Excited for @hack_lu! In addition to my planned talk, I'll conduct a 90-min workshop to introduce Kunai: your new Linux threat-hunting tool (an alternative to #SysmonForLinux). See you there! More info: https://github.com/0xrawsec/kunai
If you are looking for a #SysmonForLinux alternative, or if you are just curious, take a look at kunai: https://why.kunai.rocks/
I am currently working on making the project buildable by everyone, without having to compile LLVM ... If you want to try the stuff out, there is a pre-compiled binary on GitHub: https://github.com/0xrawsec/kunai/releases/tag/v0.1.0
I am very interested in feedback (positive or not), so don't hesitate to share your thoughts!
#ebpf #linux #threathunting #dfir
Lack of error checking on calls to UTF8toUTF16, rule filter bypass · Issue #83 · Sysinternals/SysmonForLinux

Summary: Event filtering in Sysmon For Linux incorrectly assumes event data, such as executable image paths, will be valid UTF-8 and that conversion to UTF-16 will always succeed. This can result in...

I should probably take a look at auditd logs that are available and compare the telemetry to Sysmon, seeing if it's better at filling in the missing info in Sysmon.

#Sysmonforlinux #Wine #Linux

Linux-Detection/chmod_file_executable.yml at main · exeronn/Linux-Detection

Rules and other artifacts related to Linux compromise / malware detection

The decompiled interpretation from Ghidra of the main function.
This is a link to the sample executed - https://bazaar.abuse.ch/sample/990628a2402ee9d0c66f52bd4ce24f039dc01b30fb1146df741d93a396a07cac/

#SysmonforLinux

A few bits from this one: using echo directly into crontab & attempting to mount /tmp over the PID in /proc/ as likely a stealth method. Not running as root prevented the mount command, so I ran it as root to test it.

Sigma rule for mount - https://github.com/exeronn/Linux-Detection/blob/main/Sigma/suspicious_mount_against_proc.yml

#Sigma #Sysmonforlinux

Another compiled Python sample, with better stealth than the previous one. Its files are located in /dev/shm/.p/, it uses a process hider to change the name for ps and similar output, and the compiled Python code isn't listed in objdump.

#SysmonforLinux

A fairly crude, yet relatively well-functioning Perl implant. Supports scanning, log cleanup, DoS and arbitrary command execution. Whilst it was simple, it was good for 8 new Sigma rules!

#Sigma #SysmonforLinux #Perl #Malware

1/

I also created a Sysmon config with the required sections that can be merged with a current config to record the specific event types

https://github.com/exeronn/Linux-Detection/blob/main/Sysmon/Execution/T1059-006_sysmon_pyInstaller.xml

#SysmonforLinux #Sigma #PyInstaller #Python

end/

Linux-Detection/T1059-006_sysmon_pyInstaller.xml at main · exeronn/Linux-Detection