Unknown Execution of Binary with RWX Memory Region
Monitors for the execution of a previously unknown unix binary with read, write and execute memory region permissions. The mprotect() system call is used to change the access protections on a region of memory that has already been allocated. This syscall allows a process to modify the permissions of pages in its virtual address space, enabling or disabling permissions such as read, write, and execute for those pages. RWX permissions on memory is in many cases overly permissive, and should be analyzed thoroughly.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2024/03/13"
3integration = ["auditd_manager"]
4maturity = "production"
5updated_date = "2025/01/15"
6
7[rule]
8author = ["Elastic"]
9description = """
10Monitors for the execution of a previously unknown unix binary with read, write and execute memory region permissions.
11The mprotect() system call is used to change the access protections on a region of memory that has already been
12allocated. This syscall allows a process to modify the permissions of pages in its virtual address space, enabling or
13disabling permissions such as read, write, and execute for those pages. RWX permissions on memory is in many cases
14overly permissive, and should be analyzed thoroughly.
15"""
16from = "now-9m"
17index = ["auditbeat-*", "logs-auditd_manager.auditd-*"]
18language = "kuery"
19license = "Elastic License v2"
20name = "Unknown Execution of Binary with RWX Memory Region"
21references = [
22 "https://man7.org/linux/man-pages/man2/mprotect.2.html",
23 "https://www.elastic.co/security-labs/linux-detection-engineering-with-auditd",
24]
25risk_score = 47
26rule_id = "23bcd283-2bc0-4db2-81d4-273fc051e5c0"
27setup = """## Setup
28
29This rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.
Kibana --> Management --> Integrations --> Auditd Manager --> Add Auditd Manager
1`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the "audit rules" configuration box or the "auditd rule files" box by specifying a file to read the audit rules from.
2For this detection rule to trigger, the following additional audit rules are required to be added to the integration:
-a always,exit -F arch=b64 -S mprotect
1Add the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.
2"""
3severity = "medium"
4tags = [
5 "Domain: Endpoint",
6 "OS: Linux",
7 "Use Case: Threat Detection",
8 "Tactic: Execution",
9 "Data Source: Auditd Manager",
10 "Resources: Investigation Guide",
11]
12timestamp_override = "event.ingested"
13type = "new_terms"
14
15query = '''
16event.category:process and host.os.type:linux and auditd.data.syscall:mprotect and auditd.data.a2:7 and not (
17 process.executable:(
18 "/usr/share/kibana/node/bin/node" or "/usr/share/elasticsearch/jdk/bin/java" or "/usr/sbin/apache2"
19 ) or
20 process.name:httpd
21)
22'''
23note = """## Triage and analysis
24
25> **Disclaimer**:
26> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
27
28### Investigating Unknown Execution of Binary with RWX Memory Region
29
30In Linux environments, the `mprotect()` system call is crucial for managing memory permissions, allowing processes to modify access rights of memory pages. Adversaries exploit this by granting read, write, and execute (RWX) permissions to inject and execute malicious code. The detection rule identifies suspicious RWX memory allocations by monitoring `mprotect()` calls, excluding known safe binaries, thus highlighting potential threats.
31
32### Possible investigation steps
33
34- Review the process details associated with the alert, focusing on the process.executable and process.name fields to identify the binary that triggered the alert.
35- Investigate the command line arguments and parent process of the suspicious binary to understand its origin and purpose.
36- Check the process's hash against known threat intelligence databases to determine if it is associated with any known malicious activity.
37- Analyze the network activity of the process to identify any suspicious connections or data exfiltration attempts.
38- Examine the user account under which the process is running to assess if it has been compromised or is being used for unauthorized activities.
39- Review recent system logs and audit records for any other anomalies or related suspicious activities around the time of the alert.
40
41### False positive analysis
42
43- Known safe binaries like Node.js, Java, and Apache may trigger the rule due to their legitimate use of RWX memory regions. These are already excluded in the rule, but additional similar applications might need to be added to the exclusion list.
44- Custom or in-house developed applications that require RWX permissions for legitimate functionality can also cause false positives. Identify these applications and add them to the exclusion list to prevent unnecessary alerts.
45- Development environments or testing frameworks that dynamically generate and execute code might be flagged. Consider excluding these environments if they are known and trusted within your organization.
46- Security tools or monitoring software that perform memory analysis or manipulation could be mistakenly identified. Verify their behavior and exclude them if they are part of your security infrastructure.
47- Regularly review and update the exclusion list to ensure it reflects the current environment and any new applications that are introduced.
48
49### Response and remediation
50
51- Immediately isolate the affected system from the network to prevent potential lateral movement or data exfiltration by the malicious code.
52- Terminate the suspicious process identified by the detection rule to halt any ongoing malicious activity.
53- Conduct a forensic analysis of the affected system to identify the source and scope of the compromise, focusing on the unknown binary and its origin.
54- Remove any malicious binaries or scripts identified during the forensic analysis to prevent further execution.
55- Apply security patches and updates to the affected system to address any vulnerabilities that may have been exploited.
56- Restore the system from a known good backup if the integrity of the system is in question and ensure all security patches are applied post-restoration.
57- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected."""
58
59
60[[rule.threat]]
61framework = "MITRE ATT&CK"
62[[rule.threat.technique]]
63id = "T1059"
64name = "Command and Scripting Interpreter"
65reference = "https://attack.mitre.org/techniques/T1059/"
66[[rule.threat.technique.subtechnique]]
67id = "T1059.004"
68name = "Unix Shell"
69reference = "https://attack.mitre.org/techniques/T1059/004/"
70
71
72
73[rule.threat.tactic]
74id = "TA0002"
75name = "Execution"
76reference = "https://attack.mitre.org/tactics/TA0002/"
77
78[rule.new_terms]
79field = "new_terms_fields"
80value = ["process.executable"]
81[[rule.new_terms.history_window_start]]
82field = "history_window_start"
83value = "now-7d"
Triage and analysis
Disclaimer: This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
Investigating Unknown Execution of Binary with RWX Memory Region
In Linux environments, the mprotect()
system call is crucial for managing memory permissions, allowing processes to modify access rights of memory pages. Adversaries exploit this by granting read, write, and execute (RWX) permissions to inject and execute malicious code. The detection rule identifies suspicious RWX memory allocations by monitoring mprotect()
calls, excluding known safe binaries, thus highlighting potential threats.
Possible investigation steps
- Review the process details associated with the alert, focusing on the process.executable and process.name fields to identify the binary that triggered the alert.
- Investigate the command line arguments and parent process of the suspicious binary to understand its origin and purpose.
- Check the process's hash against known threat intelligence databases to determine if it is associated with any known malicious activity.
- Analyze the network activity of the process to identify any suspicious connections or data exfiltration attempts.
- Examine the user account under which the process is running to assess if it has been compromised or is being used for unauthorized activities.
- Review recent system logs and audit records for any other anomalies or related suspicious activities around the time of the alert.
False positive analysis
- Known safe binaries like Node.js, Java, and Apache may trigger the rule due to their legitimate use of RWX memory regions. These are already excluded in the rule, but additional similar applications might need to be added to the exclusion list.
- Custom or in-house developed applications that require RWX permissions for legitimate functionality can also cause false positives. Identify these applications and add them to the exclusion list to prevent unnecessary alerts.
- Development environments or testing frameworks that dynamically generate and execute code might be flagged. Consider excluding these environments if they are known and trusted within your organization.
- Security tools or monitoring software that perform memory analysis or manipulation could be mistakenly identified. Verify their behavior and exclude them if they are part of your security infrastructure.
- Regularly review and update the exclusion list to ensure it reflects the current environment and any new applications that are introduced.
Response and remediation
- Immediately isolate the affected system from the network to prevent potential lateral movement or data exfiltration by the malicious code.
- Terminate the suspicious process identified by the detection rule to halt any ongoing malicious activity.
- Conduct a forensic analysis of the affected system to identify the source and scope of the compromise, focusing on the unknown binary and its origin.
- Remove any malicious binaries or scripts identified during the forensic analysis to prevent further execution.
- Apply security patches and updates to the affected system to address any vulnerabilities that may have been exploited.
- Restore the system from a known good backup if the integrity of the system is in question and ensure all security patches are applied post-restoration.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
References
Related rules
- AWS SSM `SendCommand` with Run Shell Command Parameters
- Network Connection from Binary with RWX Memory Region
- Potential Linux Hack Tool Launched
- Potential Meterpreter Reverse Shell
- Potential Reverse Shell via UDP