|

VulnApp

Welcome to vulnerable.example.com

This web application runs on a Kubernetes cluster utilizing CrowdStrke's Falcon sensor running via DaemonSet or as a Sidecar.

The web application will allow you to execute various exploitation techniques as if it was an attacker exploiting the application. The Falcon sensor will recognize this malicious behavior and report it back to the Falcon Console.

You can view output of ps command to see view process running within the same pod as this application.

Detections

• /ps - ps aux
• /rootkit - This script will change the group owner of /etc/ld.so.preload to 0, indicative of a Jynx Rootkit.
• /masquerading - Creates a copy of /usr/bin/whoami to whoami.rtf and executes it, causing a contradicting file extension.
• /data_exfiltration - Attempts to exfiltrate data using DNS dig requests that contain system data in the hostname.
• /reverse_shell_trojan - ./bin/Reverse_Shell_Trojan.sh
• /deploy_malware - ./bin/evil/Linux_Malware_High
• /reverse_shell - Attempts to connect to a remote IP address and will exit at fork. Falcon Prevent will kill the attempt.
• /reverse_shell-obfuscated - Attempts to connect to a remote IP address and will exit at fork. Falcon Prevent will kill the attempt. (obfuscated version)
• /credentials_dumping - Runs mimipenguin and tries to dump passwords from inside the container environment.
• /credentials_dumping_collection - Attempts to dump credentials from /etc/passwd to /tmp/passwords.
• /suspicious_commands - Emulate malicious activity related to suspicious CLI commands. Runs the command sh -c whoami '[S];pwd;echo [E]'.
• /container_drift - Container Drift via file creation script. Creating a file and then executing it.