<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Linux - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/linux/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Thu, 14 Nov 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/linux/feed.xml" rel="self" type="application/rss+xml"/><item><title>Potential Persistence via Linux File Modification</title><link>https://feed.craftedsignal.io/briefs/2024-11-linux-persistence-file-modification/</link><pubDate>Thu, 14 Nov 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-11-linux-persistence-file-modification/</guid><description>This rule detects potential persistence attempts on Linux systems by monitoring file modifications of files commonly used for persistence, such as cron jobs, systemd services, message-of-the-day (MOTD), SSH configurations, shell configurations, runtime control, init daemon, passwd/sudoers/shadow files, Systemd udevd, and XDG/KDE autostart entries.</description><content:encoded><![CDATA[<p>This detection rule leverages File Integrity Monitoring (FIM) data to identify potential persistence mechanisms employed on Linux systems. Attackers often modify critical system files to ensure their malicious code persists across reboots or user logons. This rule focuses on detecting unauthorized modifications to files associated with cron jobs, systemd services, SSH configurations, shell profiles, and other persistence-related configurations. By monitoring these files for unexpected changes, defenders can identify potential compromises and prevent attackers from maintaining long-term access. The rule is designed to work with the Elastic FIM integration and requires proper configuration of the FIM policy to monitor the relevant file paths. It is crucial to tune the rule with appropriate exclusions for legitimate administrative activities to minimize false positives.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Initial Access:</strong> An attacker gains initial access to a Linux system, potentially through exploiting a vulnerability or using compromised credentials.</li>
<li><strong>Privilege Escalation:</strong> The attacker escalates privileges to root or another highly privileged account using techniques such as exploiting kernel vulnerabilities or misconfigured SUID/SGID binaries.</li>
<li><strong>Cron Job Modification:</strong> The attacker modifies cron job files (e.g., <code>/etc/crontab</code>, <code>/etc/cron.d/*</code>) to schedule malicious scripts or commands to run periodically.</li>
<li><strong>Systemd Service Modification:</strong> The attacker modifies systemd service files (e.g., <code>/etc/systemd/system/*</code>) to create a new service or modify an existing one to execute malicious code upon system startup.</li>
<li><strong>Shell Profile Modification:</strong> The attacker modifies shell profile files (e.g., <code>/etc/profile</code>, <code>~/.bashrc</code>) to execute malicious code when a user logs in.</li>
<li><strong>SSH Configuration Modification:</strong> The attacker modifies SSH configuration files (e.g., <code>/etc/ssh/sshd_config</code>, <code>~/.ssh/authorized_keys</code>) to enable unauthorized access to the system.</li>
<li><strong>LD_PRELOAD Modification:</strong> The attacker modifies <code>/etc/ld.so.preload</code> to inject malicious code into other processes.</li>
<li><strong>Persistence Achieved:</strong> The attacker achieves persistence by ensuring their malicious code is executed automatically at system startup or user logon, allowing them to maintain long-term access to the compromised system.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A successful persistence attack can allow attackers to maintain unauthorized access to a compromised Linux system indefinitely. This can lead to data theft, system disruption, or further exploitation of the network. The rule aims to detect these persistence attempts early, minimizing the potential damage. The rule can trigger on legitimate admin activity if not tuned properly, so careful whitelisting is needed.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Enable the Elastic FIM integration and configure it to monitor the file paths specified in the rule query. Refer to the Elastic FIM documentation for detailed instructions.</li>
<li>Deploy the provided Sigma rule to your SIEM and tune it for your environment.</li>
<li>Investigate any alerts generated by the Sigma rule by reviewing the modified file and the user or process responsible for the modification.</li>
<li>Implement appropriate whitelists to exclude legitimate administrative activities from triggering the rule. Pay special attention to temporary files.</li>
<li>Ensure that access controls and permissions on critical system files are properly configured to prevent unauthorized modifications.</li>
<li>Regularly review and update the FIM policy to ensure it covers all relevant file paths.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>persistence</category><category>linux</category><category>file_integrity_monitoring</category></item><item><title>Potential Credential Discovery via Recursive Grep</title><link>https://feed.craftedsignal.io/briefs/2024-01-09-recursive-grep-credential-discovery/</link><pubDate>Tue, 09 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-09-recursive-grep-credential-discovery/</guid><description>Adversaries may use recursive grep commands on Linux or macOS to discover credentials, secrets, keys, or tokens within files, indicating potential credential access and data exfiltration attempts.</description><content:encoded><![CDATA[<p>This detection identifies potential credential access attempts via recursive grep commands on Linux and macOS systems. Attackers and insider threats might employ <code>grep -r</code> (or <code>--recursive</code>, <code>-R</code>) to search directories for sensitive information such as passwords, API keys, private keys, cloud tokens, or repository and environment files. The rule aggregates events per host, user, and parent process within a one-minute window, triggering only when at least three distinct grep command lines match, thereby reducing false positives from occasional searches. This activity is a strong indicator of potential reconnaissance before credential theft or broader system compromise. The rule targets Linux and macOS systems and relies on process execution data.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains initial access to a Linux or macOS system, possibly via SSH or other remote access methods.</li>
<li>The attacker executes <code>grep</code> or <code>egrep</code> with recursive options (-r, --recursive, or -R) to search within directories.</li>
<li>The grep command includes patterns related to sensitive information, such as &quot;password,&quot; &quot;secret,&quot; &quot;token,&quot; &quot;api_key,&quot; &quot;.env,&quot; &quot;.git,&quot; or &quot;.aws.&quot;</li>
<li>The system processes multiple distinct grep commands within a short timeframe (one minute), all originating from the same host, user, and parent process.</li>
<li>The attacker identifies files containing sensitive information based on the grep output.</li>
<li>The attacker exfiltrates the discovered credentials or secrets for lateral movement or external use.</li>
<li>The attacker may use the compromised credentials to access sensitive data or systems.</li>
<li>The attacker achieves their objective, such as data theft or unauthorized access to critical resources.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation can lead to unauthorized access to sensitive data, including passwords, API keys, and other confidential information. This can result in data breaches, financial loss, and reputational damage. The scope of impact depends on the permissions associated with the compromised credentials and the sensitivity of the data exposed. Observed activity can indicate targeted attacks with a high probability of resulting in data exfiltration or system compromise.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Enable process monitoring with command-line argument logging on Linux and macOS systems to capture the necessary data for the rules below (logsource: process_creation).</li>
<li>Deploy the provided Sigma rules to detect suspicious recursive grep commands indicative of credential discovery (rules).</li>
<li>Investigate any alerts generated by the Sigma rules, focusing on the specific command-line arguments and parent processes involved. Review the &quot;Possible investigation steps&quot; in the original rule documentation (references).</li>
<li>Implement stricter file access controls to limit the exposure of sensitive files (references).</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>credential-access</category><category>discovery</category><category>linux</category><category>macos</category></item><item><title>Potential Data Exfiltration via Wget on Linux Systems</title><link>https://feed.craftedsignal.io/briefs/2024-01-09-wget-data-exfiltration/</link><pubDate>Tue, 09 Jan 2024 10:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-09-wget-data-exfiltration/</guid><description>This rule detects the use of wget on Linux systems to upload files to an external server, a tactic commonly used for data exfiltration.</description><content:encoded><![CDATA[<p>This detection identifies the abuse of <code>wget</code> on Linux systems to exfiltrate data to external servers. Attackers may collect sensitive files, compress them, and then use <code>wget</code> with options such as <code>--post-file</code>, <code>--post-data</code>, or <code>--body-file</code> to transmit the data via HTTP/HTTPS. This activity, while not inherently malicious, becomes suspicious when combined with access to sensitive files or when observed in non-interactive sessions (e.g., cron jobs). The rule focuses on detecting unusual <code>wget</code> command-line arguments indicative of data exfiltration. This helps defenders identify potentially compromised systems where data is being stolen.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Initial Access:</strong> Attacker gains access to the target Linux system through vulnerabilities, stolen credentials, or other means.</li>
<li><strong>Data Collection:</strong> Attacker identifies and collects sensitive files from various locations on the system, such as <code>/etc/passwd</code>, <code>/etc/shadow</code>, user SSH keys (<code>~/.ssh/*</code>), environment files (<code>*.env*</code>), and temporary directories (<code>/tmp/*</code>, <code>/var/tmp/*</code>).</li>
<li><strong>Staging:</strong> The collected files are often compressed into an archive (e.g., <code>loot.tar.gz</code>) and placed in a temporary directory, like <code>/tmp</code>.</li>
<li><strong>Command Construction:</strong> The attacker crafts a <code>wget</code> command to upload the staged data to a remote server. This command typically includes options like <code>--post-file</code>, <code>--post-data</code>, or <code>--body-file</code> to send the file content via HTTP POST.</li>
<li><strong>Exfiltration:</strong> The <code>wget</code> command is executed, sending the staged data to the attacker's command and control (C2) server.</li>
<li><strong>Cleanup (Optional):</strong> The attacker may attempt to delete the staged archive and any associated scripts to cover their tracks.</li>
<li><strong>Persistence (Optional):</strong> The attacker may schedule the exfiltration process via cron jobs or systemd timers to automate the data theft.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A successful attack can result in the exfiltration of sensitive data, including credentials, configuration files, source code, and customer data. The severity of the impact depends on the nature of the exfiltrated data. Compromised credentials can lead to further unauthorized access to internal systems. Leaked source code can expose vulnerabilities. Stolen customer data can result in financial losses and reputational damage.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule &quot;Potential Data Exfiltration Through Wget&quot; to your SIEM to detect suspicious <code>wget</code> commands (see <code>rules</code> section).</li>
<li>Enable process creation logging with command-line arguments on Linux systems to capture the full <code>wget</code> command lines (reference: <code>logsource</code>).</li>
<li>Investigate any alerts generated by the Sigma rule by examining the process tree, user context, and destination endpoint to determine legitimacy.</li>
<li>Implement network monitoring to detect unusual outbound HTTP/HTTPS traffic, especially POST requests to unfamiliar destinations.</li>
<li>Harden Linux systems by restricting the use of <code>wget</code> where it is not necessary and enforcing SELinux/AppArmor policies to limit its capabilities (reference: setup section).</li>
<li>Regularly review and audit cron jobs and systemd timers for suspicious entries that could be used for automated data exfiltration.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>exfiltration</category><category>wget</category><category>linux</category><category>data-theft</category></item><item><title>Linux Clipboard Activity Monitoring</title><link>https://feed.craftedsignal.io/briefs/2024-01-03-linux-clipboard-activity/</link><pubDate>Wed, 03 Jan 2024 18:30:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-03-linux-clipboard-activity/</guid><description>This brief provides detection strategies for monitoring clipboard activity on Linux systems, potentially identifying malicious data exfiltration or command execution attempts.</description><content:encoded><![CDATA[<p>This brief outlines detection methods for monitoring clipboard activity on Linux systems. While the provided source material lacks specific threat actor information or campaign details, monitoring clipboard interaction is essential. Attackers may leverage the clipboard to copy and paste sensitive data, such as credentials, API keys, or command sequences, for exfiltration or execution on compromised systems. The scope of this activity can vary, but defenders need to establish baseline clipboard usage patterns to identify anomalies that may indicate malicious intent.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Initial Access:</strong> An attacker gains access to a Linux system through methods like SSH brute-forcing or exploiting a vulnerability in a network service (e.g., web application, database).</li>
<li><strong>Privilege Escalation:</strong> Once inside, the attacker may attempt to elevate privileges using techniques like exploiting kernel vulnerabilities or misconfigured SUID/GUID binaries.</li>
<li><strong>Information Gathering:</strong> The attacker gathers information about the system, user accounts, and network configuration using tools like <code>uname</code>, <code>id</code>, <code>ifconfig</code>, and <code>netstat</code>.</li>
<li><strong>Clipboard Interaction (Copy):</strong> The attacker copies sensitive information from files, terminal output, or other applications to the clipboard using tools like <code>xclip</code>, <code>xsel</code>, or <code>wl-copy</code> (for Wayland). For example, <code>cat /etc/shadow | xclip -selection clipboard</code>.</li>
<li><strong>Clipboard Interaction (Paste):</strong> The attacker pastes the copied information into a different application, potentially for exfiltration to an external server or use in subsequent attack steps. For example, pasting credentials into an SSH client.</li>
<li><strong>Lateral Movement:</strong> The attacker uses the gathered credentials or session tokens to move laterally to other systems within the network.</li>
<li><strong>Data Exfiltration:</strong> The attacker exfiltrates sensitive data to an external server using tools like <code>scp</code>, <code>rsync</code>, or <code>curl</code> via the clipboard.</li>
<li><strong>Persistence:</strong> The attacker establishes persistence on the compromised system using techniques like creating cron jobs or modifying system startup scripts.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation could lead to sensitive data leakage, including credentials, API keys, and internal documents. This can enable unauthorized access to other systems, data breaches, and disruption of services. The number of affected systems and the extent of the damage will depend on the attacker's objectives and the security measures in place.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Monitor process creation events for the execution of clipboard utilities like <code>xclip</code>, <code>xsel</code>, or <code>wl-copy</code> to detect suspicious clipboard activity using the Sigma rules provided.</li>
<li>Enable audit logging on Linux systems to capture process execution events and command-line arguments, providing valuable context for investigating potential clipboard-related attacks.</li>
<li>Implement network monitoring to detect unusual outbound connections originating from systems where clipboard activity is detected, potentially indicating data exfiltration.</li>
<li>Deploy and tune the provided Sigma rules in your SIEM to detect and respond to malicious clipboard activity.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>linux</category><category>clipboard</category><category>data exfiltration</category><category>collection</category></item><item><title>Linux SSH Persistence via Backdoored System User</title><link>https://feed.craftedsignal.io/briefs/2024-01-backdoored-ssh-user/</link><pubDate>Wed, 03 Jan 2024 15:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-backdoored-ssh-user/</guid><description>Attackers can maintain unauthorized access to Linux systems by backdooring system user accounts with SSH keys, allowing persistent access even after password changes.</description><content:encoded><![CDATA[<p>Attackers targeting Linux systems may establish persistence by compromising existing system user accounts and adding unauthorized SSH keys. This method allows them to bypass standard authentication procedures and regain access to the system even after password resets. While the specific campaigns leveraging this technique are currently unclear, the risk is significant, as it grants persistent access and is difficult to detect without specific monitoring in place. The use of backdoored system users circumvents typical multi-factor authentication and account lockout policies, potentially granting long-term access to sensitive data and systems.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Initial Access: Attacker gains initial access through an unstated vector (e.g., exploiting a web application vulnerability, or using stolen credentials).</li>
<li>Privilege Escalation: The attacker escalates privileges to root or a privileged user, potentially using exploits (e.g., Dirty Pipe) or misconfigurations.</li>
<li>Account Discovery: The attacker identifies potential system user accounts to backdoor (e.g., accounts without passwords or with weak passwords).</li>
<li>SSH Key Generation: The attacker generates a new SSH key pair for persistent access using <code>ssh-keygen</code>.</li>
<li>Key Installation: The attacker modifies the authorized_keys file (usually located at <code>/home/[username]/.ssh/authorized_keys</code>) of the targeted user to include the attacker's public key.</li>
<li>Persistence Check: The attacker tests the SSH login using the newly added key to ensure successful access.</li>
<li>Cleanup (Optional): The attacker removes traces of the key generation or modification from logs and command history, though this is not always done thoroughly.</li>
<li>Lateral Movement/Data Exfiltration: With persistent access, the attacker moves laterally within the network, accesses sensitive data, and exfiltrates it.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Compromised system user accounts can grant attackers long-term, stealthy access to critical systems. This can lead to data breaches, system downtime, and reputational damage. The number of victims and targeted sectors are unknown, but any organization relying on Linux systems for critical infrastructure is potentially at risk. Successful exploitation can result in complete system compromise and data exfiltration, causing significant financial and operational losses.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule &quot;Detect SSH Key Added to Authorized Keys&quot; to identify suspicious modifications to <code>authorized_keys</code> files.</li>
<li>Monitor system logs for unusual SSH login activity, specifically logins using SSH keys instead of passwords (reference logsource: <code>linux</code> <code>auth.log</code>).</li>
<li>Regularly audit system user accounts for unauthorized SSH keys (using shell commands and scripts).</li>
<li>Enforce strong password policies and multi-factor authentication where possible to prevent initial compromise (related to initial access vector).</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>persistence</category><category>ssh</category><category>linux</category></item><item><title>Linux Shell History Clearing via Environment Variables</title><link>https://feed.craftedsignal.io/briefs/2024-01-linux-shell-history-clearing/</link><pubDate>Wed, 03 Jan 2024 14:30:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-linux-shell-history-clearing/</guid><description>Attackers may clear shell history on Linux systems to evade detection by manipulating environment variables related to shell history, such as HISTSIZE and HISTFILE, to prevent command logging.</description><content:encoded><![CDATA[<p>Attackers on Linux systems may attempt to clear shell history to hide their activities and evade detection. This is achieved by manipulating environment variables that control the shell's history logging behavior. By setting variables like <code>HISTSIZE</code> or <code>HISTFILESIZE</code> to <code>0</code>, <code>HISTCONTROL</code> to <code>ignorespace</code>, or redirecting <code>HISTFILE</code> to <code>/dev/null</code>, attackers can effectively disable or erase the command history, making it difficult for defenders to track their actions. This technique is often employed after gaining initial access to a system to mask subsequent malicious activities, such as privilege escalation, lateral movement, or data exfiltration. This activity can occur on any compromised Linux host, regardless of the specific distribution or kernel version. Detecting this behavior is crucial for identifying potentially compromised systems and uncovering attacker activity.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker gains initial access to a Linux system, potentially through SSH or other remote access methods.</li>
<li>Attacker identifies the current shell and its configuration.</li>
<li>Attacker sets <code>HISTSIZE</code> or <code>HISTFILESIZE</code> environment variables to <code>0</code> to prevent new history entries from being saved.</li>
<li>Attacker sets <code>HISTCONTROL</code> to <code>ignorespace</code> to prevent commands starting with a space from being saved.</li>
<li>Attacker redirects the <code>HISTFILE</code> environment variable to <code>/dev/null</code> to discard the history file.</li>
<li>Attacker executes commands related to enumeration, privilege escalation, or lateral movement.</li>
<li>The executed commands are not recorded in the shell history due to the manipulated environment variables.</li>
<li>Attacker attempts to remove traces of their presence and maintain stealth by avoiding logging their activities.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful clearing of shell history hinders forensic investigations and incident response efforts. By removing command history, attackers make it difficult to reconstruct their actions on the compromised system. This can lead to delayed detection, prolonged dwell time, and increased damage. The number of victims can vary depending on the scope of the attack, but any Linux system where an attacker gains shell access and clears the history is potentially affected. Sectors targeted may include any organization relying on Linux servers for critical infrastructure or data storage.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Enable Elastic Defend and configure the <code>linux.advanced.capture_env_vars</code> setting to capture <code>HISTSIZE</code>, <code>HISTFILESIZE</code>, <code>HISTCONTROL</code>, and <code>HISTFILE</code> to enable the detection rule to function properly.</li>
<li>Deploy the Sigma rule &quot;Linux Shell History Clearing via Environment Variables&quot; to your SIEM to detect this behavior, and tune it according to your environment.</li>
<li>Investigate any alerts generated by the detection rule &quot;Linux Shell History Clearing via Environment Variables&quot; to determine the scope and impact of the potential compromise.</li>
<li>Monitor for suspicious processes that modify shell environment variables related to history, using the provided Sigma rules as a starting point.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>defense-evasion</category><category>linux</category><category>shell-history</category></item><item><title>Suspicious SUID Binary Execution on Linux</title><link>https://feed.craftedsignal.io/briefs/2024-01-suspicious-suid-execution/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-suspicious-suid-execution/</guid><description>This rule detects the execution of privilege escalation helpers under the root effective user, when initiated by a non-root user with a suspicious parent process, indicating potential privilege escalation attempts.</description><content:encoded><![CDATA[<p>This detection rule identifies suspicious executions of common privilege elevation tools on Linux systems. It focuses on instances where binaries like <code>su</code>, <code>sudo</code>, <code>pkexec</code>, <code>passwd</code>, <code>chsh</code>, and <code>newgrp</code> are executed with root privileges but are initiated by a non-root user. The rule further refines its focus by analyzing the parent process context, specifically looking for interpreters (Python, Perl, Ruby, etc.), commands executed from user-writable directories (/tmp, /var/tmp, /dev/shm, /home, /run/user), or short shell command invocations. The detection is designed to uncover potential privilege escalation attempts that may be indicative of malicious activity. This is important because attackers frequently use SUID binaries to elevate privileges, and detecting unusual usage patterns can help identify compromised systems or insider threats.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>A non-privileged user gains initial access to the system, potentially through compromised credentials or exploiting a vulnerability.</li>
<li>The attacker navigates to a user-writable directory such as <code>/tmp</code> or <code>/home/&lt;user&gt;</code>.</li>
<li>The attacker crafts a malicious script or uses a one-liner command to invoke a SUID binary.</li>
<li>The SUID binary (e.g., <code>sudo</code>, <code>pkexec</code>, <code>su</code>) is executed with minimal arguments.</li>
<li>The system executes the command with root privileges due to the SUID bit being set on the binary.</li>
<li>The attacker leverages the elevated privileges to modify system files, install malicious software, or create new administrative accounts.</li>
<li>The attacker establishes persistence to maintain access to the compromised system.</li>
<li>The attacker achieves their final objective, which could include data exfiltration, system disruption, or further lateral movement within the network.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of SUID binaries can lead to full system compromise. An attacker can gain complete control over the affected Linux system, potentially leading to data breaches, service disruptions, and the installation of persistent malware. This can affect critical infrastructure and sensitive data, causing significant financial and reputational damage. The severity is amplified when multiple systems are compromised, allowing for lateral movement and further exploitation within the network.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Enable process creation logging and ensure that <code>process.user.id</code>, <code>process.real_user.id</code>, and <code>process.parent.user.id</code> are being captured to activate the rules below.</li>
<li>Deploy the &quot;Suspicious SUID Binary Execution&quot; Sigma rule to your SIEM and tune for your environment.</li>
<li>Review authentication and sudoers policies to identify and remediate any misconfigurations.</li>
<li>Investigate any alerts generated by the Sigma rules to determine the legitimacy of the SUID binary execution and the parent process context.</li>
<li>Implement file integrity monitoring on sensitive system binaries and directories, particularly those related to privilege escalation, to detect unauthorized modifications.</li>
<li>Restrict the use of SUID binaries where possible and enforce strict permissions on those that are necessary.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>privilege-escalation</category><category>suid</category><category>linux</category></item><item><title>Suspicious mkfifo Execution on Linux</title><link>https://feed.craftedsignal.io/briefs/2024-01-suspicious-mkfifo-execution/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-suspicious-mkfifo-execution/</guid><description>This brief covers the suspicious execution of commands following the use of 'mkfifo' on Linux systems, often indicating malicious activity such as establishing named pipes for command and control or data exfiltration.</description><content:encoded><![CDATA[<p>This threat brief addresses suspicious activities on Linux systems involving the <code>mkfifo</code> command. While <code>mkfifo</code> itself is a legitimate utility for creating named pipes, its use followed by command execution can indicate malicious intent. Attackers may use named pipes for inter-process communication, command and control (C2), or data exfiltration. This activity is often seen in post-exploitation scenarios. The use of <code>mkfifo</code> in conjunction with other commands such as <code>nc</code>, <code>bash</code>, or scripting languages like Python warrants close examination. The scope of this brief focuses on Linux-based systems and the detection of command sequences indicating potential abuse of <code>mkfifo</code>. Defenders should monitor for unusual process chains involving <code>mkfifo</code> and subsequent command executions.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker gains initial access to a Linux system through an exploit or compromised credentials.</li>
<li>The attacker uses <code>mkfifo /tmp/named_pipe</code> to create a named pipe in the /tmp directory.</li>
<li>The attacker uses netcat to listen on a port and write output to the named pipe: <code>nc -l -p 1337 &gt; /tmp/named_pipe</code>.</li>
<li>In a separate process, the attacker executes a command and redirects the output to the named pipe: <code>ls -la &gt; /tmp/named_pipe</code>.</li>
<li>The netcat process receives the output of the <code>ls -la</code> command and forwards it to the attacker's C2 server.</li>
<li>The attacker uses <code>rm /tmp/named_pipe</code> to remove the named pipe, cleaning up evidence.</li>
<li>The attacker may repeat steps 2-5 to execute further commands and exfiltrate data.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation can lead to unauthorized access, data exfiltration, and command execution on the compromised Linux system. The severity of the impact depends on the privileges of the compromised user and the sensitivity of the data accessible on the system. This technique can be used to establish covert communication channels for lateral movement and persistence within the network.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the provided Sigma rule to detect suspicious process executions involving <code>mkfifo</code> followed by network activity or command execution (see &quot;Suspicious Mkfifo Followed by Command Execution&quot; and &quot;Suspicious Mkfifo and Netcat Use&quot; rules).</li>
<li>Monitor process creation logs for the execution of <code>mkfifo</code> command, focusing on parent processes and subsequent child processes.</li>
<li>Investigate any instances of <code>mkfifo</code> usage where the created named pipe is used for network communication or data redirection.</li>
<li>Enable process monitoring with command line auditing to capture the full context of <code>mkfifo</code> executions and related commands.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>mkfifo</category><category>named_pipe</category><category>linux</category><category>command_execution</category><category>lateral_movement</category></item><item><title>Linux System Network Discovery via Multiple Utilities</title><link>https://feed.craftedsignal.io/briefs/2024-01-03-linux-network-discovery/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-03-linux-network-discovery/</guid><description>Adversaries may attempt to enumerate local network configurations on Linux systems using common utilities like arp, ifconfig, ip, netstat, firewall-cmd, ufw, iptables, ss, and route to gather information for reconnaissance and subsequent attacks, leading to network mapping and vulnerability identification.</description><content:encoded><![CDATA[<p>This detection focuses on identifying potential network reconnaissance activity on Linux systems. It monitors for the execution of multiple common network utilities within a short timeframe, specifically processes like &quot;arp,&quot; &quot;ifconfig,&quot; &quot;ip,&quot; &quot;netstat,&quot; &quot;firewall-cmd,&quot; &quot;ufw,&quot; &quot;iptables,&quot; &quot;ss,&quot; and &quot;route.&quot; This behavior, when observed in rapid succession, is indicative of an attacker attempting to map the network, identify potential targets, and gather information for lateral movement or further exploitation. This type of activity is a common precursor to more significant attacks such as data exfiltration or ransomware deployment. The detection leverages process monitoring logs and aggregates process execution events within a 30-minute window.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Initial Access: An attacker gains initial access to a Linux system, potentially through exploiting a vulnerability or using stolen credentials.</li>
<li>Privilege Escalation (Optional): If necessary, the attacker escalates privileges to gain root or administrator access.</li>
<li>Network Enumeration: The attacker executes a series of network enumeration commands using utilities like <code>ip addr</code>, <code>ifconfig</code>, and <code>netstat</code> to discover network interfaces, IP addresses, and routing information.</li>
<li>Firewall Discovery: The attacker uses <code>firewall-cmd</code>, <code>iptables</code>, or <code>ufw</code> to identify firewall rules and configurations, potentially seeking weaknesses or misconfigurations.</li>
<li>ARP Table Examination: The attacker uses the <code>arp</code> command to map IP addresses to MAC addresses on the local network segment.</li>
<li>Port Scanning (Optional): The attacker may use <code>ss</code> or <code>netstat</code> to identify open ports and services running on the local machine or other systems on the network.</li>
<li>Route Table Examination: The attacker uses the <code>route</code> command to understand network routing configurations and identify potential paths for lateral movement.</li>
<li>Lateral Movement/Further Exploitation: Using the gathered network information, the attacker plans and executes further exploitation, lateral movement, or data exfiltration.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful network discovery allows attackers to map the network, identify vulnerable systems, and plan further attacks. This can lead to data breaches, system compromise, and disruption of services. While this detection itself does not indicate a breach, it is a strong indicator of reconnaissance activity preceding a more significant attack. Compromised systems could be leveraged for lateral movement, data exfiltration, or deployment of ransomware, impacting potentially hundreds or thousands of systems, depending on the size of the network.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule <code>Detect Multiple Network Discovery Tools</code> to your SIEM and tune it for your environment.</li>
<li>Enable Sysmon for Linux Event ID 1 or equivalent process execution logging to provide the data source for the Sigma rule.</li>
<li>Investigate any alerts generated by the Sigma rule, focusing on the user accounts and processes involved in the network discovery activity.</li>
<li>Review firewall configurations and network segmentation policies to limit the potential impact of lateral movement.</li>
<li>Implement the provided RBA (Risk Based Alerting) configuration in your Splunk environment to prioritize and score incidents based on the involved assets and users.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>network-discovery</category><category>linux</category><category>reconnaissance</category></item><item><title>Linux Privilege Escalation via LD_PRELOAD Shared Object Modification</title><link>https://feed.craftedsignal.io/briefs/2024-01-ld-preload-privilege-escalation/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-ld-preload-privilege-escalation/</guid><description>Attackers can exploit the LD_PRELOAD environment variable on Linux systems to inject malicious shared objects into privileged processes, leading to arbitrary code execution and privilege escalation.</description><content:encoded><![CDATA[<p>The LD_PRELOAD environment variable in Linux allows users to specify shared libraries that should be loaded before others when a program is executed. This functionality, while legitimate, can be abused by attackers to inject malicious code into processes, including those running with elevated privileges (e.g., setuid binaries). By crafting a malicious shared object and setting LD_PRELOAD to point to it, an attacker can hijack the execution flow of a vulnerable program. This technique is effective because the preloaded library's code will be executed before the main program's code. This can lead to complete system compromise if the hijacked process runs as root.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker identifies a setuid binary vulnerable to LD_PRELOAD exploitation.</li>
<li>The attacker creates a malicious shared object (e.g., <code>evil.so</code>) containing code to escalate privileges, such as creating a new setuid root shell.</li>
<li>The attacker sets the <code>LD_PRELOAD</code> environment variable to the path of the malicious shared object: <code>export LD_PRELOAD=/tmp/evil.so</code>.</li>
<li>The attacker executes the vulnerable setuid binary.</li>
<li>The dynamic linker (<code>ld-linux.so</code>) loads the malicious shared object specified by <code>LD_PRELOAD</code> into the process's memory space before the intended libraries.</li>
<li>The malicious shared object's constructor function (e.g., <code>_init()</code>) is executed, which performs actions like creating a new setuid root shell or modifying system files.</li>
<li>The original setuid binary continues execution (if the attacker hasn't completely taken over).</li>
<li>The attacker uses the newly created setuid root shell or modified system to gain complete control over the system.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation via LD_PRELOAD allows an attacker to gain root privileges on the affected Linux system. This allows them to read sensitive data, install malware, modify system configurations, and potentially use the compromised system as a staging point for lateral movement within a network. The scope of the impact depends on the attacker's objectives, but privilege escalation always leads to a severe breach of system security.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Monitor for the execution of setuid/setgid binaries with <code>LD_PRELOAD</code> set (see Sigma rule &quot;Detect LD_PRELOAD Usage with setuid/setgid&quot;).</li>
<li>Implement file integrity monitoring for system binaries and libraries to detect unauthorized modifications (implement using file_event logs).</li>
<li>Restrict the use of <code>LD_PRELOAD</code> where possible, especially for privileged processes.</li>
<li>Audit setuid/setgid binaries for vulnerabilities that could be exploited via <code>LD_PRELOAD</code>.</li>
<li>Deploy the Sigma rule &quot;Detect Suspicious Shared Object Loading via LD_PRELOAD&quot; to identify potential malicious library injections.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>privilege-escalation</category><category>ld_preload</category><category>linux</category></item><item><title>Potential Data Exfiltration Through Curl</title><link>https://feed.craftedsignal.io/briefs/2024-01-potential-curl-data-exfiltration/</link><pubDate>Tue, 02 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-potential-curl-data-exfiltration/</guid><description>This rule detects potential data exfiltration attempts on Linux systems using the curl command-line tool to upload files to external servers, potentially indicating unauthorized data transfer.</description><content:encoded><![CDATA[<p>The rule &quot;Potential Data Exfiltration Through Curl&quot; detects the use of the <code>curl</code> command-line tool on Linux systems to upload files to external servers. Threat actors often use tools like <code>curl</code> to exfiltrate collected data to their command and control (C2) server. While <code>curl</code> has legitimate uses, its use for uploading data to external servers is considered abnormal and suspicious. This activity is monitored by analyzing process execution events for specific command-line arguments and patterns associated with data uploads. The rule focuses on Linux systems and triggers on <code>curl</code> commands using arguments such as <code>-T</code>, <code>--upload-file</code>, <code>-F</code>, <code>-d</code>, or <code>--data*</code> when used in conjunction with file uploads to external network destinations. The rule was last updated on March 13, 2026 and leverages data from Elastic Defend, Crowdstrike, and SentinelOne.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker gains initial access to the Linux system (e.g., via SSH or exploiting a vulnerability).</li>
<li>The attacker collects sensitive data from the compromised system (e.g., configuration files, databases, logs).</li>
<li>The attacker compresses the collected data into an archive (e.g., using <code>tar</code>, <code>gzip</code>, or <code>zip</code>).</li>
<li>The attacker uses the <code>curl</code> command to upload the compressed archive to an external server. The command includes arguments such as <code>-T</code> or <code>--upload-file</code> to specify the file to upload.</li>
<li>The <code>curl</code> command establishes a network connection to the attacker's C2 server or a controlled exfiltration point.</li>
<li>The compressed data is transmitted over HTTP, HTTPS, FTP, or FTPS protocols to the external server.</li>
<li>The attacker receives the exfiltrated data on the external server.</li>
<li>The attacker may attempt to remove traces of the exfiltration activity from the compromised system (e.g., deleting temporary files, clearing logs).</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation can lead to the exfiltration of sensitive data, including confidential documents, credentials, or proprietary information. The severity depends on the type and volume of data compromised. Data exfiltration can lead to financial losses, reputational damage, legal repercussions, and loss of competitive advantage. This detection is crucial for organizations that need to protect sensitive data residing on Linux systems, and prevent unauthorized access. The rule is designed to detect suspicious <code>curl</code> usage that deviates from normal system behavior.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule <code>Potential Data Exfiltration Through Curl</code> to your SIEM and tune for your environment.</li>
<li>Investigate any alerts generated by the Sigma rule by examining the process command line, parent process, and network logs.</li>
<li>Enable Elastic Defend integration as documented in the rule <code>Setup</code> section to provide the necessary data source.</li>
<li>Review and update firewall and network security rules to block unauthorized outbound traffic, especially to suspicious or unknown external servers as mentioned in the rule's <code>Response and remediation</code> section.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>data-exfiltration</category><category>curl</category><category>linux</category></item><item><title>Linux Credential Access via Sensitive File Monitoring</title><link>https://feed.craftedsignal.io/briefs/2024-01-linux-credential-access/</link><pubDate>Tue, 02 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-linux-credential-access/</guid><description>This rule detects potential credential access attempts on Linux systems by monitoring access to sensitive files commonly containing credentials or configuration information.</description><content:encoded><![CDATA[<p>This detection rule, sourced from Elastic's detection-rules repository on GitHub, focuses on identifying credential access attempts on Linux systems. The rule monitors access to a variety of sensitive files that commonly store credentials, configuration details, or other sensitive information that could be leveraged by attackers. While the specific attacker or campaign is not detailed in the provided source, the technique is commonly associated with post-exploitation activity where adversaries attempt to escalate privileges or move laterally within a compromised environment. The rule aims to provide defenders with visibility into unauthorized access to these critical files, allowing for rapid response and mitigation.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Initial Access: An attacker gains initial access to a Linux system through an exploit, vulnerability, or compromised credentials.</li>
<li>Privilege Escalation (Optional): If the initial access is with limited privileges, the attacker may attempt to escalate privileges using kernel exploits, misconfigurations, or other techniques.</li>
<li>Discovery: The attacker performs reconnaissance to identify sensitive files containing credentials or configuration information. This might involve using commands like <code>find</code>, <code>locate</code>, or <code>grep</code>.</li>
<li>Credential Access: The attacker accesses sensitive files such as <code>/etc/passwd</code>, <code>/etc/shadow</code>, <code>/etc/sudoers</code>, <code>/var/log/auth.log</code>, configuration files in <code>/etc</code> related to specific services (e.g., <code>/etc/nginx/nginx.conf</code>, <code>/etc/apache2/apache2.conf</code>), <code>.bash_history</code>, <code>.ssh/id_rsa</code>, and similar files.</li>
<li>Credential Harvesting: The attacker parses the accessed files for usernames, passwords, API keys, or other valuable credentials. Tools like <code>grep</code>, <code>awk</code>, or custom scripts may be used.</li>
<li>Lateral Movement: Using the harvested credentials, the attacker attempts to move laterally to other systems within the network.</li>
<li>Data Exfiltration (Optional): The attacker may exfiltrate the harvested credentials and other sensitive data to an external location.</li>
<li>Persistence (Optional): The attacker may establish persistence using the compromised credentials or by modifying system configuration files.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful credential access can lead to a wide range of negative consequences, including unauthorized access to sensitive data, system compromise, lateral movement within the network, and data exfiltration. Depending on the compromised system and the accessed credentials, the impact could range from minor data breaches to complete network compromise. This type of attack can affect any organization using Linux systems, with the severity depending on the sensitivity of the data stored on the compromised systems.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rules provided to your SIEM and tune them based on your environment to detect suspicious file access patterns.</li>
<li>Implement file integrity monitoring (FIM) on sensitive files to detect unauthorized modifications.</li>
<li>Enable and review audit logging on Linux systems to capture detailed information about file access events.</li>
<li>Regularly review and update user permissions to minimize the risk of unauthorized access.</li>
<li>Implement multi-factor authentication (MFA) to mitigate the impact of compromised credentials.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>credential_access</category><category>linux</category><category>file_monitoring</category></item></channel></rss>