Suspicious Dynamic Linker Discovery via od
Monitors for dynamic linker discovery via the od utility. od (octal dump) is a command-line utility in Unix operating systems used for displaying data in various formats, including octal, hexadecimal, decimal, and ASCII, primarily used for examining and debugging binary files or data streams. Attackers can leverage od to analyze the dynamic linker, identify injection points, and craft exploits based on the observed behaviors and structures within these files.
Elastic rule (View on GitHub)
[metadata]
creation_date = "2024/02/01"
integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"]
maturity = "production"
min_stack_version = "8.13.0"
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
updated_date = "2025/01/15"

[rule]
author = ["Elastic"]
description = """
Monitors for dynamic linker discovery via the od utility. od (octal dump) is a command-line utility in Unix operating
systems used for displaying data in various formats, including octal, hexadecimal, decimal, and ASCII, primarily used
for examining and debugging binary files or data streams. Attackers can leverage od to analyze the dynamic linker,
identify injection points, and craft exploits based on the observed behaviors and structures within these files.
"""
from = "now-9m"
index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious Dynamic Linker Discovery via od"
references = ["https://github.com/arget13/DDexec"]
risk_score = 21
rule_id = "0369e8a6-0fa7-4e7a-961a-53180a4c966e"
setup = """## Setup


This rule requires data coming in from Elastic Defend.

### Elastic Defend Integration Setup
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.

#### Prerequisite Requirements:
- Fleet is required for Elastic Defend.
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).

#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
- Go to the Kibana home page and click "Add integrations".
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
- Click "Add Elastic Defend".
- Configure the integration name and optionally add a description.
- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent; you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, which provides "All events; all preventions".
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
- Click "Save and Continue".
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "low"
tags = [
  "Domain: Endpoint",
  "OS: Linux",
  "Use Case: Threat Detection",
  "Tactic: Discovery",
  "Data Source: Elastic Defend",
  "Data Source: Elastic Endgame",
  "Data Source: Auditd Manager",
  "Data Source: Crowdstrike",
  "Data Source: SentinelOne",
  "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started")
  and process.name == "od" and process.args in (
  "/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2", "/etc/ld.so.preload", "/lib64/ld-linux-x86-64.so.2",
  "/usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2", "/usr/lib64/ld-linux-x86-64.so.2"
)
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Suspicious Dynamic Linker Discovery via od

The dynamic linker in Linux environments is crucial for loading shared libraries needed by programs. Attackers may exploit the `od` utility to inspect these linkers, seeking vulnerabilities for code injection. The detection rule identifies suspicious use of `od` targeting specific linker files, flagging potential reconnaissance activities that could precede an exploit attempt.

### Possible investigation steps

- Review the process execution details to confirm the use of the 'od' utility, focusing on the process name and arguments to ensure they match the suspicious patterns identified in the query.
- Investigate the user account associated with the process execution to determine if the activity aligns with their typical behavior or if it appears anomalous.
- Check the system's process execution history for any other unusual or related activities around the same time, such as attempts to access or modify linker files.
- Analyze any network connections or data transfers initiated by the host around the time of the alert to identify potential data exfiltration or communication with known malicious IPs.
- Correlate this event with other security alerts or logs from the same host to identify patterns or sequences of actions that could indicate a broader attack campaign.

### False positive analysis

- System administrators or developers may use the od utility to inspect dynamic linker files for legitimate debugging or system maintenance purposes. To handle this, create exceptions for known user accounts or processes that regularly perform these activities.
- Automated scripts or monitoring tools might invoke od on dynamic linker files as part of routine system checks. Identify these scripts and whitelist their execution paths to prevent unnecessary alerts.
- Security researchers or penetration testers could use od during authorized security assessments. Establish a process to temporarily disable the rule or add exceptions for the duration of the assessment to avoid false positives.
- Some software installations or updates might involve the use of od to verify linker integrity. Monitor installation logs and correlate with od usage to determine if the activity is benign, and consider adding exceptions for these specific scenarios.

### Response and remediation

- Immediately isolate the affected system from the network to prevent potential lateral movement or further exploitation.
- Terminate any suspicious processes associated with the `od` utility that are targeting dynamic linker files to halt any ongoing reconnaissance or exploitation attempts.
- Conduct a thorough review of system logs and process execution history to identify any unauthorized access or modifications to the dynamic linker files.
- Restore any altered or compromised dynamic linker files from a known good backup to ensure system integrity.
- Implement stricter access controls and monitoring on critical system files, including dynamic linkers, to prevent unauthorized access and modifications.
- Escalate the incident to the security operations team for further analysis and to determine if additional systems are affected or if there is a broader threat campaign.
- Update detection and monitoring systems to enhance visibility and alerting for similar suspicious activities involving the `od` utility and critical system files."""


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1057"
name = "Process Discovery"
reference = "https://attack.mitre.org/techniques/T1057/"


[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"
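The following is an added example, not part of the Elastic rule or its repository: it mirrors the EQL predicate above in Python, runs it over constructed ECS-style process events, and then applies the kind of user/parent-process exception list the false-positive section recommends. The field names, user names and parent paths in the sample events are assumed, hypothetical values.

```python
from typing import Iterable, List, Tuple

# Constants copied verbatim from the rule's EQL query.
START_ACTIONS = {"exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started"}
LINKER_PATHS = {
    "/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2", "/etc/ld.so.preload",
    "/lib64/ld-linux-x86-64.so.2", "/usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2",
    "/usr/lib64/ld-linux-x86-64.so.2",
}

def matches_rule(ev: dict) -> bool:
    """Python mirror of the EQL predicate. `process.args in (...)` is true when ANY
    element of the args array equals a listed value, so flags before the path still match."""
    return (
        ev.get("host.os.type") == "linux"
        and ev.get("event.type") == "start"
        and ev.get("event.action") in START_ACTIONS
        and ev.get("process.name") == "od"
        and any(arg in LINKER_PATHS for arg in ev.get("process.args", []))
    )

def triage(events: Iterable[dict], allowed_users: frozenset = frozenset(),
           allowed_parents: frozenset = frozenset()) -> Tuple[List[dict], List[dict]]:
    """Apply the rule, then the exceptions the false-positive section suggests (known
    accounts, known automation parents). Suppressed hits are returned, not dropped."""
    alerts, suppressed = [], []
    for ev in events:
        if not matches_rule(ev):
            continue
        if (ev.get("user.name") in allowed_users
                or ev.get("process.parent.executable") in allowed_parents):
            suppressed.append(ev)
        else:
            alerts.append(ev)
    return alerts, suppressed

def make_event(name, args, user, parent, etype="start", action="exec") -> dict:
    """Build a constructed ECS-style process event (hypothetical field values)."""
    return {"host.os.type": "linux", "event.type": etype, "event.action": action,
            "process.name": name, "process.args": args, "user.name": user,
            "process.parent.executable": parent}

# Constructed sample events: one true hit, one hit from a known admin, three non-matches.
SAMPLE_EVENTS = [
    make_event("od", ["od", "-A", "x", "-t", "x1", "/lib64/ld-linux-x86-64.so.2"], "www-data", "/bin/bash"),
    make_event("od", ["od", "-c", "/etc/ld.so.preload"], "sysadmin", "/usr/bin/python3"),
    make_event("od", ["od", "-c", "/etc/hosts"], "www-data", "/bin/bash"),                 # not a linker path
    make_event("od", ["od", "/etc/ld.so.preload"], "www-data", "/bin/bash", etype="end"),  # not a start event
    make_event("xxd", ["xxd", "/lib64/ld-linux-x86-64.so.2"], "www-data", "/bin/bash"),   # different tool
]
```

Calling `triage(SAMPLE_EVENTS, allowed_users=frozenset({"sysadmin"}))` yields one alert (the www-data hit) and one suppressed event; without exceptions both od hits alert.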