Here's how to recover a #Linux binary from a malicious process that has deleted itself from the disk.

cp /proc/<PID>/exe /tmp/recovered_bin

Let's see how this works. #DFIR #threathunting #forensics

Often, malware deletes itself after it starts so file scanners and integrity checks won't find it. It can make analysis harder if you can't get to the binary easily.

But if you remember /proc/<PID>/exe you can recover any deleted binary.

#DFIR #threathunting #forensics

Use the sleep command to simulate a deleted process:

cd /tmp
cp /bin/sleep x
./x 3600 &
[1] 32031
rm x

This copies the sleep command as "x" under /tmp and runs for 3600 seconds. Then, delete "x" so the binary appears removed. Practice on it.

#DFIR #threathunting #forensics

Let's look at the /proc directory. The system flagged the binary as deleted.

ls -al /proc/32031/exe
lrwxrwxrwx 1 root root 0 May 23 19:39 /proc/32031/exe -> /tmp/x (deleted)

But, #Linux will not delete the file as long as a process still has it open.

#DFIR #threathunting

This /proc/32031/exe link will easily get you the binary that started the process even though it says it's deleted. Copy it to where you want and the binary that was deleted is now yours:

cp /proc/32031/exe /tmp/recovered_bin

#DFIR #threathunting #forensics #sandflysecurity

The above is reason #4387 to never kill a suspicious process you find until you have investigated what it is doing. If you kill the process, you'd lose the binary as it would be released by the filesystem and likely destroyed.

#DFIR #threathunting #forensics #sandflysecurity

Here's a video where I walk through recovering a process binary that has been deleted on Linux.



#DFIR #threathunting #forensics #sandflysecurity