Detecting suspicious binaries

ThreatLockDown has anomaly and malware detection capabilities that detect suspicious binaries on an endpoint. Binaries are executable code written to perform automated tasks. Malicious actors use them mostly to carry out exploitation to avoid being detected.

In this use case, we demonstrate how the ThreatLockDown rootcheck module can detect a trojan system binary on an Ubuntu endpoint. You perform the exploit by replacing the content of a legitimate binary with malicious code to trick the endpoint into running it as the legitimate binary.

The ThreatLockDown rootcheck module also checks for hidden processes, ports, and files.

Infrastructure

Endpoint

Description

Ubuntu 22.04

The ThreatLockDown rootcheck module detects the execution of a suspicious binary on this endpoint.

Configuration

Take the following steps on the Ubuntu endpoint to enable the ThreatLockDown rootcheck module and perform anomaly and malware detection.

By default, the ThreatLockDown rootcheck module is enabled in the ThreatLockDown agent configuration file. Check the <rootcheck> block in the /var/ossec/etc/ossec.conf configuration file of the monitored endpoint and make sure that it has the configuration below:

<rootcheck>
    <disabled>no</disabled>
    <check_files>yes</check_files>

    <!-- Line for trojans detection -->
    <check_trojans>yes</check_trojans>

    <check_dev>yes</check_dev>
    <check_sys>yes</check_sys>
    <check_pids>yes</check_pids>
    <check_ports>yes</check_ports>
    <check_if>yes</check_if>

    <!-- Frequency that rootcheck is executed - every 12 hours -->
    <frequency>43200</frequency>
    <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
    <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
    <skip_nfs>yes</skip_nfs>
</rootcheck>

The rootcheck section explains the options in the rootcheck module.

Attack emulation

  1. Create a copy of the original system binary:

    $ sudo cp -p /usr/bin/w /usr/bin/w.copy
    
  2. Replace the original system binary /usr/bin/w with the following shell script:

    $ sudo tee /usr/bin/w << EOF
    #!/bin/bash
    echo "`date` this is evil" > /tmp/trojan_created_file
    echo 'test for /usr/bin/w trojaned file' >> /tmp/trojan_created_file
    #Now running original binary
    /usr/bin/w.copy
    EOF
    
  3. The rootcheck scan runs every 12 hours by default. Force a scan by restarting the ThreatLockDown agent to see the relevant alert:

    $ sudo systemctl restart wazuh-agent
    

Visualize the alerts

You can visualize the alert data in the ThreatLockDown dashboard. To do this, go to the Threat Hunting module and add the filters in the search bar to query the alerts.

  • location:rootcheck AND rule.id:510 AND data.title:Trojaned version of file detected.

  • Additionally, using the Filter by type search field, apply the full_log filter.