# Copyright 2020 FireEye, Inc. and Citrix Systems, Inc.
#######################################
# Check for the coinminer dropped at /var/tmp/netscalerd.
# ref: https://www.reddit.com/r/blueteamsec/comments/en4m7j/multiple_exploits_for_cve201919781_citrix/
# Globals:   root_directory (read) - root of the filesystem being scanned
# Outputs:   one report_match line on a hit, one debug line otherwise
#            (report_match / debug are expected to be provided by the caller)
#######################################
scan_fs_netscalerd() {
  local candidate="$root_directory/var/tmp/netscalerd"
  if [ ! -f "$candidate" ]; then
    debug "did not find /var/tmp/netscalerd"
    return
  fi
  report_match "found /var/tmp/netscalerd, known path to coinminer."
}
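#######################################
# Look for NOTROBIN artifacts: fixed drop paths plus backdoor files named with
# a 32-hex-character stem under the VPN theme directories.
# ref: https://www.fireeye.com/blog/threat-research/2020/01/vigilante-deploying-mitigation-for-citrix-netscaler-vulnerability-while-maintaining-backdoor.html
# Globals:   root_directory (read) - root of the filesystem being scanned
# Outputs:   one report_match line per hit; one debug line when nothing matched
#            (report_match / debug are expected to be provided by the caller)
#######################################
scan_fs_notrobin() {
  # Fixed drop locations; the last two come from the subsequent post.
  local -a notrobin_paths=(
    "/var/nstmp/.nscache/httpd"
    "/tmp/.init/httpd"
    "/var/nstmp/.nscache/prev.sh"
    "/var/nstmp/.nscache/httpd-nscache_clean"
  )
  # Directories to sweep, and the BRE patterns (for grep) of the file names
  # NOTROBIN uses there. Patterns are unanchored, as in the original scan.
  local -a dirs=("/var/vpn/theme" "/var/vpn/themes")
  local -a blacklist=(
    "[a-f0-9]\{32\}\.php"
    "[a-f0-9]\{32\}_[a-zA-Z0-9]\{1,12\}\.\(php\|pl\)"
  )
  local found=false
  local notrobin_path dir entry name blackterm

  for notrobin_path in "${notrobin_paths[@]}"; do
    if [ -f "$root_directory/$notrobin_path" ]; then
      found=true
      report_match "$notrobin_path, known path to NOTROBIN artifact."
    fi
  done

  for dir in "${dirs[@]}"; do
    [ -d "$root_directory/$dir" ] || continue
    # Enumerate with a glob instead of parsing `ls` output: each hit is
    # reported on its own line (not as one multi-line blob), odd file names
    # do not break the match, and the scan does not rely on the host's ls
    # binary, which on a compromised box may not be trustworthy.
    for entry in "$root_directory/$dir"/*; do
      [ -e "$entry" ] || continue   # unmatched glob leaves the literal '*'
      name=${entry##*/}
      for blackterm in "${blacklist[@]}"; do
        if printf '%s\n' "$name" | grep -q -- "$blackterm"; then
          found=true
          report_match "$dir/$name, known path to NOTROBIN artifact."
          break   # one report per file is enough
        fi
      done
    done
  done

  if [ "$found" != true ]; then
    debug "did not find NOTROBIN artifacts"
  fi
}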
#######################################
# Check for the post-exploitation scripts catalogued by SANS ISC.
# ref: https://isc.sans.edu/forums/diary/Citrix+ADC+Exploits+Overview+of+Observed+Payloads/25704/
# Globals:   root_directory (read) - root of the filesystem being scanned
# Outputs:   one report_match line per hit; one debug line when nothing matched
#            (report_match / debug are expected to be provided by the caller)
#######################################
scan_fs_isc_paths() {
  local -a candidates=(
    "/netscaler/portal/scripts/PersonalBookmak.pl"
    "/netscaler/portal/scripts/AJ3UBK2MP.pl"
  )
  local candidate hits=0
  for candidate in "${candidates[@]}"; do
    [ -f "$root_directory/$candidate" ] || continue
    hits=$((hits + 1))
    report_match "$candidate, known path to post-exploitation artifact."
  done
  if [ "$hits" -eq 0 ]; then
    debug "did not find artifact enumerated by SANS ISC"
  fi
}
#######################################
# Check for the two /tmp drop files associated with the APT41 activity.
# Globals:   root_directory (read) - root of the filesystem being scanned
# Outputs:   one report_match line per hit; one debug line when nothing matched
#            (report_match / debug are expected to be provided by the caller)
#######################################
scan_fs_apt41() {
  local -a drop_files=("/tmp/bsd" "/tmp/un")
  local drop_file matched=false
  for drop_file in "${drop_files[@]}"; do
    if [ -f "$root_directory/$drop_file" ]; then
      matched=true
      report_match "$drop_file, known path to post-exploitation artifact."
    fi
  done
  [ "$matched" = true ] || debug "did not find file system artifact"
}
#######################################
# Check for other known webshell drops under the VPN theme image directory.
# Globals:   root_directory (read) - root of the filesystem being scanned
# Outputs:   one report_match line per hit; one debug line when nothing matched
#            (report_match / debug are expected to be provided by the caller)
#######################################
scan_fs_other_paths() {
  local -a webshells=(
    "/vpn/themes/imgs/tiny.php"
    "/vpn/themes/imgs/debug.php"
    "/vpn/themes/imgs/conn.php"
  )
  local shell_path hits=0
  for shell_path in "${webshells[@]}"; do
    [ -f "$root_directory/$shell_path" ] || continue
    hits=$((hits + 1))
    report_match "$shell_path, known path to post-exploitation artifact."
  done
  if [ "$hits" -eq 0 ]; then
    debug "did not find file system artifact"
  fi
}
#######################################
# Run every known-path filesystem check, in the order they were added.
# Globals:   root_directory (read, via the individual scans)
# Outputs:   whatever the individual scans emit via report_match / debug
#######################################
scan_fs_known_paths() {
  local scan
  for scan in \
    scan_fs_netscalerd \
    scan_fs_notrobin \
    scan_fs_isc_paths \
    scan_fs_apt41 \
    scan_fs_other_paths; do
    "$scan"
  done
}