
Does not clear tracks with bash debug traps #4

Open
ariary opened this issue Jan 4, 2022 · 4 comments
Labels
enhancement New feature or request
Comments

@ariary

ariary commented Jan 4, 2022

moonwalk does not seem to clear tracks when it is used in a bash session which contains a trap with DEBUG mode.

Steps to reproduce

Put the command logger in ~/.bashrc:

```bash
#!/bin/bash
# ~/.bashrc fragment: the DEBUG trap is bash-specific (not available in plain sh).
# The handler runs before every simple command and appends it to a log file.
debug_poc() {
  echo "$USER($UID:$GROUPS) ran $BASH_COMMAND" >> /tmp/commands.log
}
trap debug_poc DEBUG
```

And try moonwalk in a bash session:

```console
$ sudo moonwalk start
$ echo "in mw"
$ sudo moonwalk finish
```

Now let's see if our tracks were cleared:

```console
$ cat /tmp/commands.log
kali(1000:1000) ran sudo moonwalk start
kali(1000:1000) ran echo "in mw"
kali(1000:1000) ran sudo moonwalk finish
```
@mufeedvh
Owner

mufeedvh commented Jan 4, 2022

This is an interesting case. Is this the same behaviour when moonwalk is invoked without sudo? I would guess so, because it handles modified files and doesn't track redirection or non-listed files.

On a cursory glance, the only way to prevent this is to make moonwalk its own shell runtime (actively monitoring system events just like trap does). Also, I've never seen bash debug traps implemented as a security feature / alternative logging approach. Is it something you've seen commonly implemented? Please let me know; if it is, moonwalk gotta ship as a shell runtime for the next release!

Thanks! 🙌

@ariary
Author

ariary commented Jan 4, 2022

In fact, to counter this logging trick, just exec trap with no argument => it will clear all trap listeners.

I don't really know if it is used in real systems. But I think it could be interesting for moonwalk to have the widest arsenal possible.

There are several logging "tricks" like this which could be easily detected and avoided (see). For the most common/real ones, moonwalk could help to avoid them.
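As an added example (not code from the moonwalk project or from the issue author), here is a DEBUG-trap logger in the style of the one in the first comment, run in a fresh bash, together with a check for the trap-clearing trick discussed just above. Because the DEBUG trap fires before each simple command, the `trap - DEBUG` that disables the logger is itself written to the log before it takes effect, which is what a log reviewer or SIEM rule would key on. The log path, log format and session commands are constructed for the demo.

```bash
#!/usr/bin/env bash
# Added example: DEBUG-trap command logging plus detection of trap tampering.
# Not code from moonwalk or the issue author; log format and paths are assumed.

# Run a constructed session in a new bash with the logger installed.
# $1: path of the command log to write (truncated first)
run_logged_session() {
    local log="$1"
    : > "$log"
    LOGFILE="$log" bash --noprofile --norc <<'EOF'
debug_log() {
    # same shape as the issue's logger: user(uid) ran <command>
    printf '%s(%s) ran %s\n' "${USER:-unknown}" "$UID" "$BASH_COMMAND" >> "$LOGFILE"
}
trap debug_log DEBUG
echo "in session"          # logged
trap - DEBUG               # the disabling command is logged before it runs
echo "after trap removal"  # no longer logged
EOF
}

# Number of commands captured in a log file.
logged_command_count() {
    wc -l < "$1" | tr -d ' '
}

# Flag any logged invocation of the trap builtin: in an interactive session
# this usually means someone is listing, replacing or removing trap handlers.
# Prints the matching lines; exit status 0 if any were found, 1 otherwise.
detect_trap_tampering() {
    grep -E ' ran trap( |$)' "$1"
}

# Demo: run the session, show the log and alert if the trap was touched.
demo_log=$(mktemp)
run_logged_session "$demo_log"
cat "$demo_log"
if detect_trap_tampering "$demo_log" > /dev/null; then
    echo "ALERT: DEBUG trap modified during session (see log above)"
fi
rm -f "$demo_log"
```

The log ends up with exactly two lines, `echo "in session"` and `trap - DEBUG`, and nothing after the trap was removed; the removal itself is the detection signal.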

@ariary
Author

ariary commented Jan 4, 2022

Another point, for stealthiness:

Moonwalk's aim is to hide/clear tracks after a shell session, but in the real world commands are logged and sent to a SIEM in real time. So clearing tracks is not sufficient.

As you said, having a shell runner to obfuscate the commands run is a good point.
I don't know if it is exactly in the scope.

I would like to help, but I have zero knowledge in Rust.

Eventually, I could try to develop this idea as a sidecar (as it is simple, I think).

@ariary
Author

ariary commented Jan 13, 2022

Eventually, I could try to develop this idea as a sidecar (as it is simple, I think).

volana is the "sidecar" that I think is a good complement for moonwalk. Don't know if it is what you had in mind.

@mufeedvh mufeedvh added this to the v0.2.0 milestone Jan 27, 2022
@mufeedvh mufeedvh added the enhancement New feature or request label Jan 27, 2022