## Set up the SSH connection to the remote server

In [38]:
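# import the modules
import paramiko
from getpass import getpass
import os


# Directory that collects the text output of every remote command run below.
# It is created up front so the later ``open(..., 'a')`` calls cannot fail on a
# fresh checkout where the directory does not exist yet.
rootdir = 'results'
os.makedirs(rootdir, exist_ok=True)

# Crawl through the results directory and collect every file path found in it
fList = []
for root, subfolders, filenames in os.walk(rootdir):
    for f in filenames:
        fList.append(os.path.join(root, f))

# Result files are opened in append mode further down, so output from an old
# run would be mixed into the new one; offer to delete each stale file first.
# (os.walk only yields existing files, so no separate existence check is needed.)
for eachFile in fList:
    user_input = input("The file: " + eachFile + " exists do you want to delete the file?(Y/N)")
    # Accept 'y' / 'Y' with stray whitespace; any other answer keeps the file.
    if user_input.strip().upper() == "Y":
        os.remove(eachFile)


# Prompt for the SSH password without echoing it; the value is kept only in
# kernel memory and is never written to a results file by this notebook.
thePass = getpass(prompt="Please enter your SSH password")

# Host information
host = "192.168.6.71"
port = 2222
username = "emily.crawford"
password = thePass

# Connect via ssh using paramiko
ssh = paramiko.SSHClient()
# Check the server against the keys already recorded in ~/.ssh/known_hosts: a
# host whose key changed since the last connection is rejected even though the
# missing-key policy below is lenient.
ssh.load_system_host_keys()
# NOTE(review): AutoAddPolicy accepts whatever key a never-before-seen host
# presents (trust on first use).  Once this host's key is in known_hosts,
# paramiko.RejectPolicy() is the stricter choice.
ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
try:
    ssh.connect(hostname=host, port=port, username=username, password=password)
except paramiko.AuthenticationException:
    # Only bad credentials are reported here; other failures (unreachable host,
    # host key mismatch) propagate with their own traceback.  After this
    # message ``ssh`` is an unconnected client and the cells below will fail.
    print("Authentication failed")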

## This function runs a list of commands and saves their output to a designated output file. If a command uses `sudo`, the password needs to be provided.


In [39]:
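def runListOfCommands(commandsLists, password, outputFile, client=None):
    """Run each command over SSH and append its output to ``outputFile``.

    Every command is recorded as a ``### BEGIN <cmd> ###`` / ``### END <cmd> ###``
    block in the file, and the same block is printed so it shows up in the cell
    output.

    Parameters
    ----------
    commandsLists : iterable of str
        Shell command lines to execute remotely, in order.
    password : str
        sudo password.  It is fed on stdin only to commands that contain
        ``sudo -S``; other commands never see it.
    outputFile : str
        Local path the blocks are appended to (created if it does not exist).
    client : paramiko.SSHClient, optional
        Connection to use; defaults to the notebook-level ``ssh`` client.
    """
    if client is None:
        client = ssh

    for eachCMD in commandsLists:
        stdin, stdout, stderr = client.exec_command(eachCMD)

        # Only ``sudo -S`` reads the password from stdin.  Writing it to every
        # command would hand the credential to programs that never asked for it.
        if "sudo -S" in eachCMD:
            stdin.write(password + "\n")
            stdin.flush()

        # readlines() blocks until the remote command closes its stdout.
        output = ''.join(stdout.readlines())
        errors = ''.join(stderr.readlines())
        exit_status = stdout.channel.recv_exit_status()

        # Header / footer that delimit this command's block in the results file
        sepHeader = '### BEGIN ' + eachCMD + ' ###\n\n'
        sepFooter = '### END ' + eachCMD + ' ###\n\n'

        # A failed command would otherwise be indistinguishable from one that
        # printed nothing, so stderr and the status are recorded on failure.
        if exit_status != 0:
            output += '### STDERR (exit status ' + str(exit_status) + ') ###\n' + errors + '\n'

        cmd_output = sepHeader + output + sepFooter

        # save the cmd_output to a file
        with open(outputFile, 'a') as f:
            f.write(cmd_output)
        # print the results out to the console as well
        print(cmd_output)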

## This function downloads remote files to the local system

In [40]:
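def downloadFiles(files, download_dir, sftp_client=None):
    """Copy each remote file into ``download_dir`` over SFTP, keeping its basename.

    Parameters
    ----------
    files : iterable of str
        Remote paths, absolute or relative to the SFTP session's start directory.
    download_dir : str or path-like
        Local directory to store the copies in; created if it does not exist.
    sftp_client : paramiko.SFTPClient, optional
        Session to use; defaults to the notebook-level ``sftp`` session.

    Two remote files with the same basename (e.g. ``/a/x.log`` and ``/b/x.log``)
    map to the same local path, and the second download overwrites the first.
    The copies may be malware artefacts: they are only stored, never executed.
    """
    if sftp_client is None:
        sftp_client = sftp

    # sftp.get() does not create the local directory on its own.
    os.makedirs(download_dir, exist_ok=True)

    for eachFile in files:
        # Remote paths are POSIX, so split on "/" and keep the final component.
        filename = eachFile.split("/")[-1]
        local_path = os.path.join(str(download_dir), filename)
        sftp_client.get(eachFile, local_path)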


## For task 2: upload the Kraken binary and run it against /usr/bin/, /usr/sbin, /usr/local/bin, and /usr/local/sbin

In [41]:
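# start SFTP session
sftp = ssh.open_sftp()

# the local file on the system to upload
localFile = "kraken"
# the remote path to upload the file to
remotePath = "/home/emily.crawford/kraken"

# Fail with a clear message rather than an SFTP traceback when the scanner
# binary is not next to the notebook.
if not os.path.isfile(localFile):
    raise FileNotFoundError("local file not found: " + localFile)

# push the scanner binary to the linux server at the chosen path
sftp.put(localFile, remotePath)

# Directories to scan; each entry becomes one --folder argument.  Building the
# command line from this list avoids the empty ``--folder`` that the original
# hand-written string carried between /usr/bin and /usr/sbin.
scanDirs = ['/usr/bin', '/usr/sbin/', '/usr/local/bin', '/sbin', '/usr/local/sbin', '/bin']
folderArgs = ' '.join('--folder ' + d for d in scanDirs)

# Make the uploaded binary executable, then run the scan as root so every
# directory is readable.  Both use ``sudo -S`` so runListOfCommands feeds the
# password on stdin.
command = ['sudo -S chmod +x ' + remotePath,
           'sudo -S ' + remotePath + ' ' + folderArgs]

# file to save the output in
output = "results/kraken-results.txt"

# Run all the commands, and save the result to the directory results as well as printing them out
runListOfCommands(command, thePass, output)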

### BEGIN sudo -S chmod +x kraken ###

### END sudo -S chmod +x kraken ###


### BEGIN sudo -S /home/emily.crawford/kraken --folder /usr/bin --folder  --folder /usr/sbin/   --folder /usr/local/bin  --folder /sbin  --folder /usr/local/sbin  --folder /bin ###

[36mINFO[0m[0000] Looking for configuration file with name config.yaml 
[36mINFO[0m[0000] No configuration file found, generating a default one... 
[36mINFO[0m[0000] Loading Yara rules...                        
[36mINFO[0m[0000] Scanning running processes...                
[33mWARN[0m[0004] DETECTION! Malicious process detected as foundGoBinary  [33mpid[0m=3138 [33mprocess[0m=ls
[33mWARN[0m[0005] DETECTION! Malicious process detected as foundGoBinary  [33mpid[0m=25680 [33mprocess[0m=snapd
[36mINFO[0m[0017] Scanning autoruns...                         
[33mWARN[0m[0017] DETECTION! Malicious autorun detected as foundGoBinary  [33mimage_path[0m=/usr/bin/snap [33mtype[0m=systemd
[33mWARN[0m[0018] DETECTI

## Task 3: look for any malicious process IDs that Kraken reported as running

In [42]:
# Process flagged by the kraken scan above; list the files it has open
pid = 3138

# lsof accepts the pid glued to -p, which is how the original command was built
command = ["sudo -S lsof -p{}".format(pid)]

# results file for this step
output = "results/lsof-pid-results.txt"

runListOfCommands(command, thePass, output)

### BEGIN sudo -S lsof -p3138 ###

COMMAND  PID     USER   FD      TYPE DEVICE SIZE/OFF   NODE NAME
ls      3138 p.dalton  cwd       DIR    8,1     4096 258130 /home/p.dalton/test-lk
ls      3138 p.dalton  rtd       DIR    8,1     4096      2 /
ls      3138 p.dalton  txt       REG    8,1  6597697 258133 /usr/local/bin/ls
ls      3138 p.dalton  DEL       REG    8,1            3453 /usr/lib/x86_64-linux-gnu/libc-2.31.so
ls      3138 p.dalton  DEL       REG    8,1            3466 /usr/lib/x86_64-linux-gnu/libpthread-2.31.so
ls      3138 p.dalton  DEL       REG    8,1            3449 /usr/lib/x86_64-linux-gnu/ld-2.31.so
ls      3138 p.dalton    0r      CHR    1,3      0t0      6 /dev/null
ls      3138 p.dalton    1w      REG    8,1       85 258135 /home/p.dalton/test-lk/.d.log
ls      3138 p.dalton    2w      REG    8,1       85 258135 /home/p.dalton/test-lk/.d.log
ls      3138 p.dalton    3r      CHR    1,3      0t0      6 /dev/null
ls      3138 p.dalton    4u      REG    8,1        4 258

## Task 4: Download any suspicious files, binaries, or log files

In [43]:
# open an SFTP channel on the existing SSH connection
sftp = ssh.open_sftp()

# Artefacts from the suspect directory seen in the lsof output: the log the
# process writes to and, presumably, its pid file
files = [
    '/home/p.dalton/test-lk/.d.log',
    '/home/p.dalton/test-lk/d.pid',
]

# local directory that receives the copies
downloadDir = "remote_files"

downloadFiles(files, downloadDir)

## Task 5: Check running processes, /etc/passwd, and /var/log/auth.log

In [44]:
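# start SFTP session
sftp = ssh.open_sftp()

# Snapshot the process list (tee also stores it remotely so it can be pulled
# back as its own artefact), copy auth.log into the home directory where the
# non-root SFTP session can read it, and list the suspicious user's home.
# The original download list named 'ps-aux-results.txt' although no command
# created it; 'tee' now writes that file while still echoing the output into
# the results file.
command = ['sudo -S ps aux | tee ps-aux-results.txt',
           'sudo -S cp /var/log/auth.log .',
           'sudo -S chmod +r auth.log',
           'dir /home/p.dalton/']

# output to save the files
output = "results/check_processes_and_etc_passwd_and_var_log_auth.txt"

# run the commands and print the output
runListOfCommands(command, thePass, output)

# Artefacts to pull back: account list, the auth.log copy, the process snapshot
# and the unknown executable from the suspect home directory.  'auth.log' and
# 'ps-aux-results.txt' are relative to the SFTP session's start directory
# (presumably the same home directory the commands above ran in).
files = ['/etc/passwd', 'auth.log', 'ps-aux-results.txt', '/home/p.dalton/aqwerpuqwerj']

# directory to download the remote files to
downloadDir = "remote_files"

# The executable is copied for analysis only and is never run on this machine.
downloadFiles(files, downloadDir)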


### BEGIN sudo -S ps aux ###

USER         PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root           1  0.0  0.6 103332 103320 ?       Ss   Feb26   0:27 /sbin/init
root           2  0.0  0.0      0     0 ?        S    Feb26   0:00 [kthreadd]
root           3  0.0  0.0      0     0 ?        I<   Feb26   0:00 [rcu_gp]
root           4  0.0  0.0      0     0 ?        I<   Feb26   0:00 [rcu_par_gp]
root           6  0.0  0.0      0     0 ?        I<   Feb26   0:00 [kworker/0:0H-kblockd]
root           8  0.0  0.0      0     0 ?        I<   Feb26   0:00 [mm_percpu_wq]
root           9  0.0  0.0      0     0 ?        S    Feb26   0:01 [ksoftirqd/0]
root          10  0.0  0.0      0     0 ?        I    Feb26   0:23 [rcu_sched]
root          11  0.0  0.0      0     0 ?        S    Feb26   0:05 [migration/0]
root          12  0.0  0.0      0     0 ?        S    Feb26   0:00 [idle_inject/0]
root          14  0.0  0.0      0     0 ?        S    Feb26   0:00 [cpuhp/0]
root      

In [45]:
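# Close the SFTP channel first, then the SSH transport.  The finally block
# guarantees the transport is torn down even if the channel is already gone.
try:
    sftp.close()
finally:
    ssh.close()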

## Task 5: Questions

**What is the process name?**
It seemed the process was called `go-daemon sample`, as this was found when running `ps aux`.

**Which user is running the process?**
The user `p.dalton` was running this process.

**Has the user logged in before via SSH?**
User `p.dalton` logged in with ssh before.

**When did the user login?**
The user first logged in on Feb 27 at 04:44:14.

**How long was the login session?**
The user was logged in for 10 seconds, was disconnected, and then logged back in again.

**What is located in the unauthorized user’s home directory?**

There was the file named aqwerpuqwerj and there was the directory called test-lk which contained two files. One of the files in the test-lk was a log file, and the other contained a file which simply had the pid for the

Download any suspicious files.

## Reflection Questions


**Based on what you discovered and the information in the threat report, what is your conclusion about the host you analyzed?**

After reviewing the information found on the system as well as the threat report, it definitely seems that the threat actor ThugStyle was on the system. The account `p.dalton` seems to be the one this threat actor used, as it follows the format of a random letter followed by a dot and then a real last name. There was also the executable called `aqwerpuqwerj` in the `p.dalton` user's home directory. Finally, for system activity, the `ls` process had the malicious executable running, which was the reason the ls command wouldn't work and why kraken detected malicious behavior. This fits the threat actor's behaviour, as they try to hide malicious files in well-known Linux command locations. In terms of network activity, this threat actor uses a webserver with binaries written in Go. On the system the user ran the command `go-daemon sample` right before there was a lot of activity as root, and the `p.dalton` user also had a TCP listener on `*:http-alt (LISTEN)`.

**What did you like the most and least about this assignment?**

I thought it was pretty cool to do threat hunting looking for any ThugStyle activity. I also realized I could have Python functions in the notebook, which I used to reduce how much code I was copying and pasting. I'm not really sure what I liked least, since I liked threat-hunting; the only thing I could think of was that I was confused why the `ls` command didn't work, but after running kraken and realizing there was a malicious Go binary located there, it all made sense.

**What additional questions do you have?**
I don't really have any other questions for this assignment.
