[New Rules] DDExec Analysis #3408
Conversation
This reverts commit c58595b.
…c/detection-rules into new-rules-ddexec-analysis
nice set of rules, one thing is to check for process exec only rules compatibility with other datasources/index array to maximise rule usage.
@Samirbous ++, added endgame + audit_manager support.
When adding auditd_manager support, I noticed I must supply the
Looks good!
* [New Rules] DDExec Analysis
* Increased rule scope
* [New Rule] Dynamic Linker Discovery via od
* Revert "[New Rule] Dynamic Linker Discovery via od" This reverts commit c58595b.
* [New Rule] Dynamic Linker Discovery via od
* [New Rule] Potential Memory Seeking Activity
* [New BBR] Suspicious Memory grep Activity
* Added endgame + auditd_manager support
* Removed auditd_manager support for now
* Removed auditd_manager support for now
* Update discovery_suspicious_memory_grep_activity.toml
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
(cherry picked from commit d41855a)
Summary
This PR proposes several new Linux DRs, originating from the analysis of the DDExec tool, which allows you to load shellcodes and binaries in memory by abusing the dd binary (installed everywhere) from a regular sh/bash shell.
The following new rules are proposed:
Suspicious /proc/maps Discovery
Monitors for /proc/*/maps file reads. The /proc/*/maps file in Linux provides a memory map for a specific process, detailing the memory segments, permissions, and what files are mapped to these segments. Attackers may read a process's memory map to identify memory addresses for code injection or process hijacking.
Detection
0 FPs in telemetry and my testing stack over the last 365 days
Several TPs originating from DDExec, SSH injection and truffleproc/bash memory dump testing.
Suspicious Dynamic Linker Discovery via od
Monitors for dynamic linker discovery via the od utility. od (octal dump) is a command-line utility in Unix operating systems used for displaying data in various formats, including octal, hexadecimal, decimal, and ASCII, primarily used for examining and debugging binary files or data streams. Attackers can leverage od to analyze the dynamic linker by identifying injection points and craft exploits based on the observed behaviors and structures within these files.
Detection
0 FPs in telemetry and my testing stack over the last 365 days
BBR - Potential Memory Seeking Activity
Monitors for the execution of Unix utilities that may be leveraged as memory address seekers. Attackers may leverage built-in utilities to seek specific memory addresses, allowing for potential future manipulation/exploitation.
Detection
There are several FPs in telemetry, and those FPs were related to development and therefore difficult to tune. I chose to add this as a BBR, so I can gather additional telemetry and potentially promote it to a DR in the future.
BBR - Memory grep Activity
Monitors for grep activity related to memory mapping. The /proc/*/maps file in Linux provides a memory map for a specific process, detailing the memory segments, permissions, and what files are mapped to these segments. Attackers may read a process's memory map to identify memory addresses for code injection or process hijacking.
Detection
0 FPs in telemetry or my stack, however, given that I chose to go the process event category route, I am unable to specifically match the "/proc/pid/maps" file, therefore I created room for potential FPs by grepping random files. A workaround for this would be to use auditd_manager, and chain this with a /proc/pid/maps file read by grep. I chose not to do this for now as auditd_manager is not (yet) widely implemented, so this method will be more useful. Might be a way to tune in the future.
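The rule logic described in this PR, as an added example that is not the PR's own EQL/TOML rules: a toy Python stand-in run over constructed ECS-style process events, including the grep-on-stdin case that explains the FP room noted above. The rule names, the reader list, the linker path regex and MAP_TOKENS are assumptions for illustration.

```python
"""Toy model of the detection logic this PR describes (added example, not
the PR's own EQL/TOML rules), run over constructed ECS-style process events.
Rule names, the linker path regex and MAP_TOKENS are assumptions."""
import re
from typing import Dict, List

PROC_MAPS = re.compile(r"^/proc/(\d+|self)/maps$")
LINKER = re.compile(r"/ld(-linux[\w-]*)?\.so(\.\d+)*$")  # e.g. ld-linux-x86-64.so.2
READERS = {"cat", "head", "tail", "less", "more", "xxd", "od", "strings", "grep"}
GREP = {"grep", "egrep", "fgrep"}
MAP_TOKENS = ("r-xp", "rw-p", "r--p", "[heap]", "[stack]", "libc")

def match_rules(ev: Dict) -> List[str]:
    """Return the names of the hypothetical rules that fire on one event."""
    if ev.get("event", {}).get("type") != "start":
        return []
    proc = ev.get("process", {})
    name, args = proc.get("name", ""), proc.get("args", [])
    hits: List[str] = []
    if name in READERS and any(PROC_MAPS.match(a) for a in args):
        hits.append("suspicious_proc_maps_discovery")
    if name == "od" and any(LINKER.search(a) for a in args):
        hits.append("dynamic_linker_discovery_via_od")
    if name in GREP:
        # simplified operand split: args[0] is the binary, flags start with "-"
        operands = [a for a in args[1:] if not a.startswith("-")]
        pattern, files = (operands[0], operands[1:]) if operands else ("", [])
        # BBR: a process event cannot show what grep read when the maps file
        # arrives on stdin, so a maps-looking pattern with no file operand is
        # flagged at low confidence; this is the FP room the PR text notes.
        if any(PROC_MAPS.match(f) for f in files) or (
            not files and any(t in pattern for t in MAP_TOKENS)):
            hits.append("bbr_suspicious_memory_grep")
    return hits

def event(*args: str, etype: str = "start") -> Dict:  # minimal constructed event
    return {"event": {"category": "process", "type": etype},
            "process": {"name": args[0], "args": list(args)}}

SAMPLE_EVENTS = [  # constructed, not real telemetry
    event("cat", "/proc/1337/maps"),
    event("grep", "r-xp", "/proc/self/maps"),
    event("grep", "-i", "r-xp"),  # no file operand: maps content piped on stdin
    event("grep", "TODO", "notes.txt"),
    event("od", "-A", "x", "-t", "x1z", "/lib64/ld-linux-x86-64.so.2"),
    event("cat", "/proc/1337/maps", etype="end"),  # only start events are scored
]

def run_samples() -> List[List[str]]:
    return [match_rules(e) for e in SAMPLE_EVENTS]
```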