The Splunk Threat Research Team added Linux Privilege Escalation and Linux Persistence Techniques analytic stories to help Security Operations Center (SOC) Analysts and Security Researchers detect adversaries or malware using these techniques within the Linux OS platform. In this blog article, we will do a deep dive on some popular techniques and detections for these two tactics. This article will be the deep dive part of our January 2022 release blog.
Persistence consists of different techniques for adversaries or malware authors to maintain their foothold and access on the targeted or compromised system during boot-up, restart of machine or even during credential change. Privilege Escalation is the tactic where adversaries attempt to gain elevated or higher-level privileges for their malicious code to take advantage of root or admin privileges. These techniques commonly overlap or partner with persistence techniques in elevated context.
The following analytics are designed for the Linux OS platform. We used sysmon linux as the main event logs collection for our detection development. We recommend you to read, install this tool as well as the splunk sysmon TA’s for this analytics.
Analytic stories are full security use cases supported by our threat research team’s pre-built detections and responses. Let’s discuss a high-level overview of this analytic story that introduced 32 new detections.
“At”, cron jobs also known as crontabs are a command-line utility on UNIX OS to schedule a job or task to run specific script or binary periodically, on fixed times or with intervals. This utility is commonly abused by adversaries to execute their malicious code periodically depending on its designed schedule.
If known cron jobs directories are writable, an attacker may drop a malicious script or binaries on those folders to automatically execute their code. This code will successfully execute with cron job privileges, allowing the attackers to escalate privileges.
Another technique is modifying normal cron job scripts by appending malicious script code within it to hide its track from detection and analysis. This can be done with simple echo and stdout pipe technique like in the code block below.
echo "/tmp/evil_cron.sh" >> /etc/cron.daily/logrotate echo "/tmp/evil_cron.sh" >> /etc/cron.hourly/logrotate echo "/tmp/evil_cron.sh" >> /etc/cron.monthly/logrotate echo "/tmp/evil_cron.sh" >> /etc/cron.weekly/logrotate
If an attacker already has reverse shell access, it can also modify these normal tasks by using editor or by using “crontab -e” command to add crontab entry in existing scheduled tasks.
counts |
Name |
Technique ID |
Tactic |
Description |
1 |
T1053.003 |
This analytic detects suspicious file creation (script/binary file) in known cron table directories for persistence or privilege escalation purposes. |
||
2 |
T1053.003 |
This analytic looks for suspicious file creation of /etc/at.allow or /etc/at.deny file. These 2 config files may restrict or allow the user to execute “at” utility tools for scheduling tasks.
|
||
3 |
T1053.001 |
This analytic identifies a suspicious process creation of “At” application. |
||
4 |
T1053.003 |
This analytic identifies a suspicious edit cron jobs using crontab “-e” parameter |
||
5 |
T1053.001 |
This analytic looks for suspicious command line that may use to append user entry to /etc/at.allow or /etc/at.deny |
||
6 |
Linux Possible Append Cronjob Entry on Existing Cronjob File |
T1053.003 |
This analytic looks for possible suspicious command lines that may be used to append a code to any existing crontab files for persistence or privilege escalation. |
|
7 |
T1053.003 |
This analytic looks for possible modification of cron jobs file using editor. |
Linux OS is known to have several directories designed to execute scripts, services or even binaries during boot or restart. And these directories are used by malicious actors to persist and to gain privileges to a target host.
One example is the /etc/init.d folder. This directory contains a bunch of start/stop scripts which are used to control the service daemon while the system is running or during boot. Malware or adversaries may drop malicious scripts in this folder for persistence.
Same thing in the /etc/profile.d folder that contains other scripts which are application-specific startup files, which are also executed at startup time by the shell.
counts |
Name |
Technique ID |
Tactic |
Description |
8 |
T1037.004 |
This analytic looks for suspicious file creation on init system directories for automatic execution of script or file upon boot up |
||
9 |
T1546.004 |
This analytic looks for suspicious file creation in /etc/profile.d directory to automatically execute scripts by shell upon boot up of a linux machine |
Services are applications that run in the background waiting to be used, or carrying out essential tasks. Some services daemon is placed in the /etc/init.d directory and some are in /etc/systemd folder. Like /etc/init.d and other start-up folders in linux OS this folder may give an opportunity for adversaries to gain privilege escalation or persistence.
For example, dropping a “.service” config file pointing to a malicious script or binary in “/etc/systemd” may create a service for its malicious code like the example below. This technique was also seen in a linux golang malware analyzed by intezer.
[Unit] Description=Hello World console application [Service] # systemd will run this executable to start the service ExecStart=/home/ubuntu/hello ExecReload=/home/ubuntu/hello ExecStop=/home/ubuntu/hello Restart=always RestartSec=5 [Install] WantedBy=multi-user.target
Screenshot below shows how the “.service” file was registered or activated as service after executing start service command.
Sometimes, an attacker may modify a writable .service file and do a restart/ re-enable command to that service or stop and start service command.
counts |
Name |
Technique ID |
Tactic |
Description |
10 |
T1053.006 |
This analytic looks for suspicious file creation in systemd timer directory in linux platform |
||
11 |
T1053.006 |
This analytic looks for restarted or re-enable services in linux platform |
||
12 |
T1053.006 |
This analytic looks for created or enable services in linux platform |
Adversaries may also add users to the compromised host to persist and to gain more privileged access. Below are code examples of common commands for adding users like john, atomic_ser2, atomicTest.
sudo useradd -ou 0 -g 0 john useradd atomic_ser2 sudo adduser atomicTest
counts |
Name |
Technique ID |
Tactic |
Description |
13 |
T1136.001 |
This analytic looks for commands to create user accounts on the linux platform. |
Like what we mentioned earlier, privilege escalation tactics consist of different techniques to gain higher-level permissions on a system or network. Attackers may abuse existing utility, misconfiguration or even vulnerabilities to elevate their access. In this section we will not include the exploit part, but we will tackle other techniques to perform this task.
Adversary can execute commands with set suid or setgid bits to run its code in different user’s context. In linux when these bits are set, applications can run elevated privileges contexts. “setcap” utility can set this bit like in the example below.
/usr/bin/setcap cap_net_raw+p /bin/ping
Or using “chmod” utility to set this bit.
chmod u+s /tmp/evilbin chmod g+s /tmp/evilbin
Adversaries can also change the ownership of the file using the “chown” utility or “sudo” or “sudo su” to gain escalated access.
Another common utility that might be abused for this technique is the “doas” utility tool. This tool is developed as a minimalistic alternative to sudo application which is known for elevating privileges. Attackers can create “/etc/doas.conf” that contains a list of allowed users to perform a task as root as the “doas” tool is executed. Below is the example configuration command in doas.conf.
permit nopass larry cmd reboot
And users can execute “doas” to run this configuration.
doas -C /etc/doas.conf
counts |
Name |
Technique ID |
Tactic |
Description |
14 |
T1222.002 |
This analytic looks for a command line that change the file owner to root using chown utility tool |
||
15 |
T1548.001 |
This analytic looks for suspicious chmod utility execution to enable SUID bit. |
||
16 |
T1548.001 |
This analytic looks for suspicious setcap utility execution to enable SUID bit. |
||
17 |
T1548.003 |
This analytic is to detect the creation of doas.conf file in linux host platform. |
||
18 |
T1548.003 |
This analytic is to detect the doas tool execution in linux host platform. |
||
19 |
T1548.003 |
This analytic is to detect the execution of sudo or su command in the linux operating system. |
||
20 |
T1548.001 |
This analytic is to look for possible elevation control access using a common known process in linux platform to change the attribute and file ownership. |
The same in Windows OS, Kernel module is a piece of compiled binary code that is inserted directly into the kernel or at ring 0. This ring is the lowest and has access to everything in the system. Sophisticated adversaries and malware use this technique to gain access to the whole system, to persist and to evade detections.
In Linux you can monitor suspicious kernel module file creation in a known driver folder (“*kernel/drivers/*”) like in the screenshot below.
Another is using “modprobe” or “insmod” to load or insert malicious rootkit or kernel modules into the kernel space. The code block shows how to use this utility tool.
sudo modprobe rootkit.ko
sudo insmod rootkit.ko
You can list all installed kernel drivers or modules within the system by using the “lsmod” utility tool. The screenshot below shows how to verify if the “rootkit” kernel module is inserted or installed in the linux machine.
counts |
Name |
Technique ID |
Tactic |
Description |
---|---|---|---|---|
21 |
T1547.006 |
This analytic looks for suspicious file creation in the kernel/driver directory in the linux platform. |
||
22 |
T1547.006 |
This analytic looks for inserting of linux kernel modules using the insmod utility function. |
||
23 |
T1547.006 |
This analytic looks for possible installing a linux kernel module using modprobe utility function |
Linux has an environment variable that can be used to hijack or hook C standard library functions. This technique was seen in several adversaries or malwares to execute their code. Example, a simple C binary file that checks if “test.txt” exists and if it is, it will print “fopen() succeeded” like in the screenshot below. Complete source code is here.
But by using the LD_PRELOAD environment variable and a “.so” module that will hook the “fopen” function in prog binary to always print “fails” even though the file “test.txt” exists.
myfopen.c module to always print fails during hook.
Result of LD_PRELOAD
counts |
Name |
Technique ID |
Tactic |
Description |
24 |
T1574.006 |
This analytic is to detect a suspicious command that may hijack a library function using the LD_PRELOAD environment variable in linux platform. |
Aside from known startup folders in the linux platform, there are also some known scripts that execute during the reboot of the linux machine. These scripts are also abused by adversaries or threat actors to gain persistence and/or privilege escalation to the targeted system.
One Example is by appending a malicious code on one of the profile script files ("*~/.bashrc", "*~/.bash_profile", "*/etc/profile", "~/.bash_login", "*~/.profile", "~/.bash_logout") to automatically execute it by shell upon reboot of the machine. The code block shows how simply one can append a code using “echo” command” and stdout pipe.
echo “/tmp/hello_evil” >> ~/.bashrc echo “/tmp/hello_evil” >> /etc/profile echo “/tmp/hello_evil” >> ~/.bash_profile
Append result to ~/.bashrc:
Another is by accessing or dumping known user credential or control files
To gain much control on the targeted host. Like by dumping “/etc/sudoers” file to another file that contains controls who can run a command, The “/etc/passwd” and “/etc/shadow” files that store user information and password hash. Code block below shows how an attacker with access to the file can dump it to another file for cracking.
sudo cat /etc/shadow > /tmp/shadow_copy sudo cat /etc/passwd > /tmp/passwd_copy sudo cat /etc/sudoers > /tmp/sudoers_copy
Or by modifying “/etc/sudoers” file using “visudo” or “echo” command to add a control entry to execute a command with root or no password instance. Below is an example code block for this attack.
Add entry to /etc/sudoers:
sudo echo "evil_user ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers
counts |
Name |
Technique ID |
Tactic |
Description |
25 |
T1546.004 |
This analytic looks for suspicious command lines that are possibly used to modify profile files to automatically execute scripts/files by shell upon boot of the machine. |
||
26 |
T1003.008 |
This analytic is to detect a possible attempt to dump or access the content of /etc/passwd and /etc/shadow to enable offline credential cracking. |
||
27 |
T1548.003 |
This analytic is to detect a possible access or modification of /etc/sudoers file. |
||
28 |
T1548.003 |
Persistence, Privilege Escalation |
This analytic is to look for suspicious command lines that may add entry to /etc/sudoers with NOPASSWD attribute in linux platform. |
|
29 |
T1548.003 |
Persistence, Privilege Escalation |
This analytic is to looks for file creation of sudoers.tmp file cause by editing /etc/sudoers using visudo or editor in linux platform. |
|
30 |
T1548.003 |
Persistence, Privilege Escalation |
This analytic is to looks for suspicious command-line that add entry to /etc/sudoers by using visudo utility tool in linux platform. |
Adversaries may modify the SSH authorized_keys file to maintain persistence on a victim host. Threat Actor might also modify or access “/etc/ssh/sshd_config” file to edit the system’s SSH directives PubkeyAuthentication and RSAAuthentication to specific IP address or user.
counts |
Name |
Technique ID |
Tactic |
Description |
31 |
T1098.004 |
Persistence, Privilege Escalation |
This analytic is to look for possible ssh key file creation on ~/.ssh/ folder. |
|
32 |
T1098.004 |
Persistence, Privilege Escalation |
This analytic is to look for suspicious process command-line that might be accessing or modifying sshd_config. |
You can find the latest content about security analytic stories on GitHub and in Splunkbase. Splunk Security Essentials also has all these detections now available via push update. In the upcoming weeks, the Splunk Threat Research team will be releasing a more detailed blog post on this analytic story. Stay tuned!
For a full list of security content, check out the release notes on Splunk Docs.
Any feedback or requests? Feel free to put in an issue on Github and we’ll follow up. Alternatively, join us on the Slack channel #security-research. Follow these instructions If you need an invitation to our Splunk user groups on Slack.
Credit to author Teoderick Contreras and collaborators Bhavin Patel, Michael Haag, Jose Hernandez, Eric McGinnis, and Rod Soto.
The Splunk platform removes the barriers between data and action, empowering observability, IT and security teams to ensure their organizations are secure, resilient and innovative.
Founded in 2003, Splunk is a global company — with over 7,500 employees, Splunkers have received over 1,020 patents to date and availability in 21 regions around the world — and offers an open, extensible data platform that supports shared data across any environment so that all teams in an organization can get end-to-end visibility, with context, for every interaction and business process. Build a strong data foundation with Splunk.