
Millions of Linux Servers at Risk: Perfctl's Covert Campaign Exploiting Servers for Cryptocurrency Mining and Proxyjacking
Indicators of Compromise
No domains found for this campaign
Campaign Guidance
Remediation, mitigation, notes, history and related intelligence
REMEDIATION
T1014 - Rootkit
Detects:
- Monitor for changes made to drive letters or mount points of data storage devices for unexpected modifications that may be used by rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components.
- Monitor for changes to, and the existence of, unrecognized DLLs, drivers, devices, and services, and for changes to the MBR. [2]
- Monitor for changes made to firmware for unexpected modifications to settings and/or data that may be used by rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Some rootkit protections may be built into anti-virus or operating system software. There are dedicated rootkit detection tools that look for specific types of rootkit behavior.
T1543 - Create or Modify System Process
Detects:
- Monitor for suspicious uses of the docker or podman command, such as attempts to mount the root filesystem of the host.
- Monitor for newly constructed containers that repeatedly execute malicious payloads as part of persistence or privilege escalation.
T1082 - System Information Discovery
Detects:
- Monitor executed commands and arguments that may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. For network devices, monitor executed commands in AAA logs, especially those run by unexpected or unauthorized users.
- Monitor for API calls that may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell. In cloud-based systems, native logging can be used to identify access to certain APIs and dashboards that may contain system information. Depending on how the environment is used, that data alone may not be useful due to benign use during normal operations.
- Monitor newly executed processes that may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture.
T1071 - Application Layer Protocol
Detects:
- Monitor and analyze traffic patterns and packet inspection associated with the protocol(s), leveraging SSL/TLS inspection for encrypted traffic, that do not follow the expected protocol standards and traffic flows (e.g. extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line data to detect anomalous process execution and command line arguments associated with traffic patterns (e.g. monitor anomalies in the use of files that do not normally initiate connections for the respective protocol(s)).
- Monitor and analyze traffic flows that do not follow the expected protocol standards and traffic flows (e.g. extraneous packets that do not belong to established flows, or gratuitous or anomalous traffic patterns). Consider correlation with process monitoring and command line data to detect anomalous process execution and command line arguments associated with traffic patterns (e.g. monitor anomalies in the use of files that do not normally initiate connections for the respective protocol(s)).
T1562 - Impair Defenses
Detects:
- Monitor logs for API calls to disable logging. In AWS, monitor for: StopLogging and DeleteTrail.[5] In GCP, monitor for: google.logging.v2.ConfigServiceV2.UpdateSink.[6] In Azure, monitor for az monitor diagnostic-settings delete.[7] Additionally, a sudden loss of a log source may indicate that it has been disabled.
- Monitor changes made to cloud services for unexpected modifications to settings and/or data.
- Monitor executed commands and arguments that may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms.
- Monitor for unusual/suspicious driver activity, especially regarding EDR and drivers associated with security tools, as well as those that may be abused to disable security products.
- Monitor for missing log files on hosts and services with known active periods.
- Monitor changes made to configuration files that contain settings for logging and defensive tools.
- Monitor for changes in the status of the system firewall, such as Windows Security Auditing events 5025 (The Windows firewall service has been stopped) and 5034 (The Windows firewall driver was stopped).
- Monitor for changes made to firewall rules for unexpected modifications to allow/block specific network traffic that may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms.
- Monitor for the abnormal execution of API functions associated with system logging.
- Monitor newly executed processes that may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms.
- Using another process or third-party tools, monitor for modifications or access to system processes associated with logging.
- Monitor for unexpected deletions of a running process (ex: Sysmon EID 5 or Windows EID 4689) that may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms.
- Any attempt to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system but are enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.
- Monitor logging, messaging, and other artifacts highlighting the health of host sensors (ex: metrics, errors, and/or exceptions from logging applications) that may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. A lack of log events may be suspicious.
- Monitor contextual data about a service/daemon, which may include information such as name, service executable, and start type, that may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms.
- Monitor for changes to account settings associated with users/tenants that may impact defensive logging capabilities, such as the Update User and Change User License events in the Azure AD audit log.[8]
- Monitor for unexpected deletion of Windows Registry keys that may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms.
- Monitor Registry edits for modifications to services and startup programs that correspond to security tools.
T1036 - Masquerading
Detects:
- Monitor executed commands and arguments that may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. [52] Note: For Windows, Event ID 4104 (from the Microsoft-Windows-Powershell/Operational log) captures PowerShell script blocks, which can be analyzed and used to detect potential Masquerading.
- Collect file hashes; file names that do not match their expected hash are suspect. Perform file monitoring; files with known names but in unusual locations are suspect. Look for indications of common characters that may indicate an attempt to trick users into misidentifying the file type, such as a space as the last character of a file name or the right-to-left override characters "\u202E", "[U+202E]", and "%E2%80%AE". Check and ensure that file headers/signatures and extensions match using magic bytes detection and/or file signature validation.[53] In Linux, the file command may be used to check the file signature.[54]
- Monitor for changes made to files outside of an update or patch that may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Windows Event ID 4663 (An Attempt Was Made to Access An Object) can be used to alert on attempted file accesses that may be associated with Masquerading.
- Collecting disk and resource filenames for binaries, and comparing that the InternalName, OriginalFilename, and/or ProductName match what is expected, could provide useful leads but may not always be indicative of malicious activity. [55]
- Monitor for API calls such as fork() which can be abused to masquerade or manipulate process metadata.
- Monitor for newly executed processes that may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. The RECYCLER and SystemVolumeInformation directories will be present on every drive. Replace %systemroot% and %windir% with the actual paths as configured by the endpoints.
  Analytic 1 - Suspicious Run Locations: (source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") AND ( Image=":\RECYCLER*" OR Image=":\SystemVolumeInformation*" OR Image="%windir%\Tasks*" OR Image="%systemroot%\debug*")
- Monitor for file names that are mismatched between the file name on disk and that of the binary's PE metadata; this is a likely indicator that a binary was renamed after it was compiled.
- Monitor for contextual data about a scheduled job, which may include information such as name, timing, command(s), etc. On Windows, Event ID 4698 (Security Log - A scheduled task was created) can be used to alert on the creation of scheduled tasks and provides metadata including the task name and task content (as XML). On Linux, auditing frameworks such as the Linux Auditing System (auditd) can be used to alert on invocations of cron, and provide the metadata included when executing the command.
- Monitor for changes made to scheduled jobs that may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools.
- Monitor for newly constructed services/daemons that may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools.
- Monitor for contextual data about a service/daemon, which may include information such as name, service executable, start type, etc.
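The file-name and file-signature checks in the rows above (trailing space, right-to-left override, magic bytes that disagree with the extension), as an added Python example that is not part of this page or of ATT&CK: the magic-byte table and the expected-extension map are constructed for illustration and should be extended for the formats that matter on your hosts.

```python
import os
import re
from typing import Dict, List, Optional, Set

# Leading bytes for a handful of common formats (constructed table for this example).
MAGIC: Dict[bytes, str] = {
    b"\x7fELF": "elf",
    b"MZ": "pe",
    b"\x1f\x8b": "gzip",
    b"PK\x03\x04": "zip",
    b"%PDF": "pdf",
    b"#!": "script",
}

# Extensions that are normal for each content type ("" means no extension).
EXPECTED_EXT: Dict[str, Set[str]] = {
    "elf": {"", ".so", ".bin"},
    "pe": {".exe", ".dll", ".sys", ".scr"},
    "gzip": {".gz", ".tgz"},
    "zip": {".zip", ".jar", ".docx", ".xlsx"},
    "pdf": {".pdf"},
    "script": {"", ".sh", ".py", ".pl", ".rb"},
}

# Right-to-left override as a code point and in its URL-encoded form.
RLO_MARKERS = ("\u202e", "%E2%80%AE")
VERSIONED_SO = re.compile(r"\.so(\.\d+)*$")  # libfoo.so.6 counts as ".so"


def sniff_type(header: bytes) -> Optional[str]:
    """Return the content type implied by the leading bytes, or None if unknown."""
    for magic, kind in MAGIC.items():
        if header.startswith(magic):
            return kind
    return None


def check_name(name: str) -> List[str]:
    """Flag file-name tricks aimed at misleading a human reader."""
    findings = []
    if name.endswith(" "):
        findings.append("trailing space in file name")
    if any(marker in name for marker in RLO_MARKERS):
        findings.append("right-to-left override in file name")
    return findings


def check_header(name: str, header: bytes) -> List[str]:
    """Flag files whose magic bytes disagree with their extension."""
    kind = sniff_type(header)
    if kind is None:
        return []  # unknown format: nothing to compare against
    clean = name.rstrip()
    ext = ".so" if VERSIONED_SO.search(clean) else os.path.splitext(clean)[1].lower()
    if ext not in EXPECTED_EXT[kind]:
        return [f"content is {kind} but extension is {ext or '(none)'}"]
    return []


def assess(name: str, header: bytes) -> List[str]:
    """Run both checks on a name plus its first bytes; empty list means clean."""
    return check_name(name) + check_header(name, header)


def scan_file(path: str) -> List[str]:
    """Read the first bytes of a file on disk and assess it."""
    with open(path, "rb") as fh:
        return assess(os.path.basename(path), fh.read(8))
```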
T1055 - Process Injection
Detects:
- Monitor for contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/owner, permissions, etc.
- Monitor for changes made to files that may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges.
- Monitor DLL/PE file events, specifically creation of these binary files as well as the loading of DLLs into processes. Look for DLLs that are not recognized or not normally loaded into a process.
- Monitoring Windows API calls indicative of the various types of code injection may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances for known bad sequences of calls, since benign use of API functions may be common and difficult to distinguish from malicious behavior. Windows API calls such as CreateRemoteThread, SuspendThread/SetThreadContext/ResumeThread, QueueUserAPC/NtQueueApcThread, and those that can be used to modify memory within another process, such as VirtualAllocEx/WriteProcessMemory, may be used for this technique.[86] Monitoring for Linux-specific calls such as the ptrace system call should not generate large amounts of data due to their specialized nature, and can be a very effective method to detect some of the common process injection methods.[87] [88] [89] [90]
- Monitor for processes being viewed that may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges.
- Monitor for process memory inconsistencies, such as checking memory ranges against a known copy of the legitimate module.[91]
- Monitor for changes made to processes that may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges.
T1021 - Remote Services
Detects:
- Monitor executed commands and arguments that may use Valid Accounts to log into a service specifically designed to accept remote connections, such as telnet, SSH, and VNC. The adversary may then perform actions as the logged-on user.
- Monitor for user accounts logged into systems they would not normally access, or abnormal access patterns such as multiple systems over a relatively short period of time. Correlate use of login activity related to remote services with unusual behavior or other malicious or suspicious activity. Adversaries will likely need to learn about an environment and the relationships between systems through Discovery techniques prior to attempting Lateral Movement. For example, in macOS you can review logs for "screensharingd" and "Authentication" event messages. [7][13] Note: When using Security event ID 4624, %$ means user names that do not end with the $ character. Usually, computer account or local system account names end with the $ character. When using Security event 4624, UserName and UserLogonId correspond to TargetUserName and TargetLogonId respectively. When using Security event 4624, LogonType 3 corresponds to a Network Logon.
  Analytic 1 - New services being created under network logon sessions by non-system users: (source="WinEventLog:Security" EventCode="4624") AND LogonType="3" AND UserName NOT '$' | rename UserLogonId AS LogonID| join type=inner LogonID[| search (source="*WinEventLog:Security" EventCode="4697") | rename UserLogonId as LogonID]
- Monitor DLL/PE file events, specifically creation of these binary files as well as the loading of DLLs into processes, that may use Valid Accounts to log into a service specifically designed to accept remote connections, such as telnet, SSH, and VNC. The adversary may then perform actions as the logged-on user. Note: On Windows, Sysmon Event ID 7 (Image loaded) can be used to monitor the loading of DLLs into processes, including those designed to accept remote connections. This is a particularly noisy event and can generate a large volume of data, so we recommend baselining and filtering out any known benign processes and modules to help reduce the number of events that are produced.
- Monitor interactions with network shares, such as reads or file transfers, using remote services such as Server Message Block (SMB).
- Monitor for newly constructed network connections that may use Valid Accounts to log into a service specifically designed to accept remote connections, such as RDP, telnet, SSH, and VNC. Monitor network connections involving common remote management protocols, such as ports tcp:3283 and tcp:5900, as well as ports tcp:3389 and tcp:22 for remote login.
- Monitor network data for uncommon data flows that may be related to abuse of Valid Accounts to log into a service specifically designed to accept remote connections, such as RDP, telnet, SSH, and VNC. Note: Network analysis frameworks such as Zeek can be used to capture, decode, and alert on network service protocols such as SSH and RDP. (Protocol 6 = TCP, Protocol 17 = UDP.)
  Analytic 1 - Suspicious Protocols: source="Zeek:" AND (port="636" AND protocol="6") OR (port="389" AND protocol="17")
- Monitor for newly executed processes that may use Valid Accounts to log into a service specifically designed to accept remote connections, such as RDP, telnet, SSH, and VNC. The adversary may then perform actions that spawn additional processes as the logged-on user. Malicious actors may rename built-in commands or external tools, such as those provided by SysInternals, to better blend in with the environment. In those cases, the file path name is arbitrary and may blend in well with the background. If the arguments are closely inspected, it may be possible to infer what tools are running and understand what an adversary is doing. When any legitimate software shares the same command lines, it must be whitelisted according to the expected parameters. Any tool of interest with commonly known command line usage can be detected by command line analysis. Known substrings of command lines include:
  Analytic 1 - Suspicious Arguments: (source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") AND CommandLine="-R . -pw" OR CommandLine="-pw . . .@." OR CommandLine="sekurlsa" OR CommandLine=" -hp " OR CommandLine=". a .*"
- Monitor for newly constructed WMI objects that are often used to log into a service that accepts remote connections.
T1548 - Abuse Elevation Control Mechanism
Detects:
- Monitor executed commands and arguments that may circumvent mechanisms designed to control elevated privileges in order to gain higher-level permissions.
- Monitor the file system for files that have the setuid or setgid bits set. On Linux, auditd can alert every time a user's actual ID and effective ID are different (this is what happens when you sudo).
- On Linux, auditd can alert every time a user's actual ID and effective ID are different (this is what happens when you sudo). This technique abuses normal functionality in macOS and Linux systems, but sudo has the ability to log all input and output based on the LOG_INPUT and LOG_OUTPUT directives in the /etc/sudoers file. Consider monitoring for /usr/libexec/security_authtrampoline executions, which may indicate that AuthorizationExecuteWithPrivileges is being executed. macOS system logs may also indicate when AuthorizationExecuteWithPrivileges is being called.
- Also look for any process API calls for behavior that may be indicative of Process Injection. Monitoring OS API callbacks for the execution can also be a way to detect this behavior but requires specialized security tooling.
- Monitor for newly executed processes that may circumvent mechanisms designed to control elevated privileges in order to gain higher-level permissions. Cyber actors frequently escalate to the SYSTEM account after gaining entry to a Windows host, to enable them to carry out various attacks more effectively. Tools such as Meterpreter, Cobalt Strike, and Empire carry out automated steps to "Get System", which is the same as switching over to the System user account. Most of these tools utilize multiple techniques to try to attain SYSTEM: in the first technique, they create a named pipe and connect an instance of cmd.exe to it, which allows them to impersonate the security context of cmd.exe, which is SYSTEM. In the second technique, a malicious DLL is injected into a process that is running as SYSTEM; the injected DLL steals the SYSTEM token and applies it where necessary to escalate privileges. This analytic looks for both of these techniques.
  Analytic 1 - Get System Elevation: (source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688")(ParentImage="C:\Windows\System32\services.exe" Image="C:\Windows\System32\cmd.exe" CommandLine="echo" CommandLine="\pipe*") OR (Image="C:\Windows\System32\rundll32.exe" CommandLine=",a /p:*")
- Monitor contextual data about a running process, which may include information such as environment variables, image name, and user/owner, that may circumvent mechanisms designed to control elevated privileges in order to gain higher-level permissions.
- Log cloud API calls to assume, create, or impersonate additional roles, policies, and permissions. Review uses of just-in-time access to ensure that any justifications provided are valid and only expected actions were taken.
- There are many ways to perform UAC bypasses when a user is in the local administrator group on a system, so it may be difficult to target detection on all variations. Efforts should likely be placed on mitigation and on collecting enough information on process launches and actions that could be performed before and after a UAC bypass is performed. Some UAC bypass methods rely on modifying specific, user-accessible Registry settings. Analysts should monitor Registry settings for unauthorized changes.
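The setuid/setgid file-system check from the T1548 rows above, as an added Python example that is not part of this page or of any campaign tooling: it inventories set-id regular files under a root (paths reported relative to that root, symlinks never followed) and diffs the inventory against a baseline saved from a known-good host, so newly added, removed or re-permissioned binaries stand out. The demo tree it builds by default is constructed for illustration.

```python
import json
import os
import stat
import sys
import tempfile
from typing import Dict, List, Tuple

# Pseudo-filesystems not worth walking when the root is "/".
SKIP_TOP = {"proc", "sys", "dev", "run"}


def describe(st: os.stat_result) -> str:
    """Summarise the set-id bits, ownership and mode of one file."""
    bits = [n for n, b in (("setuid", stat.S_ISUID), ("setgid", stat.S_ISGID)) if st.st_mode & b]
    return f"{'+'.join(bits)} uid={st.st_uid} gid={st.st_gid} mode={oct(st.st_mode & 0o7777)}"


def find_setid_files(root: str) -> Dict[str, str]:
    """Return {path-relative-to-root: description} for every regular file under
    root with setuid or setgid set. Unreadable directories are skipped, not fatal."""
    found: Dict[str, str] = {}
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda _e: None):
        if os.path.abspath(dirpath) == os.path.abspath(root):
            dirnames[:] = [d for d in dirnames if d not in SKIP_TOP]
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            try:
                st = os.lstat(path)  # lstat so a symlink is never followed
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                found[os.path.relpath(path, root)] = describe(st)
    return found


def diff_against_baseline(current: Dict[str, str],
                          baseline: Dict[str, str]) -> Tuple[List[str], List[str], List[str]]:
    """Split the current inventory into (new, removed, changed) relative to a baseline."""
    new = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    changed = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    return new, removed, changed


def make_demo_tree() -> str:
    """Constructed sample tree: one setuid, one setgid and one ordinary file."""
    base = tempfile.mkdtemp(prefix="setid-demo-")
    os.makedirs(os.path.join(base, "bin"))
    for rel, mode in (("bin/rogue", 0o4755), ("bin/shared", 0o2755), ("bin/plain", 0o755)):
        path = os.path.join(base, rel)
        with open(path, "wb") as fh:
            fh.write(b"#!/bin/sh\necho demo\n")
        os.chmod(path, mode)
    return base


if __name__ == "__main__":
    # Usage: python setid_scan.py [ROOT] [baseline.json]; with no arguments it scans the demo tree.
    root = sys.argv[1] if len(sys.argv) > 1 else make_demo_tree()
    baseline: Dict[str, str] = {}
    if len(sys.argv) > 2:
        with open(sys.argv[2]) as fh:
            baseline = json.load(fh)
    current = find_setid_files(root)
    for label, paths in zip(("new", "removed", "changed"), diff_against_baseline(current, baseline)):
        for p in paths:
            print(f"{label}: {p} {current.get(p, baseline.get(p))}")
```

Save `json.dumps(find_setid_files("/"))` from a freshly built host as the baseline, then re-run the scan periodically and alert on anything in the "new" or "changed" lists.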