MITRE ATT&CK Discovery
The adversary is trying to figure out your environment.
Discovery consists of techniques an adversary may use to gain knowledge about the system and internal network. These techniques help adversaries observe the environment and orient themselves before deciding how to act. They also allow adversaries to explore what they can control and what’s around their entry point in order to discover how it could benefit their current objective. Native operating system tools are often used toward this post-compromise information-gathering objective.
Detecting Discovery with Bash History
The challenge is to detect the adversary while they are still discovering your operating system and environment, and this is difficult because the activity looks much like routine administration. One possible method is to search .bash_history for commands that would indicate discovery activity. Many of these commands are also run legitimately by administrators, so the script sets two thresholds: how close together (in lines of history) the matching commands must appear, and how many matching commands must fall within a cluster before it is reported.
# This script is still in development
# Written by PTFM
# No Warranty or guarantee is included
import os

# Substrings that indicate host or network discovery when they appear in a command line
commands = ["uname", "hostname", "$USER", "/etc/passwd", "sudo -l ", "ifconfig", "route", "arp -e", "netstat", "crontab -l", "ps ", "lsmod", "timedatectl", "iptables -nvL", "ufw status", "systemctl status ufw", "systemctl status iptables", "dmidecode", "nmap"]

def disc(bash_history):
    tolerance = 5  # proximity tolerance: matching commands must be within this many lines of each other
    group_tolerance = 4  # minimum number of matching commands a cluster must contain to be reported
    group = 0
    detected = False
    prev_detect = False
    temp_tolerance = None  # lines remaining in the current proximity window
    cmd_group = []
    detected_cmd = []
    if os.access(bash_history, os.R_OK):
        print("Reading command history")
        with open(bash_history) as bh:  # read the file that was passed in, not a fixed name
            data = bh.read()
        if data:
            num_cmd_lines = data.split('\n')
            prev_cmd = ""
            for line in num_cmd_lines:
                cmd_line = line.strip(' ')
                for command in commands:
                    if command in cmd_line:
                        detected = True
                if detected and prev_detect and temp_tolerance is not None and temp_tolerance >= 0:
                    # another discovery command inside the window: extend the current cluster
                    temp_tolerance = tolerance
                    prev_cmd = cmd_line
                    cmd_group.append(prev_cmd)
                    detected = False
                    prev_detect = True
                elif detected:
                    # first discovery command of a possible new cluster
                    prev_detect = True
                    temp_tolerance = tolerance
                    cmd_group.append(cmd_line)
                    prev_cmd = cmd_line
                    detected = False
                else:
                    if temp_tolerance is None:
                        temp_tolerance = tolerance
                    temp_tolerance -= 1
                    if temp_tolerance == 0:
                        # the window closed: report the cluster only if it is large enough
                        group += 1
                        if len(cmd_group) >= group_tolerance:
                            detected_cmd.append(cmd_group)
                        cmd_group = []
                    elif temp_tolerance <= 0:
                        prev_detect = False
            # a cluster still open at the end of the history would otherwise be lost
            if len(cmd_group) >= group_tolerance:
                detected_cmd.append(cmd_group)
    return detected_cmd

br = disc('/home/<user>/.bash_history')  # replace <user> with the account to inspect
if br:
    for cmd_group in br:
        print("Group")
        print(cmd_group)
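Added example, not part of the PTFM script above: the same proximity-and-group-size clustering written as a function over history lines, extended in two ways the page does not cover: word-boundary matching, so that "traceroute" does not trip the "route" indicator, and dropping the "#<epoch>" timestamp records bash writes when HISTTIMEFORMAT is set, which a plain line count would treat as non-matching lines and so shrink the proximity window. The sample history and the pattern subset are constructed for this example.

```python
import re

# Constructed sample history (not from the page), laid out as bash writes it when
# HISTTIMEFORMAT is set: a "#<epoch>" record precedes each command.
SAMPLE_HISTORY = "\n".join([
    "#1700000000", "traceroute 10.0.0.1", "#1700000005", "uname -a",
    "#1700000006", "cat /etc/passwd", "#1700000007", "ifconfig",
    "#1700000008", "netstat -tulpn", "#1700000300", "vim app.py",
    "#1700000400", "make", "#1700000420", "make test",
    "#1700000500", "git add -A", "#1700000510", "git commit -m 'fix'",
    "#1700000520", "git push", "#1700003600", "ps aux",
]) + "\n"

# A subset of the indicator list above, as word-boundary regexes so that
# "route" does not fire on "traceroute" and "ps" does not fire on "apps".
DISCOVERY_PATTERNS = [re.compile(p) for p in (
    r"\buname\b", r"\bhostname\b", r"/etc/passwd\b", r"\bsudo\s+-l\b",
    r"\bifconfig\b", r"\broute\b", r"\barp\s+-e\b", r"\bnetstat\b",
    r"\bcrontab\s+-l\b", r"\bps\b", r"\blsmod\b", r"\bnmap\b",
)]

def command_lines(history_text):
    """Return the non-empty command lines, dropping '#<epoch>' timestamp records
    so they do not count toward the proximity window."""
    stripped = (l.strip() for l in history_text.splitlines())
    return [l for l in stripped if l and not re.fullmatch(r"#\d+", l)]

def find_discovery_clusters(lines, tolerance=5, group_tolerance=4):
    """Cluster matching commands that occur within `tolerance` lines of the
    previous match; report only clusters with at least `group_tolerance` members."""
    clusters, current, last_hit = [], [], None
    for idx, line in enumerate(lines):
        if not any(p.search(line) for p in DISCOVERY_PATTERNS):
            continue
        if last_hit is not None and idx - last_hit > tolerance:
            # the window closed: keep the cluster only if it is large enough
            if len(current) >= group_tolerance:
                clusters.append(current)
            current = []
        current.append(line)
        last_hit = idx
    if len(current) >= group_tolerance:  # flush a cluster still open at the end
        clusters.append(current)
    return clusters

if __name__ == "__main__":
    for group in find_discovery_clusters(command_lines(SAMPLE_HISTORY)):
        print("Group:", group)
```

With the defaults, the four discovery commands run in quick succession are reported as one cluster, while the lone "ps aux" an hour later is not.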