Linux Threat Hunting — Know your Penguins
The attacks on the Linux system are common since decades, but how common are Linux logs collected and processed for better detections?
This blog highlights how open source platform can be leveraged in detecting simple to sophisticated attacks with bunch of rules and configurations on the endpoint.
How interesting it is to say, when Linux logs also can be collected and analyzed similar to Windows-Sysmon logs? Yes! this can be achieved with the secret sauce — Auditbeat.
Let us see below how the collected logs can be utilized to analyze MITRE-mapped attacks.
ART has become already perfect choice to accomplish Emulations which I have demonstrated in my previous blog for Windows machines. In this, Linux system was used to uplift the detection range using Beats module.
The tools used are -
1. Elastic Stack
2. Auditbeat
3. Atomic Red Team (ART)
The key tool here is the usage of Auditbeat on the endpoint for qualitative log collections.
Auditbeat is powerful log shipper component of Beats Family which is ideal to collect Linux audit framework data and monitor file integrity on the hosts.
Auditbeat comes with 3 types of modules –
- Auditd — This module establishes a subscription to the kernel to receive the events as they occur. To capture these events, the specific rules can be written based on the requirements. Well-extracted rulesets can be referred from here [ Florian Roth’s rules :) ]
- File Integrity — It checks integrity of the file systems.
- System — This module is specific for collecting the 5 types of data sets i.e., host, login, process, socket, user. The detailed information can be read here.
Demonstration:
Technique #1: Execution — Command and Scripting Interpreter - Python: T1059.006
To detect the command line activity, infamous lazagne toolkit has been simulated to dump password from memory, browsers, wifi etc., APT 33, APT34, Leafminer had used these credential dumpers in the past.
Technique #2: Persistence — Create or Modify System Process: Systemd Service: T1543.002
Systemd is software belongs to “init” systems which is used to manage services/resources in the background and make sure services are up when the system boots up. Adversaries take advantage of this utility to gain system level persistence.
Technique #3: Persistence — Scheduled Task/Job: Cron: T1053.003
Cron is built-in utilty used for scheduling the scripts or services to run on regular intervals. Adversaries take advantage of this utility to gain system level persistence.
Technique #4: Privilege Escalation — Abuse Elevation Control Mechanism: Setuid and Setgid: T1548.001
setuid and setgid are the two flags which is related to access rights in Linux Systems. These flags allow users to run an executable with the file system permission of the executable’s owner or group respectively. Chmod utlity can be used to set the flags for specific files.
Technique #5: Defense Evasion — Hide Artifacts: Hidden Files and Directories: T1564.001
In the Unix/Linux systems, files/folders can be hidden using “.” prefix. Actually, this is intended to avoid users accidentally modifying the files. To view these hidden files “ls -a” can be used to reveal the hidden files. APTs are fond of using these tricks as defensive mechanism.
Technique #6: Defense Evasion — Indicator Removal on Host: Timestomp: T1070.006
Timestomping is a technique that modifies the timestamps of a file (Modify, Access, Create, Change — MACB) results in mimicking the time attributes.
These are the sample detections to reveal how auditbeat can be brought into play in threat hunting activities. Likewise, many use cases can be created and detected by referring to the MITRE Framework.
References: