Overview
Perform a compromise assessment on a Linux host and identify the attack footprints. IronShade is an advanced digital forensics room that challenges participants to conduct a thorough compromise assessment, identifying backdoors, persistence mechanisms, malicious processes, and attacker infrastructure through detailed system analysis.
Investigation Scope
This room covers comprehensive Linux incident response and compromise assessment including:
- System Identification: Machine identification and baseline assessment
- User Account Analysis: Detection of unauthorized accounts and backdoors
- Persistence Mechanisms: Cron jobs, services, and scheduled tasks
- Process Analysis: Running processes and hidden malware
- Memory Forensics: Hidden files and in-memory artifacts
- Service Enumeration: Malicious and suspicious services
- Log Analysis: System logs and authentication attempts
- Network Forensics: SSH connections and remote access patterns
- Malware Analysis: Installed packages and malicious software
1. System Identification
What is the Machine ID of the machine we are investigating?
The machine ID is a unique identifier for the system, typically found in system configuration or identification files. This helps establish the baseline for our investigation.
Answer: dc7c8ac5c09a4bbfaf3d09d399f10d96
2. User Account Analysis
What backdoor user account was created on the server?
Attackers often create backdoor accounts for persistence and easy access. We need to identify any unauthorized user accounts that were created during the compromise.
cat /etc/passwd | grep -v "^#" | cut -d: -f1 | sort
Examine user accounts for suspicious or recently created entries. The backdoor account was disguised with a similar name to legitimate services.
3. Persistence Mechanisms
What is the cronjob that was set up by the attacker for persistence?
Cron jobs are commonly used by attackers for persistence. We should examine the crontab files and cron directories for any suspicious scheduled tasks.
cat /etc/crontab
ls -la /etc/cron.*
crontab -l
The attacker set up a cron job to automatically start their malware on system reboot, ensuring persistence across system restarts.
Answer: @reboot /home/mircoservice/printer_app
4. Process Analysis
Examine the running processes on the machine. Can you identify the suspicious-looking hidden process from the backdoor account?
Attackers often hide malicious processes by giving them names that start with dots or names that resemble legitimate services. We need to examine running processes for suspicious entries.
ps aux | grep mircoservice
ls -la /proc/*/exe 2>/dev/null | grep -i microservice
Hidden processes are often disguised with dot prefixes and run from the attacker's home directory.
How many processes are found to be running from the backdoor account's directory?
Count all processes that are executed from the backdoor user's home directory, including both visible and hidden processes.
5. Memory Forensics
What is the name of the hidden file in memory from the root directory?
Some malware hides files in memory or uses unusual file locations. We may need to examine memory dumps or use specialized tools to identify hidden files.
find / -name ".*" -type f 2>/dev/null | head -20
ls -la / | grep "^\."
Hidden files (files starting with dots) are often used to conceal malware and system modifications.
6. Service Enumeration
What suspicious services were installed on the server? Format is service a, service b in alphabetical order.
Attackers often install malicious services for persistence. We should examine systemd services for any suspicious or unauthorized services.
systemctl list-units --type=service --all
ls -la /etc/systemd/system/
New or unusual services, especially those in user directories or with suspicious names, should be investigated.
Answer: backup.service, strokes.service
7. Log Analysis
Examine the logs; when was the backdoor account created on this infected system?
System logs contain valuable information about when accounts were created, services started, and other system events. We should examine authentication logs, system logs, and user creation logs.
grep "useradd\|adduser" /var/log/auth.log
grep "mircoservice" /var/log/auth.log
cat /var/log/secure | grep -i microservice
Authentication logs typically record user creation events with timestamps, revealing when the backdoor was established.
8. Network Forensics
From which IP address were multiple SSH connections observed against the suspicious backdoor account?
SSH logs can reveal connection patterns and source IP addresses. We should examine SSH login attempts and successful connections to identify attacker infrastructure.
grep "Accepted\|Failed" /var/log/auth.log | grep mircoservice
grep "sshd" /var/log/auth.log | grep -i microservice
How many failed SSH login attempts were observed on the backdoor account?
Count failed authentication attempts that may indicate brute-force attempts, password guessing, or reconnaissance activity.
9. Malware Analysis
Which malicious package was installed on the host?
Attackers often install malicious packages or backdoors disguised as legitimate software. We should examine installed packages for suspicious entries.
dpkg -l | grep -v "^ii"
apt list --installed | grep -E "(scanner|tool|util)"
Suspicious package names or unknown packages should be investigated. Tools like pscanner may be disguised network scanners or malware.
What is the secret code found in the metadata of the suspicious package?
Many malicious packages contain hidden information in metadata, comments, or embedded strings. We should examine the package files for any embedded secrets or flags.
dpkg -L pscanner
strings /path/to/package/files | grep -i "secret\|flag\|code"
Malicious packages often contain identification strings or flags embedded within their files or metadata.
Linux Compromise Assessment Framework
System Baseline
- Machine ID: Unique system identifier for correlation
- System Information: OS version, kernel, installed packages
- Network Configuration: IP addresses, routing, network interfaces
- User Accounts: Valid users, system accounts, UID ranges
Common Compromise Indicators
- Unauthorized Accounts: Unexpected user accounts or privileged users
- Suspicious Processes: Hidden processes, unusual process names
- Backdoor Services: Unexpected listening services or ports
- Persistence Mechanisms: Cron jobs, systemd services, startup scripts
- Log Tampering: Missing logs, suspicious log entries
- Rootkits: Hidden files, kernel modules, altered system files
Investigation Methodology
Phase 1: Host Identification
- Gather system information (hostname, IP, OS version)
- Document system purpose and normal baseline
- Identify critical systems and sensitive data
Phase 2: Compromise Detection
- Check system logs for suspicious activity
- Examine user accounts and group memberships
- Review running processes and services
- Check for unauthorized network connections
Phase 3: Artifact Collection
- Capture memory dumps if possible
- Collect system logs and configuration files
- Document malicious files and persistence mechanisms
- Take disk images if forensic preservation is needed
Phase 4: Analysis and Attribution
- Analyze collected artifacts for IOCs
- Determine attack timeline and methods
- Identify attacker tools and techniques
- Correlate with threat intelligence
Forensic Commands
# System Information
uname -a
cat /etc/os-release
hostnamectl
# User Analysis
cat /etc/passwd
cat /etc/shadow
lastlog
last
# Process Analysis
ps auxf
pstree
ls -la /proc/*/exe
lsof -i
# Service Analysis
systemctl list-units --type=service
journalctl -u [service-name]
chkconfig --list
# Log Analysis
grep -r "suspicious" /var/log/
ausearch -m all
journalctl --since "1 day ago"
# File System Analysis
find / -mtime -1 -type f 2>/dev/null # Recently modified files
find / -user [username] -type f # Files owned by user
lsattr -R / # Check file attributes
# Network Analysis
netstat -tlnp
ss -tlnp
iptables -L
Common Linux Malware Techniques
Backdoor Creation
- SSH Keys: Authorized_keys manipulation
- User Accounts: Hidden user accounts with sudo access
- Web Shells: Hidden PHP/Python shells in web directories
- Rootkits: Kernel-level malware hiding processes
Persistence Methods
- Cron Jobs: @reboot and scheduled task execution
- Systemd Services: Custom service files
- Startup Scripts: Modification of rc.local, profile files
- Kernel Modules: Loadable kernel modules (LKMs)
Anti-Forensic Techniques
- Log Deletion: Removal of authentication logs
- Timestomp: Modification of file timestamps
- Process Hiding: Hidden process names
- Rootkit Installation: Userland and kernel rootkits
Digital Forensics Tools
- Volatility: Memory analysis framework
- Autopsy: Digital forensics platform
- Sleuth Kit: Forensic toolkit for Linux
- chkrootkit: Rootkit detection tool
- rkhunter: Rootkit hunter and scanner
- lynis: Security auditing and hardening
- OSSEC: Host-based intrusion detection
- Sysdig: System-level exploration and troubleshooting
Lessons Learned
- Comprehensive system investigations require methodical approaches
- Attackers use multiple persistence mechanisms for redundancy
- Hidden processes and files are common evasion techniques
- Log analysis is crucial for understanding attack timelines
- System hardening should be implemented as defense in depth
- Incident response requires both technical and analytical skills
- Documentation and evidence preservation are critical
- Understanding attacker TTPs helps in detection and prevention
- Regular security assessments can prevent advanced persistent threats
Prevention Strategies
System Hardening
- Principle of Least Privilege: Minimal user permissions
- Regular Updates: Patch management and vulnerability scanning
- Access Controls: Strong authentication and authorization
- Monitoring: Continuous logging and alerting
- Network Segmentation: Isolate systems and services
Detection Capabilities
- EDR Solutions: Endpoint detection and response
- SIEM Systems: Security information and event management
- File Integrity Monitoring: Detect unauthorized changes
- Network IDS/IPS: Traffic monitoring and blocking
- Regular Audits: Scheduled security assessments