Linux C2 Agent Activity: Suspicious Network Connection and File Creation
Threat actors leverage C2 agents like Poseidon and Athena, operating from suspicious Linux writable directories, to establish network connections with C2 frameworks such as Mythic, subsequently creating files to stage further malicious activities.
This brief describes a common pattern of sophisticated command-and-control (C2) activity on Linux systems, often associated with C2 agents like Poseidon and Athena, which are known to integrate with C2 frameworks such as Mythic. The attack typically begins with the deployment and execution of a malicious loader or C2 agent into suspicious, writable Linux directories such as /dev/shm, /tmp, or /var/tmp. From these locations, the malicious process establishes an outbound network connection to its C2 server, continuously polling for commands via web requests. Upon receiving instructions, the agent proceeds to create new files on the system. These files can include staging scripts or additional payloads for subsequent execution, persistence mechanisms, or further post-exploitation activities, signaling an active and tasked implant.
Attack Chain
- Initial Access: An attacker gains initial access to a Linux system through various means, including exploiting vulnerabilities in public-facing applications, phishing, or compromised credentials.
- Loader Deployment & Execution: A malicious loader or C2 agent, such as Poseidon or Athena, is deployed to and executed from a suspicious, writable directory like
/dev/shm,/tmp,/var/tmp, or/var/log. - Command and Control (C2) Connection: The executed agent initiates an outbound network connection from its precarious location to a remote command-and-control server, potentially part of a framework like Mythic.
- C2 Polling for Commands: The C2 agent continuously polls the remote server, typically using web protocols (e.g., HTTP/S GET/POST requests), to retrieve new commands or instructions.
- File Creation for Staging: Upon receiving commands from the C2, the agent creates a new file on the local filesystem within a suspicious writable directory (e.g.,
/tmp/payload.shor a renamed binary) to stage a subsequent payload or script. - Execution or Persistence: The newly created file is then executed by the C2 agent or configured for persistence, allowing the attacker to establish a more durable foothold, elevate privileges, or perform further malicious actions.
- Post-Exploitation Activity: With established control and persistence, the attacker proceeds with their objectives, which may include data exfiltration, lateral movement, or system disruption.
Impact
If successful, this attack pattern can lead to complete compromise of the affected Linux system, enabling attackers to maintain persistence, execute arbitrary commands, and exfiltrate sensitive data. Victims may experience unauthorized access, data breaches, and disruption of critical services. While specific victim counts are not available for this general pattern, the impact can range from isolated system compromise to widespread network infiltration if lateral movement is achieved. The presence of such C2 agents indicates a significant security breach that requires immediate containment and remediation to prevent further damage.
Recommendation
- Deploy the Sigma rules in this brief to your SIEM and correlate
Linux Suspicious Outbound Network from Writable DirectoryandLinux Suspicious File Creation by Process in Writable Directoryevents within a short time window (e.g., 5 seconds) for high-fidelity detection of this C2 pattern. - Ensure Elastic Defend is properly configured on all Linux endpoints to collect
network_connectionandfile_eventlogs, which are essential for activating the rules above. - Implement stringent network egress filtering to limit outbound connections from Linux servers to only known, legitimate destinations, reducing the effectiveness of C2 beaconing.
- Harden Linux systems by restricting execution permissions in commonly writable directories such as
/tmp,/dev/shm, and/var/tmp, and enforce application allowlisting where feasible. - Review the process ancestry and launch context for any binaries observed connecting outbound or creating files from suspicious writable directories to identify the initial access vector.
Detection coverage 2
Linux Suspicious Outbound Network from Writable Directory
mediumDetects outbound network connections originating from processes running in commonly writable and suspicious directories (e.g., /tmp, /dev/shm) on Linux systems, which is characteristic of C2 agents. Correlate with file creation events for higher fidelity.
Linux Suspicious File Creation by Process in Writable Directory
mediumDetects file creation events by processes running from commonly writable and suspicious directories (e.g., /tmp, /dev/shm) on Linux systems, indicative of C2 agents staging payloads or scripts. Correlate with outbound network connections for higher fidelity.
Detection queries are available on the platform. Get full rules →