[New tool: immutable.py](/forums/diary/New+tool+immutablepy/31598/)
===================================================================

**Published**: 2025-01-18. **Last Updated**: 2025-01-18 04:51:13 UTC **by** [Tools](/handler_list.html#tools) (Version: 1) [0 comment(s)](/diary/New+tool+immutablepy/31598/#comments)

When performing triage on a Linux system you suspect might be compromised, there are many aspects of the system that you may want to look at. In [SANS FOR577](https://www.sans.org/cyber-security-courses/linux-threat-hunting-incident-response/), we talk about some existing tools and even writing your own bash script to collect triage data. In a case I worked a year or so ago, the attacker installed an LD_PRELOAD rootkit, which was itself pretty interesting, but one aspect that was a little unusual in this case was that they also set the immutable bit on /etc/ld.so.preload. I've used the find command to find suid and sgid binaries and scripts, but it is a bit more of a pain to find files with the immutable bit. So, I wrote a Python [script](https://raw.githubusercontent.com/clausing/scripts/refs/heads/master/immutable.py) that takes one or more file or directory names and returns the names of any that have the immutable bit set. You can also add a switch to search recursively and another to return the full path rather than a relative one (the default).
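The check the script performs is the same one `lsattr` does: read the inode attribute flags through the `FS_IOC_GETFLAGS` ioctl and test the immutable bit. The following is an added example written for this diary, not Jim Clausing's immutable.py from the repo linked above; it assumes 64-bit Linux (the ioctl number `0x80086601` encodes an 8-byte `long`), takes the flag constants from `<linux/fs.h>`, and returns `None` rather than failing when a filesystem does not support the ioctl, so a recursive sweep over a mixed system keeps going.

```python
"""List files carrying the immutable attribute (chattr +i) without shelling out.

Added example for triage use; it is not the immutable.py from the diary's repo.
Assumes 64-bit Linux. Constants are the ones defined in <linux/fs.h>.
"""
import argparse
import fcntl
import os
import struct
import tempfile
from typing import Iterable, List, Optional

# FS_IOC_GETFLAGS is _IOR('f', 1, long); with an 8-byte long that is 0x80086601.
FS_IOC_GETFLAGS = 0x80086601
FS_IMMUTABLE_FL = 0x00000010   # chattr +i
FS_APPEND_FL = 0x00000020      # chattr +a, also worth a look during triage


def is_immutable(flags: int) -> bool:
    """Decode an inode flag word; True when the immutable bit is set."""
    return bool(flags & FS_IMMUTABLE_FL)


def get_attr_flags(path: str) -> Optional[int]:
    """Return the inode attribute flags for path.

    Returns None when the path cannot be opened (missing, no permission,
    a symlink, since O_NOFOLLOW refuses it) or when the filesystem does not
    implement FS_IOC_GETFLAGS (e.g. some pseudo-filesystems).
    """
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NONBLOCK | os.O_NOFOLLOW)
    except OSError:
        return None
    try:
        buf = bytearray(8)                 # kernel writes a C long here
        fcntl.ioctl(fd, FS_IOC_GETFLAGS, buf)
        return struct.unpack("l", buf)[0]
    except OSError:
        return None
    finally:
        os.close(fd)


def find_immutable(paths: Iterable[str], recursive: bool = False,
                   full_path: bool = False) -> List[str]:
    """Return those of paths (and, if recursive, everything beneath any
    directories among them) whose immutable bit is set."""
    hits: List[str] = []

    def check(p: str) -> None:
        flags = get_attr_flags(p)
        if flags is not None and is_immutable(flags):
            hits.append(os.path.abspath(p) if full_path else p)

    for top in paths:
        check(top)
        if recursive and os.path.isdir(top) and not os.path.islink(top):
            for root, dirs, files in os.walk(top):
                for name in dirs + files:   # subdirectories are inodes too
                    check(os.path.join(root, name))
    return hits


def demo_on_tempdir() -> List[str]:
    """Constructed sample input: a fresh temp dir holding one ordinary file.
    Nothing in it is immutable, so the sweep should come back empty."""
    d = tempfile.mkdtemp(prefix="immutable-demo-")
    with open(os.path.join(d, "plain.txt"), "w") as fh:
        fh.write("ordinary file\n")
    return find_immutable([d], recursive=True, full_path=True)


if __name__ == "__main__":
    ap = argparse.ArgumentParser(description="list files with the immutable bit set")
    ap.add_argument("paths", nargs="+", help="files or directories to check")
    ap.add_argument("-r", "--recursive", action="store_true")
    ap.add_argument("-f", "--full-path", action="store_true",
                    help="print absolute paths instead of the names given")
    args = ap.parse_args()
    for hit in find_immutable(args.paths, args.recursive, args.full_path):
        print(hit)
```

On a live system, `python3 immutable_check.py -r /etc` is the kind of sweep that would have surfaced the /etc/ld.so.preload case in the diary; cross-check any hit with `lsattr -d <path>`, since the two read the same flag word. Directories and append-only files show up in the same flag word, so extending the decode to `FS_APPEND_FL` is a one-line change if you also want `chattr +a` hits.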
I figured I can't be the only person who ever needed a tool like this, so I've added it to my [GitHub script repo](https://github.com/clausing/scripts).

![](https://isc.sans.edu/diaryimages/images/2025-01-17%2023_34_20-leibnitz-ovpn%20-%20SecureCRT.png)

![](https://isc.sans.edu/diaryimages/images/2025-01-17%2023_33_08-leibnitz-ovpn%20-%20SecureCRT.png)

As with all of my tools/scripts, if you have questions or suggestions you can e-mail me at my address below or on the handlers list.

Jim Clausing, GIAC GSE #26
jclausing –at– isc -[dot-] sans (dot) edu

Keywords: [linux](/tag.html?tag=linux) [python](/tag.html?tag=python) [tools](/tag.html?tag=tools)
Related Tags:
Blog: SANS Internet Storm Center
File and Directory Discovery
System Information Discovery
Rootkit
Associated Indicators:
https://raw.githubusercontent.com/clausing/scripts/refs/heads/master/immutable.py