IronShade

Perform a compromise assessment on a Linux host and identify the attack footprints. - by Dex01


The following challenge recreates an incident scenario in which a honeypot was attacked by an APT group called IronShade. Our task is to investigate one of the compromised Linux servers: perform a thorough compromise assessment and identify the attack footprints. Below I provide the commands used to answer the individual questions of the challenge. This is somewhat challenging to write, as a lot is revealed with each answer. I hope you like it anyway.

Retrieving The Machine ID

To get the unique identifier of the machine, we issue the following command: cat /etc/machine-id. This ID is typically used for system identification, software licensing, and other purposes requiring a unique machine identifier.

cat /etc/machine-id

Backdoor User Account Created on the Server

To check for a backdoor user account created on the server, we issue the following command: cat /etc/passwd. This command lists all user accounts on the system, allowing you to review and identify any unauthorized or suspicious accounts that may have been added.

cat /etc/passwd
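Reading the whole of /etc/passwd by eye works on a small host, but two checks cover most of what a reviewer is looking for. The following script is an added example, not part of the original writeup; it runs the checks against a constructed sample passwd file whose entries (including the invented account svcadmin) are illustrative only.

```shell
#!/bin/sh
# Constructed sample of /etc/passwd (not taken from the challenge host).
# It contains one extra UID-0 account and one ordinary interactive account.
SAMPLE_PASSWD="$(mktemp)"
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
ubuntu:x:1000:1000:Ubuntu:/home/ubuntu:/bin/bash
svcadmin:x:0:0::/home/svcadmin:/bin/bash
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
EOF

# Print every account that has UID 0 but is not named root.
# Any hit is a second root-equivalent account and must be explained.
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Print accounts whose login shell is not nologin/false, i.e. accounts
# that can log in interactively. These are the names to cross-check
# against sshd entries in /var/log/auth.log.
interactive_accounts() {
    awk -F: '$7 !~ /(nologin|false)$/ { print $1 }' "$1"
}

# Usage on the live host: extra_uid0_accounts /etc/passwd
extra_uid0_accounts "$SAMPLE_PASSWD"
interactive_accounts "$SAMPLE_PASSWD"
```

On the real host, pass /etc/passwd instead of the sample file; a second UID-0 account is almost always worth a finding on its own.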

Cronjob Set Up by Attacker for Persistence

To check if an attacker has set up a cron job for persistence, we issue the following command: sudo crontab -l. This command lists all scheduled tasks for the root user, allowing you to identify any unauthorized or suspicious cron jobs that may have been added by an attacker.

sudo crontab -l 

Suspicious Hidden Process Identified from Backdoor Account

To identify a suspicious hidden process associated with a backdoor account, we issue the following command: ps aux | grep "home/m**********e". This command searches for processes related to the specified path, helping to detect any potentially malicious processes running under the backdoor account.

ps aux |grep "home/m**********e"

Number of Processes Running from Backdoor Account's Directory

To determine the number of processes running from a backdoor account's directory, we issue the following command: ps aux | grep "home/m**********e". This command lists all processes associated with the specified directory, allowing you to count how many are currently active.

ps aux |grep "home/m**********e"

Hidden File in Memory Found in the Root Directory

To identify a hidden file in memory located in the root directory, we issue the following command: ls -lah /. This command lists all files and directories in the root directory, including hidden ones, along with their sizes and other attributes, helping to spot any suspicious or hidden files that might be present.

ls -lah /

Suspicious Services Installed on the Server

To identify suspicious services installed on the server, we issue the following command: systemctl list-units --type=service --all. This command lists all services on the system, including active, inactive, and disabled ones, allowing you to review and spot any unauthorized or suspicious services that may have been installed. Here we find two services with a very short description. We have already found one of them in the home directory under the running processes. For validation, the services have the following names b*****.******e and s******.******e.

systemctl list-units --type=service --all
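The two clues used above (a service that executes something from a home directory, and a unit with an unusually short description) can be checked directly against the unit files instead of the systemctl listing. The script below is an added example, not from the original writeup; it builds a constructed unit directory with one normal unit and one invented unit (sample-svc.service, pointing at an invented path under /home) and scans it.

```shell
#!/bin/sh
# Constructed unit directory standing in for /etc/systemd/system.
UNIT_DIR="$(mktemp -d)"
cat > "$UNIT_DIR/ssh.service" <<'EOF'
[Unit]
Description=OpenBSD Secure Shell server
[Service]
ExecStart=/usr/sbin/sshd -D
EOF
cat > "$UNIT_DIR/sample-svc.service" <<'EOF'
[Unit]
Description=svc
[Service]
ExecStart=/home/example-user/.run/agent
EOF

# Print unit files whose ExecStart runs a binary from a user-writable
# location (/home, /tmp, /var/tmp, /dev/shm). systemd allows prefix
# characters such as - @ + ! : before the path, so they are skipped.
units_exec_from_user_dirs() {
    for unit in "$1"/*.service; do
        if grep -q -E '^ExecStart=[-@+!:]*(/home|/tmp|/var/tmp|/dev/shm)/' "$unit"; then
            basename "$unit"
        fi
    done
}

# Print unit files whose Description= is at most $2 characters long.
# Hand-written persistence units often carry a one-word description.
units_with_short_description() {
    for unit in "$1"/*.service; do
        desc=$(sed -n 's/^Description=//p' "$unit" | head -n1)
        if [ "${#desc}" -le "$2" ]; then
            basename "$unit"
        fi
    done
}

# Usage on the live host: units_exec_from_user_dirs /etc/systemd/system
units_exec_from_user_dirs "$UNIT_DIR"
units_with_short_description "$UNIT_DIR" 5
```

Run both functions over /etc/systemd/system and /lib/systemd/system on the host; a unit that appears in both lists is the first one to pull apart.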

Backdoor Account Created on the Infected System

To check if a backdoor account was created on the infected system, we issue the following command: grep -a 'useradd' /var/log/auth.log. This command searches the authentication log for any instances of the useradd command being executed, helping to identify unauthorized user accounts that may have been added.

grep -a 'useradd' /var/log/auth.log

Multiple SSH Connections to Backdoor Account Originated from IP Address

To identify multiple SSH connections to a backdoor account originating from one IP address, we issue the following command: grep -a 'sshd' /var/log/auth.log. This command lists all sshd entries in the authentication log, so the source address of the repeated connections to the backdoor account can be read off the "from" field of the matching lines.

grep -a 'sshd' /var/log/auth.log

Number of Failed SSH Login Attempts on the Backdoor Account

To determine the number of failed SSH login attempts on the backdoor account, we issue the following command: grep -a 'Failed password for microservice' /var/log/auth.log. This command searches the authentication log for entries related to failed password attempts for the specified user, allowing you to count the number of failed login attempts on the backdoor account. Note that some log entries read "message repeated 2 times", which totals 3 failed attempts; keep that in mind when counting.

grep -a 'Failed password for microservice' /var/log/auth.log
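Counting grep output by hand goes wrong exactly on the "message repeated N times" lines mentioned above, and the source-IP question two sections up is answered from the same sshd lines. The script below, an added example rather than part of the original writeup, handles both on a few constructed auth.log lines (the IP addresses, PIDs and timestamps are invented; the account name microservice is the one named in the challenge).

```shell
#!/bin/sh
# Constructed excerpt of /var/log/auth.log. The second line is the
# rsyslog suppression form: it stands for 2 further identical messages.
SAMPLE_AUTH="$(mktemp)"
cat > "$SAMPLE_AUTH" <<'EOF'
Jun  3 10:01:12 host sshd[2031]: Failed password for microservice from 192.0.2.10 port 51234 ssh2
Jun  3 10:01:15 host sshd[2031]: message repeated 2 times: [ Failed password for microservice from 192.0.2.10 port 51234 ssh2]
Jun  3 10:02:01 host sshd[2040]: Accepted password for microservice from 192.0.2.10 port 51300 ssh2
Jun  3 10:02:30 host sshd[2051]: Failed password for invalid user admin from 198.51.100.7 port 40000 ssh2
EOF

# Count failed password attempts for user $2 in log $1. A plain line
# counts once; a "message repeated N times" line counts N.
count_failed_logins() {
    awk -v user="$2" '
        $0 ~ ("Failed password for " user " from") {
            if (match($0, /message repeated [0-9]+ times/)) {
                n = substr($0, RSTART, RLENGTH)
                sub(/message repeated /, "", n)
                sub(/ times/, "", n)
                total += n
            } else {
                total += 1
            }
        }
        END { print total + 0 }
    ' "$1"
}

# Count sshd password events (accepted or failed) for user $2 per source
# address, most frequent first. The address after "from" is the source.
ssh_sources() {
    awk -v user="$2" '
        $0 ~ ("(Accepted|Failed) password for " user " from") {
            for (i = 1; i <= NF; i++) if ($i == "from") count[$(i + 1)]++
        }
        END { for (ip in count) print count[ip], ip }
    ' "$1" | sort -rn
}

# Usage on the live host: count_failed_logins /var/log/auth.log microservice
count_failed_logins "$SAMPLE_AUTH" microservice
ssh_sources "$SAMPLE_AUTH" microservice
```

On the sample the failed count comes out as 3 (one line plus two suppressed repeats), which is the arithmetic the section above describes; the source list shows which address the backdoor account was reached from.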

Malicious Package Installed on the Host

To identify a malicious package installed on the host, we issue the following command: grep 'install ' /var/log/dpkg.log. This command searches the package manager's log for entries related to package installations, helping to spot any potentially unauthorized or malicious packages that were installed on the system. One installation stands out clearly once the timestamps are correlated: the previous events (the account creation and the SSH connections) occurred at approximately the same time.

grep 'install ' /var/log/dpkg.log
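The time correlation described above can be made explicit: take the timestamp of the useradd event from auth.log and list only the dpkg installs within a window around it. The script below is an added example, not part of the original writeup; the dpkg.log lines, versions and times are constructed (the package name pscanner is the one the writeup identifies), and the reference time is assumed to have been read from the auth.log useradd line and converted to the dpkg.log date format.

```shell
#!/bin/sh
# Constructed excerpt of /var/log/dpkg.log; "status" lines are included
# to show that only "install" records are considered.
SAMPLE_DPKG="$(mktemp)"
cat > "$SAMPLE_DPKG" <<'EOF'
2024-06-02 08:15:01 install vim:amd64 <none> 2:9.0.1378-2
2024-06-03 09:40:05 install curl:amd64 <none> 7.88.1-10
2024-06-03 10:03:40 install pscanner:amd64 <none> 1.0-1
2024-06-03 10:03:41 status installed pscanner:amd64 1.0-1
2024-06-03 17:45:12 install htop:amd64 <none> 3.2.2-2
EOF

# installs_within LOG "YYYY-MM-DD HH:MM:SS" SECONDS
# Print "time package" for every install on the same date as the
# reference timestamp and within +/- SECONDS of it.
installs_within() {
    awk -v ref="$2" -v win="$3" '
        function secs(t,  p) { split(t, p, ":"); return p[1] * 3600 + p[2] * 60 + p[3] }
        BEGIN { split(ref, r, " "); rdate = r[1]; rsecs = secs(r[2]) }
        $3 == "install" && $1 == rdate {
            d = secs($2) - rsecs
            if (d < 0) d = -d
            if (d <= win) print $2, $4
        }
    ' "$1"
}

# Reference time: constructed useradd timestamp, 5 minute window.
# Usage on the live host: installs_within /var/log/dpkg.log "<useradd time>" 300
installs_within "$SAMPLE_DPKG" "2024-06-03 10:02:01" 300
```

Widen the window if nothing matches; the installs that survive a narrow window are the ones whose metadata (apt show) is worth reading in full.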

Secret Code Found in the Metadata of the Suspicious Package

To find the secret code or other metadata of a suspicious package, we issue the following command: apt show pscanner. This command displays detailed information about the package p*******, including its description, version, dependencies, and metadata, where a hidden or suspicious code might be found.

apt show p*******
