From 801a04c20ca6fd67b8216beacc88714bbf22179e Mon Sep 17 00:00:00 2001
From: Thiago Canozzo Lahr
Date: Tue, 21 May 2024 09:04:38 -0300
Subject: [PATCH] artif: new artifacts

---
 CHANGELOG.md | 6 ++++
 .../process/procfs_information.yaml | 29 +++++++++++++++++--
 artifacts/live_response/system/ebpf.yaml | 11 +++++++
 .../live_response/system/kernel_modules.yaml | 19 ++++++++++++
 4 files changed, 63 insertions(+), 2 deletions(-)
 create mode 100644 artifacts/live_response/system/ebpf.yaml
 create mode 100644 artifacts/live_response/system/kernel_modules.yaml

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 76f06b11..d6006f19 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -26,4 +26,10 @@
 - live_response/packages/pkg.yaml: Updated collection support for information about installed packages [solaris] (by [sec-hbaer](https://github.com/sec-hbaer)).
 - live_response/packages/xbps.yaml: Added collection support for packages installed through XBPS package manager [linux] (by [Pierre-Gronau-ndaal](https://github.com/Pierre-Gronau-ndaal)).
 - live_response/packages/yay.yaml: Added collection support for packages installed through Yay [linux] (by [Pierre-Gronau-ndaal](https://github.com/Pierre-Gronau-ndaal)).
+- live_response/process/procfs_information.yaml: Added collection support for entries corresponding to memory-mapped files [linux].
+- live_response/process/procfs_information.yaml: Added collection support for listing the contents of /proc/modules [linux].
+- live_response/process/procfs_information.yaml: Added collection support for listing Unix sockets [linux].
+- live_response/system/ebpf.yaml: Added collection support for listing pinned eBPF progs [linux].
+- live_response/system/kernel_modules.yaml: Added collection support for listing available parameters per kernel module [linux].
+- live_response/system/kernel_modules.yaml: Added collection support for listing loaded kernel modules to compare with /proc/modules [linux].
 - live_response/system/modinfo.yaml: Added collection support for information about loaded kernel modules [linux, solaris] (by [sanderu](https://github.com/sanderu)).
diff --git a/artifacts/live_response/process/procfs_information.yaml b/artifacts/live_response/process/procfs_information.yaml
index aa1ca66f..d5638d67 100644
--- a/artifacts/live_response/process/procfs_information.yaml
+++ b/artifacts/live_response/process/procfs_information.yaml
@@ -1,4 +1,4 @@
-version: 1.0
+version: 2.0
 artifacts:
   -
     description: Collect current running processes information.
@@ -42,6 +42,12 @@ artifacts:
     collector: command
     command: ls -l /proc/[0-9]*/cwd
     output_file: ls_-l_proc_pid_cwd.txt
+  -
+    description: Display the list of all modules loaded into the kernel.
+    supported_os: [linux]
+    collector: command
+    command: cat /proc/modules
+    output_file: cat_proc_modules.txt
   -
     description: Collect the command name associated with a process.
     supported_os: [android, linux]
@@ -98,6 +104,14 @@ artifacts:
     command: ls -la /proc/%line%/fd
     output_directory: proc/%line%
     output_file: fd.txt
+  -
+    description: Collect information about entries corresponding to memory-mapped files.
+    supported_os: [linux]
+    collector: command
+    foreach: for pid in /proc/[0-9]*; do echo ${pid} | sed -e 's:/proc/::'; done
+    command: ls -la /proc/%line%/map_files
+    output_directory: proc/%line%
+    output_file: map_files.txt
   -
     description: Collect the initial process' stack trace.
     supported_os: [android, linux]
@@ -114,6 +128,14 @@ artifacts:
     command: cat /proc/%line%/status
     output_directory: proc/%line%
     output_file: status.txt
+  -
+    description: Display the list of UNIX sockets.
+    supported_os: [linux]
+    collector: command
+    foreach: for pid in /proc/[0-9]*; do echo ${pid} | sed -e 's:/proc/::'; done
+    command: cat /proc/%line%/net/unix
+    output_directory: proc/%line%/net
+    output_file: unix.txt
   -
     description: Collect running process information.
     supported_os: [aix, solaris]
@@ -137,4 +159,7 @@ artifacts:
     foreach: for pid in /proc/[0-9]*; do echo ${pid} | sed -e 's:/proc/::'; done
     command: procfiles -n -c %line%
     output_directory: proc/%line%
-    output_file: procfiles.txt
\ No newline at end of file
+    output_file: procfiles.txt
+
+# References:
+# https://www.defensive-security.com/storage/uploads/Advanced%20Linux%20Detection%20and%20Forensics%20Cheatsheet%20by%20Defensive%20Security.pdf
diff --git a/artifacts/live_response/system/ebpf.yaml b/artifacts/live_response/system/ebpf.yaml
new file mode 100644
index 00000000..88a1398e
--- /dev/null
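Review bot: The `ls -la /proc/%line%/map_files` artifact (the `@@ -98,6 +104,14 @@` hunk) depends on privilege and kernel version that its description does not state: per proc(5) the directory exists only on kernels 4.3 and later (earlier kernels need CONFIG_CHECKPOINT_RESTORE), and resolving the symlink targets requires CAP_SYS_ADMIN in the initial user namespace (CAP_CHECKPOINT_RESTORE also suffices from 5.9), so an unprivileged run records only the address-range names with unresolved links. An analyst reading such output would wrongly conclude the process has no file-backed mappings. Worth stating in the artifact itself, e.g. `description: Collect information about entries corresponding to memory-mapped files (link targets resolve only with CAP_SYS_ADMIN; directory absent on kernels before 4.3).`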
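Review bot: The `cat /proc/%line%/net/unix` artifact (the `@@ -114,6 +128,14 @@` hunk) iterates over every PID, but /proc/PID/net is a per-network-namespace view, so every process in the same netns returns the identical socket table and the collector writes one copy of the same file per process — hundreds of duplicates on a typical host, which also bloats the evidence package. The per-PID loop only adds value for processes living in another network namespace (containers), so emit one PID per distinct namespace instead, e.g. `foreach: seen=""; for pid in /proc/[0-9]*; do ns=$(readlink ${pid}/ns/net 2>/dev/null); case " ${seen} " in *" ${ns} "*) ;; *) seen="${seen} ${ns}"; echo ${pid} | sed -e 's:/proc/::';; esac; done`. Assuming the engine runs the foreach string as one shell command line (as the existing loop form suggests), the variable persists across iterations and the host namespace collapses to a single file while container namespaces are still captured; the `output_directory: proc/%line%/net` still records which PID each view was taken from.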
+++ b/artifacts/live_response/system/ebpf.yaml
@@ -0,0 +1,11 @@
+version: 1.0
+artifacts:
+  -
+    description: List pinned eBPF progs.
+    supported_os: [linux]
+    collector: command
+    command: ls -la /sys/fs/bpf
+    output_file: ls_-la_sys_fs_bpf.txt
+
+# References:
+# https://www.defensive-security.com/storage/uploads/Advanced%20Linux%20Detection%20and%20Forensics%20Cheatsheet%20by%20Defensive%20Security.pdf
\ No newline at end of file
diff --git a/artifacts/live_response/system/kernel_modules.yaml b/artifacts/live_response/system/kernel_modules.yaml
new file mode 100644
index 00000000..a1d60d40
--- /dev/null
+++ b/artifacts/live_response/system/kernel_modules.yaml
@@ -0,0 +1,19 @@
+version: 1.0
+artifacts:
+  -
+    description: Display the loaded kernel modules (compare with /proc/modules).
+    supported_os: [linux]
+    collector: command
+    command: ls -la /sys/module
+    output_file: ls_-la_sys_module.txt
+  -
+    description: Display available parameters per kernel module.
+    supported_os: [linux]
+    collector: command
+    foreach: for module in /sys/module/* ; do echo ${module} | sed -e 's:/sys/module/::'; done
+    command: ls -la /sys/module/%line%/parameters
+    output_directory: module/%line%
+    output_file: parameters.txt
+
+# References:
+# https://www.defensive-security.com/storage/uploads/Advanced%20Linux%20Detection%20and%20Forensics%20Cheatsheet%20by%20Defensive%20Security.pdf
\ No newline at end of file
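Review bot: `ls -la /sys/fs/bpf` lists only the top level of the bpffs mount, while pinned objects are conventionally placed in subdirectories (`/sys/fs/bpf/tc/globals` and per-tool directories), so the artifact will miss most of what its description promises. Recurse instead, `command: ls -laR /sys/fs/bpf` with `output_file: ls_-laR_sys_fs_bpf.txt`, and note that pinned maps and links live there too, not only programs. The description should also say that pinning is optional: a program held open by a still-running loader never appears under bpffs, so this listing is not an inventory of loaded eBPF; `bpftool prog show` / `bpftool map show` where the binary is available, and `bpf-prog` / `bpf-map` targets in /proc/PID/fd, are what surface those.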
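Review bot: The "compare with /proc/modules" description on the first kernel_modules.yaml artifact will yield constant false differences, because /sys/module also holds every built-in (non-loadable) module that exposes parameters, whereas /proc/modules lists only loadable modules. The `initstate` attribute is created only for loadable modules, so the comparable set is better produced by a second command such as `for m in /sys/module/*; do [ -f "${m}/initstate" ] && echo "${m##*/}"; done` — a module unlinked from the kernel's module list by a rootkit but whose kobject remains in sysfs still shows up there, which is the detection this artifact is after. If the plain `ls -la /sys/module` is kept, the description should at least say that built-in modules are expected extras, e.g. `description: Display kernel modules present in sysfs (includes built-in modules; entries with an initstate file are loadable modules, compare those with /proc/modules).`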