Linux Stdout Redirection to /dev/null Indicates Potential Malware Activity
The redirection of standard output to /dev/null on Linux systems, particularly when observed in conjunction with other suspicious activities, can indicate attempts to hide malicious command execution, as seen in malware like Cyclops Blink, potentially leading to unauthorized system modifications and persistent access.
This brief addresses the detection of command-line activity that redirects standard output (stdout) or standard error (stderr) to the /dev/null file on Linux systems. This behavior is often used to suppress output from commands, which can be a legitimate administrative practice. However, when used maliciously, it can conceal the actions of malware or attackers. The analysis is based on process execution logs typically collected by Endpoint Detection and Response (EDR) agents. The Cyclops Blink malware has been observed using this technique to hide modifications to iptables firewall settings. This activity can allow an attacker to stealthily alter system configurations, potentially leading to unauthorized access or persistent control over the compromised machine. The detection focuses on identifying command lines containing patterns like *&>/dev/null*.
Attack Chain
- The attacker gains initial access to the Linux system (potentially via an exploit or compromised credentials).
- The attacker executes a malicious script or binary on the system.
- The script or binary contains commands to modify system configurations (e.g., iptables rules).
- The output of these commands is redirected to /dev/null using &>/dev/null to hide the changes from standard logging and user observation.
- The modified system configurations allow the attacker to establish persistence or gain unauthorized access.
- The attacker may further deploy additional malicious tools or scripts while continuing to redirect output to /dev/null to evade detection.
- The attacker maintains covert access to the system, using the modified configurations for ongoing malicious activities.
Impact
Successful exploitation can lead to unauthorized access to the compromised Linux system, allowing attackers to perform a variety of malicious activities undetected. This includes installing backdoors, exfiltrating sensitive data, or disrupting services. In the case of Cyclops Blink, the malware modifies firewall rules, which can open up the system to further attacks. The number of affected systems and the severity of the impact will vary depending on the attacker’s objectives and the compromised system’s role within the network.
Recommendation
- Deploy the Sigma rule Linux Stdout Redirection To Dev Null File to your SIEM and tune it to your environment to detect suspicious command-line activity.
- Investigate any alerts generated by the Sigma rule, focusing on processes that are not normally associated with /dev/null redirection.
- Enable Sysmon for Linux Event ID 1 to ensure the necessary process execution logs are available (see data_source in the rule).
- Review the references to understand the Cyclops Blink malware and its use of this technique.
Detection coverage (2 rules)
Linux Stdout Redirection To Dev Null File (level: medium)
Detects command-line activities that redirect stdout or stderr to the /dev/null file, which may indicate attempts to hide command outputs by malware like Cyclops Blink.
Linux Stdout Redirection To Dev Null File - Parent Process (level: low)
Detects command-line activities that redirect stdout or stderr to the /dev/null file, focusing on parent processes that are not typically associated with this behavior.
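The following Python script is an added example, not part of this brief or of the Sigma rules it describes. It shows the detection logic the brief outlines, applied to process-creation events shaped like the Sysmon for Linux Event ID 1 fields the brief names as its data source (Image, CommandLine, ParentImage, User). It generalizes the single *&>/dev/null* pattern to any stdout/stderr redirection into /dev/null, and layers on the parent-process focus of the second rule. The sample events and the EXPECTED_PARENTS allow-list are constructed for illustration and are assumptions, not values from the brief or the rules.

```python
import re
from typing import Dict, List, Tuple

# Matches a shell redirection of stdout and/or stderr into /dev/null, e.g.
#   &>/dev/null   >&/dev/null   >/dev/null   2>/dev/null   1>>/dev/null
# Input redirection such as "< /dev/null" is deliberately not matched.
# This generalizes the "*&>/dev/null*" pattern named in the brief.
DEV_NULL_REDIRECT = re.compile(r"(?:&>|>&|\d*>>?)\s*/dev/null\b")

# Tuning allow-list (constructed assumption): parent images that routinely
# spawn commands whose output is discarded, such as schedulers and service
# managers. Events from other parents also trigger the parent-process rule.
EXPECTED_PARENTS = {
    "/usr/sbin/cron",
    "/usr/lib/systemd/systemd",
}

# Rule names and levels as listed under "Detection coverage" in the brief.
RULE_BASE = ("Linux Stdout Redirection To Dev Null File", "medium")
RULE_PARENT = ("Linux Stdout Redirection To Dev Null File - Parent Process", "low")


def has_dev_null_redirect(command_line: str) -> bool:
    """True if the command line discards stdout and/or stderr into /dev/null."""
    return DEV_NULL_REDIRECT.search(command_line) is not None


def evaluate(event: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return the (rule name, level) pairs an event matches, possibly empty."""
    if not has_dev_null_redirect(event.get("CommandLine", "")):
        return []
    matched = [RULE_BASE]
    if event.get("ParentImage", "") not in EXPECTED_PARENTS:
        matched.append(RULE_PARENT)
    return matched


def scan(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Run both rules over a batch of process-creation events and collect alerts."""
    alerts = []
    for event in events:
        for rule, level in evaluate(event):
            alerts.append({
                "rule": rule,
                "level": level,
                "image": event.get("Image", ""),
                "parent": event.get("ParentImage", ""),
                "user": event.get("User", ""),
                "command_line": event.get("CommandLine", ""),
            })
    return alerts


# Constructed sample events (not real telemetry) in Sysmon-for-Linux style.
SAMPLE_EVENTS = [
    # A scheduled job silencing its output: matches the base rule only.
    {"Image": "/bin/sh", "ParentImage": "/usr/sbin/cron", "User": "root",
     "CommandLine": "/bin/sh -c /usr/local/bin/rotate-logs.sh >/dev/null 2>&1"},
    # A shell spawned by an unexpected parent touching iptables with output
    # discarded: matches both rules. The parent path is a constructed placeholder.
    {"Image": "/bin/sh", "ParentImage": "/tmp/.update", "User": "root",
     "CommandLine": "sh -c \"/usr/sbin/iptables -L INPUT &>/dev/null\""},
    # The iptables child of the event above: the redirection belongs to the
    # shell, so the child's own command line carries no "/dev/null" and does
    # not match. Hunt on the shell's -c string, not only on the child.
    {"Image": "/usr/sbin/iptables", "ParentImage": "/bin/sh", "User": "root",
     "CommandLine": "/usr/sbin/iptables -L INPUT"},
    # Input redirection from /dev/null is not output suppression: no match.
    {"Image": "/bin/sh", "ParentImage": "/bin/bash", "User": "alice",
     "CommandLine": "/bin/sh -c \"grep -c pattern < /dev/null\""},
]


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"[{alert['level']}] {alert['rule']}: parent={alert['parent']} "
              f"user={alert['user']} cmd={alert['command_line']}")
```

Two points the sample events bring out for tuning: the redirection is visible only in the command line of the process that performs it (typically the shell running a `-c` string), not in the child it launches, and an input redirection from /dev/null is a different, benign construct that a naive substring match on "/dev/null" would also flag.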