%3CLINGO-SUB%20id%3D%22lingo-sub-1551766%22%20slang%3D%22en-US%22%3EFileless%20Attack%20Detection%20for%20Linux%20Preview%20is%20Expanding%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1551766%22%20slang%3D%22en-US%22%3E%3CP%3E%3CEM%3EThis%20blog%20post%20was%20co-authored%20by%20Aditya%20Joshi%2C%20Senior%20Software%20Engineer%2C%20Enterprise%20Protection%20and%20Detection.%3C%2FEM%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThe%20Security%20Center%20team%20is%20excited%20to%20share%20that%20the%20Fileless%20Attack%20Detection%20for%20Linux%20Preview%2C%20%3CA%20href%3D%22https%3A%2F%2Fazure.microsoft.com%2Fen-us%2Fblog%2Ffileless-attack-detection-for-linux-in-preview%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ewhich%20we%20announced%20earlier%20this%20year%3C%2FA%3E%2C%20is%20expanding%20to%20include%20all%20Azure%20VMs%20and%20non-Azure%20machines%20enrolled%20in%20Azure%20Security%20Center%20Standard%20and%20Standard%20Trial%20pricing%20tiers.%26nbsp%3B%20This%20solution%20periodically%20scans%20your%20machine%20and%20extracts%20insights%20directly%20from%20the%20memory%20of%20processes.%26nbsp%3B%20Automated%20memory%20forensic%20techniques%20identify%20fileless%20attack%20toolkits%2C%20techniques%2C%20and%20behaviors.%26nbsp%3B%20This%20detection%20capability%20identifies%20attacker%20payloads%20that%20persist%20within%20the%20memory%20of%20compromised%20processes%20and%20perform%20malicious%20activities.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ESee%20below%20for%20an%20example%20fileless%20attack%20from%20our%20preview%20program%2C%20a%20description%20of%20detection%20capabilities%2C%20and%20an%20overview%20of%20the%20onboarding%20process.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH3%20id%3D%22toc-hId-1200720473%22%20id%3D%22toc-hId-1200720473%22%3E%3CSTRONG%3EReal-world%20attack%20pattern%20from%20our%20preview%20program%20%3C%2FSTRONG%3E%3C%2FH3%3E%0A%3CP%3EWe%20continue%20to%20see%20the%20exploitation%20of%20vulnerabilities%20and%20multi-staged%20attack%20payloads%20with%20shellcode%20and%20dynamic%20code%20visible%20only%20in%20memory.%26nbsp%3B%20In%20this%20example%2C%20a%20customer%E2%80%99s%20VM%20is%20running%20shellcode-based%20malware%20and%20a%20cryptominer%20as%20root%20within%20a%20compromised%20docker%20container.%20%26nbsp%3B%3C%2FP%3E%0A%3CP%3EHere%20are%20the%20steps%20of%20the%20attack%3A%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EThe%20attacker%20uses%20an%20unauthenticated%20network%20facing%20service%20running%20inside%20a%20docker%20container%20to%20achieve%20code%20execution%20as%20root%20inside%20the%20container.%3C%2FLI%3E%0A%3CLI%3EThe%20attacker%20downloads%20and%20executes%20a%20file%20and%20deletes%20the%20file%20to%20deter%20disk-based%20detection%2C%20leaving%20only%20the%20in-memory%20payload.%3C%2FLI%3E%0A%3CLI%3EThe%20attacker%20achieves%20persistence%20by%20adding%20a%20crontab%20task%20to%20run%20a%20bash%20shell%20script%20to%20download%20a%202%3CSUP%3End%3C%2FSUP%3E%20stage%20payload.%26nbsp%3B%20The%202%3CSUP%3End%3C%2FSUP%3E%20stage%20payload%20is%20a%20packed%20file%20containing%20the%20XMRIG%20cryptocurrency%20miner.%26nbsp%3B%3C%2FLI%3E%0A%3CLI%3EThe%20attacker%20unpacks%20and%20runs%20XMRIG%20within%20the%20container.%20XMRIG%20persists%20in%20memory%20and%20connects%20to%20a%20miner%20pool%20to%20start%20crypto%20mining.%3C%2FLI%3E%0A%3CLI%3EThe%20attacker%20deletes%20the%20on-disk%20packed%20file%20so%20that%20the%20crypto%20mining%20activity%20is%20only%20observable%20in-memory.%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CH2%20id%3D%22toc-hId-1190217369%22%20id%3D%22toc-hId-1190217369%22%3E%26nbsp%3B%3C%2FH2%3E%0A%3CH3%20id%3D%22toc-hId-1880778843%22%20id%3D%22toc-hId-1880778843%22%3E%3CSTRONG%3EDetecting%20the%20attack%3C%2FSTRONG%3E%3C%2FH3%3E%0A%3CP%3EIn%20the%20attack%20above%2C%20fileless%20attack%20detection%2C%20running%20on%20the%20docker%20host%2C%20uncovers%20the%20compromise%20via%20in-memory%20analysis.%26nbsp%3B%20It%20starts%20by%20identifying%20dynamically%20allocated%20code%20segments%2C%20then%20scanning%20each%20code%20segment%20for%20specific%20behaviors%20and%20indicators.%3C%2FP%3E%0A%3CP%3EThe%20first%20payload%E2%80%99s%20code%20segment%20contains%20shellcode%20with%20references%20to%20syscalls%20used%20for%20creating%20new%20tasks%2C%20getting%20process%20information%20and%20process%20control.%20Subset%20of%20detected%20syscalls%20include%3A%20fork%2C%20getpid%2C%20gettid%20and%20%26nbsp%3Brt_sigaction.%3C%2FP%3E%0A%3CP%3EThe%20second%20payload%E2%80%99s%20code%20segment%20contains%20an%20injected%20executable%20consisting%20of%20a%20well-known%20crypto%20mining%20toolkit%3A%20XMRIG.%26nbsp%3B%20Additionally%2C%20fileless%20attack%20detection%20identifies%20the%20active%20network%20connection%20to%20the%20crypto%20mining%20pool.%20%26nbsp%3B%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId-1870275739%22%20id%3D%22toc-hId-1870275739%22%3E%26nbsp%3B%3C%2FH2%3E%0A%3CH3%20id%3D%22toc-hId--1734130083%22%20id%3D%22toc-hId--1734130083%22%3E%3CSTRONG%3EFileless%20attack%20detection%20preview%20capabilities%3C%2FSTRONG%3E%3C%2FH3%3E%0A%3CP%3EFor%20the%20preview%20program%2C%20fileless%20attack%20detection%20scans%20the%20memory%20of%20all%20processes%20for%20shellcode%2C%20malicious%20injected%20ELF%20executables%2C%20and%20well-known%20toolkits.%26nbsp%3B%20Toolkits%20include%20crypto%20mining%20software%20such%20as%20the%20one%20mentioned%20above.%3C%2FP%3E%0A%3CP%3EAt%20the%20start%20of%20the%20preview%20program%2C%20we%20will%20emit%20alerts%20for%20well-known%20toolkits%3A%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22teasureforblog.JPG%22%20style%3D%22width%3A%20823px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F208618i1D4887ACFAEBB0EE%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%22teasureforblog.JPG%22%20alt%3D%22teasureforblog.JPG%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThe%20alerts%20contain%20information%20to%20assist%20with%20triaging%20and%20correlation%20activities%2C%20which%20include%20process%20metadata%3A%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22blogprocessmetadata1.png%22%20style%3D%22width%3A%20744px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F208621i0AAD975513C54ED3%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%22blogprocessmetadata1.png%22%20alt%3D%22blogprocessmetadata1.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3EAlert%20details%20also%20include%20the%20toolkit%20name%2C%20capabilities%20of%20the%20detected%20payload%2C%20and%20network%20endpoints.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EWe%20plan%20to%20add%20and%20refine%20alert%20capabilities%20over%20time.%20Additional%20alert%20types%20will%20be%20documented%20-ERR%3AREF-NOT-FOUND-here.%3C%2FP%3E%0A%3CP%3EProcess%20memory%20scanning%20is%20non-invasive%20and%20does%20not%20affect%20the%20other%20processes%20on%20the%20system.%26nbsp%3BMost%20scans%20run%20in%20less%20than%20five%20seconds.%20The%20privacy%20of%20your%20data%20is%20protected%20throughout%20this%20procedure%20as%20all%20memory%20analysis%20is%20performed%20on%20the%20host%20itself.%20Scan%20results%20contain%20only%20security-relevant%20metadata%20and%20details%20of%20suspicious%20payloads.%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId--1744633187%22%20id%3D%22toc-hId--1744633187%22%3E%26nbsp%3B%3C%2FH2%3E%0A%3CH3%20id%3D%22toc-hId--1054071713%22%20id%3D%22toc-hId--1054071713%22%3E%3CSTRONG%3EOnboarding%20details%3C%2FSTRONG%3E%3C%2FH3%3E%0A%3CP%3EWe%20will%20be%20onboarding%20customer%20machines%20in%20phases%20to%20ensure%20the%20smoothest%20possible%20customer%20experience.%26nbsp%3B%20Deployment%20begins%20on%20July%2028%3CSUP%3Eth%3C%2FSUP%3E%20and%20completes%20by%20September%203%3CSUP%3Erd%3C%2FSUP%3E.%26nbsp%3B%20This%20capability%20is%20automatically%20deployed%20to%20your%20Linux%20machines%20as%20an%20extension%20to%20the%20Log%20Analytics%20Agent%20for%20Linux%20(also%20known%20as%20the%20OMS%20Agent).%20This%20agent%20supports%20the%20Linux%20OS%20distributions%20described%26nbsp%3B-ERR%3AREF-NOT-FOUND-in%20this%20document.%20Azure%20VMs%20and%20non-Azure%20machines%20must%20be%20enrolled%20in%20Standard%20or%20Standard%20Trial%20pricing%20tier%20to%20benefit%20from%20this%20detection%20capability.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ETo%20learn%20more%20about%20Azure%20Security%20Center%2C%20visit%20the%26nbsp%3B-ERR%3AREF-NOT-FOUND-Azure%20Security%20Center%20page.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-1551766%22%20slang%3D%22en-US%22%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22teasureforblog%20(2).JPG%22%20style%3D%22width%3A%20814px%3B%22%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fazure-monitor%2Fplatform%2Flog-analytics-agent%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%22%3E%3C%2FA%3E%3C%2FSPAN%3EThe%20Security%20Center%20team%20is%20excited%20to%20share%20that%20the%20Fileless%20Attack%20Detection%20for%20Linux%20Preview%2C%20-ERR%3AREF-NOT-FOUND-which%20we%20announced%20earlier%20this%20year%2C%20is%20expanding%20to%20include%20all%20Azure%20VMs%20and%20non-Azure%20machines%20enrolled%20in%20Azure%20Security%20Center%20Standard%20and%20Standard%20Trial%20pricing%20tiers.%3C%2FP%3E%3C%2FLINGO-TEASER%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1551766%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAzure%20Security%20Center%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3Ecode%20injection%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EFile-less%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EFileless%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3Ein-memory%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ELinux%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EPreview%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3Eshellcode%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EThreat%20Protection%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E
Microsoft

This blog post was co-authored by Aditya Joshi, Senior Software Engineer, Enterprise Protection and Detection.

 

The Security Center team is excited to share that the Fileless Attack Detection for Linux Preview, which we announced earlier this year, is expanding to include all Azure VMs and non-Azure machines enrolled in Azure Security Center Standard and Standard Trial pricing tiers.  This solution periodically scans your machine and extracts insights directly from the memory of processes.  Automated memory forensic techniques identify fileless attack toolkits, techniques, and behaviors.  This detection capability identifies attacker payloads that persist within the memory of compromised processes and perform malicious activities.

 

See below for an example fileless attack from our preview program, a description of detection capabilities, and an overview of the onboarding process.

 

Real-world attack pattern from our preview program

We continue to see the exploitation of vulnerabilities and multi-staged attack payloads with shellcode and dynamic code visible only in memory.  In this example, a customer’s VM is running shellcode-based malware and a cryptominer as root within a compromised docker container.  

Here are the steps of the attack:

  • The attacker uses an unauthenticated network facing service running inside a docker container to achieve code execution as root inside the container.
  • The attacker downloads and executes a file and deletes the file to deter disk-based detection, leaving only the in-memory payload.
  • The attacker achieves persistence by adding a crontab task to run a bash shell script to download a 2nd stage payload.  The 2nd stage payload is a packed file containing the XMRIG cryptocurrency miner. 
  • The attacker unpacks and runs XMRIG within the container. XMRIG persists in memory and connects to a miner pool to start crypto mining.
  • The attacker deletes the on-disk packed file so that the crypto mining activity is only observable in-memory.

 

Detecting the attack

In the attack above, fileless attack detection, running on the docker host, uncovers the compromise via in-memory analysis.  It starts by identifying dynamically allocated code segments, then scanning each code segment for specific behaviors and indicators.

The first payload’s code segment contains shellcode with references to syscalls used for creating new tasks, getting process information and process control. Subset of detected syscalls include: fork, getpid, gettid and  rt_sigaction.

The second payload’s code segment contains an injected executable consisting of a well-known crypto mining toolkit: XMRIG.  Additionally, fileless attack detection identifies the active network connection to the crypto mining pool.  

 

Fileless attack detection preview capabilities

For the preview program, fileless attack detection scans the memory of all processes for shellcode, malicious injected ELF executables, and well-known toolkits.  Toolkits include crypto mining software such as the one mentioned above.

At the start of the preview program, we will emit alerts for well-known toolkits: 

teasureforblog.JPG

 

The alerts contain information to assist with triaging and correlation activities, which include process metadata:

blogprocessmetadata1.png

Alert details also include the toolkit name, capabilities of the detected payload, and network endpoints.

 

We plan to add and refine alert capabilities over time. Additional alert types will be documented here.

Process memory scanning is non-invasive and does not affect the other processes on the system. Most scans run in less than five seconds. The privacy of your data is protected throughout this procedure as all memory analysis is performed on the host itself. Scan results contain only security-relevant metadata and details of suspicious payloads.

 

Onboarding details

We will be onboarding customer machines in phases to ensure the smoothest possible customer experience.  Deployment begins on July 28th and completes by September 3rd.  This capability is automatically deployed to your Linux machines as an extension to the Log Analytics Agent for Linux (also known as the OMS Agent). This agent supports the Linux OS distributions described in this document. Azure VMs and non-Azure machines must be enrolled in Standard or Standard Trial pricing tier to benefit from this detection capability.

 

To learn more about Azure Security Center, visit the Azure Security Center page.