Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Intel]: https://www.countercraftsec.com/blog/a-step-by-step-bpfdoor-compromise/ #643

Open
timb-machine opened this issue Apr 20, 2023 · 0 comments
Open

[Intel]: https://www.countercraftsec.com/blog/a-step-by-step-bpfdoor-compromise/ #643

timb-machine opened this issue Apr 20, 2023 · 0 comments
Assignees
@timb-machine
Labels
confirmed ignore:tag:Auditd ignore:tag:T1005 ignore:tag:T1007 ignore:tag:T1021.002 ignore:tag:T1053.006 ignore:tag:T1057 ignore:tag:T1071.001 ignore:tag:T1083 ignore:tag:T1491 ignore:tag:T1543.002 ignore:tag:T1546.004 ignore:tag:T1562.001 ignore:tag:T1567 missing:tag:T1048 missing:tag:T1574.007

Comments

@timb-machine
Copy link
Owner

timb-machine commented Apr 20, 2023
edited
Loading

Area

Malware reports

Parent threat

Persistence, Defense Evasion, Command and Control

Finding

https://www.countercraftsec.com/blog/a-step-by-step-bpfdoor-compromise/

Industry reference

attack:T1205.002:Socket Filters
attack:T1036:Masquerading
attack:T1070:Indicator Removal on Host
attack:T1205:Traffic Signaling
attack:T1573:Encrypted Channel
attack:T1106:Native API
attack:T1059.004: Unix Shell
attack:T1070.004:File Deletion
attack:T1036.004:Masquerade Task or Service
attack:T1070.006:Timestomp
uses:RedirectionToNull
uses:Non-persistentStorage
attack:T1036.005:Match Legitimate Name or Location
uses:ProcessTreeSpoofing
attack:T1562.004:Disable or Modify System Firewall

Malware reference

BPFDoor
/malware/binaries/BPFDoor
Unix.Backdoor.RedMenshen

Actor reference

No response

Component

Linux
Solaris

Scenario

No response
@timb-machine timb-machine self-assigned this Apr 20, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@timb-machine timb-machine

Labels
confirmed ignore:tag:Auditd ignore:tag:T1005 ignore:tag:T1007 ignore:tag:T1021.002 ignore:tag:T1053.006 ignore:tag:T1057 ignore:tag:T1071.001 ignore:tag:T1083 ignore:tag:T1491 ignore:tag:T1543.002 ignore:tag:T1546.004 ignore:tag:T1562.001 ignore:tag:T1567 missing:tag:T1048 missing:tag:T1574.007
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@timb-machine