Professional Documents
Culture Documents
1. we can use the Volatility linux_ifconfig plugin, which provides all the
necessary information in the following way:
The output will contain the packets.pcap file, which is a dump of network
traffic.
1. let's use the linux_pstree plugin and add sshd process identifiers – 29897
and 23251:
💡 we can see that the child processes of sshd are bash as well as sudo,
which means that elevated privileges were used.
2. we can search the bash history through linux_bash plugin as well as dump
and analyze the memory of these processes.
we can see that someone was working with MySQL and WordPress, and we
can see the interaction with the site-info.php file, as well as the nyan-cat.gif
download associated with the bash process with the 30112 PID.
3. We can check which user ran bash in this case through linux_psenv
Volatility plugin.
4. use the linux_recover_filesystem plugin and try to recover the filesystem from
memory
$ vol.py --plugins=profiles -f /mnt/hgfs/flash/ubuntu-server.vmem --profile=Linuxubuntu-
server_17_47_52-profilex64 linux_recover_filesystem -D /mnt/hgfs/flash/recovered/
As you can see in the figure, the /etc directory failed to recover; nevertheless,
we have /var/log where we can find the auth.log file , which show that admin
user was created at the time of the attack.
4. Let's add the network traffic dump extracted from the memory dump to our
investigation. To extract the traffic, we run Bulk Extractor:
This means that this request was made using the WPScan tool, used to
search for vulnerabilities in the content management system WordPress.
6. You cab extract that file using NetworkMiner or WireShark , and it seemed that
the attacker left a comment on the blog with a link accessing the same
192.168.110.40 IP address.
7. you can look for information about them in the MySQL logs or in the
memory of this process so, we will dump the process using linux_dump_map
plugin
Bingo! Here , we can see the payload that was used,we can also note the
interaction with the site-info.php file in the footer directory .
Scenario 2
This is an example worthy of special attention because this type of payload is
most often found on Linux-based systems involved in incidents. So, we have
information that some connections were made using port 4444 through
Meterpreter.
1. check the network connections and look for connections to ports and
addresses we know
The inject found there starts with ELF, so we are dealing with something
executable.
4. we can either calculate the hash of the executable and check it in cyber
threat intelligence platforms or try to run the file in a controlled
environment and find out what it does. Of course, if you have reverse
engineering skills or have a dedicated malware analysis team, they are
good options as well.
6. so , let’s try to look a little bit more into what happened after the
rules_for_emplo process started , through linux_pstree
7. so lets see the names of the running programs and their locations and the
arguments passed to them at startup through linux_psaux plugin
💡 From the output of this plugin, we can see that the attacker was
trying to install a cron job to get persistence , We can also notice that
the /tmp directory was used as a working directory for creating and
storing temporary files.
/dev/tty stands for the controlling terminal for the current process.
table hooking
10. find files that are opened from within the kernel with the
linux_kernel_opened_files
11. check file operation structures for rootkit modifications with the
linux_check_fop plugin.