Skip to content

Commit 776e6c8

Browse files
committed
feat: add auto detect scripts and add support for additional scenarios
1 parent acd3749 commit 776e6c8

19 files changed

Lines changed: 304 additions & 51 deletions

.github/workflows/lint-scripts.yml

Lines changed: 7 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -28,6 +28,7 @@ jobs:
2828
line1=$(sed -n '1p' "$script")
2929
line2=$(sed -n '2p' "$script")
3030
line3=$(sed -n '3p' "$script")
31+
line4=$(sed -n '4p' "$script")
3132
3233
if ! echo "$line1" | grep -qE '^#!'; then
3334
echo "FAIL: $name: line 1 is not a shebang (got: $line1)"
@@ -38,8 +39,12 @@ jobs:
3839
echo "FAIL: $name: line 2 missing '# Shortname: <name>' (got: $line2)"
3940
failed=1
4041
fi
41-
if ! echo "$line3" | grep -qE '^# Description: .+'; then
42-
echo "FAIL: $name: line 3 missing '# Description: <text>' (got: $line3)"
42+
if ! echo "$line3" | grep -qE '^# Severity: (Critical|High|Medium|Low)$'; then
43+
echo "FAIL: $name: line 3 missing '# Severity: <Critical|High|Medium|Low>' (got: $line3)"
44+
failed=1
45+
fi
46+
if ! echo "$line4" | grep -qE '^# Description: .+'; then
47+
echo "FAIL: $name: line 4 missing '# Description: <text>' (got: $line4)"
4348
failed=1
4449
fi
4550
done

README.md

Lines changed: 5 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -86,7 +86,11 @@ For Docker, use the following command to run the detection container interactive
8686
sudo docker run --rm -it quay.io/crowdstrike/detection-container
8787
```
8888

89-
For Kubernetes environments, refer to the [vulnapp project](https://github.com/CrowdStrike/vulnapp) for running the detection container interactively.
89+
For a graphical, browser-based experience, see [Web Frontend (VulnApp)](#web-frontend-vulnapp) below.
90+
91+
### Web Frontend (VulnApp)
92+
93+
[VulnApp](https://github.com/CrowdStrike/vulnapp) wraps this detection container in a Go web application, giving you a graphical, browser-based way to trigger detections instead of the TUI. It ships deployment manifests for both generic Kubernetes and OpenShift. See the [vulnapp project](https://github.com/CrowdStrike/vulnapp) for setup and deployment instructions.
9094

9195
### Non-interactive Mode
9296

bin/Collection_via_Automated_Collection.sh

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1,5 +1,6 @@
11
#!/bin/sh
22
# Shortname: credentials_dumping_collection
3+
# Severity: High
34
# Description: Attempts to dump credentials from /etc/passwd to /tmp/passwords.
45

56
echo -e "\e[92mExecuting Collection via Automated Collection script. Trying to dump information from etc/passwd"

bin/Command_Control_via_Remote_Access-obfuscated.sh

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1,5 +1,6 @@
11
#!/bin/sh
22
# Shortname: reverse_shell-obfuscated
3+
# Severity: High
34
# Description: Attempts to connect to a remote IP address and will exit at
45
# fork. Falcon Prevent will kill the attempt. (obfuscated version)
56

bin/Command_Control_via_Remote_Access.sh

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1,5 +1,6 @@
11
#!/bin/sh
22
# Shortname: reverse_shell
3+
# Severity: High
34
# Description: Attempts to connect to a remote IP address and will exit at fork. Falcon Prevent will kill the attempt.
45

56
echo -e "\e[92mExecuting Command and Control via Remote Access Tools using Ruby script. This script will try to connect to 192.168.1.222 and will exit at fork. A Falcon Prevent action can kill the attempt"

bin/ContainerDrift_Via_File_Creation_and_Execution.sh

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1,5 +1,6 @@
11
#!/bin/sh
22
# Shortname: container_drift
3+
# Severity: Medium
34
# Description: Container Drift via file creation script. Creating a file and then executing it.
45

56
echo -e "\e[92mExecuting Container Drift via file creation script. Creating a file and then executing it."

bin/Credential_Access_via_Credential_Dumping.sh

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1,5 +1,6 @@
11
#!/bin/sh
22
# Shortname: credentials_dumping
3+
# Severity: High
34
# Description: Runs mimipenguin and tries to dump passwords from inside the container environment.
45

56
SCRIPT_DIR=$(cd "$(dirname "$0")" && pwd)

bin/Defense_Evasion_via_Rootkit.sh

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1,5 +1,6 @@
11
#!/bin/sh
22
# Shortname: rootkit
3+
# Severity: Critical
34
# Description: This script will change the group owner of /etc/ld.so.preload to 0, indicative of a Jynx Rootkit.
45

56
echo -e "\e[92mExecuting Defense Evasion via Rootkit. This script will change the group owner to '0' of /etc/ld.so.preload indicative for a Jynx Rootkit"

bin/Execution_via_Command-Line_Interface.sh

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1,5 +1,6 @@
11
#!/bin/sh
22
# Shortname: suspicious_commands
3+
# Severity: High
34
# Description: Emulate malicious activity related to suspicious CLI commands. Runs the command sh -c whoami '[S];pwd;echo [E]'.
45

56
echo -e "\e[92mExecuting Execution via Command-Line Interface. This script is causing malicious activity related suspicious CLI commands."

bin/Exfiltration_via_Exfiltration_Over_Alternative_Protocol.sh

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1,5 +1,6 @@
11
#!/bin/bash
22
# Shortname: data_exfiltration-alternate_protocol
3+
# Severity: High
34
# Description: Attempts to exfiltrate data using DNS dig requests that contain system data in the hostname.
45

56
echo -e "\e[92mExecuting Exfiltration Over Alternative Protocol using a DNS tool sending requests to large domain names. This will take a moment to execute..."

0 commit comments

Comments
 (0)