<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Command_execution - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/command_execution/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/command_execution/feed.xml" rel="self" type="application/rss+xml"/><item><title>Suspicious mkfifo Execution on Linux</title><link>https://feed.craftedsignal.io/briefs/2024-01-suspicious-mkfifo-execution/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-suspicious-mkfifo-execution/</guid><description>This brief covers the suspicious execution of commands following the use of 'mkfifo' on Linux systems, often indicating malicious activity such as establishing named pipes for command and control or data exfiltration.</description><content:encoded><![CDATA[<p>This threat brief addresses suspicious activities on Linux systems involving the <code>mkfifo</code> command. While <code>mkfifo</code> itself is a legitimate utility for creating named pipes, its use followed by command execution can indicate malicious intent. Attackers may use named pipes for inter-process communication, command and control (C2), or data exfiltration. This activity is often seen in post-exploitation scenarios. The use of <code>mkfifo</code> in conjunction with other commands such as <code>nc</code>, <code>bash</code>, or scripting languages like Python warrants close examination. The scope of this brief focuses on Linux-based systems and the detection of command sequences indicating potential abuse of <code>mkfifo</code>. Defenders should monitor for unusual process chains involving <code>mkfifo</code> and subsequent command executions.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker gains initial access to a Linux system through an exploit or compromised credentials.</li>
<li>The attacker uses <code>mkfifo /tmp/named_pipe</code> to create a named pipe in the /tmp directory.</li>
<li>The attacker uses netcat to listen on a port and write output to the named pipe: <code>nc -l -p 1337 &gt; /tmp/named_pipe</code>.</li>
<li>In a separate process, the attacker executes a command and redirects the output to the named pipe: <code>ls -la &gt; /tmp/named_pipe</code>.</li>
<li>The netcat process receives the output of the <code>ls -la</code> command and forwards it to the attacker's C2 server.</li>
<li>The attacker uses <code>rm /tmp/named_pipe</code> to remove the named pipe, cleaning up evidence.</li>
<li>The attacker may repeat steps 2-5 to execute further commands and exfiltrate data.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation can lead to unauthorized access, data exfiltration, and command execution on the compromised Linux system. The severity of the impact depends on the privileges of the compromised user and the sensitivity of the data accessible on the system. This technique can be used to establish covert communication channels for lateral movement and persistence within the network.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the provided Sigma rule to detect suspicious process executions involving <code>mkfifo</code> followed by network activity or command execution (see &quot;Suspicious Mkfifo Followed by Command Execution&quot; and &quot;Suspicious Mkfifo and Netcat Use&quot; rules).</li>
<li>Monitor process creation logs for the execution of <code>mkfifo</code> command, focusing on parent processes and subsequent child processes.</li>
<li>Investigate any instances of <code>mkfifo</code> usage where the created named pipe is used for network communication or data redirection.</li>
<li>Enable process monitoring with command line auditing to capture the full context of <code>mkfifo</code> executions and related commands.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>mkfifo</category><category>named_pipe</category><category>linux</category><category>command_execution</category><category>lateral_movement</category></item></channel></rss>