Ideas for additional procfs collection #34
Replies: 3 comments 2 replies
-
Hi Hal, I will update live_response/process/procfs_information.yaml as you suggested (3 bullets). The last suggestion about deleted binaries (/proc/<pid>/exe and /proc/<pid>/fd/*) can also be added. The drawback would be the UAC output file being flagged as "malicious" if it is transferred to a workstation running antivirus software. Creating a password-protected zip file could be a solution on systems where the zip tool is available. Any suggestions? Thank you for the suggestions!
-
I have updated UAC to collect copies of '/proc/<pid>/exe' and the related '/proc/<pid>/fd/*' entries if they show up as being (deleted). They are copied using the 'dd conv=swab' tool in order to avoid the UAC output file being flagged and quarantined by any antivirus tool. Please clone the following branch if you want to test it -> https://github.com/tclahr/uac/tree/feature/issue-36
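The technique discussed in the thread (finding exe/fd targets that the kernel reports as "(deleted)" and copying them through `dd conv=swab` so the stored bytes no longer match the original binary) as an added POSIX sh example. This is not UAC's own code and does not reflect how the feature branch implements it; the function names, the `.swab`/`.path` output layout and the `OUTDIR/<pid>/` directory structure are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not UAC code: collect deleted-on-disk files that are still
# referenced from /proc/<pid>/exe and /proc/<pid>/fd/*, writing each copy
# through `dd conv=swab` (every pair of bytes swapped) so an antivirus
# scanner on the analyst workstation does not match the original binary.
# Applying `dd conv=swab` a second time restores the original file.

# Copy SRC to DST with every pair of bytes swapped. A trailing odd byte is
# copied unchanged by dd, so the operation is its own inverse.
swab_copy() {
    dd if="$1" of="$2" conv=swab 2>/dev/null
}

# Restore a file written by swab_copy (same command, applied once more).
unswab_copy() {
    swab_copy "$1" "$2"
}

# Return 0 when a readlink target carries the kernel's " (deleted)" suffix,
# i.e. the inode is still held open but has no directory entry any more.
link_is_deleted() {
    case "$1" in
        *" (deleted)") return 0 ;;
        *)             return 1 ;;
    esac
}

# Collect the deleted exe/fd targets of one PID into OUTDIR/<pid>/.
# Each copy is stored as <name>.swab with the original path in <name>.path.
# Prints one "<procfs link> -> <output file>" line per collected file.
collect_pid() {
    pid="$1"
    outdir="$2"
    for link in "/proc/$pid/exe" /proc/"$pid"/fd/*; do
        # skip an unexpanded glob or a process that exited meanwhile
        [ -L "$link" ] || continue
        target=$(readlink "$link" 2>/dev/null) || continue
        link_is_deleted "$target" || continue
        mkdir -p "$outdir/$pid"
        # e.g. "exe" -> exe.swab, "fd/3" -> fd_3.swab (naming is this example's choice)
        name=$(printf '%s' "${link#/proc/$pid/}" | tr '/' '_')
        out="$outdir/$pid/$name.swab"
        # the procfs magic link still opens the unlinked inode, so dd can read it
        swab_copy "$link" "$out" || continue
        printf '%s\n' "$target" > "$out.path"
        printf '%s -> %s\n' "$link" "$out"
    done
    return 0
}

# Walk every numeric /proc entry (all visible processes).
collect_all() {
    for d in /proc/[0-9]*; do
        collect_pid "${d#/proc/}" "$1"
    done
}

# Usage (as root, on the live system):  collect_all /mnt/evidence/deleted_procfs
# Back on the workstation:  unswab_copy 1234/exe.swab 1234/exe
```

Because the swapped copy is not the original byte stream, signature and hash matching on the collection host or the analyst workstation will not fire on it; the analyst recovers the evidence with the same `dd conv=swab` command, which also handles odd-length files since dd leaves the final byte alone. Note that `/proc/<pid>/fd/*` entries pointing at sockets or pipes never carry the "(deleted)" suffix and are skipped, while memfd-backed files show up as deleted and are collected.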
-
live_response/process/procfs_information.yaml is a good group of items to collect, but I would suggest adding a few more items-- at least on Linux and Linux-like systems:
Also if /proc/<pid>/exe or any of /proc/<pid>/fd/* show up as being "(deleted)", it would be cool if UAC could have a command-line switch that would enable automatically grabbing copies of these files.