A sigma rule for file permission setting using chmod
The decompiled interpretation from Ghidra of the main function.
This is a link to the sample executed - https://bazaar.abuse.ch/sample/990628a2402ee9d0c66f52bd4ce24f039dc01b30fb1146df741d93a396a07cac/
A few bits from this one: using echo directly into crontab & attempting to mount /tmp over the PID in /proc/, likely as a stealth method. Not running as root prevented the mount command, so I ran it as root to test it.
Sigma rule for mount - https://github.com/exeronn/Linux-Detection/blob/main/Sigma/suspicious_mount_against_proc.yml
Another compiled python sample, with better stealth than the previous one. Its files are located in /dev/shm/.p/, it uses a process hider to change the name for ps and similar output and the compiled python code isn't listed in objdump.
A fairly crude, yet relatively well-functioning perl implant. Supports scanning, log cleanup, DOS and arbitrary command execution. Whilst it was simple, it was good for 8 new sigma rules!
#Sigma #SysmonforLinux #Perl #Malware
I also created a Sysmon config with the required sections that can be merged with a current config to record the specific event types
#sysmonforlinux #sigma #pyinstaller #python
Analysis of a multi platform coin miner & generic RAT. Has persistence via crontab & systemctl, can execute shell commands & DOS certain protocols.
#SysmonforLinux #RAT #CoinMiner
Running a sample which is a pyInstaller compiled ELF. The Python code is multi OS (Linux & Windows). Will post more detail on it after I've some time to look at it properly. #SysmonforLinux #PyInstaller #malware
As I forgot - #SysmonforLinux #LinuxMalware #Coinminer
An attempt to visualise the process tree using Networkx & Pyvis in Jupyter, keyed on ProcessGuid & ParentProcessGuid. #Python #Jupyter #SysmonforLinux
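The ProcessGuid/ParentProcessGuid keying described in the post above, as an added example that is not the author's notebook code: it builds the tree in plain Python over constructed Sysmon for Linux EventID 1 records (GUIDs, paths and command lines are made up), skips non-process events, and keeps a process whose parent was never logged as a root instead of dropping it. Networkx and Pyvis are left out so it runs with the standard library only.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict
# Constructed Sysmon for Linux records, trimmed to the fields used here;
# GUIDs, paths and command lines are made up for this example.
SAMPLE_XML = """<Events>
<Event><System><EventID>1</EventID></System><EventData>
<Data Name="ProcessGuid">{g1}</Data><Data Name="ParentProcessGuid">{g0}</Data>
<Data Name="Image">/usr/bin/bash</Data><Data Name="CommandLine">bash ./stage.sh</Data></EventData></Event>
<Event><System><EventID>1</EventID></System><EventData>
<Data Name="ProcessGuid">{g2}</Data><Data Name="ParentProcessGuid">{g1}</Data>
<Data Name="Image">/usr/bin/crontab</Data><Data Name="CommandLine">crontab -</Data></EventData></Event>
<Event><System><EventID>1</EventID></System><EventData>
<Data Name="ProcessGuid">{g3}</Data><Data Name="ParentProcessGuid">{g1}</Data>
<Data Name="Image">/usr/bin/mount</Data><Data Name="CommandLine">mount /tmp /proc/4242</Data></EventData></Event>
<Event><System><EventID>3</EventID></System><EventData>
<Data Name="ProcessGuid">{g3}</Data><Data Name="DestinationIp">10.0.0.1</Data></EventData></Event>
</Events>"""


def parse_process_events(xml_text):
    """Map ProcessGuid -> {parent, image, cmd} from EventID 1 (process create) records only."""
    procs = {}
    for ev in ET.fromstring(xml_text).iter("Event"):
        if ev.findtext("System/EventID") != "1":
            continue  # network/file events carry no ParentProcessGuid
        d = {x.get("Name"): x.text for x in ev.iter("Data")}
        procs[d["ProcessGuid"]] = {"parent": d.get("ParentProcessGuid"),
                                   "image": d.get("Image"), "cmd": d.get("CommandLine")}
    return procs


def build_tree(procs):
    """Return (roots, children). A process whose parent GUID was never logged
    (e.g. it started before Sysmon loaded) becomes a root rather than being dropped."""
    children = defaultdict(list)
    roots = []
    for guid, p in procs.items():
        (children[p["parent"]] if p["parent"] in procs else roots).append(guid)
    return roots, children


def render(procs, nodes, children, depth=0):
    """Indented text tree; siblings sorted by image path for stable output."""
    lines = []
    for guid in sorted(nodes, key=lambda g: procs[g]["image"]):
        lines.append("  " * depth + f"{procs[guid]['image']}  [{procs[guid]['cmd']}]")
        lines.extend(render(procs, children.get(guid, []), children, depth + 1))
    return lines


if __name__ == "__main__":
    procs = parse_process_events(SAMPLE_XML)
    print("\n".join(render(procs, *build_tree(procs))))
```

The same adjacency list can be fed straight into networkx (one edge per parent/child pair) once the root handling above has been applied.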
Still need to do some work to show process graphs. This was interesting, several GTFOBins & utilises a tool to rename the binary so tools such as "ps" show something else. Also sets up a cronjob to run every 5 minutes. It uses a pid file to deduplicate runs. #sysmonforlinux
Sysmon for Linux set up to start testing by running payloads from the honeypots and other public sources.
Currently collecting & processing:
* process start/stop
* network connections
* file create/delete
#Linux #Sysmonforlinux
We often use Sysmon to log system activity on Windows, but what if we are using Linux?
You can use:
1. SysmonForLinux: https://github.com/Sysinternals/SysmonForLinux
2. auditd: https://linux.die.net/man/8/auditd
Unfortunately, SysmonForLinux is still limited to a few events and cannot log all activities, such as DNSEvent (EventID 22).
Let me know what you're using for Linux.
#sysmon #sysmonforlinux #cybersecurity
I think I got bored waiting after #SysmonForLinux so I decided to start my own BPF based #linux monitoring project. Roadmap:
- shared object loading
- driver loading
- dns queries
- network connections
Tell me if you want other stuff for a first #opensource release!
#threathunting