Introduction
We covered live forensics of a Linux workstation suspected of being infected with malware. We analyzed running processes, services, scheduled cronjobs, autostart script and application artefacts and we discovered the existence of bind shell and scripts performing calls to C2 servers to retrieve further malware. This was part of TryHackMe Linux Process Analysis room.
Task Scenario
While we perform live forensic analysis on this system, it is essential to note that in this assumed scenario, we have already acquired all necessary backups and have isolated the system from the network to prevent further compromise or tampering.
As this is a potentially compromised host, it is a good idea to ensure we are using known good binaries and libraries to conduct our information gathering and analysis. Often, this can be done by mounting a USB or drive containing binaries from a clean Debian-based installation (since the compromised workstation is Ubuntu). This has been simulated on the attached VM by copying the /bin, /sbin, /lib, and /lib64 folders from a clean installation into the /mnt/usb mount on the affected system.
This effort aims to mitigate the risk of inadvertently executing malicious code or compromised utilities on systems. Suppose an attacker gains privileged access to a system. In that case, they may replace or alter existing utilities with malicious binaries or libraries that could cause further harm when run by an unsuspecting investigator. By using a trusted source, it enhances the reliability and integrity of our investigation.
Linux Processes
In Linux, a process is a running instance of a program. When you execute a program or command in Linux, the operating system creates a process for running that program. Each process has its unique identifier called a Process ID (PID), which helps the operating system to manage and track it.
Processes can have parent-child relationships, forming a hierarchical structure. When one process spawns another process (for example, when one shell session spawns an additional process in a subshell), the new process becomes the child of the process that created it, referred to as its parent. This relationship is essential for managing processes and resource allocation within the operating system.
Various tools and utilities can be employed to inspect the running processes on a system. Using this enumeration, we can seek to identify malicious activity or suspicious parent-child process relationships.
Linux Cronjobs
Cronjobs are scheduled tasks executed automatically at predefined intervals by the cron daemon. The cron daemon is a background process responsible for managing cronjobs based on configuration files known as crontabs. Users can have their crontab file stored in the /var/spool/cron/crontabs directory. The main crontab file at /etc/crontab governs system-wide cronjobs.
- Minute (10): The first field specifies the minute when the command will be executed.
- Hour (05): The second field specifies the hour when the command will be executed.
- Day of the Month (*): The third field specifies the day of the month when the command will be executed.
- Month (*): The fourth field specifies the month when the command will be executed.
- Day of the Week (*): The fifth field specifies the day of the week the command will be executed.
- Command : The final field contains the command to be executed.
Linux Services
In Linux, services refer to various background processes or daemons that run continuously, performing tasks such as managing system resources, providing network services, or handling user requests. For example, the cron daemon we analysed previously ran the cronjobs. Other common services include SSH (sshd) for secure shell or the Apache HTTP Server (httpd). Typically, services are configured using the system’s service management utility – systemd or init. Some environments like BusyBox, however, do not use systemd.
Services can be a target for attackers if they can exploit vulnerabilities, abuse misconfigurations, or manipulate legitimate services to establish persistence or escalate privileges on the system. For example, attackers might create new malicious services or modify existing ones to inject or execute malicious commands during system startup or ad-hoc if they can start and stop the service.
As such, incident responders need to have a pre-established baseline to detect anomalies and locate artefacts related to service abuse.
Enumerating Services
systemctl is a utility in Linux used for controlling systemd and service managers. As mentioned earlier, systemd is a service management utility in Unix-based systems and, for the most part, has replaced the traditional init system in many distributions. As such, systemd is responsible for managing the startup processes, services, and daemons on a Linux system, and systemctl lets us manage these services directly.
Linux Autostart Scripts
Autostart scripts, as the name implies, are scripts or commands executed automatically when a system boots up or a user logs in. These scripts are typically used to launch certain programs or commands automatically without manual intervention on login. User-specific autostart scripts differ from cronjobs and services in that they are tailored to run tasks upon system startup or user login rather than at scheduled intervals like cronjobs or continuously like services. They are crucial in automating the initialisation process of various applications or utilities, ensuring that essential components are up and running without requiring manual intervention.
There are generally two types of autostart scripts in Linux systems:
System-wide autostart scripts
These scripts are executed when the operating system boots up before users log in. They are often found in directories like /etc/init.d/, /etc/rc.d/, or /etc/systemd/system/. System-wide autostart scripts are typically used to start system services or daemons, similar to the unit files covered in the previous task.
User-specific autostart scripts
These scripts are executed when a user logs into their account. They are usually found in directories like ~/.config/autostart/ or ~/.config/ (under various subdirectories). User-specific autostart scripts are commonly used to launch user-specific programs or applications upon login.
Like with all of the components we’ve discussed, attackers can target autostart scripts for various reasons. If an attacker can modify or create autostart scripts, they may be able to abuse this to achieve persistence, install backdoors, disguise malware, or execute privileged commands. For example, by injecting malicious commands or binaries to autostart scripts, attackers can execute a reverse shell in the context of a service account or a user, or abuse permissions to escalate privileges. As such, analysts need to be able to review and harden autostart scripts to detect anomalies and prevent abuse.
Room Answers | TryHackMe Linux Process Analysis
Which command lists all open files and the processes that opened them?
lsof
Use pstree to list out the process hierarchies. What is the name of the nc processes parent?
abzkd83o4jakxld
Search around the system for suspicious system-level cronjob entries. What is the full URL of the C2 server?
http://c2.intelligent-software.thm:8310/beacon
List the user-level cronjobs in the system. What is the hidden flag in one of the scripts?
THM{4682786cf2d92f01c4d30a2bbf4621f7}
Use pspy64 to monitor executions occurring through the system. What is the decoded flag value that is echoed every 15 seconds?
THM{851a981445dbfb9485c3771510a53568}
List all running services on the system. What is the flag you discover in the backdoor service’s description?
THM{4922066dc6494e8d4d507eef2205c262}
View the journalctl logs associated with the backdoor service. What is the flag you discover?
THM{053c12e620acea8a77b4bdcba578ca19}
What is the full URL that receives Janice’s private SSH key on system startup?
http://aabab.best-it-services.thm/id_rsa
Identify and investigate the remaining .desktop files on the system. What is the command that executes with the Show Network Interfaces autostart script?
ifconfig
Analyse Janice’s .viminfo log. What flag do you find within the Vim search history?
THM{4a8fd984228d89999342d189e6b916de}
Use DumpZilla to investigate Eduardo’s Firefox bookmarks. What flag do you find in one of the entries?
THM{5d5cb0ffe8369ab08f1e90aa9e9bc24e}
Room Answers | TryHackMe Linux Process Analysis
