https://feed.craftedsignal.io/products/splunk-add-on-for-unix-and-linux/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioWed, 03 Jan 2024 12:00:00 +0000https://feed.craftedsignal.io/briefs/2024-01-linux-auditd-daemon-abort/Wed, 03 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-linux-auditd-daemon-abort/Detection of abnormal Linux audit daemon (auditd) termination via DAEMON_ABORT events, indicating potential auditing subsystem failure due to resource exhaustion, corruption, or malicious interference.This detection identifies abnormal terminations of the Linux audit daemon (auditd) by monitoring for DAEMON_ABORT events within audit logs. Such terminations suggest a critical failure in the auditing subsystem, potentially stemming from resource exhaustion, data corruption, or malicious actions aimed at disrupting the logging process. Unlike a graceful shutdown, a DAEMON_ABORT event implies that audit logging may have been disabled unexpectedly, compromising system observability and security monitoring. Defenders should prioritize investigating these events, correlating them with DAEMON_START, DAEMON_END, and overall system logs to pinpoint the root cause. Recurring aborts or the absence of a subsequent DAEMON_START signal indicate a high-severity issue requiring immediate attention to ensure continued log integrity and security posture.

Attack Chain

1. Attacker gains initial access to the system (e.g., through exploiting a vulnerability or using stolen credentials).
2. Attacker escalates privileges to a level where they can interact with system services.
3. Attacker attempts to corrupt auditd’s configuration or data files, causing it to fail.
4. The auditd daemon encounters an unrecoverable error and generates a DAEMON_ABORT event in the audit logs.
5. The system administrator may not immediately notice the auditd failure, leaving a gap in security monitoring.
6. Attacker performs malicious activities without being properly logged by auditd.
7. Attacker attempts to remove evidence of the auditd failure from system logs.
8. The attacker achieves their objective, such as data theft or system compromise, with reduced risk of detection.

Impact

A successful attack leading to auditd daemon aborts can severely compromise an organization’s security monitoring capabilities. With audit logging disabled or unreliable, malicious activities can go undetected, leading to data breaches, system compromise, and other security incidents. The absence of reliable audit logs can also hinder incident response efforts and forensic investigations, making it difficult to determine the scope and impact of an attack. Organizations in regulated industries may also face compliance issues due to the lack of complete audit trails.

Recommendation

• Enable Linux auditd logging to capture DAEMON_ABORT events (see data_source in search definition).
• Deploy the provided Sigma rule to your SIEM to detect DAEMON_ABORT events and tune the rule based on your environment.
• Investigate any detected DAEMON_ABORT events by correlating them with DAEMON_START, DAEMON_END, and system logs to determine the root cause.
• Monitor the time between DAEMON_ABORT and DAEMON_START events to identify potential issues requiring further investigation.
• Use Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833) to ensure proper parsing and categorization of auditd data.

]]>mediumadvisoryauditdlinuxanomalyendpointhttps://feed.craftedsignal.io/briefs/2024-01-linux-firewall-modification/Wed, 03 Jan 2024 10:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-linux-firewall-modification/The analytic detects suspicious disabling or modification of the system firewall on Linux systems, which can indicate unauthorized access or attempts to maintain control over a system by disabling host protections.This detection identifies attempts to disable or modify system firewalls on Linux systems, a common tactic used by attackers to weaken defenses and maintain unauthorized access. The detection focuses on monitoring auditd logs for SERVICE_STOP events targeting firewalld and ufw, two popular Linux firewall management tools. Successful exploitation can lead to a compromised system, unauthorized access to sensitive data, or a wider breach affecting the entire network. The rule is based on research from Splunk and is intended to identify living-off-the-land techniques used for privilege escalation and persistence within a compromised Linux environment. The affected product is the Splunk platform using the Splunk Add-on for Unix and Linux.

Attack Chain

1. Attacker gains initial access to a Linux system (e.g., via compromised credentials or vulnerability exploitation).
2. Attacker attempts to disable the firewalld service using a command-line utility such as systemctl stop firewalld.
3. The auditd daemon logs the SERVICE_STOP event with unit=firewalld.
4. Alternatively, the attacker attempts to disable the ufw service using ufw disable.
5. The auditd daemon logs the SERVICE_STOP event with unit=ufw.
6. The attacker modifies firewall rules to allow unauthorized access, potentially using iptables or nftables directly.
7. These rule modifications further weaken the host defenses.
8. The attacker establishes persistence and maintains unauthorized access to the system, potentially escalating privileges and exfiltrating sensitive data.

Impact

Compromising the system firewall allows attackers to bypass network segmentation and access other systems. A successful attack can result in complete system compromise, data theft, and further lateral movement within the network. Systems that are critical to business operations, such as database servers or application servers, could be severely impacted. This could lead to significant financial losses, reputational damage, and regulatory fines.

Recommendation

• Ensure auditd is properly configured and ingesting events related to service management on Linux endpoints.
• Install and configure the Splunk Add-on for Unix and Linux to properly parse auditd logs as described in the “How to Implement” section.
• Deploy the Sigma rule “Linux Auditd Disable Or Modify System Firewall” to your SIEM and tune based on the filter macros for your environment.
• Investigate any alerts generated by the Sigma rule to determine the legitimacy of the service stop events.
• Review and harden Linux firewall configurations across the environment to prevent unauthorized modifications.

]]>highadvisorydefense-evasionpersistenceprivilege-escalationfirewallhttps://feed.craftedsignal.io/briefs/2024-01-02-linux-auditd-daemon-start/Tue, 02 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-02-linux-auditd-daemon-start/Detection of Linux audit daemon (auditd) re-initialization events, which can indicate attempts to re-enable audit logging after evasion or restarts with modified rule sets.This analytic detects the (re)initialization of the Linux audit daemon (auditd) by identifying log entries of type DAEMON_START. This event indicates that the audit subsystem has resumed logging after being stopped or has started during system boot. While DAEMON_START may be expected during reboots or legitimate configuration changes, it can also signal attempts to re-enable audit logging after evasion, or restarts with modified or reduced rule sets. Monitoring this event in correlation with DAEMON_END, DAEMON_ABORT, and auditctl activity provides visibility into the continuity and integrity of audit logs. Frequent or unexplained DAEMON_START events should be investigated, especially if they are not accompanied by valid administrative or system activity. This detection is relevant for environments utilizing auditd for security monitoring and compliance.

Attack Chain

1. An attacker gains initial access to a Linux system.
2. The attacker identifies that auditd is enabled and logging events.
3. The attacker attempts to disable auditd to evade detection, possibly using auditctl -s disable or similar commands.
4. After performing malicious actions, the attacker may attempt to re-enable auditd, potentially with a modified configuration to avoid logging their activities, triggering a DAEMON_START event.
5. The attacker modifies the audit rules to exclude specific users, processes, or file paths from being logged.
6. The attacker restarts the auditd service using systemctl restart auditd or a similar command, generating a DAEMON_START event.
7. The system resumes logging with the modified audit rules, potentially missing critical security events.

Impact

A successful attack can lead to a compromised Linux host where malicious activities are not properly logged, hindering incident response and forensic investigations. Attackers could manipulate audit logs by stopping and restarting the service with altered configurations, reducing the effectiveness of security monitoring. The impact includes a loss of visibility into attacker actions, potentially leading to prolonged compromise and data breaches.

Recommendation

• Deploy the Sigma rule Linux Auditd Daemon Start to your SIEM and tune for your environment to detect unexpected auditd restarts.
• Correlate DAEMON_START events with DAEMON_END and DAEMON_ABORT events to identify anomalies in auditd service management.
• Monitor auditctl activity for unauthorized modifications to audit rules.
• Investigate frequent or unexplained DAEMON_START events, especially those not accompanied by valid administrative or system activity, as highlighted in the overview.
• Ensure proper ingestion and normalization of auditd logs using the Splunk Add-on for Unix and Linux, as mentioned in the “How to Implement” section.

]]>mediumadvisorylinuxauditdanomaly