Threat Hunting and Mitigation in *Nix/macOS Environments. (Please comment and tell me what I'm missing. This is initial work)

Written below are the beginnings of my research into hunting in the Linux environment. This is very high level for the time being and I have not yet gone into specifics as far as behavioral analytics and detections of certain families of malware. Working on it.


Linux/macOS hunting operations. Focusing on suspicious activity tied to the MITRE ATT&CK Framework allows researchers to simulate techniques and search for compromise based on activity observed in a controlled environment. Another technique attackers use is deploying Root Kits on victim machines providing access at either the kernel or user level to continue operations. In August of 2020 an advisory regarding the Drovorub RootKit was issued. This rootkit runs kernel modules allowing full access to the system, installing a file transfer and port forwarding tool. It specifically takes advantage of systems that have yet to update to more current Linux kernel software. There are other readily available rootkits such as Puzek and Reptile which provide interactive control using function hooking and syscall hooking.

  • Command Line: o sc!\^2a o *cs02 o `*/proc/net/tcp , */proc/net/udp , */proc/net/udp6
  • Syslog Entries o mod_security: Access denied
    o ModSecurity: Access denied
    o mod_security-message: Access denied

Recent vulnerabilities within Linux including Kernel 4.18.0-240.el8 and previous versions dating back to 2006 that allow for post-exploitation root access. These vulnerabilities were shown to be easily exploited in the current Red Hat Linux distributions and other platforms that utilize RHEL structure. Debian-based systems are vulnerable as well utilizing a different set of command-line arguments in the POC provided. The SCSI subsystem and the RDMA/RDMA-Core package use as a dependency is the focus of these CVE’s and is present on RHEL, CentOS, and Fedora distributions. They are also commonly installed on Ubuntu and Debian systems as a dependency.

While kernel exploits vary and do not necessarily indicate a need for immediate response, CVE- 2021-27363 , CVE-2021-27364, and CVE-2021-27365 may be utilized as part of post-exploitation to assist threat actors in movement through the killchain.

  • CVE-2021-27363 - Access Denial and Information Disclosure
    o RHEL 7 and 8 and all previous versions running the package Kernel or Kernel-rt.
    • :black_small_square: show_transport_handle() in drivers/scsi/scsi_transport_iscsi.c
    • :black_small_square: LIBISCSI kernel module loads couple with system restart within focused timeframe. If not required by default this may indicate malicious behavior
  • CVE-2021-27364 - Out-of-Bounds Read
    o RHEL 6, 7, 8 and all previous versions running the package Kernel, Kernel-rt, or Kernel-alt
    :black_small_square: show_transport_handle() in drivers/scsi/scsi_transport_iscsi.c :black_small_square: Specific user netlink message.
  • CVE-2021-27365 - Heap Buffer Overflow
    o RHEL 6, 7, 8 and all previous versions tunning the package Kernel, Kernel-rt, or Kernel-alt
    :black_small_square: Specific user netlink to iSCSI, kstrdup/sprintf pattern.

GTFOBins is a well-known resource for defenders similar to Windows LOLBAS identify processes and command-line arguments with the potential for malicious use hidden behind normal activity. Queries for Linux machines are crafted to identify baseline and anomalous behavior on these clusters. Rootkits are another tool employed by adversaries accomplishing goals like dropping payloads, establishing C2 communications, and/or acting as a proxy for botnets. In particular, I’ve focused one of the more recent rootkits distributed called Drovorub. Among the capabilities above it employs embedded file transfer for exfiltration and operations. An open avenue of approach for any rootkit takes advantage of outdated an outdated kernel and modules.

**Carbon Black Response
cmdline:history or cmdline:‘rm ~/.bash_history’ or cmdline:‘echo " " > ~/.bash_history’ or cmdline:"cat /dev/null > ~/.bash_history’ or cmdline:‘ln -sf /dev/null ~/.bash_history’ or cmdline:‘truncate -s0 ~/.bash_history’ or cmdline:‘unset HISTFILE’ or cmdline:‘export HISTFILESIZE=0’ or cmdline:‘history -c’

**Chronicle YARA-L 2.0

Usage of SU or SUDO

rule usage_of_sudo_or_su {
meta: 
description = "Looks for usage of sudo or su command"
author = "@is_henderson"
date = "2021-02-15"
reference = "reference"

events: 
(
$e1.metadata.event_type = "PROCESS_LAUNCH" and
(
re.regex($e1.principal.process.command_line, `.*sudo\s`) nocase or
re.regex($e1.principal.process.command_line, `.*su\s`) nocase
)
)

condition:
$e1
}

Usage of Package Manager

While usage is not inherently malicious, actors may use the package manager to install various tools needed during the campaign.

rule usage_of_yum_rpm {
meta:
author = "@is_henderson"
description = "Rule to detect package installation" 
date = "2021-02-15"

events:
(
$e1.metadata.event_type = "PROCESS_LAUNCH" and
(
re.regex($e1.principal.process.command_line, `.*sudo yum install\s.*`) nocase or
re.regex($e1.principal.process.command_line, `.*su bash yum install\s.*`) nocase or
re.regex($e1.principal.process.command_line, `.*sudo rpm install\s.*`) nocase or
re.regex($e1.principal.process.command_line, `.*su bash rpm install\s.*`) nocase
)
)
condition:
$e1
}
3 Likes