SECURITY

Linux Persistence and Privilege Escalation: Threat Research January 2022 Release

In this January 2022 release, The Splunk Threat Research (STRT) team focused on the recently released Sysmon for Linux technology addition to Splunk. This new add-on opens the door for new ways of monitoring, creating detections, and defending against Linux systems threats. Linux is the most commonly used operating system across the world with approximately 67% of the internet. The possibility of approaching Linux exploitation development provides many blue teamers new opportunities of enhancing their defense capabilities. 


This January release contains 32 new detections distributed in 2 Analytics Stories: Linux Privilege Escalation and Linux Persistence Techniques

Focusing on Linux Privilege Escalation & Linux Persistence Techniques

Analytic stories are security use cases supported by our threat research team’s pre-built detections and responses. The following analytic stories focus on monitoring and investigating items that are related to Linux privilege escalation. Privilege escalation is a necessary post-exploitation step for attackers to complete entrenchment at the targeted host. These items include unusual processes running on endpoints, scheduled tasks, services, setuid, root execution, and more. 

It is also important for attackers to maintain access to compromised systems and that’s where persistence techniques come into play. We also crafted several detections to address those post-exploitation vectors. 

Detections Used in the Linux Privilege Escalation & Linux Persistence Techniques Analytics Stories

Linux Privilege Escalation & Linux Persistence Techniques
 

Name

Technique ID 

Tactic 

Description

Linux NOPASSWD Entry in Sudoers File

  T1548.003

   T1548

Persistence, Privilege Escalation

Look for suspicious command lines that may add an entry to /etc/sudoers with NOPASSWD attribute in the Linux platform.

Linux Possible Access Or Modification Of sshd Config File

T1098.004

 T1098

Persistence

Look for suspicious process command-line that might be accessing or modifying sshd_config.

Linux Possible Append Command To Profile Config File

T1546.004

T1546

Persistence, Privilege Escalation

looks for suspicious command lines that can be possibly used to modify user profile files to automatically execute scripts/executables by shell upon reboot of the machine.

Linux Possible Ssh Key File Creation


T1098.004

 T1098

Persistence

This analytic is to look for possible ssh key file creation on ~/.ssh/ folder

Linux Add User Account


T1136.001

T1136

Persistence

looks for commands to create user accounts on the Linux platform.

Linux Common Process For Elevation Control


T1548.001

 T1548

Persistence, Privilege Escalation

looks for possible elevation control access using a common known process in the Linux platform to change the attribute and file ownership.

Linux Doas Conf File Creation


T1548.003

T1548

Persistence, Privilege Escalation

Detects the creation of doas.conf file in Linux host platform.

Linux Doas Tool Execution


T1548.003

 T1548

Persistence, Privilege Escalation

Detects the doas tool execution in the Linux host platform

Linux Possible Access To Credential Files


  T1003.008

 T1003

Credential Access

Detects a possible attempt to dump or access the content of /etc/passwd and /etc/shadow to enable offline credential cracking. "etc/passwd" stores user information within Linux OS while "etc/shadow" contains the user passwords hash.

Linux File Creation In Init Boot Directory

T1037.004

Persistence, Privilege Escalation

This analytic looks for suspicious file creation on init system directories for automatic execution of script or file upon boot up


Linux File Creation In Profile Directory

T1546.004

Persistence, Privilege Escalation

This analytic looks for suspicious file creation in /etc/profile.d directory

 to automatically execute scripts by shell upon boot-up of a Linux machine


Linux Service File Created In Systemd Directory

T1053.006

Persistence, Privilege Escalation

This analytic looks for suspicious file creation in the systemd timer directory in the Linux platform


Linux Service Restarted

T1053.006

Persistence, Privilege Escalation

This analytic looks for restarted or re-enable services in the Linux platform

Linux Service Started Or Enabled

T1053.006

Persistence, Privilege Escalation

This analysis looks for created or enable services in the Linux platform

Linux Add User Account

T1136.001

Persistence, Privilege Escalation

This analysis looks for commands to create user accounts on the Linux platform.

Linux Change File Owner To Root

T1222.002

Persistence, Privilege Escalation

This analytic looks for a command line that change the file owner to root

 using chown utility tool


Linux Setuid Using Chmod Utility

T1548.001

Persistence, Privilege Escalation

This analytic looks for suspicious chmod utility execution to enable SUID bit.


Linux Setuid Using Setcap Utility

T1548.001

Persistence, Privilege Escalation

This analytic looks for suspicious setcap utility execution to enable SUID bit.

Linux Doas Conf File Creation

T1548.003

Persistence, Privilege Escalation

This analytic is to detect the creation of doas.conf file in the Linux host platform.

Linux Doas Tool Execution

T1548.003

Persistence, Privilege Escalation

This analytic is to detect the doas tool execution in the Linux host platform.

Linux Sudo OR Su Execution

T1548.003

Persistence, Privilege Escalation

This analytic is to detect the execution of sudo or su command in the Linux operating system.

Linux Common Process For Elevation Control

T1548.001

Persistence, Privilege Escalation

This analytic is to look for possible elevation control access using a common known process in the Linux platform to change the attribute and file ownership.

Linux File Created In Kernel Driver Directory

T1547.006

Persistence, Privilege Escalation

This analytic looks for suspicious file creation in the kernel/driver directory in the Linux platform.


Linux Insert Kernel Module Using Insmod Utility

T1547.006

Persistence, Privilege Escalation

This analytic looks for the inserting Linux kernel modules using the insmod utility function.

Linux Install Kernel Module Using Modprobe Utility

T1547.006

Persistence, Privilege Escalation

This analytic looks for possible installing a Linux kernel module using modprobe utility function


Linux Preload Hijack Library Calls

T1574.006

Persistence, Privilege Escalation

This analytic is to detect a suspicious command that may hijack a library function using the LD_PRELOAD environment variable in the Linux platform.

Linux Possible Append Command To Profile Config File

T1546.004

Persistence, Privilege Escalation

This analytic looks for suspicious command lines that are possibly used to modify profile files to automatically execute scripts/files by shell upon boot of the machine.

Linux Possible Access To Credential Files

T1003.008

Persistence, Privilege Escalation

This analytic is to detect a possible attempt to dump or access the content of /etc/passwd and /etc/shadow to enable offline credential cracking.

Linux Possible Access To Sudoers File

T1548.003

Persistence, Privilege Escalation

This analytic is to detect possible access or modification of /etc/sudoers file. 

Linux NOPASSWD Entry In Sudoers File

T1548.003

Persistence, Privilege Escalation

This analytic is to look for suspicious command lines that may add an entry to /etc/sudoers with NOPASSWD attribute in the Linux platform.

Linux Sudoers Tmp File Creation

T1548.003

Persistence, Privilege Escalation

This analytic is to look for file creation of sudoers.tmp file cause

  by editing /etc/sudoers using visudo or editor in the Linux platform.


Linux Visudo Utility Execution

T1548.003

Persistence, Privilege Escalation

This analytic is to look for suspicious command-line that add an entry to

  /etc/sudoers by using visudo utility tool in Linux platform.


Linux Possible Ssh Key File Creation

T1098.004

Persistence, Privilege Escalation

This analytic is to look for possible ssh key file creation on ~/.ssh/ folder.

Linux Possible Access Or Modification Of sshd_config File

T1098.004

Persistence, Privilege Escalation

This analytic is to look for suspicious process command-line that might be accessing or modifying sshd_config. 


Automating with SOAR Playbooks

The following community Splunk SOAR playbooks mentioned below can be used in conjunction with some of the previously described analytics:
 

Detection

Playbook

Description

Any

Internal Host SSH Investigate

Investigate an internal unix host using SSH. This pushes a bash script to the endpoint and runs it, collecting generic information about the processes, user activity, and network activity. This includes the process list, login history, cron jobs, and open sockets. The results are zipped up in .csv files and added to the vault for an analyst to review.

Multiple

Crowdstrike Malware Triage

This playbook is used to enrich and respond to a CrowdStrike Falcon detection involving a potentially malicious executable on an endpoint. Check for previous sightings of the same executable, hunt across other endpoints for the file, gather details about all processes associated with the file, and collect all the gathered information into a prompt for an analyst to review. Based on the analyst's choice, the file can be added to the custom indicators list in CrowdStrike with a detection policy of "detect" or "none", and the endpoint can be optionally quarantined from the network.


Why Should You Care about Linux Persistence and Privilege Escalation?

Linux is an extremely popular operating system present in millions of devices and applications. It is the main engine of the internet infrastructure, not only when talking about the backbone type of devices (such as servers, routers) but also at the micro-level as most internet of thing (IoT) devices run some version of it. Linux is exploitable however it is often dismissed as secured by default, which is not true. 

For a full list of security content, check out the release notes on Splunk Docs

Learn More

You can find the latest content about security analytic stories on GitHub and in Splunkbase. Splunk Security Essentials also has all these detections now available via push update. 

Feedback

Any feedback or requests? Feel free to put in an issue on GitHub, and we’ll follow up. Alternatively, join us on the Slack channel #security-research. Follow these instructions If you need an invitation to our Splunk user groups on Slack.

Contributors

We would like to thank the whole threat research team Jose Hernandez, Teoderick Contreras, Rod Soto, Bhavin Patel, Mauricio Velazco, Michael Haag, Lou Stella, Eric McGinnis, and Patrick Bareiss for their contribution to this release.

 

The Splunk Threat Research Team is an active part of a customer’s overall defense strategy by enhancing Splunk security offerings with verified research and security content such as use cases, detection searches, and playbooks. We help security teams around the globe strengthen operations by providing tactical guidance and insights to detect, investigate and respond against the latest threats. The Splunk Threat Research Team focuses on understanding how threats, actors, and vulnerabilities work, and the team replicates attacks which are stored as datasets in the Attack Data repository

Our goal is to provide security teams with research they can leverage in their day to day operations and to become the industry standard for SIEM detections. We are a team of industry-recognized experts who are encouraged to improve the security industry by sharing our work with the community via conference talks, open-sourcing projects, and writing white papers or blogs. You will also find us presenting our research at conferences such as Defcon, Blackhat, RSA, and many more.


Read more Splunk Security Content

TAGS

Linux Persistence and Privilege Escalation: Threat Research January 2022 Release

Show All Tags
Show Less Tags

Join the Discussion