README
¶
Code for the talk "A Lazy Programmer's Tips For Avoiding The SOC"
The code in this repository was used for the talk "A Lazy Programmer's Tips for Avoiding The SOC," presented at BSides Belfast on 12 September 2024.
Slides: https://docs.google.com/presentation/d/1yUaalv-a_5oI9qYMUC7VCRqgkwIQFtlJcRWxI5TaAaE
Contents
Each subdirectory of src in this repository corresponds to one of
the tips presented in the talk. They are as follows, listed in the order
presented:
| Subdirectory | Description |
|---|---|
shello_world |
Hello, World!, shell-style |
argv_from_source |
shello_world, but with baked-in arguments |
argv_from_environment |
argv_from_source but taking config from the environment |
argv_from_stdin |
argv_from_environment but taking config from standard input |
argv_from_file_descriptor |
argv_from_stdin but taking config from file descriptor 7 |
argv_from_argv0 |
argv_from_file_descriptor but taking config from argv[0] |
letsencryptshellcatcher |
Catches TLS/HTTPS reverse shells, using certs from Let's Encrypt |
comms_over_tls |
argv_from_file_descriptor but with TLS comms |
comms_over_https |
comms_over_tls but using HTTPS |
comms_without_dns |
comms_over_https but without a DNS lookup |
read_from_file_descriptor |
comms_without_dns but reads from a file descriptor |
map_and_regex_file_descriptor |
read_from_file_descriptor but maps the file from the file descriptor into memory and exfils regex matches |
change_own_timestamp |
map_and_regex_file_descriptor but sets the timestamp of argv[0] back a week |
injecty_lib |
Simpler shell than shello_world, but injectable |
fake_edr |
A process which exists only to be an injection target |
Building
On OpenBSD, make should do the trick.
On other platforms, BSD make might work. Failing that,
build.sh should be sufficient to build the binaries.
In either case, LINKFLAGS may be set to pass variables to the Go compiler
via -linkflags. Due to shell quoting issues, single-quotesgT
Useful Makefile Targets
| Target | Description |
|---|---|
all |
Build ALL the things |
diffs |
Assume sources are correct, rebuild diffs |
fromdiffs |
Assume diffs are correct, rebuild sources |
clean |
Delete everything which can't be rebuilt |
cleanbins |
Delete binaries, leave sources |
test |
Runs testish things, but there's no proper tests |
Directories
¶
| Path | Synopsis |
|---|---|
|
src
|
|
|
argv_from_argv0
Program argv_from_argv0 - argv_from_file_descriptor but parses argv[0] into the config.
|
Program argv_from_argv0 - argv_from_file_descriptor but parses argv[0] into the config. |
|
argv_from_environment
Program argv_from_environment - argv_from_source with optional environment variables
|
Program argv_from_environment - argv_from_source with optional environment variables |
|
argv_from_file_descriptor
Program argv_from_file_descriptor - argv_from_stdin but reads config from a different file descriptor number.
|
Program argv_from_file_descriptor - argv_from_stdin but reads config from a different file descriptor number. |
|
argv_from_source
Program argv_from_source - shello_world with baked-in config
|
Program argv_from_source - shello_world with baked-in config |
|
argv_from_stdin
Program argv_from_stdin - argv_from_environment which also tries to read config from stdin.
|
Program argv_from_stdin - argv_from_environment which also tries to read config from stdin. |
|
change_own_timestamp
Program change_own_timestamp - map_and_regex_file_descriptor but changes argv[0]'s timestamp to a week earlier.
|
Program change_own_timestamp - map_and_regex_file_descriptor but changes argv[0]'s timestamp to a week earlier. |
|
comms_over_https
Program comms_over_https - coms_over_tls but uses HTTPS
|
Program comms_over_https - coms_over_tls but uses HTTPS |
|
comms_over_tls
Program comms_over_tls - argv_from_file_descriptor but uses TLS
|
Program comms_over_tls - argv_from_file_descriptor but uses TLS |
|
comms_without_dns
Program comms_without_dns - coms_over_https but without a DNS lookup
|
Program comms_without_dns - coms_over_https but without a DNS lookup |
|
injecty_lib
Program injecty_lib - injectable shello_world with TLS and a baked-in config
|
Program injecty_lib - injectable shello_world with TLS and a baked-in config |
|
letsencryptshellcatcher
Program letsencryptshellcatcher - Catches a TLSified reverse shell with a cert from Let's Encrypt
|
Program letsencryptshellcatcher - Catches a TLSified reverse shell with a cert from Let's Encrypt |
|
map_and_regex_file_descriptor
Program map_and_regex_file_descriptor - read_from_file_descriptor but maps the file into memory and exfills regex matches
|
Program map_and_regex_file_descriptor - read_from_file_descriptor but maps the file into memory and exfills regex matches |
|
read_from_file_descriptor
Program read_from_file_descriptor - comms_without_dns but reads from a file descriptor
|
Program read_from_file_descriptor - comms_without_dns but reads from a file descriptor |
|
shello_world
Program shello_world - The shell equivalent of Hello, World!
|
Program shello_world - The shell equivalent of Hello, World! |
Click to show internal directories.
Click to hide internal directories.