Vulnerabilities
Misconfiguration
Runtime Security
Compliance
Tracee > Defense Evasion >

File Operations Hooking On Proc Filesystem Detected

HIGH
Source
Tracee
ID
TRC-1020
Version
1
Date
10 Nov 2024

File Operations Hooking On Proc Filesystem Detected

File operations hooking on proc filesystem detected. The proc filesystem is an interface for the running processes as files. This allows programs like ps and top to check what are the running processes. File operations are the functions defined on a file or directory. File operations hooking includes replacing the default function used to perform a basic task on files and directories like enumerating files. By hooking the file operations of /proc an adversary gains control on certain system function, such as file listing or other basic function performed by the operation system. The adversary may also hijack the execution flow and execute it’s own code. File operation hooking is considered a malicious behavior that is performed by rootkits and may indicate that the host’s kernel has been compromised. Hidden modules are marked as hidden symbol owners and indicate further malicious activity of an adversary.

MITRE ATT&CK

Defense Evasion: Rootkit

Go Source

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77

package main

import (
	"fmt"

	"github.com/aquasecurity/tracee/signatures/helpers"
	"github.com/aquasecurity/tracee/types/detect"
	"github.com/aquasecurity/tracee/types/protocol"
	"github.com/aquasecurity/tracee/types/trace"
)

type ProcFopsHooking struct {
	cb detect.SignatureHandler
}

func (sig *ProcFopsHooking) Init(ctx detect.SignatureContext) error {
	sig.cb = ctx.Callback
	return nil
}

func (sig *ProcFopsHooking) GetMetadata() (detect.SignatureMetadata, error) {
	return detect.SignatureMetadata{
		ID:          "TRC-1020",
		Version:     "1",
		Name:        "File operations hooking on proc filesystem detected",
		EventName:   "proc_fops_hooking",
		Description: "File operations hooking on proc filesystem detected. The proc filesystem is an interface for the running processes as files. This allows programs like `ps` and `top` to check what are the running processes. File operations are the functions defined on a file or directory. File operations hooking includes replacing the default function used to perform a basic task on files and directories like enumerating files. By hooking the file operations of /proc an adversary gains control on certain system function, such as file listing or other basic function performed by the operation system. The adversary may also hijack the execution flow and execute it's own code. File operation hooking is considered a malicious behavior that is performed by rootkits and may indicate that the host's kernel has been compromised. Hidden modules are marked as hidden symbol owners and indicate further malicious activity of an adversary.",
		Properties: map[string]interface{}{
			"Severity":             3,
			"Category":             "defense-evasion",
			"Technique":            "Rootkit",
			"Kubernetes_Technique": "",
			"id":                   "attack-pattern--0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b",
			"external_id":          "T1014",
		},
	}, nil
}

func (sig *ProcFopsHooking) GetSelectedEvents() ([]detect.SignatureEventSelector, error) {
	return []detect.SignatureEventSelector{
		{Source: "tracee", Name: "hooked_proc_fops", Origin: "host"},
	}, nil
}

func (sig *ProcFopsHooking) OnEvent(event protocol.Event) error {
	eventObj, ok := event.Payload.(trace.Event)
	if !ok {
		return fmt.Errorf("invalid event")
	}

	switch eventObj.EventName {
	case "hooked_proc_fops":
		hookedSymbolSlice, err := helpers.GetTraceeHookedSymbolDataArgumentByName(eventObj, "hooked_fops_pointers")
		if err != nil {
			return err
		}

		if len(hookedSymbolSlice) > 0 {
			metadata, err := sig.GetMetadata()
			if err != nil {
				return err
			}
			sig.cb(&detect.Finding{
				SigMetadata: metadata,
				Event:       event,
				Data:        map[string]interface{}{"Hooked proc file operations": hookedSymbolSlice},
			})
		}
	}

	return nil
}

func (sig *ProcFopsHooking) OnSignal(s detect.Signal) error {
	return nil
}
func (sig *ProcFopsHooking) Close() {}
Aqua Security is the largest pure-play cloud native security company, providing customers the freedom to innovate and run their businesses with minimal friction. The Aqua Cloud Native Security Platform provides prevention, detection, and response automation across the entire application lifecycle to secure the build, secure cloud infrastructure and secure running workloads wherever they are deployed.
Copyright © 2024 Aqua Security Software Ltd.   Privacy Policy | Terms of Use