Profile picture
Craig H. Rowland
@CraigHRowland
, 13 tweets, 9 min read Read on Twitter
Let's go step-by-step and do some basic live process forensics for #Linux. Today's contestant is a bindshell backdoor waiting for a connection on Ubuntu. We saw something odd when we ran:

netstat -nalp

#DFIR #threathunting #forensics
netstat -nalp shows a process named "x7" PID with a listening port that we don't recognize. #DFIR
First thing we'll do is list out /proc/<PID> to see what is going on. Our PID is 5805:

ls -al /proc/5805

The current working directory is /tmp. The binary was in /tmp, but was deleted. A lot of exploits work out of /tmp and /dev/shm on Linux. This is a major red flag. #DFIR
Before we do anything else, we'll recover the deleted binary. As long as the process is still running, it is very easy to recover a deleted process binary on Linux:

cp /proc/<PID>/exe /destination_dir/recovered_bin

#DFIR
Now that we've saved the Linux binary somewhere off the system, we can recover the hashes easily. #DFIR
Let's go into our friendly /proc directory on Linux. For the PID we want to investigate we'll go to /proc/<PID> to dig around. Look at the cmdline that was used to start the malware. Some malware will cloak this data:

cat /proc/<PID>/comm
cat /proc/<PID>/cmdline

#DFIR
Now let's take a look at the environment. This can often reveal information about who or what started the process. Here we see the process was started with sudo by another user.

strings /proc/<PID>/environ

#DFIR
Now let's look at the file descriptors it has open. This can often show you hidden files and directories that the malware is using to stash things along with open sockets:

ls -al /proc/<PID>/fd

#DFIR #Linux
Another area to look into is the Linux process maps. This shows libraries the malware is using and again can show links to malicious files it is using as well.

cat /proc/<PID>/maps

#DFIR #forensics
The /proc/<PID>/stack area can sometimes reveal more details. We'll look at that like this:

cat /proc/<PID>/stack

In this case we see some network accept() calls indicating again this is a network server waiting for a connection.

#linux #DFIR
Finally for now, let's look at /proc/<PID>/status for overall process details. This can reveal parent PIDs, etc.

cat /proc/<PID>/status

#DFIR
Those are some basics of Linux live process analysis. The big thing is this: Don't kill a suspicious process until you have investigated what it is doing. If you kill it out of panic, then you can lose and destroy a lot of useful information.

#DFIR #Linux #malware
I have created a Linux command line cheatsheet to help you look for these and other artifacts here:

sandflysecurity.com/blog/compromis…

#DFIR #threathunting #linux #malware
Missing some Tweet in this thread?
You can try to force a refresh.

Like this thread? Get email updates or save it to PDF!

Subscribe to Craig H. Rowland
Profile picture

Get real-time email alerts when new unrolls are available from this author!

This content may be removed anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

Related hashtags

#linux #DFIR #threathunting #forensics #malware

More from @CraigHRowland see all

Profile picture
Craig H. Rowland
@CraigHRowland
Here's how to recover a #Linux binary from a malicious process that has deleted itself from the disk.

cp /proc/<PID>/exe /tmp/recovered_bin

Let's see how this works. #DFIR #threathunting #forensics
Often, malware deletes itself after it starts so file scanners and integrity checks won't find it. It can make analysis harder if you can't get to the binary easily.

But if you remember /proc/<PID>/exe you can recover any deleted binary.

#DFIR #threathunting #forensics
Use the sleep command to simulate a deleted process:

cd /tmp
cp /bin/sleep x
./x 3600 &
[1] 32031
rm x

This copies the sleep command as "x" under /tmp and runs for 3600 seconds. Then, delete "x" so the binary appears removed. Practice on it.

#DFIR #threathunting #forensics
Read 7 tweets

Related threads

Profile picture
Unicorn Riot
@UR_Ninja
#LIVE: Direct Actions Disrupt #DC to Demand Climate Action - #ShutDownDC periscope.tv/UR_Ninja/1dRKZ…
More info on todays #ClimateStrikedc actions:

unicornriot.ninja/2019/direct-ac…
#BREAKING: Activists w Extinction Rebellion shut down intersection of 16th & K in Washington, DC by parking a sailboat in the street.

This is part of several disruptive #ClimateStrike actions working to #ShutDownDC this AM.
Read 24 tweets
Profile picture
Harsh
@harsh6363
Since it's been really bothering me, I think it's better I write about it.

Yesterday I went to assist one visually impaired candidate, as his scribe. This is the first time I was doing so and I didn't know how the process worked.
I didn't anticipate I was in for a shocker.
1/n
This was for SBI clerk prelim exam, which was scheduled for 4:30-6 PM on Powai.
People with disability and without disability were taking the exam together at the same centre. 2/n
As the candidate I was assisting arrived, we entered the centre. First shock was here, when I realised apart from having just a separate entrance, there was nothing done to assist these folks.
What I mean is, no was ensuring that a proper queue is maintained. 3/n
Read 25 tweets
Profile picture
Filomena Rocha, President European Commission
@Filomen03258997
18. - Attempted coup in Venezuela with support from the US - 2019

#Venezuela #AttemptCoupInVenezuela #War #Warlords2019 #TheWorldWithVenezuela #ElMundoEstaConVenezuela #ElMundoEstaConVzla #Democracy #HumanRights #dignity #Peace #Love #Freedom #UNCharter
Read 210 tweets
Profile picture
Malwrologist
@DissectMalware
#linux #bash #obfuscation #technique #bashfuscation
padding commands with history expansion characters (#exclamation mark (!))
! ! ! ! echo this is test
(removed the previous tweet as I revealed too much info !)
#linux #bash #obfuscation #bashfuscation

using history expansion character -> !! (i.e. last command)

ca
!!t really

is equivalent to
cat really

(only 4 interactive shell)
#linux #bash #obfuscation #bashfuscation

padding commands with empty commands (: ;)

: -> true (do nothing)
; -> command separator

: : ; : ; cat really
! ! ! : : ; : ; cat really
Read 8 tweets
Profile picture
Malwrologist
@DissectMalware
#linux #bash #obfuscation using octal vals
$'\143\141\164' really

gnu.org/software/bash/…
"Words of the form $'string' are treated specially. The word expands to string, with backslash-escaped characters replaced as specified by the ANSI C standard."

Variations
$'\143'$'\141'$'\164' really
$'\143'''$'\141'''''''''''''$'\164' really
$'\143'''$'\141'''""''''""''$'\164' really

Explanation:
'' -> empty string
""-> empty string
'a''b' -> 'ab' (concatenation)

(deleted the previous one, as the picture had a problem)
To give you a headache

t=
$'\143'''$'\141'$t''"$t"''`$t`''$'\164' really
Read 13 tweets
Profile picture
Naval Surface Forces
@SurfaceWarriors
#LIVE NOW: @NAVSURFOR VADM Tom Rowden speaks at #SNA2018
VADM Rowden: We are the preeminent Navy on the face of the Earth. We are the preeminent Surface Navy on the face of the Earth. That is not given, that is earned.
VADM Rowden: #SurForStrategy describes the return to #SeaControl, which is the timeless & universal purpose of the @USNavy. It also highlights the implementation of #DistributedLethality as an operational & organizational principle for achieving & sustaining sea control. #SNA2018
Read 24 tweets

Trending hashtags

#CBOA #LIVE #TriStation #VenezuelaNoSeRinde #Investment #TRITON #coup #cdnpoli #NavyPride #China #DonaldTrump #expansion #WhiteHouse #FromTheSouth #unroll #Maradona #NoDAPL #Trump #linux #Turkey #null #Arms #Caracas #Grenada #Brazil
Follow Us on Twitter!

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!