Bpfdoor TCP Ports Redirect
All TCP traffic on particular port from attacker is routed to different port. ex. '/sbin/iptables -t nat -D PREROUTING -p tcp -s 192.168.1.1 --dport 22 -j REDIRECT --to-ports 42392' The traffic looks like encrypted SSH communications going to TCP port 22, but in reality is being directed to the shell port once it hits the iptables rule for the attacker host only.
Sigma rule (View on GitHub)
1title: Bpfdoor TCP Ports Redirect
2id: 70b4156e-50fc-4523-aa50-c9dddf1993fc
3status: test
4description: |
5 All TCP traffic on particular port from attacker is routed to different port. ex. '/sbin/iptables -t nat -D PREROUTING -p tcp -s 192.168.1.1 --dport 22 -j REDIRECT --to-ports 42392'
6 The traffic looks like encrypted SSH communications going to TCP port 22, but in reality is being directed to the shell port once it hits the iptables rule for the attacker host only.
7references:
8 - https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/
9 - https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor
10author: Rafal Piasecki
11date: 2022-08-10
12tags:
13 - attack.defense-evasion
14 - attack.t1562.004
15logsource:
16 product: linux
17 service: auditd
18detection:
19 cmd:
20 type: 'EXECVE'
21 a0|endswith: 'iptables'
22 a1: '-t'
23 a2: 'nat'
24 keywords:
25 - '--to-ports 42'
26 - '--to-ports 43'
27 condition: cmd and keywords
28falsepositives:
29 - Legitimate ports redirect
30level: medium
References
Related rules
- All Rules Have Been Deleted From The Windows Firewall Configuration
- Azure Firewall Modified or Deleted
- Azure Firewall Rule Collection Modified or Deleted
- Disable Microsoft Defender Firewall via Registry
- Disable System Firewall