Auditd, Linux’s access monitoring and accounting subsystem, will be used by several Linux rules. In comparison to Windows, Linux is statistically less targeted by malicious attackers. However, we must continue to keep an eye on these systems for security threats. Here we will be going through a few techniques to use a SIEM to monitor for malicious Linux behavior.
TECHNIQUE 1: FILE OR FOLDER PERMISSIONS CHANGE
Changes in file or folder permissions could indicate that an attacker is attempting to get access to files or folders on a network. This query will require the addition of whitelists for valid users who are authorized to change these rights.
Log Source = Linux
Service = auditd
Type of auditd = EXECVE
Detection method:
Create a rule based on the query that matches any of “chmod or chown”
Also Read: Linux Audit Logs cheatsheet – Detect & Respond Faster
TECHNIQUE 2: POTENTIALLY MALICIOUS SSHD ERRORS
Examine SSH / SHHD error messages for indications of exploit attempts.
Log Source = Linux
Service = sshd
Detection method:
Create a SIEM rule by parsing out and indexing the field where the below value appears within the sshd log.
” ‘unexpected internal error‘, ‘unknown or unsupported key type‘, ‘invalid certificate signing key‘, ‘invalid elliptic curve value‘,’ incorrect signature‘, ‘error in libcrypto‘, ‘unexpected bytes remain after decoding‘, ‘fatal: buffer_get_string: bad string‘, ‘Local: crc32 compensation attack‘, ‘bad client public DH value‘, ‘Corrupted MAC on input‘ ”
TECHNIQUE 3: POTENTIALLY MALICIOUS VSFTPD ERRORS
Errors in VSFTPD could be malicious, indicating that an exploit is being attempted.
Log Source = Linux
Service = vsftpd
Detection method:
Create a SIEM rule which matches any of the below:
” ‘Connection refused: too many sessions for this address.’, ‘Connection refused: tcp_wrappers denial.’, ‘Bad HTTP verb.’, ‘port and pasv both active’, ‘pasv and port both active’, ‘Transfer did (but failed to open directory).’, ‘Could not set file modification time.’, ‘bug: PID active in ptrace_sandbox_free’, ‘PTRACE_SETOPTIONS failure’, ‘weird status:’, “couldn’t handle sandbox event”, ‘syscall * out of bounds’, ‘syscall not permitted:’, ‘syscall validate failed:’, ‘Input line too long.’, ‘poor buffer accounting in str_netfd_alloc’, ‘vsf_sysutil_read_loop’ “
Also Read: Latest IOCs – Threat Actor URLs , IP’s & Malware Hashes
TECHNIQUE 4: FAILED LOGINS ON A SINGLE SOURCE WITH MANY USERS
This might indicate a brute-force effort by an attacker using many accounts.
Log Source = Linux
Service = Auth Pam
Message = Authentication Failure Detection method:
Detection method:
Create a rule based on the failure of several accounts to log into the same source within a specific amount of time. Within 10 minutes, keep a threshold of 20 accounts. Exclusions will need to be added for regularly used Terminal Servers, Jump Servers, and Work Stations. Depending on your environment, you may need to raise the threshold.
TECHNIQUE 5: OVERWRITING FILES WITH DEV 0 OR NULL
Many threat actors will try and hide their actions once they have carried out attacks. They may potentially remove files, resulting in a variety of problems. This method can be used to detect it.
Log Source = Linux
Service = auditd
Type of auditd = EXECVE
Detection method:
Create a rule which matches the query: ‘dd’ THEN Query matches = ‘if=/dev/null’ OR ‘if=/dev/zero’
TECHNIQUE 6: BUFFER OVERFLOW ATTEMPTS
During attacks, attackers may attempt buffer overflows. This rule checks for four common indicators.
Log Source = Unix
Detection method:
Create a SIEM rule which matches any of the following:
” ‘attempt to execute code on stack by’, ‘FTP LOGIN FROM .* 0bin0sh’, ‘rpc.statd[\d+]: gethostbyname error for’, ‘AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA’ “
TECHNIQUE 7: REMOVE IMMUTABLE FILE ATTRIBUTE
Hackers may also try to modify immutable files on a Linux system. Immutable files are created with the intention of not being erased, however, this can be changed. The rule that follows looks for this to happen.
Log Source = Linux
Service = auditd
Type of auditd = EXECVE
Detection method:
Create a SIEM rule where the query matches ‘chattr’ THEN ‘-i’
TECHNIQUE 8: SYSTEMD SERVICE RELOADED OR STARTED
This rule looks at when a service starts or reloads. For legitimate services, whitelists will need to be established.
Log Source = Linux
Service = auditd
Type of auditd = EXECVE
Detection method:
Create a SIEM rule based on the query matches “systemctl” THEN query matches “daemon-reload OR start”
Also Read: Latest Ransomware CVEs – Vulnerabilities Abused by Ransomware Actors
TECHNIQUE 9: CLEARING COMMAND HISTORY
After completing an attack on a Linux system, attackers will attempt to delete the command history. We may look at the commands that were used to do this.
Log Source = Linux
Detection method:
Create a rule based on query matches any of the following:
“rm *bash_history, echo “” > *bash_history, cat /dev/null > *bash_history, ln -sf /dev/null *bash_history, truncate -s0 *bash_history, export HISTFILESIZE=0, history -c, history -w, shred *bash_history”
Conclusion:
The above rules can be implemented if your environment has linux servers/machines and Auditd log is enabled.