Ideas for additional procfs collection #34

halpomeranz · 2022-02-28T17:20:35Z

halpomeranz
Feb 28, 2022

live_response/process/procfs_information.yaml is a good group of items to collect, but I would suggest adding a few more items-- at least on Linux and Linux-like systems:

"ls -l /proc/[0-9]*/cwd" is one of my go-to items for detecting suspicious processes-- when the CWD is /tmp/.ICEd-unix/fooTWUX67 you know you have a problem
"cat /proc/%line%/stack" can sometimes reveal details of process behavior-- e.g., waiting on a socket, etc
"cat /proc/%line%/status" has lots of extra process detail, including PPID etc

Also if /proc/<pid>/exe or any of /proc/<pid>/fd/* show up as being "(deleted)", it would be cool if UAC could have a command-line switch that would enable automatically grabbing copies of these files.

tclahr · 2022-03-01T21:44:15Z

tclahr
Mar 1, 2022
Maintainer

hi Hal,

I will update live_response/process/procfs_information.yaml as you suggested (3 bullets).

The last suggestion about deleted binaries (/proc//exe and /proc//fd/*) can also be added. The drawback would be UAC output file being flagged as "malicious" if it is transferred to a workstation running antivirus software.

Creating a password-protected zip file could be a solution on systems where zip tool is available. Any suggestions?

Thank you for the suggestions!

2 replies

halpomeranz Mar 2, 2022
Author

There are multiple external programs that could be used to encode files: zip, gzip, openssl, "dd conv=swab", "xxd -p", and so on. Maybe UAC could just use whatever is available.

An alternative would be to implement a simple XOR encoder in UAC itself.

tclahr Mar 5, 2022
Maintainer

Yeah, I will check if there is a common tool I can use across all the supported OSs. If there is none, I will implement a simple XOR encoder as you suggested.

Thank you!

tclahr · 2022-03-05T12:02:48Z

tclahr
Mar 5, 2022
Maintainer

Please refer to issues #35 and #36

0 replies

tclahr · 2022-03-18T21:06:55Z

tclahr
Mar 18, 2022
Maintainer

I have update UAC to collects copies of '/proc//exe' and their related '/proc//fd/*' if they are shown up as being (deleted). They are copied using 'dd conv=swab' tool in order to avoid UAC output file being flagged and quarantined by any antivirus tool.

Clone the following branch if you want to test it please -> https://github.com/tclahr/uac/tree/feature/issue-36

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Ideas for additional procfs collection #34

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Replies: 3 comments 2 replies

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

Ideas for additional procfs collection #34

Uh oh!

Uh oh!

halpomeranz Feb 28, 2022

Replies: 3 comments · 2 replies

Uh oh!

tclahr Mar 1, 2022 Maintainer

Uh oh!

halpomeranz Mar 2, 2022 Author

Uh oh!

tclahr Mar 5, 2022 Maintainer

Uh oh!

tclahr Mar 5, 2022 Maintainer

Uh oh!

tclahr Mar 18, 2022 Maintainer

halpomeranz
Feb 28, 2022

Replies: 3 comments 2 replies

tclahr
Mar 1, 2022
Maintainer

halpomeranz Mar 2, 2022
Author

tclahr Mar 5, 2022
Maintainer

tclahr
Mar 5, 2022
Maintainer

tclahr
Mar 18, 2022
Maintainer