Masquerading as Linux crond process

Masquerading occurs when the name or location of an executable, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. Several different variations of this technique have been observed.

Rule Content

- title: Masquerading as Linux crond process
  id: 9d4548fa-bba0-4e88-bd66-5d5bf516cda0
  status: experimental
  description: Masquerading occurs when the name or location of an executable, legitimate
    or malicious, is manipulated or abused for the sake of evading defenses and observation.
    Several different variations of this technique have been observed.
  author: Timur Zinniatullin, oscd.community
  date: 2019/10/21
  references:
  - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036/T1036.yaml
  logsource:
    product: linux
    service: auditd
    category: null
  detection:
    selection:
      type: execve
      a0: cp
      a1: -i
      a2: /bin/sh
      a3: '*/crond'
    condition: selection
  level: medium
  tags:
  - attack.defense_evasion
  - attack.t1036
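The selection block above, as standalone matching logic (an added example, not part of the original page or of the Sigma rule): it parses auditd EXECVE records and applies the same a0..a3 conditions with Sigma's `*` wildcard. The log lines are constructed, and the last one exercises auditd's hex encoding of an argument that contains a space, which a naive quoted-string match would miss.

```python
import re
from fnmatch import fnmatchcase

# Constructed auditd EXECVE records for demonstration (not from the page). The
# last one shows auditd's hex encoding of an argument that contains a space.
SAMPLE_AUDITD = [
    'type=EXECVE msg=audit(1571659200.101:2001): argc=4 a0="cp" a1="-i" a2="/bin/sh" a3="/tmp/crond"',
    'type=EXECVE msg=audit(1571659200.102:2002): argc=3 a0="cp" a1="/etc/hosts" a2="/tmp/hosts.bak"',
    'type=EXECVE msg=audit(1571659200.103:2003): argc=4 a0="cp" a1="-i" a2="/bin/sh" a3="/var/tmp/crond.old"',
    'type=EXECVE msg=audit(1571659200.104:2004): argc=4 a0="cp" a1="-i" a2="/bin/sh" a3=2F7661722F746D702F6D79206469722F63726F6E64',
]

# The rule's selection block: field -> expected value; '*' is the Sigma wildcard.
SELECTION = {"a0": "cp", "a1": "-i", "a2": "/bin/sh", "a3": "*/crond"}

# aN="quoted value" or aN=HEX (auditd hex-encodes args containing spaces or control chars)
ARG_RE = re.compile(r'\b(a\d+)=(?:"([^"]*)"|([0-9A-Fa-f]+))')


def parse_execve(line):
    """Return {'a0': ..., 'a1': ...} for an EXECVE record, or None for any other record type."""
    if "type=EXECVE" not in line:
        return None
    args = {}
    for m in ARG_RE.finditer(line):
        name, quoted, hexval = m.groups()
        if quoted is not None:
            args[name] = quoted
        else:
            try:
                args[name] = bytes.fromhex(hexval).decode("utf-8", "replace")
            except ValueError:  # odd-length or otherwise malformed hex: keep the raw token
                args[name] = hexval
    return args


def matches_rule(args):
    """Apply the selection: every field must match, case-insensitively, with '*' as a wildcard."""
    return all(fnmatchcase(args.get(field, "").lower(), pattern.lower())
               for field, pattern in SELECTION.items())


def detect(lines):
    """Return the parsed argument maps of all records that satisfy the rule's condition."""
    hits = []
    for line in lines:
        args = parse_execve(line)
        if args is not None and matches_rule(args):
            hits.append(args)
    return hits
```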

Querying Elasticsearch

Import Libraries


In [ ]:
from elasticsearch import Elasticsearch
from elasticsearch_dsl import Search
import pandas as pd

Initialize Elasticsearch client


In [ ]:
es = Elasticsearch(['http://helk-elasticsearch:9200'])
searchContext = Search(using=es, index='logs-*', doc_type='doc')

Run Elasticsearch Query


In [ ]:
# Raw string: the backslashes are Lucene query_string escapes ('\-', '\/'), not Python escapes
s = searchContext.query('query_string', query=r'(type:"execve" AND a0:"cp" AND a1:"\-i" AND a2:"\/bin\/sh" AND a3.keyword:*\/crond)')
response = s.execute()
if response.success():
    df = pd.DataFrame((d.to_dict() for d in s.scan()))
else:
    df = pd.DataFrame()  # keep df defined so the next cell still runs if the query fails

Show Results


In [ ]:
df.head()