In this January 2022 release, the Splunk Threat Research Team (STRT) focused on the recently released Sysmon for Linux add-on for Splunk. This new add-on opens the door to new ways of monitoring Linux systems, creating detections for them, and defending them against threats. Linux is the most commonly used operating system across the world, powering approximately 67% of the internet. The ability to study Linux exploitation development gives many blue teamers new opportunities to enhance their defense capabilities.
 
This January release contains 32 new detections distributed across 2 Analytic Stories: Linux Privilege Escalation and Linux Persistence Techniques.
Analytic stories are security use cases supported by our threat research team's pre-built detections and responses. The following analytic stories focus on monitoring and investigating items related to Linux privilege escalation. Privilege escalation is a necessary post-exploitation step for attackers to complete entrenchment on the targeted host. These items include unusual processes running on endpoints, scheduled tasks, services, setuid, root execution, and more.
It is also important for attackers to maintain access to compromised systems, and that is where persistence techniques come into play. We also crafted several detections to address those post-exploitation vectors.
Detections Used in the Linux Privilege Escalation & Linux Persistence Techniques Analytics Stories
| Name | Technique ID | Tactic | Description |
| --- | --- | --- | --- |
| Linux NOPASSWD Entry in Sudoers File | T1548.003, T1548 | Persistence, Privilege Escalation | Looks for suspicious command lines that may add an entry to /etc/sudoers with the NOPASSWD attribute on the Linux platform. |
| Linux Possible Access Or Modification Of sshd Config File | T1098.004, T1098 | Persistence | Looks for suspicious process command lines that might be accessing or modifying sshd_config. |
| Linux Possible Append Command To Profile Config File | T1546.004, T1546 | Persistence, Privilege Escalation | Looks for suspicious command lines that could be used to modify user profile files so that the shell automatically executes scripts or executables on reboot of the machine. |
| Linux Possible Ssh Key File Creation | T1098.004, T1098 | Persistence | Looks for possible SSH key file creation in the ~/.ssh/ folder. |
| Linux Add User Account | T1136.001, T1136 | Persistence | Looks for commands that create user accounts on the Linux platform. |
| Linux Common Process For Elevation Control | T1548.001, T1548 | Persistence, Privilege Escalation | Looks for possible elevation-control abuse using a common, well-known Linux process to change file attributes and ownership. |
| Linux Doas Conf File Creation | T1548.003, T1548 | Persistence, Privilege Escalation | Detects the creation of a doas.conf file on a Linux host. |
| Linux Doas Tool Execution | T1548.003, T1548 | Persistence, Privilege Escalation | Detects execution of the doas tool on a Linux host. |
| Linux Possible Access To Credential Files | T1003.008, T1003 | Credential Access | Detects a possible attempt to dump or access the content of /etc/passwd and /etc/shadow to enable offline credential cracking. /etc/passwd stores user information on Linux, while /etc/shadow contains the users' password hashes. |

| Name | Technique ID | Tactic | Description |
| --- | --- | --- | --- |
| Linux File Creation In Init Boot Directory | T1037.004 | Persistence, Privilege Escalation | Looks for suspicious file creation in init system directories, used for automatic execution of a script or file on boot. |
| Linux File Creation In Profile Directory | T1546.004 | Persistence, Privilege Escalation | Looks for suspicious file creation in the /etc/profile.d directory, used to have the shell automatically execute scripts on boot of a Linux machine. |
| Linux Service File Created In Systemd Directory | T1053.006 | Persistence, Privilege Escalation | Looks for suspicious file creation in the systemd timer directory on the Linux platform. |
| Linux Service Restarted | T1053.006 | Persistence, Privilege Escalation | Looks for restarted or re-enabled services on the Linux platform. |
| Linux Service Started Or Enabled | T1053.006 | Persistence, Privilege Escalation | Looks for created or enabled services on the Linux platform. |
| Linux Add User Account | T1136.001 | Persistence, Privilege Escalation | Looks for commands that create user accounts on the Linux platform. |
| Linux Change File Owner To Root | T1222.002 | Persistence, Privilege Escalation | Looks for a command line that changes a file's owner to root using the chown utility. |
| Linux Setuid Using Chmod Utility | T1548.001 | Persistence, Privilege Escalation | Looks for suspicious chmod utility execution that enables the SUID bit. |
| Linux Setuid Using Setcap Utility | T1548.001 | Persistence, Privilege Escalation | Looks for suspicious setcap utility execution that enables the SUID bit. |
| Linux Doas Conf File Creation | T1548.003 | Persistence, Privilege Escalation | Detects the creation of a doas.conf file on a Linux host. |
| Linux Doas Tool Execution | T1548.003 | Persistence, Privilege Escalation | Detects execution of the doas tool on a Linux host. |
| Linux Sudo OR Su Execution | T1548.003 | Persistence, Privilege Escalation | Detects execution of the sudo or su command on a Linux operating system. |
| Linux Common Process For Elevation Control | T1548.001 | Persistence, Privilege Escalation | Looks for possible elevation-control abuse using a common, well-known Linux process to change file attributes and ownership. |
| Linux File Created In Kernel Driver Directory | T1547.006 | Persistence, Privilege Escalation | Looks for suspicious file creation in the kernel/driver directory on the Linux platform. |
| Linux Insert Kernel Module Using Insmod Utility | T1547.006 | Persistence, Privilege Escalation | Looks for insertion of Linux kernel modules using the insmod utility. |
| Linux Install Kernel Module Using Modprobe Utility | T1547.006 | Persistence, Privilege Escalation | Looks for possible installation of a Linux kernel module using the modprobe utility. |
| Linux Preload Hijack Library Calls | T1574.006 | Persistence, Privilege Escalation | Detects a suspicious command that may hijack library functions using the LD_PRELOAD environment variable on the Linux platform. |
| Linux Possible Append Command To Profile Config File | T1546.004 | Persistence, Privilege Escalation | Looks for suspicious command lines that could be used to modify profile files so that the shell automatically executes scripts or files on boot of the machine. |
| Linux Possible Access To Credential Files | T1003.008 | Persistence, Privilege Escalation | Detects a possible attempt to dump or access the content of /etc/passwd and /etc/shadow to enable offline credential cracking. |
| Linux Possible Access To Sudoers File | T1548.003 | Persistence, Privilege Escalation | Detects possible access to or modification of the /etc/sudoers file. |
| Linux NOPASSWD Entry In Sudoers File | T1548.003 | Persistence, Privilege Escalation | Looks for suspicious command lines that may add an entry to /etc/sudoers with the NOPASSWD attribute on the Linux platform. |
| Linux Sudoers Tmp File Creation | T1548.003 | Persistence, Privilege Escalation | Looks for creation of a sudoers.tmp file, caused by editing /etc/sudoers with visudo or an editor on the Linux platform. |
| Linux Visudo Utility Execution | T1548.003 | Persistence, Privilege Escalation | Looks for suspicious command lines that add an entry to /etc/sudoers using the visudo utility on the Linux platform. |
| Linux Possible Ssh Key File Creation | T1098.004 | Persistence, Privilege Escalation | Looks for possible SSH key file creation in the ~/.ssh/ folder. |
| Linux Possible Access Or Modification Of sshd_config File | T1098.004 | Persistence, Privilege Escalation | Looks for suspicious process command lines that might be accessing or modifying sshd_config. |
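To make the logic behind a handful of the analytics above concrete, here is an added example (not STRT's content, and not Splunk's SPL) that applies simplified versions of six of the listed rules to Sysmon for Linux events. The field names Image, CommandLine and TargetFilename are real Sysmon for Linux event fields, but the rule conditions are my own approximations of the table's descriptions, and the sample event XML is constructed and trimmed to just the fields the checks read; real records carry many more fields and arrive wrapped in a syslog line.

```python
"""Toy detector for a subset of the Linux persistence / privilege escalation
analytics above, run over constructed Sysmon for Linux events (added example;
rule conditions are approximations, not the STRT rules themselves)."""
import re
import xml.etree.ElementTree as ET

PROCESS_CREATE = 1   # Sysmon Event ID 1: process creation
FILE_CREATE = 11     # Sysmon Event ID 11: file creation

# Constructed, abbreviated events: six that should alert, two benign
# (an `ls` and a log file written to /tmp).
SAMPLE_EVENTS = """<Events>
<Event><System><EventID>1</EventID></System><EventData><Data Name="Image">/usr/bin/bash</Data>
<Data Name="CommandLine">bash -c "echo 'svc ALL=(ALL) NOPASSWD:ALL' >> /etc/sudoers"</Data></EventData></Event>
<Event><System><EventID>1</EventID></System><EventData><Data Name="Image">/usr/bin/bash</Data>
<Data Name="CommandLine">bash -c "LD_PRELOAD=/tmp/hook.so /usr/bin/id"</Data></EventData></Event>
<Event><System><EventID>1</EventID></System><EventData><Data Name="Image">/usr/bin/chmod</Data>
<Data Name="CommandLine">chmod u+s /usr/local/bin/helper</Data></EventData></Event>
<Event><System><EventID>1</EventID></System><EventData><Data Name="Image">/usr/sbin/insmod</Data>
<Data Name="CommandLine">insmod /tmp/mod.ko</Data></EventData></Event>
<Event><System><EventID>11</EventID></System><EventData><Data Name="TargetFilename">/home/svc/.ssh/authorized_keys</Data></EventData></Event>
<Event><System><EventID>11</EventID></System><EventData><Data Name="TargetFilename">/etc/systemd/system/backup.timer</Data></EventData></Event>
<Event><System><EventID>1</EventID></System><EventData><Data Name="Image">/usr/bin/ls</Data>
<Data Name="CommandLine">ls -la /home/svc</Data></EventData></Event>
<Event><System><EventID>11</EventID></System><EventData><Data Name="TargetFilename">/tmp/build.log</Data></EventData></Event>
</Events>"""


def parse_events(xml_text):
    """Flatten each <Event> into a dict: EventID plus every <Data Name=...> value."""
    events = []
    for ev in ET.fromstring(xml_text).iter("Event"):
        fields = {"EventID": int(ev.findtext("System/EventID")),
                  "Image": "", "CommandLine": "", "TargetFilename": ""}
        for data in ev.iter("Data"):
            fields[data.get("Name")] = data.text or ""
        events.append(fields)
    return events


def _basename(path):
    return path.rsplit("/", 1)[-1]


# chmod arguments that set the setuid bit: symbolic "+s" forms (which also
# cover setgid) or a four-digit octal mode whose leading digit includes 4.
SETUID_MODE = re.compile(r"(?:^|\s)(?:[ugoa]*\+[rwxt]*s[rwxt]*|[4-7][0-7]{3})(?=\s|$)")

# (rule name, ATT&CK technique, Sysmon event id, predicate over the flattened event)
RULES = [
    ("Linux NOPASSWD Entry In Sudoers File", "T1548.003", PROCESS_CREATE,
     lambda e: "NOPASSWD" in e["CommandLine"] and "/etc/sudoers" in e["CommandLine"]),
    ("Linux Preload Hijack Library Calls", "T1574.006", PROCESS_CREATE,
     lambda e: "LD_PRELOAD" in e["CommandLine"]),
    ("Linux Setuid Using Chmod Utility", "T1548.001", PROCESS_CREATE,
     lambda e: _basename(e["Image"]) == "chmod" and SETUID_MODE.search(e["CommandLine"]) is not None),
    ("Linux Insert Kernel Module Using Insmod Utility", "T1547.006", PROCESS_CREATE,
     lambda e: _basename(e["Image"]) == "insmod"),   # add "modprobe" for the sibling rule
    ("Linux Possible Ssh Key File Creation", "T1098.004", FILE_CREATE,
     lambda e: "/.ssh/" in e["TargetFilename"]),
    ("Linux Service File Created In Systemd Directory", "T1053.006", FILE_CREATE,
     lambda e: "/systemd/system/" in e["TargetFilename"]
     and e["TargetFilename"].endswith((".service", ".timer"))),
]


def detect(xml_text):
    """Return (rule name, technique id, evidence) for every rule that matches an event."""
    hits = []
    for ev in parse_events(xml_text):
        for name, technique, event_id, matches in RULES:
            if ev["EventID"] == event_id and matches(ev):
                evidence = ev["CommandLine"] if event_id == PROCESS_CREATE else ev["TargetFilename"]
                hits.append((name, technique, evidence))
    return hits


if __name__ == "__main__":
    for name, technique, evidence in detect(SAMPLE_EVENTS):
        print(f"[{technique}] {name}: {evidence}")
```

Running it prints one line per suspicious event and nothing for the two benign ones. The production analytics run as SPL over the Endpoint data model and carry tuning that this toy omits; the same substring checks will, for instance, fire on package managers dropping unit files under /etc/systemd/system/ or on an admin legitimately provisioning authorized_keys, so each rule needs an allowlist of expected parent processes and users before it is worth alerting on.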
Automating with SOAR Playbooks
The following community Splunk SOAR playbooks can be used in conjunction with some of the previously described analytics:
| Detection | Playbook | Description |
| --- | --- | --- |
| Any | Internal Host SSH Investigate | Investigate an internal Unix host using SSH. This pushes a bash script to the endpoint and runs it, collecting generic information about the processes, user activity, and network activity. This includes the process list, login history, cron jobs, and open sockets. The results are zipped up in .csv files and added to the vault for an analyst to review. |
| Multiple | Crowdstrike Malware Triage | This playbook is used to enrich and respond to a CrowdStrike Falcon detection involving a potentially malicious executable on an endpoint. It checks for previous sightings of the same executable, hunts across other endpoints for the file, gathers details about all processes associated with the file, and collects all the gathered information into a prompt for an analyst to review. Based on the analyst's choice, the file can be added to the custom indicators list in CrowdStrike with a detection policy of "detect" or "none", and the endpoint can optionally be quarantined from the network. |
Why Should You Care about Linux Persistence and Privilege Escalation?
Linux is an extremely popular operating system present in millions of devices and applications. It is the main engine of the internet infrastructure, not only in backbone devices (such as servers and routers) but also at the micro level, as most Internet of Things (IoT) devices run some version of it. Linux is exploitable; however, it is often dismissed as secure by default, which is not true.
For a full list of security content, check out the release notes on Splunk Docs:
- v3.33.0
- v3.34.0
You can find the latest content about security analytic stories on GitHub and in Splunkbase. Splunk Security Essentials also has all these detections now available via push update.
Feedback
Any feedback or requests? Feel free to put in an issue on GitHub, and we'll follow up. Alternatively, join us on the Slack channel #security-research. Follow these instructions if you need an invitation to our Splunk user groups on Slack.
Contributors
We would like to thank the whole threat research team, Jose Hernandez, Teoderick Contreras, Rod Soto, Bhavin Patel, Mauricio Velazco, Michael Haag, Lou Stella, Eric McGinnis, and Patrick Bareiss, for their contribution to this release.
Disclaimer
Splunk Inc. published this content on 24 February 2022 and is solely responsible for the information contained therein. Distributed by Public, unedited and unaltered, on 25 February 2022 17:57:05 UTC.