THM-Linux Incident Surface-Writeup
Explore various areas of Incident Surface in Linux and how to identify the footprints of the incident.
Find This Room: Linux Incident Surface
Task 1: Introduction
Introduction
The Linux Incident Surface covers all the potential points or sources in a Linux system where an incident could occur or where traces of an incident could be found. Such a point can be the origin of a security breach, and it may also be part of the Linux Attack Surface.
The Linux Attack Surface refers to the various entry points through which an attack or an unauthorized attempt to enter the system or gain access could be made.
The room is all about exploring various incident points from the defensive perspective while also considering the attack surface perspective.
Prerequisites:
This room expects users to have covered the following rooms:
Let’s dive in.
No answer needed.
Task 2: Lab Connection
All the important files are placed in the /home/activities/processes directory in the room. So start the machine and navigate to the directory.
#2.1 Connect with the lab. How many files and folders are in the /home/activities/processes directory?
Answer: 3
Task 3: Linux Incident Surface — An Overview
As explained before, the Linux Incident Surface refers to all the potential points in a Linux system where an incident could occur or leave traces; the incident itself is an attacker exploiting a weakness to gain unauthorized access and impacting the system's confidentiality, integrity, or availability (C-I-A).
Linux Attack Surface
The Linux Attack Surface refers to all the points of interaction in a Linux system where an adversary might attempt to exploit vulnerabilities to gain unauthorized access or carry out malicious activities. One of the main purposes of identifying the attack surface is to reduce the number of entry points that the attackers could potentially exploit.
Some of the key entry points that could be identified as part of the Linux Attack Surface are:
- Open ports
- Running services
- Running software or applications with vulnerabilities
- Network communication
The primary goal is to minimize the attack surface by reducing potential weaknesses from the areas the attacker could exploit. Some of the steps that are involved in achieving this goal are:
- Identifying and patching the vulnerabilities
- Minimizing the usage of unwanted services
- Reviewing the interfaces through which users interact with the system
- Minimizing the publicly exposed services, applications, ports, etc.
Linux Incident Surface
The Linux Incident Surface, on the other hand, refers to all the system areas involved in the detection, management, and response to an actual security incident (post-compromise). It includes where security breaches may be detected and analyzed and where a response plan must be implemented to mitigate the incident.
The main purpose of identifying the incident surface is to hunt down, detect, respond to, and recover from the incident if it has occurred. A security analyst would monitor all areas within the operating system where any traces or footprints of the attack could be found. Some of the key points where we could find the incident traces are highlighted below:
- System logs
- auth.log, syslog, kern.log, etc.
- Network traffic
- Running processes
- Running services
- The integrity of the files and processes
No answer needed.
Task 4: Processes and Network Communication
Processes and their network communication are central to incident investigations on any operating system. Monitoring and analyzing processes, especially those with network communication, can help identify and address security incidents. Running processes are a key part of the Linux Incident Surface, as they are a potential source of evidence of an attack.
To answer the questions in this task, follow the steps below. The original writeup includes screenshots of the output at each step; they are noted here in brackets.
Step 1: Run simple.c in one terminal and, in a second terminal, run the command shown in the screenshot. [screenshot: simple.c]
Step 2: List the files and resources connected with the process. [screenshot: files/resources connected with the process]
Step 3: Run netcom in another terminal and get its PID. [screenshot: getting PID for netcom after executing it in another terminal]
Step 4: Query the process with osquery.
#4.1 What is the remote IP to which the process netcom establishes the connection?
Answer: 68.53.23.246
For the next part, it's okay if you're unsure of the exact column name for the remote port in osquery. Use SELECT * in the query to retrieve all columns of the table, and you'll be able to identify remote_port, which is 443.
#4.2 Update the osquery command. What is the remote port the netcom process is communicating to?
Answer: 443
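As an added example (not part of the room or the original writeup), the script below does by hand what lsof, ss -tnp and osquery's process_open_sockets table do on the lab machine: it decodes /proc/net/tcp, where the kernel prints each endpoint as hex in host byte order (on x86 the answer to 4.1 and 4.2, 68.53.23.246:443, appears as F6173544:01BB), and ties each socket's inode back to a PID through the socket:[inode] links under /proc/<pid>/fd. The /proc/net/tcp table and the fd links are constructed here, with the remote endpoint chosen to match the lab answer; PID 4242 and the local address 10.0.0.15 are made up. The little-endian decode is an assumption that holds on x86 and ARM hosts.

```python
import os
import socket
import struct
from dataclasses import dataclass

# Kernel TCP state codes as printed in the "st" column of /proc/net/tcp.
TCP_STATES = {
    "01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
    "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
    "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING",
}

# Constructed sample of /proc/net/tcp (not captured from the lab). Row 0 is a
# listener on port 22; row 1 is an outbound session to 68.53.23.246:443,
# which the kernel prints little-endian as F6173544:01BB.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0F00000A:B3A6 F6173544:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 67890 1 0000000000000000 20 4 30 10 -1
"""

# Constructed readlink targets of /proc/<pid>/fd/*; PID 4242 stands in for netcom.
SAMPLE_FD_LINKS = {
    1: ["/dev/null", "socket:[12345]"],
    4242: ["/dev/pts/0", "/dev/pts/0", "socket:[67890]"],
}


@dataclass
class TcpSocket:
    local: str
    remote: str
    state: str
    uid: int
    inode: int


def decode_endpoint(hex_endpoint):
    """'F6173544:01BB' -> '68.53.23.246:443'. The address is a 32-bit value in
    host byte order; '<I' assumes a little-endian host (x86, ARM)."""
    ip_hex, port_hex = hex_endpoint.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return f"{ip}:{int(port_hex, 16)}"


def parse_proc_net_tcp(text):
    """Parse the text of /proc/net/tcp into TcpSocket records (header skipped)."""
    sockets = []
    for line in text.splitlines()[1:]:
        f = line.split()
        if len(f) < 10:
            continue
        sockets.append(TcpSocket(
            local=decode_endpoint(f[1]), remote=decode_endpoint(f[2]),
            state=TCP_STATES.get(f[3], f[3]), uid=int(f[7]), inode=int(f[9]),
        ))
    return sockets


def socket_owners(fd_links):
    """{pid: [readlink targets of /proc/<pid>/fd/*]} -> {socket inode: pid}."""
    owners = {}
    for pid, targets in fd_links.items():
        for target in targets:
            if target.startswith("socket:[") and target.endswith("]"):
                owners[int(target[8:-1])] = pid
    return owners


def established_peers(pid, net_tcp_text, fd_links):
    """Remote endpoints of ESTABLISHED TCP sockets owned by pid."""
    owners = socket_owners(fd_links)
    return [s.remote for s in parse_proc_net_tcp(net_tcp_text)
            if s.state == "ESTABLISHED" and owners.get(s.inode) == pid]


def live_fd_links(pid):
    """Collect /proc/<pid>/fd link targets on a running Linux host (needs root
    or the same user as the target process)."""
    fd_dir = f"/proc/{pid}/fd"
    links = []
    for fd in os.listdir(fd_dir):
        try:
            links.append(os.readlink(os.path.join(fd_dir, fd)))
        except OSError:
            continue
    return {pid: links}


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 2 and os.path.exists("/proc/net/tcp"):
        pid = int(sys.argv[1])  # e.g. the PID found in Step 3, $(pidof netcom)
        with open("/proc/net/tcp") as fh:
            print(established_peers(pid, fh.read(), live_fd_links(pid)))
    else:
        print(established_peers(4242, SAMPLE_PROC_NET_TCP, SAMPLE_FD_LINKS))
```

On the lab machine the same answer comes from osquery with `SELECT pid, remote_address, remote_port FROM process_open_sockets WHERE pid = <pid>;`, or from `lsof -p <pid>` and `ss -tnp`; the script is useful when those tools are missing or when you want to read the kernel's own view rather than trust a binary that may have been tampered with. IPv6 sockets live in /proc/net/tcp6 and are not handled here.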
Task 5: Persistence
Persistence generally refers to adversaries’ techniques for maintaining access to a compromised system after the initial exploitation. To understand how different incidents are identified at various points of the Linux endpoint, we will first perform the attack and then examine where and how the attack footprints are reflected.
Answers to the questions in the tasks and how to find them:
#5.1 What is the default path that contains all the installed services in Linux?
Answer: /etc/systemd/system
#5.2 Which suspicious service was found to be running on the host?
Answer: benign.service
#5.3 What process does this service point to?
Answer: benign
#5.4 Before getting this service stopped on 11th Sept, how many log entries were observed in the journalctl against this service?
Answer: 7
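An added example (not part of the room or this writeup) that automates the triage behind 5.1 to 5.3: it reads every .service unit under a directory, pulls the program out of ExecStart= (stripping the prefix characters systemd allows there, such as -, @, + and !), and flags units that execute something outside the usual package-managed locations, which is how a unit like benign.service pointing at a dropped binary stands out among the legitimate ones. The unit texts below are constructed, and the path /tmp/.cache/benign is made up for illustration. One caveat on 5.1: /etc/systemd/system holds administrator-added units and overrides, while distribution packages ship theirs under /lib/systemd/system (or /usr/lib/systemd/system), so a full sweep covers both.

```python
import os

# Locations that package-managed binaries normally live in. Anything executed
# from elsewhere (/tmp, /dev/shm, /home, /var/tmp, ...) deserves a closer look.
TRUSTED_PREFIXES = (
    "/usr/bin/", "/usr/sbin/", "/usr/lib/", "/usr/libexec/", "/usr/local/bin/",
    "/usr/local/sbin/", "/bin/", "/sbin/", "/lib/",
)

# Directories systemd loads unit files from; admin-added units come first.
UNIT_DIRS = ("/etc/systemd/system", "/lib/systemd/system", "/usr/lib/systemd/system")

# Constructed unit files standing in for what you would find on the host.
SAMPLE_UNITS = {
    "ssh.service": "[Unit]\nDescription=OpenBSD Secure Shell server\n\n"
                   "[Service]\nExecStart=/usr/sbin/sshd -D $SSHD_OPTS\n",
    "benign.service": "[Unit]\nDescription=Benign Service\n\n"
                      "[Service]\nExecStart=-/tmp/.cache/benign\nRestart=always\n\n"
                      "[Install]\nWantedBy=multi-user.target\n",
    "broken.service": "[Unit]\nDescription=No ExecStart here\n",
}


def exec_start_binary(unit_text):
    """Return the program named by the first ExecStart= line, or None.
    systemd allows '@', '-', ':', '+', '!' and '!!' in front of the path."""
    for line in unit_text.splitlines():
        line = line.strip()
        if line.startswith("ExecStart="):
            command = line[len("ExecStart="):].strip().lstrip("@-:+!")
            return command.split()[0] if command else None
    return None


def classify_unit(name, unit_text):
    """(unit name, binary, verdict) for one unit file's contents."""
    binary = exec_start_binary(unit_text)
    if binary is None:
        return (name, None, "no ExecStart")
    if not binary.startswith("/"):
        return (name, binary, "relative path (resolved via PATH)")
    if binary.startswith(TRUSTED_PREFIXES):
        return (name, binary, "ok")
    return (name, binary, "SUSPICIOUS: outside trusted prefixes")


def suspicious_units(units):
    """Names of units whose ExecStart is flagged, from a {name: text} mapping."""
    return sorted(name for name, text in units.items()
                  if classify_unit(name, text)[2].startswith("SUSPICIOUS"))


def load_unit_dir(path):
    """Read all *.service files in one directory into {name: text}."""
    units = {}
    if not os.path.isdir(path):
        return units
    for entry in sorted(os.listdir(path)):
        full = os.path.join(path, entry)
        if entry.endswith(".service") and os.path.isfile(full):
            with open(full, errors="replace") as fh:
                units[entry] = fh.read()
    return units


if __name__ == "__main__":
    units = {}
    for unit_dir in UNIT_DIRS:
        units.update(load_unit_dir(unit_dir))
    # Fall back to the constructed sample when not run on a systemd host.
    for row in (classify_unit(n, t) for n, t in (units or SAMPLE_UNITS).items()):
        print(*row)
```

Once a unit is flagged, `systemctl cat benign.service` shows the unit file and where it was loaded from, `systemctl status benign.service` shows the process it is running (5.3), and `journalctl -u benign.service --until 2024-09-11 --no-pager` lists the journal entries for that unit up to the date in 5.4; count those entries for the answer. The trusted-prefix list is a heuristic: an attacker with root can drop a binary under /usr/bin too, so pair this check with package ownership (`dpkg -S <path>`) and file timestamps.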
Task 6: Footprints on Disk
The Linux Incident Surface on disk refers to the areas of the filesystem that attackers may target and where they could leave traces of their activities. From a forensics perspective, examining these areas can be crucial in understanding and investigating security incidents. By focusing on these potential incident surfaces, forensic analysts can identify the attack's traces and support the incident response.
#6.1 Create a suspicious Debian package on the disk by following the steps mentioned in the task. How many log entries are observed in the dpkg.log file associated with this installation activity?
Answer: 6
#6.2 What package was installed on the system on the 17th of September, 2024?
Answer: c2comm
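An added example, not part of the room or the writeup, that reads /var/log/dpkg.log the way 6.1 and 6.2 ask you to: every package install, upgrade, remove or configure action is logged there with a timestamp, and dpkg also writes a `status` line for each state transition (half-installed, unpacked, half-configured, installed), so a single `dpkg -i` produces several lines. The log excerpt below is constructed; the c2comm package name comes from the answer to 6.2, while the curl upgrade, the timestamps and the version strings are invented.

```python
import re
from datetime import date

# Constructed dpkg.log excerpt (not copied from the lab machine).
SAMPLE_DPKG_LOG = """\
2024-09-10 08:15:02 startup packages configure
2024-09-10 08:15:02 upgrade curl:amd64 1.0-1 1.0-2
2024-09-10 08:15:03 status installed curl:amd64 1.0-2
2024-09-17 12:00:01 startup archives unpack
2024-09-17 12:00:01 install c2comm:amd64 <none> 1.0-1
2024-09-17 12:00:01 status half-installed c2comm:amd64 1.0-1
2024-09-17 12:00:01 status unpacked c2comm:amd64 1.0-1
2024-09-17 12:00:02 startup packages configure
2024-09-17 12:00:02 configure c2comm:amd64 1.0-1 <none>
2024-09-17 12:00:02 status unpacked c2comm:amd64 1.0-1
2024-09-17 12:00:02 status half-configured c2comm:amd64 1.0-1
2024-09-17 12:00:02 status installed c2comm:amd64 1.0-1
"""

# "YYYY-MM-DD HH:MM:SS <action> <rest>"; status lines carry the state first.
LOG_LINE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<action>install|upgrade|remove|purge|configure|trigproc|status|startup) "
    r"(?P<rest>.*)$"
)


def parse_dpkg_log(text):
    """Turn dpkg.log lines into dicts; the package name is stored without its
    :arch suffix so 'c2comm:amd64' matches a search for 'c2comm'."""
    events = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        action, rest = m["action"], m["rest"].split()
        if action == "startup":
            state, package = " ".join(rest), None
        elif action == "status":
            state, package = rest[0], rest[1].split(":")[0]
        else:
            state, package = action, rest[0].split(":")[0]
        events.append({"date": date.fromisoformat(m["date"]), "time": m["time"],
                       "action": action, "state": state, "package": package})
    return events


def packages_installed_on(text, day):
    """Packages with an 'install' action on the given date (question 6.2)."""
    return sorted({e["package"] for e in parse_dpkg_log(text)
                   if e["action"] == "install" and e["date"] == day})


def entries_for_package(text, package):
    """Every dpkg.log entry that mentions the package (question 6.1)."""
    return [e for e in parse_dpkg_log(text) if e["package"] == package]


def timeline(text):
    """(date, action, package) for the top-level actions, status lines omitted."""
    return [(e["date"], e["action"], e["package"]) for e in parse_dpkg_log(text)
            if e["action"] not in ("status", "startup")]


if __name__ == "__main__":
    try:
        with open("/var/log/dpkg.log") as fh:  # rotated copies: dpkg.log.1, *.gz
            text = fh.read()
    except OSError:
        text = SAMPLE_DPKG_LOG
    for row in timeline(text):
        print(*row)
```

A quick `grep c2comm /var/log/dpkg.log` gives the same count as entries_for_package, but the parser also lets you ask "what changed on this date" across rotated logs (dpkg.log.1, and the gzipped older ones via gzip.open) without relying on knowing the package name first, which is the situation you are usually in during an incident.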
Task 7: Linux Logs
Logs in every digital device play an important role in understanding what happened. Similarly, logs in Linux are essential for monitoring and tracking system activities, detecting attacks, and identifying incident surfaces. The logs contain records of each event or activity on the system, which could be valuable when identifying and investigating security-related incidents.
View the auth.log.1 file in /var/log and you will find the answers:
#7.1 Examine the auth.log files. Which user attempted to connect with SSH on 11th Sept 2024?
Answer: Saqib
#7.2 From which IP was this failed SSH connection attempt made?
Answer: 10.11.75.247
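As an added example (not from the room or this writeup), here is the parsing behind 7.1 and 7.2 done over sshd lines from auth.log: the interesting messages are "Invalid user X from IP", "Failed password for [invalid user] X from IP port N ssh2" and "Accepted <method> for X from IP". The log lines below are constructed; the username saqib and the IP 10.11.75.247 are taken from the answers above, and the hostname, PIDs, ports and the ubuntu login are invented. Note that the classic syslog timestamp has no year, so "11th Sept 2024" is inferred from which rotated file (auth.log.1) the line lives in and that file's modification time.

```python
import re
from collections import Counter

# Constructed auth.log excerpt (not copied from the lab machine).
SAMPLE_AUTH_LOG = """\
Sep 11 09:12:31 ip-10-10-1-2 sshd[1443]: Invalid user saqib from 10.11.75.247 port 51634
Sep 11 09:12:33 ip-10-10-1-2 sshd[1443]: Failed password for invalid user saqib from 10.11.75.247 port 51634 ssh2
Sep 11 09:12:35 ip-10-10-1-2 sshd[1443]: Connection closed by invalid user saqib 10.11.75.247 port 51634 [preauth]
Sep 11 09:20:00 ip-10-10-1-2 sudo:   ubuntu : TTY=pts/0 ; PWD=/home/ubuntu ; USER=root ; COMMAND=/usr/bin/apt update
Sep 12 10:00:00 ip-10-10-1-2 sshd[1500]: Accepted password for ubuntu from 10.11.75.1 port 40000 ssh2
Sep 12 10:05:12 ip-10-10-1-2 sshd[1511]: Failed password for root from 10.11.75.247 port 51640 ssh2
"""

# Syslog prefix ("Sep 11 09:12:33 host sshd[pid]: ...") for sshd only.
SSH_LINE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
AUTH_MSG = re.compile(
    r"^(?P<event>Failed|Accepted) (?P<method>\S+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)
INVALID_MSG = re.compile(r"^Invalid user (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)")


def parse_auth_log(text):
    """sshd authentication events as dicts; other daemons and sshd chatter
    that carries no user/IP pair (e.g. 'Connection closed') are skipped."""
    events = []
    for line in text.splitlines():
        head = SSH_LINE.match(line)
        if not head:
            continue
        msg = head["msg"]
        m = AUTH_MSG.match(msg)
        if m:
            event, method = m["event"], m["method"]
        else:
            m = INVALID_MSG.match(msg)
            if not m:
                continue
            event, method = "Invalid", None
        events.append({"mon": head["mon"], "day": int(head["day"]), "time": head["time"],
                       "event": event, "method": method, "user": m["user"],
                       "ip": m["ip"], "port": int(m["port"])})
    return events


def failed_ssh_logins(text, mon, day):
    """Distinct (user, ip) pairs with a failed SSH login on that calendar day."""
    return sorted({(e["user"], e["ip"]) for e in parse_auth_log(text)
                   if e["event"] == "Failed" and e["mon"] == mon and e["day"] == day})


def source_summary(text):
    """How many failed/invalid attempts each source IP made, most active first."""
    counts = Counter(e["ip"] for e in parse_auth_log(text) if e["event"] != "Accepted")
    return counts.most_common()


if __name__ == "__main__":
    text = SAMPLE_AUTH_LOG
    try:
        with open("/var/log/auth.log.1") as fh:  # the rotated file used in Task 7
            text = fh.read()
    except OSError:
        pass
    print(failed_ssh_logins(text, "Sep", 11))
    print(source_summary(text))
```

On the lab machine `grep 'Failed password' /var/log/auth.log.1` gets you to the same line, and `zgrep` covers the gzipped rotations; the parser earns its keep when you want every source IP ranked by attempts rather than one line, or when the "Invalid user" line is the only trace because the attacker gave up before a password prompt.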
Task 8: Conclusion
No answer needed.