Linux Persistence and Privilege Escalation: Threat Research January 2022 Release
In this January 2022 release, the Splunk Threat Research Team (STRT) focused on the recently released Sysmon for Linux add-on for Splunk. This new add-on opens the door to new ways of monitoring Linux systems, building detections for them, and defending them against threats. Linux is the most commonly used operating system across the world, running approximately 67% of the internet. Approaching Linux exploitation from the detection side gives blue teamers new opportunities to enhance their defensive capabilities.
This January release contains 32 new detections distributed in 2 Analytics Stories: Linux Privilege Escalation and Linux Persistence Techniques.
Focusing on Linux Privilege Escalation & Linux Persistence Techniques
Analytic stories are security use cases supported by our threat research team’s pre-built detections and responses. The following analytic stories focus on monitoring and investigating activity related to Linux privilege escalation. Privilege escalation is a necessary post-exploitation step for attackers to entrench themselves on the targeted host. The monitored items include unusual processes running on endpoints, scheduled tasks, services, setuid binaries, execution as root, and more.
It is also important for attackers to maintain access to compromised systems and that’s where persistence techniques come into play. We also crafted several detections to address those post-exploitation vectors.
Detections Used in the Linux Privilege Escalation & Linux Persistence Techniques Analytics Stories
Linux Privilege Escalation & Linux Persistence Techniques
This analytic looks for suspicious file creation in the /etc/profile.d directory, which is used to automatically execute scripts by the shell when a Linux machine boots up or a user logs in.
This analytic looks for a command line that changes a file owner to root using the chown utility.
This analytic looks for creation of the sudoers.tmp file, which is caused by editing /etc/sudoers with visudo or an editor on the Linux platform.
This analytic looks for a suspicious command line that adds an entry to /etc/sudoers by using the visudo utility on the Linux platform.
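The four analytics above, reduced to an added Python example (not Splunk's own SPL or code): it runs the same checks over constructed events in a simplified Sysmon for Linux shape, where EventID 1 is ProcessCreate and EventID 11 is FileCreate. The field names follow Sysmon's; the paths and command lines are made up for this example.

```python
import shlex

# Constructed sample events (not real telemetry), simplified to the fields the checks use.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": "/usr/bin/bash", "TargetFilename": "/etc/profile.d/zz-update.sh"},
    {"EventID": 1, "Image": "/usr/bin/chown", "CommandLine": "chown root:root /tmp/helper"},
    {"EventID": 11, "Image": "/usr/sbin/visudo", "TargetFilename": "/etc/sudoers.tmp"},
    {"EventID": 1, "Image": "/usr/sbin/visudo", "CommandLine": "visudo -f /etc/sudoers"},
    {"EventID": 1, "Image": "/usr/bin/chown", "CommandLine": "chown alice:alice /home/alice/notes"},
    {"EventID": 11, "Image": "/usr/bin/apt", "TargetFilename": "/var/lib/dpkg/status"},
]

def profile_d_file_creation(e):
    # FileCreate under /etc/profile.d: the shell sources these files at login.
    return e["EventID"] == 11 and e["TargetFilename"].startswith("/etc/profile.d/")

def chown_to_root(e):
    # ProcessCreate of chown whose owner spec (first non-option argument) is root
    # or root:<group>; option flags such as -R are skipped.
    if e["EventID"] != 1 or not e["Image"].endswith("/chown"):
        return False
    argv = shlex.split(e["CommandLine"])
    owners = [a for a in argv[1:] if not a.startswith("-")]
    return bool(owners) and owners[0].split(":")[0] == "root"

def sudoers_tmp_creation(e):
    # visudo (or an editor) writes /etc/sudoers.tmp before replacing /etc/sudoers.
    return e["EventID"] == 11 and e["TargetFilename"] == "/etc/sudoers.tmp"

def visudo_sudoers_edit(e):
    # Any ProcessCreate of visudo is worth reviewing: it exists only to edit sudoers.
    return e["EventID"] == 1 and e["Image"].endswith("/visudo")

DETECTIONS = {
    "profile.d file creation": profile_d_file_creation,
    "chown to root": chown_to_root,
    "sudoers.tmp creation": sudoers_tmp_creation,
    "visudo sudoers edit": visudo_sudoers_edit,
}

def run_detections(events):
    """Return (detection name, event) pairs for every event that trips a check."""
    hits = []
    for e in events:
        for name, check in DETECTIONS.items():
            if check(e):
                hits.append((name, e))
    return hits

if __name__ == "__main__":
    for name, e in run_detections(SAMPLE_EVENTS):
        print(f"{name}: {e}")
```

The chown event for alice and the apt package-database write are left alone, which is the point of the owner and path checks: ordinary administration should not page anyone.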
Automating with SOAR Playbooks
The following community Splunk SOAR playbooks can be used in conjunction with some of the analytics described above:
Why Should You Care about Linux Persistence and Privilege Escalation?
Linux is an extremely popular operating system present in millions of devices and applications. It is the main engine of the internet infrastructure, not only in backbone devices such as servers and routers but also at the micro level, as most Internet of Things (IoT) devices run some version of it. Linux is exploitable; however, it is often dismissed as secure by default, which is not true.
For a full list of security content, check out the release notes on Splunk Docs
Learn More
You can find the latest content about security analytic stories on GitHub and in Splunkbase. Splunk Security Essentials also has all these detections now available via push update.
Feedback
Any feedback or requests? Feel free to put in an issue on GitHub, and we’ll follow up. Alternatively, join us on the Slack channel #security-research. Follow these instructions if you need an invitation to our Splunk user groups on Slack.
Contributors
We would like to thank the whole threat research team Jose Hernandez, Teoderick Contreras, Rod Soto, Bhavin Patel, Mauricio Velazco, Michael Haag, Lou Stella, Eric McGinnis, and Patrick Bareiss for their contribution to this release.