UTMStack
Linux Detection Gaps

This document provides a comprehensive analysis of current detection gaps within Linux environments, detailing missing coverage for reverse shells, privilege escalation, defense evasion, and advanced exploitation techniques.


Threat Architecture & Attack Paths

The current detection posture leaves several critical paths in the Linux attack lifecycle unmonitored. The diagram below illustrates how initial access vectors can progress to full system compromise without triggering alerts in the current configuration.

Critical Visibility Gap Identified
The current environment has zero reverse shell detection, no webshell activity detection, no hack tool signatures, and extremely limited credential access/persistence coverage. Immediate remediation is required for the Critical Priority items.

Critical Priority Gaps

These gaps represent immediate, actively exploited techniques that currently bypass all alerting mechanisms. They primarily cover execution and initial access persistence.

Reverse Shells and Webshells

The most severe gap is the lack of reverse shell detection. Attackers utilizing common living-off-the-land binaries (LOLBins) can establish C2 connections undetected.

Exploitation and Injection

Implementation Priority: When deploying rules, prioritize proc_creation_lnx_webshell_detection.yml and proc_creation_lnx_susp_java_children.yml on external-facing assets first, as these catch the initial exploitation phase before reverse shells are even established.

High Priority Gaps

High priority gaps cover post-exploitation activities, including defense evasion, privilege escalation, and specific high-impact threats like ransomware and cryptominers.

Defense Evasion & Credential Access

Attackers frequently attempt to blind defenders and steal credentials immediately after gaining a foothold.

  • Log Clearing (T1070.002): Execution of rm, shred, or unlink targeting /var/log.

  • History Deletion (T1565.001): Deletion of .bash_history or .zsh_history.

  • Security Tool Disabling (T1562.004): Stopping services like iptables, firewalld, cbdaemon, falcon-sensor, or SELinux via systemctl.

  • Credential Access (T1565.001 / T1552.001): Modifying /etc/passwd or /etc/shadow, or copying these files to /tmp for exfiltration.

Persistence & Privilege Escalation

Advanced Threats & Execution

  • Execution from /tmp (T1036 / T1059.004): Processes executing from /tmp/ or /dev/shm, often combined with curl/wget for multi-stage payloads.

  • PTY Upgrades (T1059): Using python -c 'import pty; pty.spawn("/bin/bash")' to upgrade a dumb shell to a fully interactive TTY.

  • Crypto Mining (T1496): Execution arguments like --cpu-priority, --donate-level, stratum+tcp://, or connections to known Monero mining pools.

  • ESXi Ransomware (T1529): Execution of esxcli vm process kill, a known pre-encryption step for ESXiArgs ransomware.

  • Cloud Agent Hijacking (T1219.002): Unauthorized re-registration of the amazon-ssm-agent.

  • BPFDoor (T1106): Access to specific files associated with the BPFDoor APT rootkit.
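The Defense Evasion & Credential Access and Advanced Threats & Execution bullets above all describe selections over linux/process_creation events. The matcher below is an added illustration (not UTMStack's or SigmaHQ's code) that encodes several of those bullets as predicates and runs them over constructed sample events; the Image/CommandLine field names follow the Sigma process_creation convention and are an assumption about the log source, and hosts and pool names in the samples are placeholders.

```python
# Added example: minimal matcher for the Linux process_creation gaps listed above.
# Field names (Image, CommandLine) assume Sigma's process_creation log-source mapping.
import re


def base(event):
    """Basename of the executed image, e.g. '/usr/bin/rm' -> 'rm'."""
    return event["Image"].rsplit("/", 1)[-1]


# (rule name, MITRE technique as given in the gap list, predicate over one event)
RULES = [
    ("Log Clearing", "T1070.002",
     lambda e: base(e) in {"rm", "shred", "unlink"} and "/var/log" in e["CommandLine"]),
    ("History Deletion", "T1565.001",
     lambda e: base(e) in {"rm", "shred", "unlink"}
     and re.search(r"\.(bash|zsh)_history", e["CommandLine"])),
    ("Security Tool Disabling", "T1562.004",
     lambda e: base(e) == "systemctl"
     and re.search(r"\b(stop|disable)\b", e["CommandLine"])
     and re.search(r"iptables|firewalld|cbdaemon|falcon-sensor|selinux", e["CommandLine"], re.I)),
    ("Credential File Copy", "T1552.001",
     lambda e: base(e) == "cp" and re.search(r"/etc/(passwd|shadow)", e["CommandLine"])
     and "/tmp" in e["CommandLine"]),
    ("Execution from /tmp", "T1036",
     lambda e: e["Image"].startswith(("/tmp/", "/dev/shm/"))),
    ("PTY Upgrade", "T1059",
     lambda e: base(e).startswith("python") and "pty.spawn(" in e["CommandLine"]),
    ("Crypto Mining", "T1496",
     lambda e: re.search(r"--cpu-priority|--donate-level|stratum\+tcp://", e["CommandLine"])),
]


def detect(event):
    """Return the names of every rule the process-creation event matches (may be several)."""
    return [name for name, _tid, pred in RULES if pred(event)]


SAMPLE_EVENTS = [  # constructed sample telemetry, not real captures
    {"Image": "/usr/bin/rm", "CommandLine": "rm -f /var/log/auth.log"},
    {"Image": "/usr/bin/rm", "CommandLine": "rm ~/.bash_history"},
    {"Image": "/usr/bin/systemctl", "CommandLine": "systemctl stop falcon-sensor"},
    {"Image": "/usr/bin/cp", "CommandLine": "cp /etc/shadow /tmp/.s"},
    {"Image": "/tmp/.x/payload", "CommandLine": "/tmp/.x/payload"},
    {"Image": "/usr/bin/python3", "CommandLine": "python3 -c 'import pty; pty.spawn(\"/bin/bash\")'"},
    {"Image": "/tmp/xmrig", "CommandLine": "xmrig -o stratum+tcp://pool.example:3333 --donate-level 1"},
    {"Image": "/usr/bin/rm", "CommandLine": "rm /tmp/build.log"},  # benign: must not match
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(f"{ev['CommandLine']!r:72} -> {detect(ev) or 'no match'}")
```

The last sample event shows why the /var/log and history-file qualifiers matter: a plain rm in a build directory stays silent, which is the kind of baseline check the Remediation Workflow's audit-only phase is meant to confirm.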

Medium Priority & Cross-Platform Gaps

The following gaps represent alternative execution methods, specialized rootkits, and macOS-specific threats that should be addressed after Critical and High priorities are resolved.

  • Alternative Reverse Shells (T1059): Perl (fdopen+Socket) and Ruby (TCPSocket) reverse shell patterns.

  • Immutable Flag Removal (T1222.002): Execution of chattr -i, commonly used by ransomware and rootkits to prevent file deletion.

  • Timestomping (T1070.006): Using touch -t on .service files to hide modifications.

  • Process Injection (T1055.009): Using dd to write directly to /proc/PID/mem.

  • Named Pipes (T1059): Creating named pipes (mkfifo) in /tmp, associated with Barracuda ESG exploitation.

  • Container Discovery (T1082): Reading /proc/*/cgroup to detect containerized environments.

  • Vulnerability Exploitation: Shellshock patterns such as "() { :; };" (T1505.003) and OMIGOD SCX exploitation (T1068, T1190).

  • Rootkits & Certificates: Triple Cross eBPF rootkit installation (sudo tc + qdisc/filter) and unauthorized root certificate installation (update-ca-certificates).

While primarily focused on Linux, several macOS gaps were identified in the Unix-like ecosystem:

  • Gatekeeper Bypass (T1553.001): Execution of xattr -d com.apple.quarantine.

  • Root Account Enablement (T1078): Execution of the dsenableroot command.

  • Time Machine Deletion (T1490): Execution of tmutil delete, a common ransomware preparation step.

  • Keychain Dumping (T1555.001): Using security find-certificate, export, or dump-keychain.

  • Malware Indicators (C2): Specific patterns for WizardUpdate and XCSSET malware infections.

  • Current Coverage: ~97 rules

  • Identified Gaps: 47

  • Key Areas: While basic AWS/Azure/GCP operations have good coverage, advanced attacks like Golden SAML and Azure Identity abuse require additional rule deployment.

Remediation Workflow

To systematically close these detection gaps, follow this deployment pipeline:

Import the Critical Priority Sigma rules (L1-L10) into your SIEM. Set the initial action to "Audit" or "Log Only" to baseline the environment and identify any administrative scripts (e.g., legitimate backup scripts using nc) that might trigger false positives.

Carefully tune proc_creation_lnx_webshell_detection.yml and proc_creation_lnx_susp_java_children.yml. Exclude known, expected child processes for your specific Java applications and web server architectures.

Once baselined, promote the reverse shell rules (Netcat, Python, Bash, PHP) to high-severity alerts. These should have near-zero false positives in a healthy production environment.

Roll out the High Priority rules (L11-L29), focusing first on Defense Evasion (log clearing) and Credential Access (/etc/shadow access), as these provide high-fidelity indicators of compromise.

All referenced Sigma rules can be found in the official SigmaHQ GitHub Repository. Ensure your SIEM's Sigma compiler is updated to support the latest log source mappings for linux/process_creation and linux/auditd.

UTMStack © 2026 All rights reserved