Potential Defense Evasion via Symbolic Link of Common Linux Binaries to Writable Directories
An adversary may create symbolic links of legitimate system binaries in world-writable directories to potentially bypass security restrictions or execute malicious code with elevated privileges by masquerading as a trusted process.
This threat brief addresses a potential defense evasion technique observed on Linux systems. An attacker may create symbolic links (symlinks) of commonly used system binaries, such as sh, bash, or vi, into world-writable directories like /tmp or /var/tmp. This allows the attacker to execute commands with the permissions of the linked binary or use them to bypass security restrictions. The goal is to execute code by masquerading as a trusted process, potentially evading detection by security tools relying on path-based whitelisting or integrity checks. This technique can be used to achieve persistence or escalate privileges. While the original source is a detection rule repository, this brief focuses on detecting the symlink creation itself.
Attack Chain
- The attacker gains initial access to the system via an exploit or compromised credentials (not detailed in source).
- The attacker identifies world-writable directories such as
/tmp,/var/tmp, or/dev/shm. - The attacker identifies commonly used system binaries such as
/bin/sh,/bin/bash, or/usr/bin/vi. - The attacker creates a symbolic link of a system binary in a world-writable directory using the
ln -scommand. For example:ln -s /bin/sh /tmp/sh. - The attacker executes the symlink in the writable directory. For example:
/tmp/sh -c "malicious_command". - The command executes with the privileges of the linked binary, potentially bypassing security restrictions or whitelisting rules.
- The attacker uses this foothold to further compromise the system, escalate privileges, or establish persistence.
Impact
A successful attack using this technique can lead to privilege escalation, persistence, and potentially complete system compromise. By creating symbolic links to system binaries in world-writable directories, attackers can bypass security measures and execute malicious code with elevated privileges. While the number of affected systems is not specified in the source, the technique is applicable to any Linux system with world-writable directories and standard system binaries.
Recommendation
- Deploy the "Detect Suspicious Symlink Creation in Writable Directories" Sigma rule to your SIEM and tune for your environment to detect the initial creation of malicious symlinks.
- Enable file integrity monitoring (FIM) on system binaries and world-writable directories to detect unauthorized modifications, including the creation of symbolic links.
- Implement access controls to restrict write access to critical system directories and binaries.
- Investigate any alerts generated by the Sigma rules and FIM regarding symlink creation in world-writable directories.
Detection coverage 2
Detect Suspicious Symlink Creation in Writable Directories
mediumDetects the creation of symbolic links to common binaries in world-writable directories.
Detect Execution of Symlinked Binary from Writable Directory
highDetects execution of a binary located within a writable directory that is also a symbolic link.
Detection queries are available on the platform. Get full rules →