diff --git a/src/generic-methodologies-and-resources/basic-forensic-methodology/anti-forensic-techniques.md b/src/generic-methodologies-and-resources/basic-forensic-methodology/anti-forensic-techniques.md index 2b48504d8..393d66750 100644 --- a/src/generic-methodologies-and-resources/basic-forensic-methodology/anti-forensic-techniques.md +++ b/src/generic-methodologies-and-resources/basic-forensic-methodology/anti-forensic-techniques.md 
@@ -226,6 +226,81 @@ and alert on kernel-service creation from user-writable paths. --- +## Linux Anti-Forensics: Self-Patching and Cloud C2 (2023–2025) + +### Self‑patching compromised services to reduce detection (Linux) +Adversaries increasingly “self‑patch” a service right after exploiting it to both prevent re‑exploitation and suppress vulnerability‑based detections. The idea is to replace vulnerable components with the latest legitimate upstream binaries/JARs, so scanners report the host as patched while persistence and C2 remain. + +Example: Apache ActiveMQ OpenWire RCE (CVE‑2023‑46604) +- Post‑exploitation, attackers fetched legitimate JARs from Maven Central (repo1.maven.org), deleted vulnerable JARs in the ActiveMQ install, and restarted the broker. +- This closed the initial RCE while maintaining other footholds (cron, SSH config changes, separate C2 implants). + +Operational example (illustrative) +```bash +# ActiveMQ install root (adjust as needed) +AMQ_DIR=/opt/activemq +cd "$AMQ_DIR"/lib + +# Fetch patched JARs from Maven Central (versions as appropriate) +curl -fsSL -O https://repo1.maven.org/maven2/org/apache/activemq/activemq-client/5.18.3/activemq-client-5.18.3.jar +curl -fsSL -O https://repo1.maven.org/maven2/org/apache/activemq/activemq-openwire-legacy/5.18.3/activemq-openwire-legacy-5.18.3.jar + +# Remove vulnerable files and ensure the service uses the patched ones +rm -f activemq-client-5.18.2.jar activemq-openwire-legacy-5.18.2.jar || true +ln -sf activemq-client-5.18.3.jar activemq-client.jar +ln -sf activemq-openwire-legacy-5.18.3.jar activemq-openwire-legacy.jar + +# Apply changes without removing persistence +systemctl restart activemq || service activemq restart +``` + +Forensic/hunting tips +- Review service directories for unscheduled binary/JAR replacements: + - Debian/Ubuntu: `dpkg -V activemq` and compare file hashes/paths with repo mirrors. 
+ - RHEL/CentOS: `rpm -Va 'activemq*'` + - Look for JAR versions present on disk that are not owned by the package manager, or symbolic links updated out of band. +- Timeline: `find "$AMQ_DIR" -type f -printf '%TY-%Tm-%Td %TH:%TM %p\n' | sort` to correlate ctime/mtime with compromise window. +- Shell history/process telemetry: evidence of `curl`/`wget` to `repo1.maven.org` or other artifact CDNs immediately after initial exploitation. +- Change management: validate who applied the “patch” and why, not only that a patched version is present. + +### Cloud‑service C2 with bearer tokens and anti‑analysis stagers +Observed tradecraft combined multiple long‑haul C2 paths and anti‑analysis packaging: +- Password‑protected PyInstaller ELF loaders to hinder sandboxing and static analysis (e.g., encrypted PYZ, temporary extraction under `/_MEI*`). + - Indicators: `strings` hits such as `PyInstaller`, `pyi-archive`, `PYZ-00.pyz`, `MEIPASS`. + - Runtime artifacts: extraction to `/tmp/_MEI*` or custom `--runtime-tmpdir` paths. +- Dropbox‑backed C2 using hardcoded OAuth Bearer tokens + - Network markers: `api.dropboxapi.com` / `content.dropboxapi.com` with `Authorization: Bearer `. + - Hunt in proxy/NetFlow/Zeek/Suricata for outbound HTTPS to Dropbox domains from server workloads that do not normally sync files. +- Parallel/backup C2 via tunneling (e.g., Cloudflare Tunnel `cloudflared`), keeping control if one channel is blocked. + - Host IOCs: `cloudflared` processes/units, config at `~/.cloudflared/*.json`, outbound 443 to Cloudflare edges. + +### Persistence and “hardening rollback” to maintain access (Linux examples) +Attackers frequently pair self‑patching with durable access paths: +- Cron/Anacron: edits to the `0anacron` stub in each `/etc/cron.*/` directory for periodic execution. 
+ - Hunt: + ```bash + for d in /etc/cron.*; do [ -f "$d/0anacron" ] && stat -c '%n %y %s' "$d/0anacron"; done + grep -R --line-number -E 'curl|wget|python|/bin/sh' /etc/cron.*/* 2>/dev/null + ``` +- SSH configuration hardening rollback: enabling root logins and altering default shells for low‑privileged accounts. + - Hunt for root login enablement: + ```bash + grep -E '^\s*PermitRootLogin' /etc/ssh/sshd_config + # flag values like "yes" or overly permissive settings + ``` + - Hunt for suspicious interactive shells on system accounts (e.g., `games`): + ```bash + awk -F: '($7 ~ /bin\/(sh|bash|zsh)/ && $1 ~ /^(games|lp|sync|shutdown|halt|mail|operator)$/) {print}' /etc/passwd + ``` +- Random, short‑named beacon artifacts (8 alphabetical chars) dropped to disk that also contact cloud C2: + - Hunt: + ```bash + find / -maxdepth 3 -type f -regextype posix-extended -regex '.*/[A-Za-z]{8}$' \ + -exec stat -c '%n %s %y' {} \; 2>/dev/null | sort + ``` + +Defenders should correlate these artifacts with external exposure and service patching events to uncover anti‑forensic self‑remediation used to hide initial exploitation. + ## References - Sophos X-Ops – “AuKill: A Weaponized Vulnerable Driver for Disabling EDR” (March 2023) @@ -233,6 +308,9 @@ and alert on kernel-service creation from user-writable paths. - Red Canary – “Patching EtwEventWrite for Stealth: Detection & Hunting” (June 2024) https://redcanary.com/blog/etw-patching-detection +- [Red Canary – Patching for persistence: How DripDropper Linux malware moves through the cloud](https://redcanary.com/blog/threat-intelligence/dripdropper-linux-malware/) +- [CVE‑2023‑46604 – Apache ActiveMQ OpenWire RCE (NVD)](https://nvd.nist.gov/vuln/detail/CVE-2023-46604) + {{#include ../../banners/hacktricks-training.md}} 
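Review bot: the timeline command under "Forensic/hunting tips", `find "$AMQ_DIR" -type f -printf '%TY-%Tm-%Td %TH:%TM %p\n' | sort`, prints only mtime, although the sentence says it correlates ctime/mtime; a JAR pulled with `curl -O` carries whatever mtime the download gave it, while ctime cannot be set with `touch`, so ctime is the field worth sorting on. Suggest `-printf '%CY-%Cm-%Cd %CH:%CM %TY-%Tm-%Td %TH:%TM %p\n'` or `stat -c '%z %y %n'`. In the same hunk the awk check `$7 ~ /bin\/(sh|bash|zsh)/` is unanchored, so the stock `/sbin/shutdown` shell of the `shutdown` account matches `bin/sh` and is flagged on every clean RHEL-family host; anchor it as `$7 ~ /\/bin\/(sh|bash|zsh)$/`. The cron grep `grep -R --line-number -E 'curl|wget|python|/bin/sh' /etc/cron.*/*` will hit the `#!/bin/sh` shebang of every legitimate stub, so either drop `/bin/sh` from the pattern or filter shebang lines (e.g. `| grep -v ':#!'`). The root-login check `grep -E '^\s*PermitRootLogin' /etc/ssh/sshd_config` misses directives in `/etc/ssh/sshd_config.d/*.conf`, which Debian/Ubuntu include at the top of the file and which take precedence because sshd honours the first match; `sshd -T | grep -i permitrootlogin` (as root) returns the effective value, and an absent line is not a finding since the default is `prohibit-password`. The 8-character search `find / -maxdepth 3 ... -regex '.*/[A-Za-z]{8}$'` matches stock binaries such as `/usr/bin/hostname` and `/usr/bin/basename` and walks `/proc`; restrict it to writable and home locations (`/tmp /var/tmp /dev/shm /root /home /opt`) or add `-not -path '/usr/*' -not -path '/proc/*'`, and say that the 8-letter name is an observation from this intrusion rather than a general indicator. In the "Operational example (illustrative)" script, the two `ln -sf ... activemq-client.jar` / `activemq-openwire-legacy.jar` lines are not attributed to the observed tradecraft by the surrounding prose (which only describes fetching new JARs and deleting the old ones) and the text never explains why an unversioned symlink would be needed; drop them or mark them as an assumption, and `|| true` after `rm -f` is redundant since `rm -f` already returns 0 for missing files. Minor: the PyInstaller bullet says extraction happens under `/_MEI*` while the next bullet says `/tmp/_MEI*`; the default is `$TMPDIR/_MEIxxxxxx` (normally `/tmp`), so the first should read `/tmp/_MEI*`.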
diff --git a/src/generic-methodologies-and-resources/basic-forensic-methodology/linux-forensics.md b/src/generic-methodologies-and-resources/basic-forensic-methodology/linux-forensics.md index f2d4316c2..79ae8b3e8 100644 --- a/src/generic-methodologies-and-resources/basic-forensic-methodology/linux-forensics.md +++ b/src/generic-methodologies-and-resources/basic-forensic-methodology/linux-forensics.md 
@@ -212,6 +212,38 @@ cat /var/spool/cron/crontabs/* \ ls -l /usr/lib/cron/tabs/ /Library/LaunchAgents/ /Library/LaunchDaemons/ ~/Library/LaunchAgents/ ``` +#### Hunt: Cron/Anacron abuse via 0anacron and suspicious stubs +Attackers often edit the 0anacron stub present under each /etc/cron.*/ directory to ensure periodic execution. + +```bash +# List 0anacron files and their timestamps/sizes +for d in /etc/cron.*; do [ -f "$d/0anacron" ] && stat -c '%n %y %s' "$d/0anacron"; done + +# Look for obvious execution of shells or downloaders embedded in cron stubs +grep -R --line-number -E 'curl|wget|/bin/sh|python|bash -c' /etc/cron.*/* 2>/dev/null +``` + +#### Hunt: SSH hardening rollback and backdoor shells +Changes to sshd_config and system account shells are common post‑exploitation to preserve access. + +```bash +# Root login enablement (flag "yes" or lax values) +grep -E '^\s*PermitRootLogin' /etc/ssh/sshd_config + +# System accounts with interactive shells (e.g., games → /bin/sh) +awk -F: '($7 ~ /bin\/(sh|bash|zsh)/ && $1 ~ /^(games|lp|sync|shutdown|halt|mail|operator)$/) {print}' /etc/passwd +``` + +#### Hunt: Cloud C2 markers (Dropbox/Cloudflare Tunnel) +- Dropbox API beacons typically use api.dropboxapi.com or content.dropboxapi.com over HTTPS with Authorization: Bearer tokens. + - Hunt in proxy/Zeek/NetFlow for unexpected Dropbox egress from servers. +- Cloudflare Tunnel (`cloudflared`) provides backup C2 over outbound 443. + +```bash +ps aux | grep -E '[c]loudflared|trycloudflare' +systemctl list-units | grep -i cloudflared +``` + ### Services Paths where a malware could be installed as a service: 
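Review bot: the `cloudflared` process hunt `ps aux | grep -E '[c]loudflared|trycloudflare'` still matches its own grep command line, because the `[c]` bracket trick only protects the first alternative; write `'[c]loudflared|[t]rycloudflare'` or use `pgrep -af 'cloudflared|trycloudflare'`. Likewise `systemctl list-units | grep -i cloudflared` lists only loaded units, so a unit that was installed for persistence but is currently stopped or failed is missed; use `systemctl list-unit-files | grep -i cloudflared` or add `--all`. The cron, SSH and system-account checks here are the same commands added to anti-forensic-techniques.md in the sibling hunk and carry the same defects: the `/bin/sh` alternative in the cron grep matches every `#!/bin/sh` shebang, the awk shell regex is unanchored and flags the stock `/sbin/shutdown` shell (anchor it with `$`), and grepping `PermitRootLogin` in `/etc/ssh/sshd_config` alone misses `sshd_config.d/*.conf` drop-ins, where `sshd -T` gives the effective value. Rather than maintaining two copies, keep the hunts in one page and link to it from the other.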
@@ -395,6 +427,8 @@ git diff --no-index --diff-filter=D path/to/old_version/ path/to/new_version/ - [https://git-scm.com/docs/git-diff#Documentation/git-diff.txt---diff-filterACDMRTUXB82308203](https://git-scm.com/docs/git-diff#Documentation/git-diff.txt---diff-filterACDMRTUXB82308203) - **Book: Malware Forensics Field Guide for Linux Systems: Digital Forensics Field Guides** +- [Red Canary – Patching for persistence: How DripDropper Linux malware moves through the cloud](https://redcanary.com/blog/threat-intelligence/dripdropper-linux-malware/) + {{#include ../../banners/hacktricks-training.md}}