Full Report
Context, context, context; Alright, imagine this – you’re on an engagement, find a few vulnerabilities, run a few exploits and next thing you know you have Remote Code Execution (RCE).
Analysis Summary
# Tool/Technique: shellnot
## Overview
`shellnot` is a custom-developed, primitive C-based utility designed to establish a pseudo-interactive shell session in environments where an attacker has achieved Remote Code Execution (RCE) but lacks traditional outbound network egress (i.e., no standard TCP/IP connection for a conventional shell). It achieves persistence and interaction by utilizing a Unix domain socket for command input and output.
## Technical Details
- Type: Tool
- Platform: Unix-like systems (implied by use of `forkpty`, `nohup`, Unix domain sockets)
- Capabilities: Creates a daemon that manages persistent pseudo-terminal sessions via a Unix socket, allowing interactive command execution despite network restrictions.
- First Seen: Context implies recent development by the author/article writer.
## MITRE ATT&CK Mapping
Based on the functionality (gaining an interactive shell/persistence when egress is blocked):
- **TA0008 - Lateral Movement**
- T1090 - Proxy
- T1090.003 - Named Pipe Proxy (Analogous use of non-standard communication channel)
- **TA0007 - Discovery**
- T1082 - System Information Discovery (Interaction allows running discovery commands like `id`)
- **TA0003 - Persistence**
- T1543.003 - Create or Modify System Process: Cron Job (Mentioned as an option for persistence alongside `nohup`)
## Functionality
### Core Capabilities
- **Pseudo-Interactive Shell:** Maintains a persistent shell session using `forkpty()`, creating a new process operating within a pseudo-terminal.
- **File-Based Communication:** Communicates input and output entirely through a specified Unix domain socket, bypassing egress restrictions.
- **Session Management:** Stores active sessions in a static array and manages interaction using session IDs.
- **Command Execution:** Takes input via command-line arguments (`--input`) and retrieves buffered output from the shell session (`--output`).
### Advanced Features
- **Evasion of Egress Filtering:** The fundamental "advanced feature" is its ability to establish interactivity in environments explicitly blocking common outbound TCP/UDP connections, relying solely on local inter-process communication (IPC) via Unix sockets.
- **File Staging:** The setup process involves staging a Base64 encoded file contents onto the remote system via chained `echo` commands and then decoding them (`base64 -d`) to reconstruct the C source code (`shellnot.c`).
## Indicators of Compromise
- File Hashes: [Not provided in context]
- File Names: `shellnot.c`, `shellnot` (compiled binary)
- Registry Keys: [N/A - Linux/Unix focus]
- Network Indicators:
- Unix Socket Path: `/tmp/koreanfont.sock`
- Behavioral Indicators:
- Execution of the binary with the `--daemon` flag, often coupled with `nohup` or backgrounded (`&`) to maintain the shell process.
- System processes running `./shellnot --daemon` visible via `ps aux`.
- Use of `forkpty()` to create a pseudo-terminal session.
## Associated Threat Actors
- [Implied use by penetration testers or actors operating in highly restricted egress environments. The tool is published publicly on GitHub.]
- Associated with the tool's original author/publisher: SensePost (via the provided GitHub link: `https://github.com/sensepost/shellnot`)
## Detection Methods
- Signature-based detection: [Not specified, likely requires detection based on the binary's compiled hash or string signatures within the executable.]
- Behavioral detection: Monitoring for processes utilizing `forkpty()` followed by file-based I/O operations on specific Unix socket locations (e.g., `/tmp/koreanfont.sock`).
- YARA rules: [Not provided in context]
## Mitigation Strategies
- Prevention measures: Restricting privileges such that an attacker cannot write or compile code in temporary directories (`/tmp`). If RCE is achieved, mitigating the ability to execute `gcc` or stage files.
- Hardening recommendations: Implementing strong egress filtering rules. While `shellnot` bypasses standard TCP/UDP egress filtering, network segmentation and strict firewall policies reduce the likelihood of critical systems being exploitable in the first place.
## Related Tools/Techniques
- dnscat2 (Mentioned as inspiration for C2 capability when traditional egress is blocked, relying on DNS tunneling instead of local IPC).
- Standard reverse shells (`sh -i >& /dev/tcp/...`)