
Detect Discovery on Linux

    MITRE ATT&CK Discovery

    The adversary is trying to figure out your environment.

    Discovery consists of techniques an adversary may use to gain knowledge about the system and internal network. These techniques help adversaries observe the environment and orient themselves before deciding how to act. They also allow adversaries to explore what they can control and what’s around their entry point in order to discover how it could benefit their current objective. Native operating system tools are often used toward this post-compromise information-gathering objective.

    Detecting Discovery with Bash History

    The challenge becomes finding and detecting the adversary while they are trying to discover your operating system and your environment, and this activity is very difficult to detect. One possible method is to use .bash_history to look for commands that would indicate an adversary running discovery commands. Many of these commands are also run by administrators, so part of the script sets a threshold for how close together the commands must appear (proximity, measured in lines of history), as well as a threshold for how many commands must appear in a group before the group is reported.

    # This script is still in development
    # Written by PTFM
    # No Warranty or guarantee is included
    import os
    import sys

    # Substrings that indicate host or network discovery when they appear in a command line
    commands = ["uname", "hostname", "$USER", "/etc/passwd", "sudo -l ", "ifconfig", "route", "arp -e", "netstat", "crontab -l", "ps ", "lsmod", "timedatectl", "iptables -nvL", "ufw status", "systemctl status ufw", "systemctl status iptables", "dmidecode", "nmap"]

    def disc(bash_history):
        tolerance = 5        # proximity tolerance: ex. 5 means matching commands must be within 5 lines of each other
        group_tolerance = 4  # total number of matching commands a cluster must contain to be shown
        group = 0
        detected = False
        prev_detect = False
        cmd_group = []
        detected_cmd = []
        temp_tolerance = tolerance   # lines of non-matching history left before the current cluster is closed
        if not os.access(bash_history, os.R_OK):
            print("Cannot read " + bash_history, file=sys.stderr)
            return detected_cmd
        print("Reading command history")
        with open(bash_history) as bh:   # open the path passed in, not a hard-coded '.bash_history'
            data = bh.read()
        if not data:
            return detected_cmd
        num_cmd_lines = data.split('\n')
        prev_cmd = ""
        for i in range(len(num_cmd_lines)):
            cmd_line = num_cmd_lines[i].strip(' ')
            for command in commands:
                if command in cmd_line:
                    detected = True
            if detected and prev_detect and temp_tolerance >= 0:
                # another discovery command inside the current window: extend the cluster and reset the window
                temp_tolerance = tolerance
                prev_cmd = cmd_line
                cmd_group.append(prev_cmd)
                detected = False
                prev_detect = True
            elif detected:
                # first discovery command of a potential cluster
                prev_detect = True
                temp_tolerance = tolerance
                cmd_group.append(cmd_line)
                prev_cmd = cmd_line
                detected = False
            else:
                # non-matching line: consume one line of the proximity window
                temp_tolerance -= 1
                if temp_tolerance == 0:
                    # window exhausted: report the cluster if it is large enough, then start over
                    group += 1
                    if len(cmd_group) >= group_tolerance:
                        detected_cmd.append(cmd_group)
                    cmd_group = []
                elif temp_tolerance <= 0:
                    prev_detect = False
        # a cluster still open when the history ends is never closed by the countdown, so report it here
        if len(cmd_group) >= group_tolerance:
            detected_cmd.append(cmd_group)
        return detected_cmd

    br = disc('/home/<user>/.bash_history')
    if br:
        for cmd_group in br:
            print("Group")
            print(cmd_group)
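    The same proximity-and-group-size idea, written as an added example rather than the PTFM script above, and run over a constructed .bash_history so the thresholds can be seen working. This version is an assumption of this page edit, not PTFM's code: it matches indicators with word-boundary regular expressions (so "ps " does not fire on "apps "), it records the history line number of each hit so an analyst can go back to the file, and it reports a cluster that is still open when the history ends. The indicator list and the sample history are constructed for the example.

```python
import re

# Discovery indicators in regex form (constructed subset of the page's list, plus `ip addr`/`ip route`).
DISCOVERY_PATTERNS = [
    r"\buname\b", r"\bhostname\b", r"\$USER\b", r"/etc/passwd",
    r"\bsudo -l\b", r"\bifconfig\b", r"\bip (a|addr|route)\b", r"\bnetstat\b",
    r"\bcrontab -l\b", r"\bps (aux|-ef)\b", r"\blsmod\b", r"\biptables -nvL\b",
    r"\bufw status\b", r"\bdmidecode\b", r"\bnmap\b",
]
_COMPILED = [re.compile(p) for p in DISCOVERY_PATTERNS]


def is_discovery(cmd_line):
    """True if the command line contains any discovery indicator."""
    return any(p.search(cmd_line) for p in _COMPILED)


def find_discovery_clusters(history_lines, tolerance=5, group_tolerance=4):
    """Group discovery commands that occur within `tolerance` history lines of each other.

    Returns a list of clusters; each cluster is a list of (line_number, command) tuples
    with 1-based line numbers.  Only clusters holding at least `group_tolerance` commands
    are returned, so a lone `hostname` typed by an administrator is ignored.
    """
    clusters = []
    current = []
    last_hit = None  # line number of the most recent discovery command
    for lineno, raw in enumerate(history_lines, start=1):
        cmd = raw.strip()
        if not cmd or not is_discovery(cmd):
            continue
        if last_hit is not None and lineno - last_hit > tolerance:
            # gap too large: close the current cluster (keep it only if big enough) and start a new one
            if len(current) >= group_tolerance:
                clusters.append(current)
            current = []
        current.append((lineno, cmd))
        last_hit = lineno
    if len(current) >= group_tolerance:  # flush a cluster still open at end of history
        clusters.append(current)
    return clusters


def report(clusters):
    """Render clusters as text, one group per block, the way the page's script prints groups."""
    lines = []
    for n, cluster in enumerate(clusters, start=1):
        first, last = cluster[0][0], cluster[-1][0]
        lines.append(f"Group {n}: {len(cluster)} discovery commands in history lines {first}-{last}")
        for lineno, cmd in cluster:
            lines.append(f"  {lineno:>4}  {cmd}")
    return "\n".join(lines)


# Constructed sample history: one routine `hostname` by an administrator, ordinary work,
# then a burst of orientation commands of the kind the page describes.
SAMPLE_HISTORY = """hostname
cd /var/www/app
git pull
systemctl restart nginx
tail -f /var/log/nginx/error.log
vim config.yml
make test
uname -a
id; echo $USER
cat /etc/passwd
sudo -l
ip addr
netstat -tulpn
crontab -l
ps aux
ls -la
cd ~
exit""".split("\n")

if __name__ == "__main__":
    print(report(find_discovery_clusters(SAMPLE_HISTORY)))
```

    With the defaults the administrator's `hostname` on line 1 is seven lines away from the next hit, so it is dropped as a single-command cluster, while lines 8 to 15 form one reported group; raising `tolerance` to 7 pulls the `hostname` into that group, which is the kind of false-positive trade-off the thresholds exist to tune. To use it on a real host, pass `open(path).read().split("\n")` for a user's .bash_history in place of `SAMPLE_HISTORY`.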
                    
