Merge pull request #1306 from HackTricks-wiki/update_Patching_for_persistence__How_DripDropper_Linux_ma_20250819_182754

Patching for persistence How DripDropper Linux malware moves...

src/generic-methodologies-and-resources/basic-forensic-methodology/anti-forensic-techniques.md

@@ -226,6 +226,81 @@ and alert on kernel-service creation from user-writable paths.
 
 ---
 
+## Linux Anti-Forensics: Self-Patching and Cloud C2 (2023–2025)
+
+### Self‑patching compromised services to reduce detection (Linux)
+Adversaries increasingly “self‑patch” a service right after exploiting it to both prevent re‑exploitation and suppress vulnerability‑based detections. The idea is to replace vulnerable components with the latest legitimate upstream binaries/JARs, so scanners report the host as patched while persistence and C2 remain.
+
+Example: Apache ActiveMQ OpenWire RCE (CVE‑2023‑46604)
+- Post‑exploitation, attackers fetched legitimate JARs from Maven Central (repo1.maven.org), deleted vulnerable JARs in the ActiveMQ install, and restarted the broker.
+- This closed the initial RCE while maintaining other footholds (cron, SSH config changes, separate C2 implants).
+
+Operational example (illustrative)
+```bash
+# ActiveMQ install root (adjust as needed)
+AMQ_DIR=/opt/activemq
+cd "$AMQ_DIR"/lib
+
+# Fetch patched JARs from Maven Central (versions as appropriate)
+curl -fsSL -O https://repo1.maven.org/maven2/org/apache/activemq/activemq-client/5.18.3/activemq-client-5.18.3.jar
+curl -fsSL -O https://repo1.maven.org/maven2/org/apache/activemq/activemq-openwire-legacy/5.18.3/activemq-openwire-legacy-5.18.3.jar
+
+# Remove vulnerable files and ensure the service uses the patched ones
+rm -f activemq-client-5.18.2.jar activemq-openwire-legacy-5.18.2.jar || true
+ln -sf activemq-client-5.18.3.jar activemq-client.jar
+ln -sf activemq-openwire-legacy-5.18.3.jar activemq-openwire-legacy.jar
+
+# Apply changes without removing persistence
+systemctl restart activemq || service activemq restart
+```
+
+Forensic/hunting tips
+- Review service directories for unscheduled binary/JAR replacements:
+  - Debian/Ubuntu: `dpkg -V activemq` and compare file hashes/paths with repo mirrors.
+  - RHEL/CentOS: `rpm -Va 'activemq*'`
+  - Look for JAR versions present on disk that are not owned by the package manager, or symbolic links updated out of band.
+- Timeline: `find "$AMQ_DIR" -type f -printf '%TY-%Tm-%Td %TH:%TM %p\n' | sort` to correlate ctime/mtime with compromise window.
+- Shell history/process telemetry: evidence of `curl`/`wget` to `repo1.maven.org` or other artifact CDNs immediately after initial exploitation.
+- Change management: validate who applied the “patch” and why, not only that a patched version is present.
+
+### Cloud‑service C2 with bearer tokens and anti‑analysis stagers
+Observed tradecraft combined multiple long‑haul C2 paths and anti‑analysis packaging:
+- Password‑protected PyInstaller ELF loaders to hinder sandboxing and static analysis (e.g., encrypted PYZ, temporary extraction under `/_MEI*`).
+  - Indicators: `strings` hits such as `PyInstaller`, `pyi-archive`, `PYZ-00.pyz`, `MEIPASS`.
+  - Runtime artifacts: extraction to `/tmp/_MEI*` or custom `--runtime-tmpdir` paths.
+- Dropbox‑backed C2 using hardcoded OAuth Bearer tokens
+  - Network markers: `api.dropboxapi.com` / `content.dropboxapi.com` with `Authorization: Bearer <token>`.
+  - Hunt in proxy/NetFlow/Zeek/Suricata for outbound HTTPS to Dropbox domains from server workloads that do not normally sync files.
+- Parallel/backup C2 via tunneling (e.g., Cloudflare Tunnel `cloudflared`), keeping control if one channel is blocked.
+  - Host IOCs: `cloudflared` processes/units, config at `~/.cloudflared/*.json`, outbound 443 to Cloudflare edges.
+
+### Persistence and “hardening rollback” to maintain access (Linux examples)
+Attackers frequently pair self‑patching with durable access paths:
+- Cron/Anacron: edits to the `0anacron` stub in each `/etc/cron.*/` directory for periodic execution.
+  - Hunt:
+    ```bash
+    for d in /etc/cron.*; do [ -f "$d/0anacron" ] && stat -c '%n %y %s' "$d/0anacron"; done
+    grep -R --line-number -E 'curl|wget|python|/bin/sh' /etc/cron.*/* 2>/dev/null
+    ```
+- SSH configuration hardening rollback: enabling root logins and altering default shells for low‑privileged accounts.
+  - Hunt for root login enablement:
+    ```bash
+    grep -E '^\s*PermitRootLogin' /etc/ssh/sshd_config
+    # flag values like "yes" or overly permissive settings
+    ```
+  - Hunt for suspicious interactive shells on system accounts (e.g., `games`):
+    ```bash
+    awk -F: '($7 ~ /bin\/(sh|bash|zsh)/ && $1 ~ /^(games|lp|sync|shutdown|halt|mail|operator)$/) {print}' /etc/passwd
+    ```
+- Random, short‑named beacon artifacts (8 alphabetical chars) dropped to disk that also contact cloud C2:
+  - Hunt:
+    ```bash
+    find / -maxdepth 3 -type f -regextype posix-extended -regex '.*/[A-Za-z]{8}$' \
+      -exec stat -c '%n %s %y' {} \; 2>/dev/null | sort
+    ```
+
+Defenders should correlate these artifacts with external exposure and service patching events to uncover anti‑forensic self‑remediation used to hide initial exploitation.
+
 ## References
 
 - Sophos X-Ops – “AuKill: A Weaponized Vulnerable Driver for Disabling EDR” (March 2023)  
@@ -233,6 +308,9 @@ and alert on kernel-service creation from user-writable paths.
 - Red Canary – “Patching EtwEventWrite for Stealth: Detection & Hunting” (June 2024)  
   https://redcanary.com/blog/etw-patching-detection
 
+- [Red Canary – Patching for persistence: How DripDropper Linux malware moves through the cloud](https://redcanary.com/blog/threat-intelligence/dripdropper-linux-malware/)
+- [CVE‑2023‑46604 – Apache ActiveMQ OpenWire RCE (NVD)](https://nvd.nist.gov/vuln/detail/CVE-2023-46604)
+
 {{#include ../../banners/hacktricks-training.md}}
 
 

src/generic-methodologies-and-resources/basic-forensic-methodology/linux-forensics.md

@@ -212,6 +212,38 @@ cat /var/spool/cron/crontabs/*  \
 ls -l /usr/lib/cron/tabs/ /Library/LaunchAgents/ /Library/LaunchDaemons/ ~/Library/LaunchAgents/
 ```
 
+#### Hunt: Cron/Anacron abuse via 0anacron and suspicious stubs
+Attackers often edit the 0anacron stub present under each /etc/cron.*/ directory to ensure periodic execution.
+
+```bash
+# List 0anacron files and their timestamps/sizes
+for d in /etc/cron.*; do [ -f "$d/0anacron" ] && stat -c '%n %y %s' "$d/0anacron"; done
+
+# Look for obvious execution of shells or downloaders embedded in cron stubs
+grep -R --line-number -E 'curl|wget|/bin/sh|python|bash -c' /etc/cron.*/* 2>/dev/null
+```
+
+#### Hunt: SSH hardening rollback and backdoor shells
+Changes to sshd_config and system account shells are common post‑exploitation to preserve access.
+
+```bash
+# Root login enablement (flag "yes" or lax values)
+grep -E '^\s*PermitRootLogin' /etc/ssh/sshd_config
+
+# System accounts with interactive shells (e.g., games → /bin/sh)
+awk -F: '($7 ~ /bin\/(sh|bash|zsh)/ && $1 ~ /^(games|lp|sync|shutdown|halt|mail|operator)$/) {print}' /etc/passwd
+```
+
+#### Hunt: Cloud C2 markers (Dropbox/Cloudflare Tunnel)
+- Dropbox API beacons typically use api.dropboxapi.com or content.dropboxapi.com over HTTPS with Authorization: Bearer tokens.
+  - Hunt in proxy/Zeek/NetFlow for unexpected Dropbox egress from servers.
+- Cloudflare Tunnel (`cloudflared`) provides backup C2 over outbound 443.
+
+```bash
+ps aux | grep -E '[c]loudflared|trycloudflare'
+systemctl list-units | grep -i cloudflared
+```
+
 ### Services
 
 Paths where a malware could be installed as a service:
@@ -395,6 +427,8 @@ git diff --no-index --diff-filter=D path/to/old_version/ path/to/new_version/
 - [https://git-scm.com/docs/git-diff#Documentation/git-diff.txt---diff-filterACDMRTUXB82308203](https://git-scm.com/docs/git-diff#Documentation/git-diff.txt---diff-filterACDMRTUXB82308203)
 - **Book: Malware Forensics Field Guide for Linux Systems: Digital Forensics Field Guides**
 
+- [Red Canary – Patching for persistence: How DripDropper Linux malware moves through the cloud](https://redcanary.com/blog/threat-intelligence/dripdropper-linux-malware/)
+
 {{#include ../../banners/hacktricks-training.md}}