LinuxExploitSuggester, while a powerful auditing tool, can be used by attackers to check a system's Linux distribution and kernel version to find out which exploits can be run against it. Exploit-DB provides the operator with links to suitable exploits that can be downloaded from exploit-DB.com, a community reference used by both penetration testers and malicious hackers. When command line activity in a production environment shows both the uname utility and grep being used with the string "exploit-DB" to find common vulnerabilities and exposures (CVEs), you should be highly suspicious. You can use the following search to identify this hallmark of malicious LinuxExploitSuggester usage.
Sysmon for Linux
- Install the Add-on for Linux Sysmon
- Run the following search. You can optimize it by specifying an index and adjusting the time range.
sourcetype="sysmon_linux" CommandLine="cvelist-file:" OR CommandLine="uname -a" OR CommandLine="*exploit*" OR CommandLine="*exploit-db*" | stats count BY CommandLine, user, Computer, action, signature, process_name
The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.
| Splunk search | Explanation |
| --- | --- |
| sourcetype="sysmon_linux" CommandLine="cvelist-file:" OR CommandLine="uname -a" OR CommandLine="*exploit*" OR CommandLine="*exploit-db*" | Search the sysmon_linux sourcetype for variations on common command line strings used by the LinuxExploitSuggester tool. |
| \| stats count BY CommandLine, user, Computer, action, signature, process_name | Count the matching events grouped by CommandLine, then by the rest of the fields shown. |
The local vulnerabilities surfaced through this activity might allow operators to escalate privileges. Examine your results, assess whether they look suspicious, and investigate further as needed.
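The search above expressed as a small Python filter, as an added example that is not part of this page or of Splunk's tooling: it applies the same CommandLine terms to constructed Sysmon for Linux events, counts matches by the fields the stats command groups on, and flags host/user pairs that show the uname plus exploit-DB combination described above. The event dictionaries, their field values and the les.sh script name are assumptions modelled on the search, not real telemetry.

```python
from collections import Counter

# Constructed Sysmon for Linux process-creation events (sample data, not real telemetry).
# Field names mirror those the Splunk search groups on; "action" and "signature" are omitted.
SAMPLE_EVENTS = [
    {"CommandLine": "uname -a", "user": "www-data", "Computer": "web01", "process_name": "uname"},
    {"CommandLine": "uname -r", "user": "root", "Computer": "web01", "process_name": "uname"},
    {"CommandLine": "grep -i exploit-db cves.txt", "user": "www-data", "Computer": "web01", "process_name": "grep"},
    {"CommandLine": "./les.sh --cvelist-file cves.txt", "user": "www-data", "Computer": "web01", "process_name": "bash"},
    {"CommandLine": "ls -la /tmp", "user": "alice", "Computer": "db02", "process_name": "ls"},
    {"CommandLine": "uname -a", "user": "www-data", "Computer": "web01", "process_name": "uname"},
]

# Terms from the Splunk search, compared case-insensitively as Splunk does.
# Caveat: CommandLine="cvelist-file:" in SPL has no wildcards, so it only hits a
# CommandLine that is exactly that string; here it is treated as a substring so that
# an invocation such as "--cvelist-file cves.txt" is caught. "*exploit*" already
# covers "*exploit-db*", which is kept only to mirror the search.
EXACT_TERMS = {"uname -a"}
SUBSTRING_TERMS = ("cvelist-file", "exploit", "exploit-db")
GROUP_FIELDS = ("CommandLine", "user", "Computer", "process_name")

def matches_les_pattern(cmdline: str) -> bool:
    """True if the command line matches any term of the search's OR clause."""
    cmd = cmdline.lower()
    return cmd in EXACT_TERMS or any(term in cmd for term in SUBSTRING_TERMS)

def hunt(events) -> dict:
    """Equivalent of '... | stats count BY CommandLine, user, Computer, process_name':
    keep matching events and count them per distinct tuple of grouping fields."""
    hits = (tuple(ev[f] for f in GROUP_FIELDS) for ev in events
            if matches_les_pattern(ev["CommandLine"]))
    return dict(Counter(hits))

def hallmark_pairs(events) -> set:
    """(Computer, user) pairs where both 'uname -a' and an 'exploit-db' string were
    seen: the combination the text above singles out as the tool's hallmark."""
    seen = {}
    for ev in events:
        cmd = ev["CommandLine"].lower()
        flags = seen.setdefault((ev["Computer"], ev["user"]), set())
        if cmd == "uname -a":
            flags.add("uname")
        if "exploit-db" in cmd:
            flags.add("exploit-db")
    return {key for key, flags in seen.items() if flags == {"uname", "exploit-db"}}

if __name__ == "__main__":
    for key, count in sorted(hunt(SAMPLE_EVENTS).items(), key=lambda kv: -kv[1]):
        print(count, *key)
    print("hallmark pairs:", hallmark_pairs(SAMPLE_EVENTS))
```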
You might also be interested in other processes associated with the Detecting usage of popular Linux post-exploitation tools use case.