Attack Chain

1. Attacker gains initial access to a Linux server, potentially through exploiting a vulnerability or using compromised credentials.
2. Attacker executes a malicious script or binary on the server.
3. The malicious process is assigned a cgroup by the system, depending on whether it’s managed by systemd, Docker, or Kubernetes.
4. If the process is a systemd service, it will be associated with a cgroup under /system.slice/, which reveals the service name.
5. If the process is running within a Docker container, it will be assigned a cgroup under /docker/$CONTAINER_ID, allowing for grouping of all container processes.
6. In a Kubernetes environment, the cgroup path will include the pod ID and Quality-of-Service class, such as /kubepods/$CLASS/pod$POD_ID/$CONTAINER_ID (cgroupfs driver) or /kubepods.slice/kubepods-$CLASS.slice/$POD_ID.slice/$CONTAINER_ID (systemd driver).
7. The attacker attempts lateral movement or persistence, spawning additional processes that inherit the same cgroup, which can be used to correlate attacker activity.
8. The attacker achieves their objective, such as deploying a coinminer or exfiltrating sensitive data, leaving behind processes that can be identified and grouped via their cgroup assignment.

Impact

Compromised Linux servers can lead to data breaches, service disruptions, and resource hijacking. If an attacker successfully establishes persistence, they can maintain unauthorized access for extended periods. The presence of coinminers can degrade system performance and increase energy consumption. Understanding the cgroup assignments of malicious processes can aid in identifying the scope of the compromise, the attacker’s objectives, and the affected systems.

Recommendation

• Monitor process creation events and collect the associated cgroup path to establish baselines of normal system behavior, especially within containerized environments.
• Deploy the provided Sigma rule to detect unexpected processes running within Docker containers based on the cgroup path.
• Use the provided Sigma rule to detect processes running under user-level systemd services, correlating with user login sessions to identify anomalous behavior.
• Investigate processes with unusual cgroup assignments, particularly those lacking expected container or systemd associations.
• Correlate cgroup information with other telemetry, such as network connections and file modifications, to gain a more comprehensive understanding of attacker activity.
• Utilize the systemd-cgls command on Linux systems to list all active cgroups and their associated processes for manual investigation and validation of detection rules.