IronShade
Perform a compromise assessment on a Linux host and identify the attack footprints. - by Dex01
Last updated
The following post by 0xb0b is licensed under CC BY 4.0
The following challenge recreates an incident scenario in which a honeypot was attacked by an APT group called IronShade. Our task is to investigate one of the compromised Linux servers: perform a thorough compromise assessment and identify the attack footprints. Below I provide the commands used to answer the individual questions of the challenge. This was somewhat challenging to write, as each answer reveals a lot about the next question. I hope you like it anyway.
To get the unique identifier of the machine, we issue the following command: cat /etc/machine-id. This ID is generated when the system is installed (or on its first boot) and is used for system identification, software licensing and other purposes that require a stable, unique machine identifier.
To check for a backdoor user account created on the server, we issue the following command: cat /etc/passwd. This lists every account on the system. Besides looking for unfamiliar names, check the UID (a second account with UID 0 is a root-equivalent backdoor), the home directory and the login shell: service accounts normally have /usr/sbin/nologin or /bin/false, so an unexpected account with /bin/bash and a home directory under /home deserves a closer look. useradd appends new entries, so recently added accounts are usually at the bottom of the file.
To check if an attacker has set up a cron job for persistence, we issue the following command: sudo crontab -l. This lists the scheduled tasks of the root user only. To be thorough, also check the other users' crontabs (sudo crontab -l -u <user>, or the files under /var/spool/cron/crontabs/), the system-wide /etc/crontab, the drop-in directory /etc/cron.d/ and the /etc/cron.hourly, cron.daily, cron.weekly and cron.monthly directories, since an attacker can persist in any of them.
To identify a suspicious hidden process associated with the backdoor account, we issue the following command: ps aux | grep "home/m**********e". This searches the process list for command lines that reference the backdoor account's home directory. Note that the grep process itself also matches, because its own command line contains the search string; ignore that entry, or use ps aux | grep "[h]ome/m**********e" (or pgrep -af) so it is excluded. For each hit, ls -l /proc/<PID>/exe shows the binary that is actually running, including whether it has since been deleted from disk.
To determine the number of processes running from the backdoor account's directory, we use the same command: ps aux | grep "home/m**********e". Count the matching lines, excluding the grep process itself; ps aux | grep -c "[h]ome/m**********e" gives that count directly.
To identify the hidden file located in the root directory, we issue the following command: ls -lah /. The -a flag includes dot files, which ls hides by default, so a file such as /.something shows up along with its size, owner and modification time. Compare the modification time with the other events found so far; it should fit the same time window.
To identify suspicious services installed on the server, we issue the following command: systemctl list-units --type=service --all. This lists every service unit systemd has loaded, whether active, inactive or failed. Here we find two services with a very short description; one of them we have already seen running from the backdoor account's home directory. For validation, the services have the following names: b*****.******e and s******.******e. systemctl cat <name> prints the unit file, including its ExecStart line and the file's location (units added by hand usually live in /etc/systemd/system/), and systemctl list-unit-files --type=service also shows unit files that are installed but not currently loaded.
To check when the backdoor account was created on the infected system, we issue the following command: grep -a 'useradd' /var/log/auth.log. This searches the authentication log for useradd entries; the -a flag makes grep treat the file as text even if it contains binary garbage, which would otherwise suppress the output. useradd logs the new account's name, UID, GID, home directory and shell, and its timestamp is the anchor for the rest of the timeline. If the log has been rotated, include /var/log/auth.log.1 and the compressed auth.log.*.gz files (zgrep) as well.
To identify multiple SSH connections to the backdoor account originating from one IP address, we issue the following command: grep -a 'sshd' /var/log/auth.log. The lines of interest read "Accepted password for <user> from <ip> port <port> ssh2"; filtering them for the backdoor account and counting the source addresses shows which IP logged in repeatedly.
To determine the number of failed SSH login attempts on the backdoor account, we issue the following command: grep -a 'Failed password for microservice' /var/log/auth.log. This searches the authentication log for failed password entries for that user. Keep in mind that rsyslog collapses identical consecutive messages into a single line reading "message repeated 2 times: [ Failed password for ... ]", so a plain line count undercounts: the original entry plus one entry repeated 2 times totals 3 failed attempts.
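As an added example that is not part of the original write-up, the following Python script applies the two auth.log checks above (successful logins per source IP, and failed attempts with rsyslog's "message repeated N times" lines unfolded) to a handful of constructed log lines. The hostname, PIDs, ports and addresses in the sample are made up (RFC 5737 test ranges); only the account name microservice is taken from the challenge. Run it with an account name and a path to analyse a real log instead of the sample.

```python
import re
import sys
from collections import Counter

# Constructed sample lines in the syslog format of /var/log/auth.log.
# Hostname, PIDs, ports and addresses are made up for this example.
SAMPLE_AUTH_LOG = """\
Aug  2 10:14:55 honeypot sshd[2041]: Failed password for microservice from 192.0.2.10 port 51234 ssh2
Aug  2 10:14:59 honeypot sshd[2041]: message repeated 2 times: [ Failed password for microservice from 192.0.2.10 port 51234 ssh2]
Aug  2 10:15:07 honeypot sshd[2041]: Accepted password for microservice from 192.0.2.10 port 51234 ssh2
Aug  2 10:20:11 honeypot sshd[2107]: Accepted password for microservice from 192.0.2.10 port 51300 ssh2
Aug  2 10:21:30 honeypot sshd[2150]: Failed password for invalid user admin from 198.51.100.7 port 40022 ssh2
Aug  2 10:22:02 honeypot sshd[2160]: Accepted publickey for ubuntu from 203.0.113.5 port 33021 ssh2: RSA SHA256:AAAA
""".splitlines()

# rsyslog's RepeatedMsgReduction folds identical consecutive messages into one line.
REPEAT_RE = re.compile(r"message repeated (\d+) times: \[ (.*?)\s*\]$")
# "invalid user" is inserted by sshd when the account does not exist on the host.
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
ACCEPTED_RE = re.compile(r"Accepted (\S+) for (\S+) from (\S+) port \d+")


def expand_repeats(lines):
    """Yield (count, message) per line, unfolding 'message repeated N times' entries.

    The folded line stands for N further copies of the bracketed message; the
    first occurrence was logged on its own line just before it.
    """
    for line in lines:
        line = line.rstrip()
        m = REPEAT_RE.search(line)
        if m:
            yield int(m.group(1)), m.group(2)
        else:
            yield 1, line


def failed_logins(lines, user):
    """Failed password attempts for `user`, counted per source IP."""
    per_ip = Counter()
    for n, msg in expand_repeats(lines):
        m = FAILED_RE.search(msg)
        if m and m.group(1) == user:
            per_ip[m.group(2)] += n
    return per_ip


def accepted_logins(lines, user):
    """Successful logins for `user` (any auth method), counted per source IP."""
    per_ip = Counter()
    for n, msg in expand_repeats(lines):
        m = ACCEPTED_RE.search(msg)
        if m and m.group(2) == user:
            per_ip[m.group(3)] += n
    return per_ip


def main(argv):
    # Usage: python3 sshd_triage.py <account> [/var/log/auth.log]
    # Without a file argument the constructed sample above is analysed.
    user = argv[1] if len(argv) > 1 else "microservice"
    if len(argv) > 2:
        # errors="replace" plays the role of grep -a: binary junk in the log
        # must not abort the analysis.
        with open(argv[2], encoding="utf-8", errors="replace") as fh:
            lines = fh.readlines()
    else:
        lines = SAMPLE_AUTH_LOG
    failed = failed_logins(lines, user)
    accepted = accepted_logins(lines, user)
    print(f"failed attempts for {user}: {sum(failed.values())} {dict(failed)}")
    print(f"successful logins for {user}: {sum(accepted.values())} {dict(accepted)}")


if __name__ == "__main__":
    main(sys.argv)
```

On the sample this reports 3 failed attempts and 2 successful logins for microservice, all from the same address, which is exactly the pattern the two questions above are looking for. The per-IP counters also make a brute-force from one source easy to tell apart from background noise against non-existent accounts.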
To identify a malicious package installed on the host, we issue the following command: grep 'install ' /var/log/dpkg.log. dpkg logs every package operation with a timestamp, so this lists all installations, in lines of the form "<date> <time> install <package>:<arch> <old-version> <new-version>". One installation stands out clearly because its timestamp correlates with the events found earlier, which occurred at approximately the same time. If the package was installed through apt, /var/log/apt/history.log also records the command line used, which shows whether it came from a repository or from a local .deb file.
To find the secret code or other metadata of the suspicious package, we issue the following command: apt show pscanner. This displays detailed information about the package p*******, including its description, version, dependencies and other metadata, which is where a hidden or suspicious code might be found. To see what the package actually put on disk, dpkg -L <package> lists its files, and its maintainer scripts, which run as root during installation, are kept under /var/lib/dpkg/info/ as <package>.preinst, .postinst, .prerm and .postrm.