Linux Threat Hunting — Know your Penguins

The attacks on the Linux system are common since decades, but how common are Linux logs collected and processed for better detections?

Penguin awareness :)

This blog highlights how open source platform can be leveraged in detecting simple to sophisticated attacks with bunch of rules and configurations on the endpoint.

How interesting it is to say, when Linux logs also can be collected and analyzed similar to Windows-Sysmon logs? Yes! this can be achieved with the secret sauce — Auditbeat.

Let us see below how the collected logs can be utilized to analyze MITRE-mapped attacks.

The tools used are -

1. Elastic Stack

2. Auditbeat

3. Atomic Red Team (ART)

The key tool here is the usage of Auditbeat on the endpoint for qualitative log collections.

Auditbeat is powerful log shipper component of Beats Family which is ideal to collect Linux audit framework data and monitor file integrity on the hosts.

Auditbeat comes with 3 types of modules –

  1. Auditd — This module establishes a subscription to the kernel to receive the events as they occur. To capture these events, the specific rules can be written based on the requirements. Well-extracted rulesets can be referred from here [ Florian Roth’s rules :) ]
  2. File Integrity — It checks integrity of the file systems.
  3. System — This module is specific for collecting the 5 types of data sets i.e., host, login, process, socket, user. The detailed information can be read here.


Technique #1: Execution — Command and Scripting Interpreter - Python: T1059.006

To detect the command line activity, infamous lazagne toolkit has been simulated to dump password from memory, browsers, wifi etc., APT 33, APT34, Leafminer had used these credential dumpers in the past.

lazagne executed on endpoint for password dumping
python utility is used to dump password from memory

Technique #2: PersistenceCreate or Modify System Process: Systemd Service: T1543.002

Systemd is software belongs to “init” systems which is used to manage services/resources in the background and make sure services are up when the system boots up. Adversaries take advantage of this utility to gain system level persistence.

systemctl utility is used to “initialize” auditbeat service

Technique #3: PersistenceScheduled Task/Job: Cron: T1053.003

Cron is built-in utilty used for scheduling the scripts or services to run on regular intervals. Adversaries take advantage of this utility to gain system level persistence.

nano editor is used to create cron jobs

Technique #4: Privilege EscalationAbuse Elevation Control Mechanism: Setuid and Setgid: T1548.001

setuid and setgid are the two flags which is related to access rights in Linux Systems. These flags allow users to run an executable with the file system permission of the executable’s owner or group respectively. Chmod utlity can be used to set the flags for specific files.

chmod utility is used to set those two flags

Technique #5: Defense Evasion Hide Artifacts: Hidden Files and Directories: T1564.001

In the Unix/Linux systems, files/folders can be hidden using “.” prefix. Actually, this is intended to avoid users accidentally modifying the files. To view these hidden files “ls -a” can be used to reveal the hidden files. APTs are fond of using these tricks as defensive mechanism.

mkdir utility is used to create hidden directories

Technique #6: Defense EvasionIndicator Removal on Host: Timestomp: T1070.006

Timestomping is a technique that modifies the timestamps of a file (Modify, Access, Create, Change — MACB) results in mimicking the time attributes.

touch utility is used for timestomping

These are the sample detections to reveal how auditbeat can be brought into play in threat hunting activities. Likewise, many use cases can be created and detected by referring to the MITRE Framework.




Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store