Operation CrackArmor

Tags: AppArmor, Privilege Escalation, Linux

Operation CrackArmor involves critical vulnerabilities in AppArmor that allow local privilege escalation to root. The campaign targets Linux systems, exploiting these flaws to gain unauthorized access to and control of the host.

Indicators of Compromise

No domains found for this campaign

Campaign Guidance

Remediation, mitigation, notes, history and related intelligence

DETECTIONS

DET0518 - Behavioral Detection of T1498 – Network Denial of Service Across Platforms, Detection Strategy DET0518 | MITRE ATT&CK®

Data Component                          | Name               | Channel
Network Connection Creation (DC0082)    | WinEventLog:Sysmon | EventCode=3, 22
Process Creation (DC0032)               | WinEventLog:Sysmon | EventCode=1

DET0593 - Detecting OS Credential Dumping via /proc Filesystem Access on Linux, Detection Strategy DET0593 | MITRE ATT&CK®

Data Component               | Name          | Channel
File Access (DC0055)         | auditd:SYSCALL | open, read
File Modification (DC0061)   | auditd:SYSCALL | write
Process Access (DC0035)      | auditd:SYSCALL | ptrace or process_vm_readv
Process Creation (DC0032)    | linux:Sysmon   | EventCode=1

DET0738 - Detection of Exploitation for Privilege Escalation, Detection Strategy DET0738 | MITRE ATT&CK®

Data Component                     | Name            | Channel
Application Log Content (DC0038)   | Application Log | None

Observed Countries (3)

DE (433)
GB (46)
US (298)