{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/apparmor/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["AppArmor"],"_cs_severities":["medium"],"_cs_tags":["apparmor","defense-evasion","linux"],"_cs_type":"advisory","_cs_vendors":["Linux"],"content_html":"\u003cp\u003eThis threat brief focuses on detecting attempts to tamper with AppArmor policies on Linux systems. AppArmor is a security module that provides mandatory access control, limiting the actions that processes can take. Attackers may try to modify or disable AppArmor policies to evade detection and execute malicious code with fewer restrictions. This is achieved by directly interacting with the AppArmor kernel policy control interfaces, specifically the \u003ccode\u003e.load\u003c/code\u003e, \u003ccode\u003e.replace\u003c/code\u003e, and \u003ccode\u003e.remove\u003c/code\u003e files located under \u003ccode\u003e/sys/kernel/security/apparmor/\u003c/code\u003e. These files are used to load, modify, or remove AppArmor profiles. The rule published on 2026-03-23 identifies abnormal access to these interfaces which could indicate unauthorized policy changes, defense evasion, or the installation of attacker-controlled profiles. This type of activity is particularly concerning in environments where AppArmor policy changes are uncommon or strictly controlled.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e The attacker gains initial access to the system, potentially through exploiting a vulnerability or using compromised credentials.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation:\u003c/strong\u003e The attacker escalates privileges to root or another account with sufficient permissions to modify AppArmor policies. This may involve exploiting a kernel vulnerability or misconfigured sudo permissions.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDefense Evasion:\u003c/strong\u003e The attacker attempts to modify or disable AppArmor policies to evade detection and allow the execution of malicious code.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePolicy Modification:\u003c/strong\u003e The attacker writes to \u003ccode\u003e/sys/kernel/security/apparmor/.load\u003c/code\u003e, \u003ccode\u003e/sys/kernel/security/apparmor/.replace\u003c/code\u003e, or \u003ccode\u003e/sys/kernel/security/apparmor/.remove\u003c/code\u003e to load a malicious AppArmor profile, replace an existing one with a weakened version, or remove a profile entirely.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence:\u003c/strong\u003e The attacker establishes persistence by creating or modifying systemd units, cron jobs, or startup scripts that execute malicious code after the AppArmor policy is altered.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMalicious Code Execution:\u003c/strong\u003e The attacker executes malicious code that was previously blocked by AppArmor policies, now allowed due to the modified policies.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement/Data Exfiltration:\u003c/strong\u003e The attacker moves laterally within the network, accessing sensitive data or systems, and exfiltrates data to an external location.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpact:\u003c/strong\u003e The attacker achieves their final objective, which may include data theft, system compromise, or disruption of services.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful tampering with AppArmor policies can have severe consequences. Attackers can bypass security controls, install malicious software, and gain unauthorized access to sensitive data. This can lead to data breaches, financial losses, and reputational damage. The impact is amplified if the compromised system is critical to business operations or contains valuable data. The referenced Qualys advisory \u0026quot;CrackArmor\u0026quot; highlights critical AppArmor flaws enabling local privilege escalation to root, further emphasizing the potential damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided EQL rule to your SIEM to detect access to AppArmor policy interfaces and tune it for your specific environment.\u003c/li\u003e\n\u003cli\u003eEnable the \u003ccode\u003eauditd_manager\u003c/code\u003e integration and configure the recommended audit rules to monitor access to the AppArmor policy files: \u003ccode\u003e-w /sys/kernel/security/apparmor/.load -p rw -k apparmor_policy_change\u003c/code\u003e, \u003ccode\u003e-w /sys/kernel/security/apparmor/.replace -p rw -k apparmor_policy_change\u003c/code\u003e, \u003ccode\u003e-w /sys/kernel/security/apparmor/.remove -p rw -k apparmor_policy_change\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eRegularly review AppArmor policies for unauthorized modifications and ensure that critical services are running with the expected policies.\u003c/li\u003e\n\u003cli\u003eImplement strict access controls to limit who can administer AppArmor policies.\u003c/li\u003e\n\u003cli\u003eMonitor for privilege escalation attempts and unauthorized use of \u003ccode\u003esudo\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T10:00:00Z","date_published":"2024-01-09T10:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-apparmor-policy-tampering/","summary":"Detection of unauthorized access to AppArmor kernel policy control interfaces, specifically the `.load`, `.replace`, or `.remove` files, indicating potential defense evasion or policy tampering on Linux systems.","title":"AppArmor Policy Interface Tampering","url":"https://feed.craftedsignal.io/briefs/2024-01-apparmor-policy-tampering/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["AppArmor"],"_cs_severities":["medium"],"_cs_tags":["apparmor","defense-evasion","linux"],"_cs_type":"advisory","_cs_vendors":["Linux"],"content_html":"\u003cp\u003eThe \u003ccode\u003eapparmor_parser\u003c/code\u003e tool is used to compile AppArmor profiles on Linux systems. While typically used by system administrators and package installation scripts, adversaries can abuse this tool to compile malicious AppArmor profiles. These profiles can then be loaded into the kernel, potentially weakening security controls, altering the behavior of privileged programs, or assisting in exploitation chains. Detecting the use of \u003ccode\u003eapparmor_parser\u003c/code\u003e with output redirection flags such as \u003ccode\u003e-o\u003c/code\u003e is crucial for identifying potential attempts to manipulate AppArmor policies for malicious purposes. This activity is a component of defense evasion, enabling attackers to potentially disable security tools.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Linux system, often through methods outside the scope of this specific detection (e.g., exploiting a vulnerability, compromised credentials).\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges to root, which is typically required to modify or load AppArmor profiles.\u003c/li\u003e\n\u003cli\u003eThe attacker creates a malicious AppArmor profile. This profile might weaken restrictions on specific processes or grant excessive permissions.\u003c/li\u003e\n\u003cli\u003eThe attacker executes \u003ccode\u003eapparmor_parser\u003c/code\u003e with the \u003ccode\u003e-o\u003c/code\u003e option (or similar variants) to compile the malicious AppArmor profile to a file.\u003c/li\u003e\n\u003cli\u003eThe attacker loads the compiled profile into the AppArmor kernel module using tools like \u003ccode\u003eapparmor_status\u003c/code\u003e or other policy management interfaces, replacing an existing policy or adding a new one.\u003c/li\u003e\n\u003cli\u003eThe attacker restarts the service targeted by the malicious AppArmor profile, or triggers a reload of AppArmor policies, to activate the new profile.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the weakened security controls to execute malicious code, escalate privileges further, or maintain persistence.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, such as data exfiltration, system compromise, or denial of service.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack using a maliciously compiled AppArmor profile can lead to significant compromise of a Linux system. Weakening AppArmor policies can allow attackers to bypass security restrictions, escalate privileges, and execute arbitrary code with elevated permissions. This can result in data breaches, system instability, or complete system takeover. The impact is amplified if critical services like \u003ccode\u003esshd\u003c/code\u003e, \u003ccode\u003esudo\u003c/code\u003e, or container runtimes are targeted.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImplement the Sigma rule \u003ccode\u003eAppArmor Profile Compilation via apparmor_parser\u003c/code\u003e to detect the execution of \u003ccode\u003eapparmor_parser\u003c/code\u003e with output options.\u003c/li\u003e\n\u003cli\u003eEnable process monitoring and audit logging on Linux systems to capture command-line arguments for process executions.\u003c/li\u003e\n\u003cli\u003eMonitor for modifications to AppArmor policy directories (e.g., \u003ccode\u003e/etc/apparmor.d/\u003c/code\u003e) and policy loading events.\u003c/li\u003e\n\u003cli\u003eImplement strict access controls on AppArmor policy files and restrict who can load or modify policies.\u003c/li\u003e\n\u003cli\u003eInvestigate any unexpected executions of \u003ccode\u003eapparmor_parser\u003c/code\u003e or modifications to AppArmor policies, especially when originating from unknown or untrusted sources.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-apparmor-profile-compilation/","summary":"Adversaries may abuse `apparmor_parser` to compile custom AppArmor profiles, potentially weakening security controls and facilitating privilege escalation on Linux systems.","title":"AppArmor Profile Compilation via apparmor_parser","url":"https://feed.craftedsignal.io/briefs/2024-01-apparmor-profile-compilation/"}],"language":"en","title":"CraftedSignal Threat Feed - AppArmor","version":"https://jsonfeed.org/version/1.1"}