This is an interesting case. Is this the same behaviour when moonwalk is invoked without sudo? I would guess so because it handles modified files and doesn't track redirection or non-listed files.
On a cursory glance, the only way to prevent this is to make moonwalk its own shell runtime (actively monitoring system events just like trap does). Also I've never seen bash debug traps implemented as a security feature / alternative logging approach. Is it something you've seen commonly implemented? Please let me know, if it is, moonwalk gotta ship as a shell runtime for the next release!
In fact, to counter this logging trick just exec trap with no argument => it will clear all trap listeners.
I don't really know if it is used in real systems. But I think it could be interesting for moonwalk to have the widest arsenal possible.
There are several logging "tricks" like this which could be easily detected and avoided (see). For the most common/real ones moonwalk could help to avoid them.
Moonwalk's aim is to hide/clear tracks after a shell session, but in the real world commands are logged and sent to a SIEM in real time. So clearing tracks is not sufficient.
As you said, having a shell runner to obfuscate the commands run is a good point.
I don't know if it is exactly in the scope.
I would like to help, but I have zero knowledge in Rust.
Eventually, I could try to develop this idea as a sidecar (as it is simple, I think).
moonwalk does not seem to clear tracks in a bash session when it is used in a bash session which contains a trap with DEBUG mode
Step to reproduce
Put the command logger in ~/.bashrc:
And try moonwalk in a bash session:
Now let's see if our tracks were cleared: