Detect Most Common Malicious Actions in the Linux Environment


Auditd, Linux’s access monitoring and accounting subsystem, is the log source for several of the rules below. Statistically, Linux is targeted less often than Windows, but these systems still need to be watched for security threats. This article walks through a few techniques for using a SIEM to monitor for malicious Linux behaviour.

TECHNIQUE 1: FILE OR FOLDER PERMISSIONS CHANGE

Changes to file or folder permissions can indicate that an attacker is trying to gain access to files or folders on the network. This query will need a whitelist of the users who are authorised to change these permissions.

Log Source = Linux

Service = auditd

Type of auditd = EXECVE

Detection method:

Create a rule whose query matches either ‘chmod’ or ‘chown’ in the EXECVE arguments.


TECHNIQUE 2: POTENTIALLY MALICIOUS SSHD ERRORS

Examine sshd error messages for indications of exploit attempts.

Log Source = Linux

Service = sshd

Detection method:

Create a SIEM rule by parsing out and indexing the message field of the sshd log and matching any of the values below:

'unexpected internal error'
'unknown or unsupported key type'
'invalid certificate signing key'
'invalid elliptic curve value'
'incorrect signature'
'error in libcrypto'
'unexpected bytes remain after decoding'
'fatal: buffer_get_string: bad string'
'Local: crc32 compensation attack'
'bad client public DH value'
'Corrupted MAC on input'

TECHNIQUE 3: POTENTIALLY MALICIOUS VSFTPD ERRORS

Errors logged by vsftpd can be a sign that an exploit is being attempted against it.

Log Source = Linux

Service = vsftpd

Detection method:

Create a SIEM rule which matches any of the below:

'Connection refused: too many sessions for this address.'
'Connection refused: tcp_wrappers denial.'
'Bad HTTP verb.'
'port and pasv both active'
'pasv and port both active'
'Transfer did (but failed to open directory).'
'Could not set file modification time.'
'bug: PID active in ptrace_sandbox_free'
'PTRACE_SETOPTIONS failure'
'weird status:'
"couldn't handle sandbox event"
'syscall * out of bounds'
'syscall not permitted:'
'syscall validate failed:'
'Input line too long.'
'poor buffer accounting in str_netfd_alloc'
'vsf_sysutil_read_loop'


TECHNIQUE 4: FAILED LOGINS ON A SINGLE SOURCE WITH MANY USERS

This can indicate a brute-force attempt in which an attacker tries many accounts from one source.

Log Source = Linux

Service = Auth Pam

Message = Authentication Failure

Detection method:

Create a rule that fires when several accounts fail to log in from the same source within a set time window; start with a threshold of 20 accounts within 10 minutes. Exclusions will need to be added for regularly used terminal servers, jump servers and workstations. Depending on your environment, you may need to raise the threshold.
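As an added example (not part of the article), the following Python implements the threshold logic above over constructed pam_unix failure lines: it tracks the distinct usernames seen per source address in a sliding 10-minute window, alerts once 20 accounts have failed, and suppresses an allowlisted jump host. The year, hostnames and addresses are assumptions, and lines are assumed to arrive in time order for each source.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# pam_unix failure line: "... authentication failure; logname= uid=0 ... rhost=<ip>  user=<name>"
PAM_RE = re.compile(r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ \S+: pam_unix\([^)]*\): '
                    r'authentication failure;.*\brhost=(?P<rhost>\S*).*\buser=(?P<user>\S+)')

WINDOW = timedelta(minutes=10)
THRESHOLD = 20
ALLOWLIST = {'198.51.100.10'}  # hypothetical jump server; put your own terminal/jump hosts here

def parse_ts(s, year=2024):
    """Syslog timestamps carry no year, so one is supplied (assumed constant across the data)."""
    return datetime.strptime(f'{year} {s}', '%Y %b %d %H:%M:%S')

def detect(lines, window=WINDOW, threshold=THRESHOLD, allowlist=ALLOWLIST):
    """Return {rhost: max distinct users seen inside one window} for sources over the threshold.
    Lines are assumed to be in time order for each source."""
    recent = defaultdict(deque)  # rhost -> deque of (timestamp, user), oldest first
    alerts = {}
    for line in lines:
        m = PAM_RE.search(line)
        if not m or not m['rhost'] or m['rhost'] in allowlist:
            continue
        ts, rhost = parse_ts(m['ts']), m['rhost']
        q = recent[rhost]
        q.append((ts, m['user']))
        while q and ts - q[0][0] > window:  # drop failures that fell out of the window
            q.popleft()
        distinct = {user for _, user in q}
        if len(distinct) >= threshold:
            alerts[rhost] = max(alerts.get(rhost, 0), len(distinct))
    return alerts

def make_line(ts, rhost, user):
    return (f'{ts:%b %d %H:%M:%S} web01 sshd[2301]: pam_unix(sshd:auth): authentication failure; '
            f'logname= uid=0 euid=0 tty=ssh ruser= rhost={rhost}  user={user}')

base = datetime(2024, 1, 17, 10, 0, 0)
SAMPLE_LINES = (  # constructed log lines, not from a real host
    # 25 different accounts from one source inside 5 minutes: should alert
    [make_line(base + timedelta(seconds=12 * i), '203.0.113.5', f'user{i:02d}') for i in range(25)]
    # the same 25 accounts from another source spread over 48 minutes: never 20 in any 10-minute window
    + [make_line(base + timedelta(minutes=2 * i), '203.0.113.9', f'user{i:02d}') for i in range(25)]
    # 30 accounts from the allowlisted jump host: suppressed
    + [make_line(base + timedelta(seconds=i), '198.51.100.10', f'svc{i:02d}') for i in range(30)]
)
```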

TECHNIQUE 5: OVERWRITING FILES WITH /DEV/ZERO OR /DEV/NULL

Many threat actors try to hide their activity once an attack is complete. One way is to overwrite or remove files, which causes a variety of problems. The rule below detects overwriting with dd from /dev/zero or /dev/null.

Log Source = Linux

Service = auditd

Type of auditd = EXECVE

Detection method:

Create a rule where the query matches ‘dd’ THEN matches ‘if=/dev/null’ OR ‘if=/dev/zero’.

TECHNIQUE 6: BUFFER OVERFLOW ATTEMPTS

Attackers may attempt buffer overflows against exposed services. This rule checks for four common indicators in the logs.

Log Source = Unix

Detection method:

Create a SIEM rule which matches any of the following:

'attempt to execute code on stack by'
'FTP LOGIN FROM .* 0bin0sh'
'rpc.statd[\d+]: gethostbyname error for'
'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'

TECHNIQUE 7: REMOVE IMMUTABLE FILE ATTRIBUTE

Attackers may also try to modify immutable files on a Linux system. Immutable files are created with the intention that they cannot be deleted or changed; however, the attribute itself can be removed. The rule that follows looks for that.

Log Source = Linux

Service = auditd

Type of auditd = EXECVE

Detection method:

Create a SIEM rule where the query matches ‘chattr’ THEN ‘-i’.

TECHNIQUE 8: SYSTEMD SERVICE RELOADED OR STARTED

This rule looks at when a service is started or reloaded. Whitelists for legitimate services will need to be established.

Log Source = Linux

Service = auditd

Type of auditd = EXECVE

Detection method:

Create a SIEM rule where the query matches ‘systemctl’ THEN matches ‘daemon-reload’ OR ‘start’.


TECHNIQUE 9: CLEARING COMMAND HISTORY

After completing an attack on a Linux system, attackers will attempt to delete the command history. We can look for the commands used to do this.

Log Source = Linux

Detection method:

Create a rule whose query matches any of the following:

rm *bash_history
echo "" > *bash_history
cat /dev/null > *bash_history
ln -sf /dev/null *bash_history
truncate -s0 *bash_history
export HISTFILESIZE=0
history -c
history -w
shred *bash_history
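The following Python, added here and not part of the article, turns the auditd-based rules of techniques 1, 5, 7, 8 and 9 into one checker: it reconstructs argv from EXECVE records (decoding the hex-encoded arguments auditd emits for values containing spaces or quotes) and maps each command to the technique it matches. The sample records are constructed, and the chattr check goes slightly beyond the article's exact ‘-i’ match by also catching combined flags such as -ia.

```python
import re

# Constructed EXECVE records (not from a real host); serial 105 has a hex-encoded argument (a path with a space).
SAMPLE_RECORDS = [
    'type=EXECVE msg=audit(1700000001.100:101): argc=3 a0="chmod" a1="u+s" a2="/tmp/x"',
    'type=EXECVE msg=audit(1700000002.200:102): argc=3 a0="dd" a1="if=/dev/zero" a2="of=/var/log/auth.log"',
    'type=EXECVE msg=audit(1700000003.300:103): argc=3 a0="chattr" a1="-ia" a2="/etc/passwd"',
    'type=EXECVE msg=audit(1700000004.400:104): argc=2 a0="systemctl" a1="daemon-reload"',
    'type=EXECVE msg=audit(1700000005.500:105): argc=3 a0="shred" a1="-u" a2=2F686F6D652F6120622F2E626173685F686973746F7279',
    'type=EXECVE msg=audit(1700000006.600:106): argc=2 a0="ls" a1="-la"',
]

HEADER_RE = re.compile(r'^type=EXECVE msg=audit\([\d.]+:(?P<serial>\d+)\): (?P<body>.*)$')
ARG_RE = re.compile(r'\ba(?P<idx>\d+)=(?:"(?P<quoted>[^"]*)"|(?P<hex>[0-9A-Fa-f]+))')

def parse_execve(record):
    """Return (serial, argv) for an EXECVE record, or None if the line is not one."""
    m = HEADER_RE.match(record)
    if not m:
        return None
    args = {}
    for a in ARG_RE.finditer(m.group('body')):
        if a.group('quoted') is not None:
            args[int(a.group('idx'))] = a.group('quoted')
        else:  # an unquoted value is the hex encoding of the raw argument bytes
            args[int(a.group('idx'))] = bytes.fromhex(a.group('hex')).decode('utf-8', 'replace')
    return int(m.group('serial')), [args[i] for i in sorted(args)]

def classify(argv):
    """Return the article's technique number that argv matches, or None."""
    cmd, rest = (argv[0].rsplit('/', 1)[-1], argv[1:]) if argv else ('', [])  # drop any leading path
    if cmd in ('chmod', 'chown'):
        return 1
    if cmd == 'dd' and any(a in ('if=/dev/null', 'if=/dev/zero') for a in rest):
        return 5
    if cmd == 'chattr' and any(a.startswith('-') and 'i' in a for a in rest):
        return 7  # also catches combined flags such as -ia
    if cmd == 'systemctl' and any(a in ('daemon-reload', 'start') for a in rest):
        return 8
    if cmd in ('rm', 'truncate', 'shred', 'ln') and any(a.endswith('bash_history') for a in rest):
        return 9  # builtins such as history -c never execve, so they leave no EXECVE record
    return None

def scan(records):  # -> [(serial, technique, argv)] for every record that matches a rule
    hits = []
    for parsed in filter(None, map(parse_execve, records)):
        tech = classify(parsed[1])
        if tech is not None:
            hits.append((parsed[0], tech, parsed[1]))
    return hits
```

Shell builtins (history -c, export HISTFILESIZE=0) and redirections (cat /dev/null > ~/.bash_history) are handled inside the shell and never produce an EXECVE record, so those entries in the list above need shell-level logging rather than auditd.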

Conclusion:

The above rules can be implemented if your environment has Linux servers or workstations and auditd logging is enabled.

Anusthika Jeyashankar
Ambitious Blue Teamer; Enthused Security Analyst
