Bpfdoor TCP Ports Redirect

calendar Oct 17, 2023 · attack.defense_evasion attack.t1562.004  ·
Share on: linkedin copy

All TCP traffic on particular port from attacker is routed to different port. ex. '/sbin/iptables -t nat -D PREROUTING -p tcp -s 192.168.1.1 --dport 22 -j REDIRECT --to-ports 42392' The traffic looks like encrypted SSH communications going to TCP port 22, but in reality is being directed to the shell port once it hits the iptables rule for the attacker host only.

Sigma rule (View on GitHub)

 1title: Bpfdoor TCP Ports Redirect
 2id: 70b4156e-50fc-4523-aa50-c9dddf1993fc
 3status: test
 4description: |
 5    All TCP traffic on particular port from attacker is routed to different port. ex. '/sbin/iptables -t nat -D PREROUTING -p tcp -s 192.168.1.1 --dport 22 -j REDIRECT --to-ports 42392'
 6    The traffic looks like encrypted SSH communications going to TCP port 22, but in reality is being directed to the shell port once it hits the iptables rule for the attacker host only.    
 7references:
 8    - https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/
 9    - https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor
10author: Rafal Piasecki
11date: 2022/08/10
12tags:
13    - attack.defense_evasion
14    - attack.t1562.004
15logsource:
16    product: linux
17    service: auditd
18detection:
19    cmd:
20        type: 'EXECVE'
21        a0|endswith: 'iptables'
22        a1: '-t'
23        a2: 'nat'
24    keywords:
25        - '--to-ports 42'
26        - '--to-ports 43'
27    condition: cmd and keywords
28falsepositives:
29    - Legitimate ports redirect
30level: medium

References

Related rules

to-top