Detecting usage of popular Linux post-exploitation tools
Tools that are focused on Linux post-exploitation efforts use similar commands. Many of these commands, seen in an isolated context, are not effective as single indicators of post-exploitation because they can be used for legitimate purposes by administrators. However, malicious actors often use these tools to search for opportunities to exploit Linux hosts. Among these tools are:
- Linpeas, used to search for possible paths to escalate privileges on Linux/Unix/MacOS hosts
- LinuxExploitSuggester, used to audit privilege escalation in Linux systems
- AutoSUID, used for harvesting of SUID executable files as a path to escalate privileges
Digging into the data deeper with Sysmon for Linux and looking at the different processes, services, and user-session information might indicate the use of these tools in the context of post-exploitation.
How to use Splunk software for this use case
To deploy this use case, make sure that you have the Splunk ES Content Updates installed on your Splunk Enterprise Security deployment. This extensive content library empowers you to deploy out-of-the-box security detections and analytic stories to enhance your investigations and improve your security posture. If you do not have Splunk Enterprise Security, these detections will still give you an idea of what you can accomplish with SPL in the Splunk platform or with the free app, Splunk Security Essentials.
Some of the detections that can help you with this use case include:
Results returned from these searches show hallmarks of checks made by these tools on Linux hosts in your environment. You should analyze these results further to identify whether they definitely show suspicious activity.
The content in this guide comes from a previously published blog, one of the thousands of Splunk resources available to help users succeed.
Still need help with this use case? Most customers have OnDemand Services per their license support plan. Engage the ODS team at OnDemand-Inquires@splunk.