In this January 2022 release, the Splunk Threat Research Team (STRT) focused on the recently released Sysmon for Linux add-on for Splunk. This add-on opens new ways of monitoring Linux systems, building detections for them, and defending them against threats. Linux is the most widely used operating system in the world, running approximately 67% of the internet, and the visibility Sysmon for Linux gives into Linux exploitation offers blue teamers new opportunities to strengthen their defenses.
This January release contains 32 new detections across two analytic stories: Linux Privilege Escalation and Linux Persistence Techniques.
Analytic stories are security use cases backed by our threat research team's pre-built detections and responses. The analytic stories in this release focus on monitoring and investigating activity related to Linux privilege escalation: unusual processes on endpoints, scheduled tasks, services, setuid binaries, execution as root, and more. Privilege escalation is a common post-exploitation step in which an attacker who landed on a host as an unprivileged user gains root in order to complete entrenchment on that host.
Attackers also need to keep their access to a compromised system, which is where persistence techniques come in. Several of the new detections address those post-exploitation vectors.
Linux Privilege Escalation & Linux Persistence Techniques

| Name | Tactic | Description |
|---|---|---|
| | | Looks for suspicious file creation in init system directories, where a dropped script or binary is executed automatically at boot. |
| | | Looks for suspicious file creation in /etc/profile.d, which login shells source, so a dropped script runs at every login. |
| | | Looks for suspicious file creation in the systemd timer directories, where a unit can schedule a payload to run on a timer. |
| | | Looks for services being restarted or re-enabled. |
| | | Looks for services being created or enabled. |
| | | Looks for commands that create user accounts. |
| | | Looks for a command line that changes a file's owner to root with the chown utility. |
| | | Looks for suspicious chmod execution that sets the SUID bit. |
| | | Looks for suspicious setcap execution that grants a binary file capabilities (such as cap_setuid) equivalent to a SUID bit. |
| | | Detects the creation of a doas.conf file. |
| | | Detects execution of the doas tool. |
| | | Detects execution of sudo or su. |
| Linux Common Process For Elevation Control | | Looks for possible elevation-control abuse through common, well-known Linux processes that change file attributes or ownership. |
| | | Looks for suspicious file creation in the kernel/driver directory. |
| | | Looks for kernel modules being inserted with the insmod utility. |
| | | Looks for kernel modules being installed with the modprobe utility. |
| | | Detects a suspicious command that may hijack library calls through the LD_PRELOAD environment variable. |
| | | Looks for suspicious command lines that append to shell profile files so that scripts or binaries execute automatically whenever a user starts a shell. |
| Linux Possible Access To Credential Files | | Detects a possible attempt to dump or read /etc/passwd and /etc/shadow to enable offline credential cracking. /etc/passwd stores user account information; /etc/shadow contains the password hashes. |
| | | Detects possible access to or modification of /etc/sudoers. |
| | Persistence, Privilege Escalation | Looks for suspicious command lines that may add an entry with the NOPASSWD attribute to /etc/sudoers. |
| | Persistence, Privilege Escalation | Looks for creation of a sudoers.tmp file, which visudo (or an editor invoked through it) writes while /etc/sudoers is being edited. |
| | Persistence, Privilege Escalation | Looks for a suspicious command line that adds an entry to /etc/sudoers with the visudo utility. |
| Linux Possible Ssh Key File Creation | Persistence, Privilege Escalation | Looks for possible SSH key file creation in a ~/.ssh/ directory. |
| | Persistence, Privilege Escalation | Looks for a suspicious process command line that may access or modify sshd_config. |
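The following Python is an added example, not Splunk's SPL or any code from this release. It applies a subset of the detections in the table above to Sysmon for Linux events that have already been parsed into dicts keyed by the Sysmon field names (EventID, User, Image, CommandLine, TargetFilename). It assumes, as in Sysmon, that Event ID 1 is ProcessCreate and Event ID 11 is FileCreate; the sample events are constructed for the example, and the rule labels are mine rather than the release's detection names.

```python
"""Added example, not Splunk's SPL or any code from this release.

Applies a subset of the detections in the table to Sysmon for Linux events
that have already been parsed into dicts keyed by the Sysmon field names.
Assumed (not taken from the page): Event ID 1 is ProcessCreate and Event ID 11
is FileCreate, as in Sysmon; SAMPLE_EVENTS below are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Callable

PROCESS_CREATE = 1  # Sysmon ProcessCreate: Image, CommandLine, User
FILE_CREATE = 11    # Sysmon FileCreate: Image, TargetFilename, User


@dataclass(frozen=True)
class Rule:
    name: str          # label used in this example, not the release's detection name
    event_id: int      # only events with this ID are evaluated against the rule
    match: Callable[[dict], bool]


def _image_is(event: dict, *names: str) -> bool:
    """True when the basename of the executing binary is one of *names*."""
    return event.get("Image", "").rsplit("/", 1)[-1] in names


RULES = [
    Rule("sudoers NOPASSWD entry", PROCESS_CREATE,
         lambda e: "NOPASSWD" in e["CommandLine"] and "/etc/sudoers" in e["CommandLine"]),
    Rule("sshd_config access or modification", PROCESS_CREATE,
         lambda e: "sshd_config" in e["CommandLine"]),
    # chmod u+s, or a four-digit octal mode whose leading digit carries the setuid bit (4xxx-7xxx)
    Rule("setuid bit via chmod", PROCESS_CREATE,
         lambda e: _image_is(e, "chmod")
         and re.search(r"(?:\+s|\b[4-7][0-7]{3}\b)", e["CommandLine"]) is not None),
    Rule("setuid-equivalent capability via setcap", PROCESS_CREATE,
         lambda e: _image_is(e, "setcap") and "cap_setuid" in e["CommandLine"]),
    Rule("LD_PRELOAD library hijack", PROCESS_CREATE,
         lambda e: "LD_PRELOAD=" in e["CommandLine"]),
    Rule("kernel module load via insmod/modprobe", PROCESS_CREATE,
         lambda e: _image_is(e, "insmod", "modprobe")),
    Rule("credential file access", PROCESS_CREATE,
         lambda e: re.search(r"/etc/(?:passwd|shadow)\b", e["CommandLine"]) is not None),
    Rule("sudo or su execution", PROCESS_CREATE,
         lambda e: _image_is(e, "sudo", "su")),
    Rule("ssh key file creation", FILE_CREATE,
         lambda e: "/.ssh/" in e["TargetFilename"]),
    Rule("systemd unit or timer file creation", FILE_CREATE,
         lambda e: e["TargetFilename"].startswith(("/etc/systemd/system/", "/usr/lib/systemd/system/"))
         and e["TargetFilename"].endswith((".service", ".timer"))),
    Rule("doas.conf creation", FILE_CREATE,
         lambda e: e["TargetFilename"].endswith("/doas.conf")),
    Rule("init.d or profile.d file creation", FILE_CREATE,
         lambda e: e["TargetFilename"].startswith(("/etc/init.d/", "/etc/profile.d/"))),
]

# Constructed sample events; the last two are benign noise (an admin's sudo, a plain ls).
SAMPLE_EVENTS = [
    {"EventID": 1, "User": "www-data", "Image": "/usr/bin/bash",
     "CommandLine": "bash -c 'echo \"www-data ALL=(ALL) NOPASSWD:ALL\" >> /etc/sudoers'"},
    {"EventID": 1, "User": "alice", "Image": "/usr/bin/chmod", "CommandLine": "chmod u+s /tmp/rootshell"},
    {"EventID": 1, "User": "alice", "Image": "/usr/sbin/setcap", "CommandLine": "setcap cap_setuid+ep /tmp/rootshell"},
    {"EventID": 1, "User": "alice", "Image": "/usr/bin/env", "CommandLine": "LD_PRELOAD=/tmp/evil.so /usr/bin/sudo -l"},
    {"EventID": 1, "User": "root", "Image": "/usr/sbin/insmod", "CommandLine": "insmod /tmp/rootkit.ko"},
    {"EventID": 1, "User": "alice", "Image": "/usr/bin/cat", "CommandLine": "cat /etc/shadow"},
    {"EventID": 11, "User": "alice", "Image": "/usr/bin/touch", "TargetFilename": "/home/alice/.ssh/authorized_keys"},
    {"EventID": 11, "User": "root", "Image": "/usr/bin/vi", "TargetFilename": "/etc/systemd/system/backdoor.timer"},
    {"EventID": 11, "User": "root", "Image": "/usr/bin/vi", "TargetFilename": "/etc/doas.conf"},
    {"EventID": 1, "User": "alice", "Image": "/usr/bin/sudo", "CommandLine": "sudo apt update"},
    {"EventID": 1, "User": "alice", "Image": "/usr/bin/ls", "CommandLine": "ls -la /home/alice"},
]


def evaluate(event: dict) -> list[str]:
    """Return the names of every rule the event satisfies, in RULES order."""
    return [r.name for r in RULES if r.event_id == event["EventID"] and r.match(event)]


def run(events: list[dict]) -> list[tuple[int, str, list[str]]]:
    """Evaluate a batch; return (index, user, rule names) for each event that fired."""
    return [(i, ev["User"], names) for i, ev in enumerate(events) if (names := evaluate(ev))]


if __name__ == "__main__":
    for idx, user, names in run(SAMPLE_EVENTS):
        print(f"event {idx} ({user}): {', '.join(names)}")
```

Two things the sample set is meant to show. First, the sudo/su and credential-file rules are high-volume by design (the `sudo apt update` event fires the sudo rule); in production they are hunting or contextual signals that need filtering by parent process, user, or an allowlist rather than standalone alerts. Second, every rule keys on literal substrings of CommandLine or TargetFilename, so an attacker who reaches the same end state without the string (feeding the sudoers line to a script over stdin, or base64-decoding the command at runtime) slips past the command-line rules; pairing them with the file-creation rules is what makes the set harder to evade.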
The following community Splunk SOAR playbooks can be used in conjunction with some of the analytics described above:

| Detection | Playbook | Description |
|---|---|---|
| Any | | Investigate an internal Unix host over SSH. The playbook pushes a bash script to the endpoint and runs it, collecting general information about processes, user activity, and network activity: the process list, login history, cron jobs, and open sockets. The results are zipped as .csv files and added to the vault for an analyst to review. |
| Multiple | | Enrich and respond to a CrowdStrike Falcon detection involving a potentially malicious executable on an endpoint. The playbook checks for previous sightings of the same executable, hunts across other endpoints for the file, gathers details about all processes associated with it, and collects the results into a prompt for an analyst to review. Based on the analyst's choice, the file can be added to the CrowdStrike custom indicator list with a detection policy of "detect" or "none", and the endpoint can optionally be quarantined from the network. |
Linux is an extremely popular operating system, present in millions of devices and applications. It is the main engine of internet infrastructure, not only in backbone devices such as servers and routers but also at the micro level, since most Internet of Things (IoT) devices run some version of it. Linux is often dismissed as secure by default; it is not, and it is exploitable like any other platform.
For a full list of security content, check out the release notes on Splunk Docs.
You can find the latest content about security analytic stories on GitHub and in Splunkbase. Splunk Security Essentials also has all of these detections available via push update.
Any feedback or requests? Feel free to open an issue on GitHub, and we'll follow up. Alternatively, join us in the #security-research channel on Slack. Follow these instructions if you need an invitation to the Splunk user groups on Slack.
We would like to thank the whole threat research team Jose Hernandez, Teoderick Contreras, Rod Soto, Bhavin Patel, Mauricio Velazco, Michael Haag, Lou Stella, Eric McGinnis, and Patrick Bareiss for their contribution to this release.