Command Exploitation in *nix Systems

Attackers often exploit both interactive and non-interactive shell environments to execute commands that help them escalate privileges, maintain persistence, or evade detection. Understanding these techniques and employing robust monitoring strategies can help detect and mitigate malicious activities.


Shell Types

1. Interactive Shell

  • Directly takes user input.

  • Executes commands and displays results in real-time.

2. Non-Interactive Shell

  • Executes commands from scripts or other programs without direct user interaction.

Example: Check shell type:

[[ $- == *i* ]] && echo 'Interactive' || echo 'Not Interactive'

Key Commands and Their Exploitation

1. at Command

  • Purpose: Schedule a one-time job at a future time.

  • Abuse: Used to schedule malicious, non-interactive commands.

Example:

COMMAND='echo "test" > /tmp/test.txt'
echo "$COMMAND" | at now   # quoted so the command text reaches at unchanged

Detection:

  • Audit Logs:

    grep 'comm="at"' /var/log/audit/audit.log   # match the auditd comm field, not every line containing "at"
  • Command History:

    history | grep -w "at"
    grep -w "at" ~/.bash_history
  • EDR/XDR Logs: Search for at process creation events.

2. crontab Command

  • Purpose: Schedule repetitive tasks.

  • Abuse: Modify tasks using crontab -e to maintain persistence.

Example:

crontab -e

Detection:

  • Audit Logs:

    grep "crontab" /var/log/audit/audit.log | grep -- "-e"   # "--" stops grep from reading -e as an option
  • Command History:

    history | grep "crontab" | grep -- "-e"
  • Monitor Changes: Track modifications in /etc/cron* directories.

3. nohup Command

  • Purpose: Run long processes in the background, immune to hangups.

  • Abuse: Hide malicious background processes.

Example:

COMMAND='/usr/bin/id'
nohup "$COMMAND"
cat nohup.out

Detection:

  • Audit Logs:

    grep "nohup" /var/log/audit/audit.log
  • Command History:

    history | grep "nohup"

4. split Command

  • Purpose: Split large files into smaller parts.

  • Abuse: Execute commands using the --filter parameter.

Example:

echo | split --filter=id

Detection:

  • Audit Logs:

    grep "split" /var/log/audit/audit.log | grep "filter"
  • Command History:

    history | grep "split" | grep "filter"

General Detection Methods

1. Audit Logs

Search for suspicious command usage in /var/log/audit/audit.log.

Example:

grep <command> /var/log/audit/audit.log

2. Command History

Inspect the shell history for evidence of malicious command execution.

Examples:

history | grep <command>
grep <command> ~/.bash_history

3. EDR/XDR Logs

Use Endpoint Detection and Response (EDR) or Extended Detection and Response (XDR) solutions to monitor:

  • Process creation events.

  • Command-line arguments for suspicious patterns.
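The four detection rules above, applied to auditd EXECVE records instead of a bare grep, as an added example that is not part of the original page. The log lines are constructed but follow auditd's EXECVE layout (a0=, a1=... argument fields, hex-encoded without quotes when an argument contains spaces or control characters); the rule names are this example's own.

```python
import re

# Constructed auditd EXECVE records (not real captures) in auditd's own format.
SAMPLE_LOG = """\
type=EXECVE msg=audit(1700000000.101:201): argc=2 a0="crontab" a1="-e"
type=EXECVE msg=audit(1700000000.102:202): argc=3 a0="ls" a1="-la" a2="/tmp"
type=EXECVE msg=audit(1700000000.103:203): argc=2 a0="/usr/bin/at" a1="now"
type=EXECVE msg=audit(1700000000.104:204): argc=2 a0="nohup" a1="/usr/bin/id"
type=EXECVE msg=audit(1700000000.105:205): argc=2 a0="split" a1=2D2D66696C7465723D6964
type=EXECVE msg=audit(1700000000.106:206): argc=2 a0="crontab" a1="-l"
type=SYSCALL msg=audit(1700000000.107:207): arch=c000003e syscall=59 comm="id" exe="/usr/bin/id"
"""

# argv fields look like a0="crontab" a1="-e"; auditd hex-encodes (without quotes)
# any argument containing spaces or control characters, so both forms are parsed.
_ARG_RE = re.compile(r'\ba(\d+)=(?:"([^"]*)"|([0-9A-Fa-f]+))')

def parse_execve(line):
    """Return argv for an EXECVE record, or None for any other record type."""
    if "type=EXECVE " not in line:
        return None
    argv = {}
    for idx, quoted, hexval in _ARG_RE.findall(line):
        argv[int(idx)] = bytes.fromhex(hexval).decode("utf-8", "replace") if hexval else quoted
    return [argv[i] for i in sorted(argv)]

def classify(argv):
    """Map argv to one of the page's four patterns, or None if none applies."""
    cmd = argv[0].rsplit("/", 1)[-1]   # basename, so /usr/bin/at is treated as at
    args = argv[1:]
    if cmd == "at":
        return "at"
    if cmd == "crontab" and "-e" in args:
        return "crontab -e"
    if cmd == "nohup":
        return "nohup"
    if cmd == "split" and any(a.startswith("--filter") for a in args):
        return "split --filter"
    return None

def scan(log_text):
    """Return [(pattern, argv)] for every EXECVE record that trips a rule."""
    hits = []
    for line in log_text.splitlines():
        argv = parse_execve(line)
        tag = classify(argv) if argv else None   # skip non-EXECVE and empty argv
        if tag:
            hits.append((tag, argv))
    return hits
```

Running `scan(SAMPLE_LOG)` flags the crontab -e, at, nohup and split --filter records and leaves the plain ls, crontab -l and SYSCALL lines alone; the hex-encoded split argument is decoded before the rule is applied.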


Key Points

Commands such as at, crontab, nohup, and split can be exploited by attackers to run non-interactive tasks and stay hidden. Effective detection involves continuous monitoring of audit logs, command histories, and EDR/XDR alerts. By proactively identifying these activities, defenders can mitigate potential attacks and reduce their impact.