
    // Source-text rule: only the banner could survive compilation, and the
    // 4-of-5 fallback is defeated by any edit of the other lines. Bound to
    // files under 10KB so larger unrelated C files cannot accumulate hits.
    strings:
        $x = "[*] Linux kernel &gt;= 2.6.30 RDS socket exploit"
        $ = "#define RECVPORT 5555"
        $ = "#define SENDPORT 6666"
        $ = "if(strncmp(ver.release, \"2.6.3\", 5))"
        $ = "s = socket(PF_RDS, SOCK_SEQPACKET, 0);"

    condition:
        // banner alone is sufficient; otherwise 4 of the 5 strings ("them"
        // includes $x)
        filesize &lt; 10KB and ($x or 4 of them)
}</yara:Rule></indicator:Test_Mechanism></indicator:Test_Mechanisms><indicator:Likely_Impact><stixCommon:Value xsi:type="stixVocabs:HighMediumLowVocab-1.0">High</stixCommon:Value></indicator:Likely_Impact><indicator:Suggested_COAs><indicator:Suggested_COA><stixCommon:Course_Of_Action idref="acsc_au:course-of-action-774f8c94-2726-4347-b290-c500571a9e44"></stixCommon:Course_Of_Action></indicator:Suggested_COA></indicator:Suggested_COAs><indicator:Handling><marking:Marking><marking:Marking_Structure color="WHITE" xsi:type="tlpMarking:TLPMarkingStructureType"></marking:Marking_Structure></marking:Marking></indicator:Handling><indicator:Confidence><stixCommon:Value>High</stixCommon:Value></indicator:Confidence></stix:Indicator><stix:Indicator id="acsc_au:indicator-77591b6e-9da0-4a13-adb5-aaae77204b76" timestamp="2021-07-09T07:30:43.358017+00:00" xsi:type="indicator:IndicatorType"><indicator:Title>Malicious Exploitation of CVE-2021-35464</indicator:Title><indicator:Type>Malware Artifacts</indicator:Type><indicator:Test_Mechanisms><indicator:Test_Mechanism xsi:type="yara:YaraTestMechanismType"><indicator:Efficacy><stixCommon:Value xsi:type="stixVocabs:HighMediumLowVocab-1.0">High</stixCommon:Value></indicator:Efficacy><yara:Rule>rule webshell_401_jsp
{
    // JSP webshell that reads a command from the "401-Authentication" request
    // parameter or the "401-Authentication-Failed" request header and passes
    // it unchanged to Runtime.getRuntime().exec(). The filename observable
    // "401.jsp" elsewhere in this package pairs with it; prefer this content
    // match over the name, since 401.jsp / 404.jsp are plausible names for
    // legitimate custom error pages.
    // Requires all three exact source lines, so a renamed variable, different
    // whitespace or a re-encoded copy evades it - a miss is not evidence of
    // absence. Under 10KB keeps it to the small one-page shell.
    strings:
        $ = "cmd = request.getParameter(\"401-Authentication\");"
        $ = "cmd = (String)request.getHeader(\"401-Authentication-Failed\");"
        $ = "Process p = Runtime.getRuntime().exec(cmd,null,null);"
        
    condition:
        filesize &lt; 10KB and all of them
}</yara:Rule></indicator:Test_Mechanism></indicator:Test_Mechanisms><indicator:Likely_Impact><stixCommon:Value xsi:type="stixVocabs:HighMediumLowVocab-1.0">High</stixCommon:Value></indicator:Likely_Impact><indicator:Suggested_COAs><indicator:Suggested_COA><stixCommon:Course_Of_Action idref="acsc_au:course-of-action-774f8c94-2726-4347-b290-c500571a9e44"></stixCommon:Course_Of_Action></indicator:Suggested_COA></indicator:Suggested_COAs><indicator:Handling><marking:Marking><marking:Marking_Structure color="WHITE" xsi:type="tlpMarking:TLPMarkingStructureType"></marking:Marking_Structure></marking:Marking></indicator:Handling><indicator:Confidence><stixCommon:Value>High</stixCommon:Value></indicator:Confidence></stix:Indicator><stix:Indicator id="acsc_au:indicator-775b0b6b-546c-49eb-8e43-4e9323cb0fa3" timestamp="2021-07-09T07:32:00.210741+00:00" xsi:type="indicator:IndicatorType"><indicator:Title>Malicious Exploitation of CVE-2021-35464</indicator:Title><indicator:Type>Malware Artifacts</indicator:Type><indicator:Test_Mechanisms><indicator:Test_Mechanism xsi:type="yara:YaraTestMechanismType"><indicator:Efficacy><stixCommon:Value xsi:type="stixVocabs:HighMediumLowVocab-1.0">High</stixCommon:Value></indicator:Efficacy><yara:Rule>rule webshell_cmd_jsp
{
    // JSP webshell ("cmd.jsp" in this package's filename observables): the
    // page-import directive, the "String o,l,d;" triple and hand-rolled
    // indexOf() probes for "c=", "b=" and "n=" in a request value, i.e. an
    // operation code parsed out of a single parameter. The javax.xml.bind
    // import alongside that parsing hints at base64-encoded arguments -
    // TODO confirm against a sample, not established by these strings.
    // Implies a Java servlet container hosts the shell (JSP page directive).
    // 4 of 5 tolerates one edited line; the import line is also common in
    // benign JSPs, so the remaining four carry the signal.
    strings:
        $ = "&lt;%@page import=\"java.io.*, java.util.*, javax.xml.bind.*, java.net.*\"%&gt;"
        $ = "String o,l,d;"
        $ = "if(d.indexOf(\"c=\")&gt;=0){"
        $ = "int b=d.indexOf(\"b=\");"
        $ = "int n=d.indexOf(\"n=\");"

    condition:
        filesize &lt; 10KB and 4 of them
}</yara:Rule></indicator:Test_Mechanism></indicator:Test_Mechanisms><indicator:Likely_Impact><stixCommon:Value xsi:type="stixVocabs:HighMediumLowVocab-1.0">High</stixCommon:Value></indicator:Likely_Impact><indicator:Suggested_COAs><indicator:Suggested_COA><stixCommon:Course_Of_Action idref="acsc_au:course-of-action-774f8c94-2726-4347-b290-c500571a9e44"></stixCommon:Course_Of_Action></indicator:Suggested_COA></indicator:Suggested_COAs><indicator:Handling><marking:Marking><marking:Marking_Structure color="WHITE" xsi:type="tlpMarking:TLPMarkingStructureType"></marking:Marking_Structure></marking:Marking></indicator:Handling><indicator:Confidence><stixCommon:Value>High</stixCommon:Value></indicator:Confidence></stix:Indicator><stix:Indicator id="acsc_au:indicator-775d34c2-8cd5-4a76-9f3d-b471693003f9" timestamp="2021-07-09T07:30:43.358017+00:00" xsi:type="indicator:IndicatorType"><indicator:Title>Malicious Exploitation of CVE-2021-35464</indicator:Title><indicator:Type>Malware Artifacts</indicator:Type><indicator:Test_Mechanisms><indicator:Test_Mechanism xsi:type="yara:YaraTestMechanismType"><indicator:Efficacy><stixCommon:Value xsi:type="stixVocabs:HighMediumLowVocab-1.0">High</stixCommon:Value></indicator:Efficacy><yara:Rule>rule neoregeorg_jsp
{
    // The rule name attributes this to Neo-reGeorg; the strings themselves
    // show a JSP with its own b64en/b64de helpers, a target URL read from a
    // request header (rUrl) and output wrapped in an HTML comment - the
    // shape of an HTTP tunnelling page rather than a command shell.
    // All four strings are required and are short/generic, so confirm a hit
    // by reading the file, and expect minified or re-indented copies to be
    // missed. 50KB bound: tunnel pages are larger than the one-line shells
    // covered by the other JSP rules in this package.
    strings:
        $ = "public static String b64en(byte[] data)"
        $ = "public static byte[] b64de(String str)"
        $ = "String rUrl = request.getHeader("
        $ = "out.write(\"&lt;!-- "

    condition:
        filesize &lt; 50KB and all of them
}</yara:Rule></indicator:Test_Mechanism></indicator:Test_Mechanisms><indicator:Likely_Impact><stixCommon:Value xsi:type="stixVocabs:HighMediumLowVocab-1.0">High</stixCommon:Value></indicator:Likely_Impact><indicator:Suggested_COAs><indicator:Suggested_COA><stixCommon:Course_Of_Action idref="acsc_au:course-of-action-774f8c94-2726-4347-b290-c500571a9e44"></stixCommon:Course_Of_Action></indicator:Suggested_COA></indicator:Suggested_COAs><indicator:Handling><marking:Marking><marking:Marking_Structure color="WHITE" xsi:type="tlpMarking:TLPMarkingStructureType"></marking:Marking_Structure></marking:Marking></indicator:Handling><indicator:Confidence><stixCommon:Value>High</stixCommon:Value></indicator:Confidence></stix:Indicator><stix:Indicator id="acsc_au:indicator-775fb23d-cd7e-4045-9215-042b951c4eaf" timestamp="2021-07-09T07:30:43.358017+00:00" xsi:type="indicator:IndicatorType"><indicator:Title>Malicious Exploitation of CVE-2021-35464</indicator:Title><indicator:Type>Malware Artifacts</indicator:Type><indicator:Test_Mechanisms><indicator:Test_Mechanism xsi:type="yara:YaraTestMechanismType"><indicator:Efficacy><stixCommon:Value xsi:type="stixVocabs:HighMediumLowVocab-1.0">High</stixCommon:Value></indicator:Efficacy><yara:Rule>rule linux_overlayfs_exploit_source
{
    // C source of a Linux overlayfs exploit: a user namespace via
    // unshare(CLONE_NEWUSER), an "overlay" mount, a 1MB clone child stack,
    // cleanup of /tmp/haxhax, and a st_mode check for 0x89ed - that is
    // S_IFREG (0x8000) plus setuid (0x800) plus 0755 (0x1ed), i.e. the test
    // for a setuid-root regular file, so presumably privilege escalation.
    // NOTE(review): post-compromise privesc tooling, not the CVE-2021-35464
    // exploit named in the enclosing indicator title.
    // Source-only and all-five-required: compiled binaries and any edited
    // copy will not match. Under 20KB.
    strings:
        $ = "static char child_stack[1024*1024];"
        $ = "system(\"rm -rf /tmp/haxhax\");"
        $ = "if(s.st_mode == 0x89ed)"
        $ = "if (mount(\"overlay\", "
        $ = "if(unshare(CLONE_NEWUSER) != 0)"

    condition:
        filesize &lt; 20KB and all of them
}</yara:Rule></indicator:Test_Mechanism></indicator:Test_Mechanisms><indicator:Likely_Impact><stixCommon:Value xsi:type="stixVocabs:HighMediumLowVocab-1.0">High</stixCommon:Value></indicator:Likely_Impact><indicator:Suggested_COAs><indicator:Suggested_COA><stixCommon:Course_Of_Action idref="acsc_au:course-of-action-774f8c94-2726-4347-b290-c500571a9e44"></stixCommon:Course_Of_Action></indicator:Suggested_COA></indicator:Suggested_COAs><indicator:Handling><marking:Marking><marking:Marking_Structure color="WHITE" xsi:type="tlpMarking:TLPMarkingStructureType"></marking:Marking_Structure></marking:Marking></indicator:Handling><indicator:Confidence><stixCommon:Value>High</stixCommon:Value></indicator:Confidence></stix:Indicator><stix:Indicator id="acsc_au:indicator-776174ca-27bb-490e-9593-9c1f46ff4f22" timestamp="2021-07-09T07:30:43.358017+00:00" xsi:type="indicator:IndicatorType"><indicator:Title>Malicious Exploitation of CVE-2021-35464</indicator:Title><indicator:Type>Malware Artifacts</indicator:Type><indicator:Test_Mechanisms><indicator:Test_Mechanism xsi:type="yara:YaraTestMechanismType"><indicator:Efficacy><stixCommon:Value xsi:type="stixVocabs:HighMediumLowVocab-1.0">High</stixCommon:Value></indicator:Efficacy><yara:Rule>rule linux_dirtycow_exploit_source
{
    // Source of the dirtyc0w.c proof-of-concept: its banner line, the gcc
    // build instruction from the header comment, the usage string and the
    // madvise(map,100,MADV_DONTNEED) call. All four are source-text forms -
    // the usage string is matched *with* its surrounding quote characters -
    // so a compiled dirtyc0w binary will not match; this catches dropped
    // source, not executables.
    // NOTE(review): post-compromise privesc tooling, not the CVE-2021-35464
    // exploit named in the enclosing indicator title.
    // 3 of 4 under 5KB tolerates one edit but not a rewritten PoC.
    strings:
        $ = "####################### dirtyc0w.c #######################"
        $ = "$ gcc -pthread dirtyc0w.c -o dirtyc0w"
        $ = "\"usage: dirtyc0w target_file new_content\""
        $ = "c+=madvise(map,100,MADV_DONTNEED);"

    condition:
        filesize &lt; 5KB and 3 of them
}</yara:Rule></indicator:Test_Mechanism></indicator:Test_Mechanisms><indicator:Likely_Impact><stixCommon:Value xsi:type="stixVocabs:HighMediumLowVocab-1.0">High</stixCommon:Value></indicator:Likely_Impact><indicator:Suggested_COAs><indicator:Suggested_COA><stixCommon:Course_Of_Action idref="acsc_au:course-of-action-774f8c94-2726-4347-b290-c500571a9e44"></stixCommon:Course_Of_Action></indicator:Suggested_COA></indicator:Suggested_COAs><indicator:Handling><marking:Marking><marking:Marking_Structure color="WHITE" xsi:type="tlpMarking:TLPMarkingStructureType"></marking:Marking_Structure></marking:Marking></indicator:Handling><indicator:Confidence><stixCommon:Value>High</stixCommon:Value></indicator:Confidence></stix:Indicator><stix:Indicator id="acsc_au:indicator-77627530-413d-4484-816c-2d80882b2d43" timestamp="2021-07-09T07:35:44.440897+00:00" xsi:type="indicator:IndicatorType"><indicator:Title>Malicious Exploitation of CVE-2021-35464</indicator:Title><indicator:Type>Malware Artifacts</indicator:Type><indicator:Test_Mechanisms><indicator:Test_Mechanism xsi:type="yara:YaraTestMechanismType"><indicator:Efficacy><stixCommon:Value xsi:type="stixVocabs:HighMediumLowVocab-1.0">High</stixCommon:Value></indicator:Efficacy><yara:Rule>rule linux_priv_checker_py
{
    // linuxprivchecker.py, a Linux privilege-escalation *enumeration* script:
    // its "[Title]" banner ($x), three of its function-call lines and two
    // report headings. Enumeration is not exploitation - a hit means someone
    // surveyed the host for escalation paths (attackers and pentesters both
    // use it); the CVE-2021-35464 in the enclosing indicator title is the
    // package's context, not what this rule detects.
    // Under 100KB; the banner alone fires, otherwise 4 of the 6 strings.
    // Renamed functions or a reworded banner evade the rule.
    strings:
        $x = "[Title]: linuxprivchecker.py -- a Linux Privilege Escalation Check Script"
        $ = "find_likely_exploits(sysinfo, devtools, pkgsandprocs, driveinfo)"
        $ = "enum_root_pkg_proc(pkgsandprocs, userinfo)"
        $ = "enum_user_history_files()"
        $ = "The following exploits are applicable to this kernel version"
        $ = "The following exploits are ranked higher in probability of success"

    condition:
        filesize &lt; 100KB and ($x or 4 of them)
}</yara:Rule></indicator:Test_Mechanism></indicator:Test_Mechanisms><indicator:Likely_Impact><stixCommon:Value xsi:type="stixVocabs:HighMediumLowVocab-1.0">High</stixCommon:Value></indicator:Likely_Impact><indicator:Suggested_COAs><indicator:Suggested_COA><stixCommon:Course_Of_Action idref="acsc_au:course-of-action-774f8c94-2726-4347-b290-c500571a9e44"></stixCommon:Course_Of_Action></indicator:Suggested_COA></indicator:Suggested_COAs><indicator:Handling><marking:Marking><marking:Marking_Structure color="WHITE" xsi:type="tlpMarking:TLPMarkingStructureType"></marking:Marking_Structure></marking:Marking></indicator:Handling><indicator:Confidence><stixCommon:Value>High</stixCommon:Value></indicator:Confidence></stix:Indicator><stix:Indicator id="acsc_au:indicator-7764554c-6ffc-43fe-b36c-2beb021d8c02" timestamp="2021-07-09T07:34:51.499400+00:00" xsi:type="indicator:IndicatorType"><indicator:Title>Malicious Exploitation of CVE-2021-35464</indicator:Title><indicator:Type>Malware Artifacts</indicator:Type><indicator:Test_Mechanisms><indicator:Test_Mechanism xsi:type="yara:YaraTestMechanismType"><indicator:Efficacy><stixCommon:Value xsi:type="stixVocabs:HighMediumLowVocab-1.0">High</stixCommon:Value></indicator:Efficacy><yara:Rule>rule linux_exploiter_suggester_pl
{
    // Linux_Exploit_Suggester.pl (Perl): version banner, header description,
    // usage line, the "Searching among ... exploits" print and a line from
    // its per-kernel matching loop. Enumeration tool, same caveat as the
    // other checkers in this package: evidence of a post-compromise survey
    // (or an authorised test), not of the CVE-2021-35464 exploitation named
    // in the indicator title.
    // All five strings are required under 100KB, so trimmed or renamed
    // copies are missed. The "$" characters are literal (YARA does not
    // interpolate inside text strings).
    strings:
        $ = "Linux Exploit Suggester $VERSION"
        $ = "Linux_Exploit_Suggester.pl - A local exploit suggester for linux"
        $ = "$ Local_Exploit_Checker [-h] [-k kernel]"
        $ = "print 'Searching among ' . scalar keys(%exploits) . \" exploits..."
        $ = "foreach my $kernel ( @{ $exploits{$key}{vuln} } ) {"

    condition:
        filesize &lt; 100KB and all of them
}</yara:Rule></indicator:Test_Mechanism></indicator:Test_Mechanisms><indicator:Likely_Impact><stixCommon:Value xsi:type="stixVocabs:HighMediumLowVocab-1.0">High</stixCommon:Value></indicator:Likely_Impact><indicator:Suggested_COAs><indicator:Suggested_COA><stixCommon:Course_Of_Action idref="acsc_au:course-of-action-774f8c94-2726-4347-b290-c500571a9e44"></stixCommon:Course_Of_Action></indicator:Suggested_COA></indicator:Suggested_COAs><indicator:Handling><marking:Marking><marking:Marking_Structure color="WHITE" xsi:type="tlpMarking:TLPMarkingStructureType"></marking:Marking_Structure></marking:Marking></indicator:Handling><indicator:Confidence><stixCommon:Value>High</stixCommon:Value></indicator:Confidence></stix:Indicator><stix:Indicator id="acsc_au:indicator-7766f245-f241-4f30-9928-c22f7f20f32a" timestamp="2021-07-09T07:34:42.149586+00:00" xsi:type="indicator:IndicatorType"><indicator:Title>Malicious Exploitation of CVE-2021-35464</indicator:Title><indicator:Type>Malware Artifacts</indicator:Type><indicator:Test_Mechanisms><indicator:Test_Mechanism xsi:type="yara:YaraTestMechanismType"><indicator:Efficacy><stixCommon:Value xsi:type="stixVocabs:HighMediumLowVocab-1.0">High</stixCommon:Value></indicator:Efficacy><yara:Rule>rule lin_enum_sh
{
    // LinEnum.sh: its banner, header comment, usage example and the
    // export-filename template. 3 of 4 under 200KB (the script is large,
    // hence the wider bound than the other source rules here).
    // Enumeration script that is also used legitimately by pentesters and
    // administrators - corroborate with who dropped it, from where and when
    // before treating a hit as hostile; it does not evidence CVE-2021-35464
    // exploitation by itself despite the enclosing indicator title.
    strings:
        $ = "Local Linux Enumeration &amp; Privilege Escalation Script"
        $ = "#A script to enumerate local information from a Linux host"
        $ = "Example: ./LinEnum.sh -k keyword -r report -e /tmp/ -t"
        $ = "format=$export/LinEnum-export-`date +\"%d-%m-%y\"`"

    condition:
        filesize &lt; 200KB and 3 of them
}</yara:Rule></indicator:Test_Mechanism></indicator:Test_Mechanisms><indicator:Likely_Impact><stixCommon:Value xsi:type="stixVocabs:HighMediumLowVocab-1.0">High</stixCommon:Value></indicator:Likely_Impact><indicator:Suggested_COAs><indicator:Suggested_COA><stixCommon:Course_Of_Action idref="acsc_au:course-of-action-774f8c94-2726-4347-b290-c500571a9e44"></stixCommon:Course_Of_Action></indicator:Suggested_COA></indicator:Suggested_COAs><indicator:Handling><marking:Marking><marking:Marking_Structure color="WHITE" xsi:type="tlpMarking:TLPMarkingStructureType"></marking:Marking_Structure></marking:Marking></indicator:Handling><indicator:Confidence><stixCommon:Value>High</stixCommon:Value></indicator:Confidence></stix:Indicator><stix:Indicator id="acsc_au:indicator-77681cf0-9724-4859-895e-2fc98fd4afc5" timestamp="2021-07-09T07:40:24.081974+00:00" xsi:type="indicator:IndicatorType"><indicator:Title>Malicious Exploitation of CVE-2021-35464</indicator:Title><indicator:Type>Malware Artifacts</indicator:Type><indicator:Test_Mechanisms><indicator:Test_Mechanism xsi:type="yara:YaraTestMechanismType"><indicator:Efficacy><stixCommon:Value xsi:type="stixVocabs:HighMediumLowVocab-1.0">High</stixCommon:Value></indicator:Efficacy><yara:Rule>rule mettle
{
    // Metasploit's mettle payload as an ELF: source build paths
    // (/mettle/src/...), log/debug format strings, the MSF_LICENSE marker,
    // the "mettlesploit!" banner and the --persist option help text.
    // The ELF magic check (uint32(0) == 0x464c457f, little-endian "\x7fELF")
    // restricts this to executables under 2MB, and 8 of the 14 strings are
    // needed - so stripped, packed or string-obfuscated builds that drop the
    // log text will not match. The persistence flag and the c2_http module
    // path are useful pivots for host/network hunting when this does fire.
    strings:
        $ = "-p, --persist [none|install|uninstall] manage persistence"
        $ = "/mettle/mettle/src/main.c"
        $ = "/mettle/src/c2_http.c"
        $ = "/mettle/src/mettle.c"
        $ = "Could multiplex, but not asked to!"
        $ = "Failed to start extension from file '%s'"
        $ = "MSF_LICENSE"
        $ = "Registering command %u, cb %p, arg %p"
        $ = "could not find handlers for channel type %s"
        $ = "invalid background setting '%s': %s"
        $ = "invalid debug level '%s': %s"
        $ = "mettlesploit!"
        $ = "no handler found for command id: %u"
        $ = "process_new: got %zd byte executable to run in memory"

    condition:
        uint32(0) == 0x464c457f and filesize &lt; 2MB and 8 of them
}</yara:Rule></indicator:Test_Mechanism></indicator:Test_Mechanisms><indicator:Likely_Impact><stixCommon:Value xsi:type="stixVocabs:HighMediumLowVocab-1.0">High</stixCommon:Value></indicator:Likely_Impact><indicator:Suggested_COAs><indicator:Suggested_COA><stixCommon:Course_Of_Action idref="acsc_au:course-of-action-774f8c94-2726-4347-b290-c500571a9e44"></stixCommon:Course_Of_Action></indicator:Suggested_COA></indicator:Suggested_COAs><indicator:Handling><marking:Marking><marking:Marking_Structure color="WHITE" xsi:type="tlpMarking:TLPMarkingStructureType"></marking:Marking_Structure></marking:Marking></indicator:Handling><indicator:Confidence><stixCommon:Value>High</stixCommon:Value></indicator:Confidence></stix:Indicator><stix:Indicator id="acsc_au:indicator-776a16db-4611-41ed-bf4c-7b01e162398a" timestamp="2021-07-09T07:40:24.081974+00:00" xsi:type="indicator:IndicatorType"><indicator:Title>Malicious Exploitation of CVE-2021-35464</indicator:Title><indicator:Type>Malware Artifacts</indicator:Type><indicator:Test_Mechanisms><indicator:Test_Mechanism xsi:type="yara:YaraTestMechanismType"><indicator:Efficacy><stixCommon:Value xsi:type="stixVocabs:HighMediumLowVocab-1.0">High</stixCommon:Value></indicator:Efficacy><yara:Rule>rule msf_reverse_tcp
{
    // Raw byte pattern of a Metasploit-style x86-64 Linux reverse_tcp
    // stager. The bytes decode to syscall stubs (0f 05): an mmap with
    // prot 7 (b2 07 = mov dl,7) and flags 0x22 (6a 22 41 5a = push 0x22;
    // pop r10), then socket() via 6a 29 58 (push 0x29; pop rax) with AF_INET
    // and SOCK_STREAM in rdi/rsi (6a 02 5f / 6a 01 5e). The pattern stops
    // at the start of the sockaddr immediate (48 b9 02 00 ...), so the
    // callback IP and port are not part of the match - it is target-agnostic.
    // Fires only on a bare ELF under 2KB - the dropped stager binary itself,
    // not the same shellcode embedded in a larger file or present only in
    // memory; an encoded/re-generated stager also evades it.
    strings:
        $hex = { 10 48 89 d6 4d 31 c9 6a 22 41 5a b2 07 0f 05 48
                 85 c0 78 51 6a 0a 41 59 50 6a 29 58 99 6a 02 5f
                 6a 01 5e 0f 05 48 85 c0 78 3b 48 97 48 b9 02 00 }

    condition:
        uint32(0) == 0x464c457f and filesize &lt; 2KB and $hex 
}</yara:Rule></indicator:Test_Mechanism></indicator:Test_Mechanisms><indicator:Likely_Impact><stixCommon:Value xsi:type="stixVocabs:HighMediumLowVocab-1.0">High</stixCommon:Value></indicator:Likely_Impact><indicator:Suggested_COAs><indicator:Suggested_COA><stixCommon:Course_Of_Action idref="acsc_au:course-of-action-774f8c94-2726-4347-b290-c500571a9e44"></stixCommon:Course_Of_Action></indicator:Suggested_COA></indicator:Suggested_COAs><indicator:Handling><marking:Marking><marking:Marking_Structure color="WHITE" xsi:type="tlpMarking:TLPMarkingStructureType"></marking:Marking_Structure></marking:Marking></indicator:Handling><indicator:Confidence><stixCommon:Value>High</stixCommon:Value></indicator:Confidence></stix:Indicator><stix:Indicator id="acsc_au:indicator-7770dc3a-4f91-4c35-a332-408e91ed6488" timestamp="2021-07-09T07:44:50.793131+00:00" xsi:type="indicator:IndicatorType"><indicator:Title>Malicious Exploitation of CVE-2021-35464</indicator:Title><indicator:Type>Malware Artifacts</indicator:Type><indicator:Observable><cybox:Observable_Composition operator="OR"><cybox:Observable idref="acsc_au:file-1198207"></cybox:Observable><cybox:Observable idref="acsc_au:file-1198210"></cybox:Observable><cybox:Observable idref="acsc_au:file-1198208"></cybox:Observable><cybox:Observable idref="acsc_au:file-1198209"></cybox:Observable></cybox:Observable_Composition></indicator:Observable><indicator:Likely_Impact><stixCommon:Value xsi:type="stixVocabs:HighMediumLowVocab-1.0">Medium</stixCommon:Value></indicator:Likely_Impact><indicator:Suggested_COAs><indicator:Suggested_COA><stixCommon:Course_Of_Action idref="acsc_au:course-of-action-774f8c94-2726-4347-b290-c500571a9e44"></stixCommon:Course_Of_Action></indicator:Suggested_COA></indicator:Suggested_COAs><indicator:Handling><marking:Marking><marking:Marking_Structure color="WHITE" 
xsi:type="tlpMarking:TLPMarkingStructureType"></marking:Marking_Structure></marking:Marking></indicator:Handling><indicator:Confidence><stixCommon:Value>Medium</stixCommon:Value></indicator:Confidence></stix:Indicator><stix:Indicator id="acsc_au:indicator-77738d06-e723-4d40-930c-02885fa5608d" timestamp="2021-07-09T07:47:42.149779+00:00" xsi:type="indicator:IndicatorType"><indicator:Title>Malicious Exploitation of CVE-2021-35464</indicator:Title><indicator:Type>Malware Artifacts</indicator:Type><indicator:Test_Mechanisms><indicator:Test_Mechanism xsi:type="yara:YaraTestMechanismType"><indicator:Efficacy><stixCommon:Value xsi:type="stixVocabs:HighMediumLowVocab-1.0">High</stixCommon:Value></indicator:Efficacy><yara:Rule>rule linux_CAP_SYS_ADMIN_to_root_exploit_source
{
    // C source of a CAP_SYS_ADMIN-to-root kernel exploit that, per its own
    // comment, spoofs kernel structures: a PF_PHONET datagram socket, a fake
    // proto_ops table, the SYM_ADDRESS constant and the proto-index
    // arithmetic, plus its "This was a triumph..." success banner.
    // NOTE(review): post-compromise privesc tooling, not the CVE-2021-35464
    // exploit named in the enclosing indicator title.
    // Source-only (a "//" comment line and a #define are among the strings);
    // 5 of 6 under 50KB tolerates one edited line.
    strings:
        $ = "// Skeleton Structures of the Kernel Structures we're going to spoof"
	    $ = "[*] This was a triumph... I'm making a note here, huge success."
        $ = "#define SYM_ADDRESS 0x4e4f4850"
        $ = "sock = socket(PF_PHONET, SOCK_DGRAM, 0);"
        $ = "const struct proto_ops_skel fake_proto_ops2 = {"
        $ = "proto = -((proto_tab - low_kern_sym) / sizeof(void *));"

    condition:
        filesize &lt; 50KB and 5 of them
}</yara:Rule></indicator:Test_Mechanism></indicator:Test_Mechanisms><indicator:Likely_Impact><stixCommon:Value xsi:type="stixVocabs:HighMediumLowVocab-1.0">High</stixCommon:Value></indicator:Likely_Impact><indicator:Suggested_COAs><indicator:Suggested_COA><stixCommon:Course_Of_Action idref="acsc_au:course-of-action-774f8c94-2726-4347-b290-c500571a9e44"></stixCommon:Course_Of_Action></indicator:Suggested_COA></indicator:Suggested_COAs><indicator:Handling><marking:Marking><marking:Marking_Structure color="WHITE" xsi:type="tlpMarking:TLPMarkingStructureType"></marking:Marking_Structure></marking:Marking></indicator:Handling><indicator:Confidence><stixCommon:Value>High</stixCommon:Value></indicator:Confidence></stix:Indicator></stix:Indicators><stix:Courses_Of_Action><stix:Course_Of_Action id="acsc_au:course-of-action-774f8c94-2726-4347-b290-c500571a9e44" timestamp="2021-07-09T07:11:52.584808+00:00" xsi:type="coa:CourseOfActionType"><coa:Title>Antivirus/Antimalware (M1049) - Monitor</coa:Title><coa:Type>Monitoring</coa:Type><coa:Description structuring_format="html">&lt;p&gt;Use signatures or heuristics to detect and monitor malicious software.&lt;/p&gt;&lt;p&gt;Additionally, use a centralised Security Information and Event Management (&lt;strong&gt;SIEM&lt;/strong&gt;) system to collate information from deployed security controls to identify devices that execute, host or create suspicious or malicious files.&lt;/p&gt;&lt;p&gt;&lt;/p&gt;&lt;p&gt;References: &lt;/p&gt;&lt;p&gt;https://attack.mitre.org/mitigations/M1049/ &lt;/p&gt;&lt;p&gt;https://www.cyber.gov.au/acsc/view-all-content/publications/strategies-mitigate-cyber-security-incidents-mitigation-details&lt;/p&gt;&lt;p&gt;&lt;/p&gt;&lt;p&gt;&lt;/p&gt;</coa:Description><coa:Objective><coa:Description>Identify activity and monitor the 
behaviour.</coa:Description><coa:Applicability_Confidence><stixCommon:Value>High</stixCommon:Value></coa:Applicability_Confidence></coa:Objective><coa:Information_Source><stixCommon:Description>Australian Cyber Security Centre</stixCommon:Description><stixCommon:Identity><stixCommon:Name>ACSC</stixCommon:Name></stixCommon:Identity></coa:Information_Source><coa:Handling><marking:Marking><marking:Marking_Structure color="WHITE" xsi:type="tlpMarking:TLPMarkingStructureType"></marking:Marking_Structure></marking:Marking></coa:Handling></stix:Course_Of_Action></stix:Courses_Of_Action></stix:STIX_Package>