Hunting for Persistence in Linux (Part 1): Auditing, Logging and Webshells

Welcome to this blog series "Hunting for Persistence in Linux"! This is a series that explores methods attackers might use to maintain persistent access to a compromised Linux system. To do this, we will take an "offense informs defense" approach by going through techniques listed in the MITRE ATT&CK Matrix for Linux.

Each persistence technique has two main parts:

- How to deploy the persistence technique: give examples of how an attacker might deploy one of these backdoors.
- How to monitor and detect the persistence technique: show how a defender might monitor and detect these installations.

By giving concrete implementations of these persistence techniques, I hope to give defenders a better appreciation of what exactly they are trying to detect, and some clear examples of how they can test their own alerting.

The diagram above gives an overview of what will be discussed in this series. The remaining techniques will be covered in succeeding posts. In this blog post, we will be focusing more on logging and monitoring, and simply use web shells as an initial example.

Series overview:

- Hunting for Persistence in Linux (Part 1): Auditing, Logging and Webshells
  - 1 - Server Software Component: Web Shell
- Hunting for Persistence in Linux (Part 2): Account Creation and Manipulation
  - 4 - Account Manipulation: SSH Authorized Keys
- Hunting for Persistence in Linux (Part 3): Systemd, Timers, and Cron
  - 5 - Create or Modify System Process: Systemd Service
- Hunting for Persistence in Linux (Part 4): Initialization Scripts and Shell Configuration
  - 8 - Boot or Logon Initialization Scripts: RC Scripts
  - 9 - Boot or Logon Initialization Scripts: init.d
  - 10 - Boot or Logon Initialization Scripts: motd
  - 11 - Event Triggered Execution: Unix Shell Configuration Modification
- Hunting for Persistence in Linux (Part 5): Systemd Generators
  - 12 - Boot or Logon Initialization Scripts: systemd-generators
- (WIP) Hunting for Persistence in Linux (Part 6): Rootkits, Compromised Software, and Others
  - Modify Authentication Process: Pluggable Authentication Modules
  - Boot or Logon Autostart Execution: Kernel Modules and Extensions

Sections of this post:

- 1.3 Detection: Creation or modification of PHP files
- 1.4 Detection: Looking for command execution for www-data using auditd
- 1.5 Detection: Looking for command execution for www-data using sysmon
- 1.6 Detection: Looking for initiated connections by www-data
- 1.7 Hunting for web shells using osquery
- A02 Setting up Auditbeat and auditd for Linux

Linux audit parser (syslog-ng OSE)

The Linux audit parser can parse the log messages of the Linux Audit subsystem (auditd). The syslog-ng OSE application can separate these log messages into name-value pairs. For details on using value-pairs in syslog-ng OSE, see Structuring macros, metadata, and other value-pairs.

type=PROCTITLE msg=audit(1441988805.991:239): proctitle=64756D7065326673002D68002F6465762F73646131

Certain fields of the audit log can be encoded in hexadecimal format, for example, the arch field, or the a fields in the previous example. The syslog-ng OSE application automatically decodes these fields (for example, the c000003e value becomes x86_64). The syslog-ng OSE application extracts every field into name-value pairs. It automatically decodes the following fields:

To parse the log messages of the Linux Audit subsystem, define a parser that has the linux-audit-parser() option. By default, the parser will process the $ part of the log message.

By default, cisco-parser() uses the cisco. prefix. If you forward the parsed messages using the IETF-syslog protocol, you can insert all the parsed data into the SDATA part of the message using the prefix(.SDATA.my-parsed-data.) option. Names starting with a dot (for example, .example) are reserved for use by syslog-ng OSE. If you use such a macro name as the name of a parsed value, it will attempt to replace the original value of the macro (note that only soft macros can be overwritten, see Hard vs. soft macros). To avoid such problems, use a prefix when naming the parsed values, for example, prefix(my-parsed-data.).