Fileless Attack Detection for Linux is now Generally Available

Published 12-01-2020 02:40 PM 2,999 Views
Microsoft

This blog post was co-authored by:

Aditya Joshi, Senior Software Engineer, Microsoft Defender for Endpoint

Tino Morenz, Senior Software Engineer, Enterprise Data Protection

 

The Azure Defender team is excited to share that the Fileless Attack Detection for Linux Preview, which we announced earlier this year, is now generally available for all Azure VMs and non-Azure machines enrolled in Azure Defender.

 

Fileless Attack Detection for Linux periodically scans your machine and extracts insights directly from the memory of processes.  Automated memory forensic techniques identify fileless attack toolkits, techniques, and behaviors.  This detection capability identifies attacker payloads that persist within the memory of compromised processes and perform malicious activities.

 

See below for an example fileless attack from our preview program, a description of detection capabilities, and an overview of the onboarding process.

 

Real-world attack pattern from our preview program

In our continuous monitoring of fileless attacks we often encounter malware components, exhibiting in-memory ELF and shellcode payloads that are in the initial stages of being weaponized by attackers.

 

In this example, a customer’s VM is infected with malware that is attempting to blend in as standard system security components.

  • The first component of the malware is the binary /usr/bin/.securetty/.esd-644/auditd, running from the user's bin location under hidden folders. On disk, the file has been packed with UPX and contains no section headers.
  • The malware filename is auditd, which is the userspace component of the Linux Auditing System. In addition, the commandline for the malware is "/usr/sbin/abrtd". This path is associated with the Automatic Bug Reporting Tool, a daemon that watches for application crashes.
  • Accompanying the masquerading auditd is another payload impersonating anacron, a system utility used to execute commands periodically.
  • The second payload runs with the commandline "/usr/sbin/anacron -s" and runs as the file name devkit-power-daemon to impersonate the DeviceKit-power daemon. The malware also maintains a persistent outgoing TCP connection to port 53, which is typically associated with DNS queries.

 

Detecting the attack

  • Fileless Attack Detection begins by identifying dynamically allocated code segments that are not backed by the filesystem. In this case, this scan identifies a 32-bit ELF in an anonymous executable region of memory.
  • Next our detector scans these segments for specific behaviors and indicators. Packed malware, such as in this case, obfuscates its contents on disk, but often exhibits malicious indicators in-memory.
  • The in-memory ELF analysis identifies numerous syscalls to perform system operations for process control, dynamic memory allocation, signal handling and changing thread context. Some of the syscalls identified include clone, epoll_create, getpid, gettid, kill, mmap, munmap, rt_sigaction, rt_sigprocmask, set_thread_area, sigaltstack, and tgkill.

 

Fileless attack detection capabilities

Fileless Attack Detection for Linux scans the memory of all processes for shellcode, malicious injected ELF executables, and well-known toolkits.  Toolkits include crypto mining software.

 

Here is an example alert:

 

PI for Linux Alert Summary.png

The alerts contain information to assist with triaging and correlation activities, which include process metadata:

 

PI for Linux Alert Metadata.png

We plan to add and refine alert capabilities over time. Additional alert types will be documented here.

 

Process memory scanning is non-invasive and does not affect the other processes on the system. Most scans run in less than five seconds. The privacy of your data is protected throughout this procedure as all memory analysis is performed on the host itself. Scan results contain only security-relevant metadata and details of suspicious payloads.

 

Onboarding details

This capability is automatically deployed to your Linux machines as an extension to the Log Analytics Agent for Linux, which is also known as the OMS Agent. This agent supports the Linux OS distributions described in this document. Azure VMs and non-Azure machines must be enrolled in Azure Defender to benefit from this detection capability.

 

To learn more about Azure Defender, visit the Azure Defender Page.

%3CLINGO-SUB%20id%3D%22lingo-sub-1903892%22%20slang%3D%22en-US%22%3EFileless%20Attack%20Detection%20for%20Linux%20is%20now%20Generally%20Available%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1903892%22%20slang%3D%22en-US%22%3E%3CP%3E%3CEM%3EThis%20blog%20post%20was%20co-authored%20by%3A%20%3C%2FEM%3E%3C%2FP%3E%0A%3CP%20class%3D%22lia-indent-padding-left-30px%22%3E%3CEM%3EAditya%20Joshi%2C%20Senior%20Software%20Engineer%2C%20Microsoft%20Defender%20for%20Endpoint%3C%2FEM%3E%3C%2FP%3E%0A%3CP%20class%3D%22lia-indent-padding-left-30px%22%3E%3CEM%3ETino%20Morenz%2C%20Senior%20Software%20Engineer%2C%20Enterprise%20Data%20Protection%3C%2FEM%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThe%20Azure%20Defender%20team%20is%20excited%20to%20share%20that%20the%20Fileless%20Attack%20Detection%20for%20Linux%20Preview%2C%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fazure.microsoft.com%2Fen-us%2Fblog%2Ffileless-attack-detection-for-linux-in-preview%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ewhich%20we%20announced%20earlier%20this%20year%3C%2FA%3E%2C%20is%20now%20generally%20available%20for%20all%20Azure%20VMs%20and%20non-Azure%20machines%20enrolled%20in%20Azure%20Defender.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EFileless%20Attack%20Detection%20for%20Linux%20periodically%20scans%20your%20machine%20and%20extracts%20insights%20directly%20from%20the%20memory%20of%20processes.%26nbsp%3B%20Automated%20memory%20forensic%20techniques%20identify%20fileless%20attack%20toolkits%2C%20techniques%2C%20and%20behaviors.%26nbsp%3B%20This%20detection%20capability%20identifies%20attacker%20payloads%20that%20persist%20within%20the%20memory%20of%20compromised%20processes%20and%20perform%20malicious%20activities.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ESee%20below%20for%20an%20example%20fileless%20attack%20from%20our%20preview%20program%2C%20a%20description%20of%20detection%20capabilities%2C%20and%20an%20overview%20of%20the%20onboarding%20process.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EReal-world%20attack%20pattern%20from%20our%20preview%20program%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3EIn%20our%20continuous%20monitoring%20of%20fileless%20attacks%20we%20often%20encounter%20malware%20components%2C%20exhibiting%20in-memory%20ELF%20and%20shellcode%20payloads%20that%20are%20in%20the%20initial%20stages%20of%20being%20weaponized%20by%20attackers.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIn%20this%20example%2C%20a%20customer%E2%80%99s%20VM%20is%20infected%20with%20malware%20that%20is%20attempting%20to%20blend%20in%20as%20standard%20system%20security%20components.%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EThe%20first%20component%20of%20the%20malware%20is%20the%20binary%26nbsp%3B%3CSTRONG%3E%2Fusr%2Fbin%2F.securetty%2F.esd-644%2Fauditd%3C%2FSTRONG%3E%2C%20running%20from%20the%20user's%20bin%20location%20under%20hidden%20folders.%20On%20disk%2C%20the%20file%20has%20been%20packed%20with%20UPX%20and%20contains%20no%20section%20headers.%3C%2FLI%3E%0A%3CLI%3EThe%20malware%20filename%20is%20auditd%2C%20which%20is%20the%20userspace%20component%20of%20the%20Linux%20Auditing%20System.%20In%20addition%2C%20the%20commandline%20for%20the%20malware%20is%20%22%2Fusr%2Fsbin%2Fabrtd%22.%20This%20path%20is%20associated%20with%20the%20Automatic%20Bug%20Reporting%20Tool%2C%20a%20daemon%20that%20watches%20for%20application%20crashes.%3C%2FLI%3E%0A%3CLI%3EAccompanying%20the%20masquerading%20auditd%20is%20another%20payload%20impersonating%20anacron%2C%20a%20system%20utility%20used%20to%20execute%20commands%20periodically.%3C%2FLI%3E%0A%3CLI%3EThe%20second%20payload%20runs%20with%20the%20commandline%20%22%2Fusr%2Fsbin%2Fanacron%20-s%22%20and%20runs%20as%20the%20file%20name%20devkit-power-daemon%20to%20impersonate%20the%20DeviceKit-power%20daemon.%20The%20malware%20also%20maintains%20a%20persistent%20outgoing%20TCP%20connection%20to%20port%2053%2C%20which%20is%20typically%20associated%20with%20DNS%20queries.%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EDetecting%20the%20attack%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EFileless%20Attack%20Detection%20begins%20by%20identifying%20dynamically%20allocated%20code%20segments%20that%20are%20not%20backed%20by%20the%20filesystem.%20In%20this%20case%2C%20this%20scan%20identifies%20a%2032-bit%20ELF%20in%20an%20anonymous%20executable%20region%20of%20memory.%3C%2FLI%3E%0A%3CLI%3ENext%20our%20detector%20scans%20these%20segments%20for%20specific%20behaviors%20and%20indicators.%20Packed%20malware%2C%20such%20as%20in%20this%20case%2C%20obfuscates%20its%20contents%20on%20disk%2C%20but%20often%20exhibits%20malicious%20indicators%20in-memory.%3C%2FLI%3E%0A%3CLI%3EThe%20in-memory%20ELF%20analysis%20identifies%20numerous%20syscalls%20to%20perform%20system%20operations%20for%20process%20control%2C%20dynamic%20memory%20allocation%2C%20signal%20handling%20and%20changing%20thread%20context.%20Some%20of%20the%20syscalls%20identified%20include%20clone%2C%20epoll_create%2C%20getpid%2C%20gettid%2C%20kill%2C%20mmap%2C%20munmap%2C%20rt_sigaction%2C%20rt_sigprocmask%2C%20set_thread_area%2C%20sigaltstack%2C%20and%20tgkill.%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EFileless%20attack%20detection%20capabilities%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3EFileless%20Attack%20Detection%20for%20Linux%20scans%20the%20memory%20of%20all%20processes%20for%20shellcode%2C%20malicious%20injected%20ELF%20executables%2C%20and%20well-known%20toolkits.%26nbsp%3B%20Toolkits%20include%20crypto%20mining%20software.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EHere%20is%20an%20example%20alert%3A%3C%2FP%3E%0A%3CDIV%20id%3D%22tinyMceEditorBen%20Nick_2%22%20class%3D%22mceNonEditable%20lia-copypaste-placeholder%22%3E%26nbsp%3B%3C%2FDIV%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22PI%20for%20Linux%20Alert%20Summary.png%22%20style%3D%22width%3A%20624px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F234583iC979644E1A344609%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22PI%20for%20Linux%20Alert%20Summary.png%22%20alt%3D%22PI%20for%20Linux%20Alert%20Summary.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3EThe%20alerts%20contain%20information%20to%20assist%20with%20triaging%20and%20correlation%20activities%2C%20which%20include%20process%20metadata%3A%3C%2FP%3E%0A%3CDIV%20id%3D%22tinyMceEditorBen%20Nick_1%22%20class%3D%22mceNonEditable%20lia-copypaste-placeholder%22%3E%26nbsp%3B%3C%2FDIV%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22PI%20for%20Linux%20Alert%20Metadata.png%22%20style%3D%22width%3A%20624px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F234584iCD26D3C72042DD1B%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22PI%20for%20Linux%20Alert%20Metadata.png%22%20alt%3D%22PI%20for%20Linux%20Alert%20Metadata.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3EWe%20plan%20to%20add%20and%20refine%20alert%20capabilities%20over%20time.%20Additional%20alert%20types%20will%20be%20documented%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fsecurity-center%2Falerts-reference%23alerts-linux%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehere%3C%2FA%3E.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EProcess%20memory%20scanning%20is%20non-invasive%20and%20does%20not%20affect%20the%20other%20processes%20on%20the%20system.%26nbsp%3BMost%20scans%20run%20in%20less%20than%20five%20seconds.%20The%20privacy%20of%20your%20data%20is%20protected%20throughout%20this%20procedure%20as%20all%20memory%20analysis%20is%20performed%20on%20the%20host%20itself.%20Scan%20results%20contain%20only%20security-relevant%20metadata%20and%20details%20of%20suspicious%20payloads.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EOnboarding%20details%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3EThis%20capability%20is%20automatically%20deployed%20to%20your%20Linux%20machines%20as%20an%20extension%20to%20the%20Log%20Analytics%20Agent%20for%20Linux%2C%20which%20is%20also%20known%20as%20the%20OMS%20Agent.%20This%20agent%20supports%20the%20Linux%20OS%20distributions%20described%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fazure-monitor%2Fplatform%2Flog-analytics-agent%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ein%20this%20document%3C%2FA%3E.%20Azure%20VMs%20and%20non-Azure%20machines%20must%20be%20enrolled%20in%20Azure%20Defender%20to%20benefit%20from%20this%20detection%20capability.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ETo%20learn%20more%20about%20Azure%20Defender%2C%20visit%20the%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fazure.microsoft.com%2Fen-us%2Fservices%2Fazure-defender%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EAzure%20Defender%20Page%3C%2FA%3E.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-1903892%22%20slang%3D%22en-US%22%3E%3CP%3EThe%20Azure%20Defender%20team%20is%20excited%20to%20share%20that%20the%20Fileless%20Attack%20Detection%20for%20Linux%20Preview%2C%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fazure.microsoft.com%2Fen-us%2Fblog%2Ffileless-attack-detection-for-linux-in-preview%2F%22%20rel%3D%22noopener%20noreferrer%22%20target%3D%22_blank%22%3Ewhich%20we%20announced%20earlier%20this%20year%3C%2FA%3E%2C%20is%20now%20generally%20available%20for%20all%20Azure%20VMs%20and%20non-Azure%20machines%20enrolled%20in%20Azure%20Defender%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22PI%20for%20Linux%20Alert%20Summary%20-%20Teaser.png%22%20style%3D%22width%3A%20620px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F237092i1474FBB4FEE4685E%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22PI%20for%20Linux%20Alert%20Summary%20-%20Teaser.png%22%20alt%3D%22PI%20for%20Linux%20Alert%20Summary%20-%20Teaser.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-TEASER%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1903892%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAzure%20Defender%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EFileless%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EFileless%20attack%20detection%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E
Version history
Last update:
‎Dec 01 2020 02:40 PM
Updated by: