Description
Previously, when the sandcat agent detected that a link command had timed out, the only output the agent provided was a message indicating that it had terminated the process (or failed to terminate the process). This would leave operators in the dark as to what exactly the command accomplished prior to timing out. By providing stdout and stderr output for the timed-out process, operators will have more insight into why the process took longer than expected, as well as what the process was able to perform. Note that this only applies to shell executors, such as psh, sh, and cmd. Executors such as donut and proc remain unaffected by these changes.
Type of change
[-] New feature (non-breaking change which adds functionality)
How Has This Been Tested?
To test timed-out process output, I used the following basic shell script:
I then created a testing ability and used two different timeout values (10 seconds and 20 seconds) to test different amounts of output. The 10-second timeout should only see one line of output for stdout and stderr, whereas the 20-second timeout should see both lines of output for each. The testing ability yaml is as follows:
---
- id: 371ec8a2-7298-4ee1-a7b3-73622f2a789d
  name: Test Output with Timeout
  description: Test getting cmd output with timed out link
  tactic: execution
  technique:
    attack_id: T1059.004
    name: "Command and Scripting Interpreter: Unix Shell"
  platforms:
    darwin:
      sh:
        command: |
          ./testtimeout.sh
        timeout: 20
        payloads:
          - testtimeout.sh
I ran the ability on an agent and verified that the link timed out as expected, and that we received expected output for various timeout durations.
To test instances where the agent fails to kill the timed-out process, I changed the ability command to run the shell script under sudo, and made sure that the agent was under a non-elevated context for a user that could run sudo commands without a password. This allows the agent to spawn an elevated process but attempt to terminate it as a non-elevated user, thus causing the process termination attempt to fail. We still get the stdout and stderr output, along with the appropriate message notifying the operator that the agent could not terminate the process.
Checklist:
[x] My code follows the style guidelines of this project
[x] I have performed a self-review of my own code
[ ] I have made corresponding changes to the documentation
[ ] I have added tests that prove my fix is effective or that my feature works
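The behaviour this PR describes, capturing the stdout and stderr a shell command produced before its timeout and reporting whether the kill attempt succeeded, as an added Go example (sandcat's language) that is not code from the PR or from Caldera. `RunWithTimeout`, `LinkResult`, the `sh -c` invocation and the 500 ms drain window are my own assumptions, not the agent's implementation.

```go
package main

import (
	"bytes"
	"errors"
	"io"
	"os/exec"
	"sync"
	"time"
)

// LinkResult is what the operator gets back: Stdout/Stderr are filled even on timeout.
type LinkResult struct {
	Stdout, Stderr, KillError string // KillError is set when the kill failed, e.g. an elevated child
	TimedOut                  bool
}

// lockedBuf lets output be snapshotted while a goroutine is still draining the pipe.
// (buf is a named field so io.Copy cannot bypass Write via a promoted ReadFrom.)
type lockedBuf struct {
	sync.Mutex
	buf bytes.Buffer
}

func (l *lockedBuf) Write(p []byte) (int, error) { l.Lock(); defer l.Unlock(); return l.buf.Write(p) }
func (l *lockedBuf) String() string              { l.Lock(); defer l.Unlock(); return l.buf.String() }

// RunWithTimeout runs command under `sh -c`; on timeout it kills the shell but still returns the output captured so far.
func RunWithTimeout(command string, timeout time.Duration) (LinkResult, error) {
	cmd := exec.Command("sh", "-c", command)
	stdoutPipe, errO := cmd.StdoutPipe()
	stderrPipe, errE := cmd.StderrPipe()
	if err := errors.Join(errO, errE, cmd.Start()); err != nil {
		return LinkResult{}, err
	}
	var out, errOut lockedBuf
	errDrained := make(chan struct{})
	go func() { io.Copy(&errOut, stderrPipe); close(errDrained) }()
	done := make(chan error, 1) // both pipes must be drained before Wait, which closes them
	go func() { io.Copy(&out, stdoutPipe); <-errDrained; done <- cmd.Wait() }()
	var res LinkResult
	select {
	case <-done:
	case <-time.After(timeout):
		res.TimedOut = true
		if err := cmd.Process.Kill(); err != nil { // EPERM when the child runs elevated (the sudo test)
			res.KillError = err.Error()
		}
		select { // an orphaned grandchild (e.g. sleep) may keep the pipes open; bound the drain
		case <-done:
		case <-time.After(500 * time.Millisecond):
		}
	}
	res.Stdout, res.Stderr = out.String(), errOut.String()
	return res, nil
}
```

Running a constructed stand-in for the PR's script, such as `echo out1; echo err1 >&2; sleep 2; echo out2; echo err2 >&2`, with a 1-second timeout returns only the first line on each stream with TimedOut set, while a longer timeout returns both lines and TimedOut unset.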