Tracee > Defense Evasion > File Operations Hooking On Proc Filesystem Detected
HIGH
Source
Tracee
ID
TRC-1020
Version
1
Date
1 Dec 2022

File Operations Hooking On Proc Filesystem Detected

File operations hooking on proc filesystem detected. The proc filesystem is an interface for the running processes as files. This allows programs like ps and top to check what are the running processes. File operations are the functions defined on a file or directory. File operations hooking includes replacing the default function used to perform a basic task on files and directories like enumerating files. By hooking the file operations of /proc an adversary gains control on certain system function, such as file listing or other basic function performed by the operation system. The adversary may also hijack the execution flow and execute it’s own code. File operation hooking is considered a malicious behavior that is performed by rootkits and may indicate that the host’s kernel has been compromised. Hidden modules are marked as hidden symbol owners and indicate further malicious activity of an adversary.

MITRE ATT&CK

Defense Evasion: Rootkit

Go Source

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
package main

import (
	"fmt"

	"github.com/aquasecurity/tracee/signatures/helpers"
	"github.com/aquasecurity/tracee/types/detect"
	"github.com/aquasecurity/tracee/types/protocol"
	"github.com/aquasecurity/tracee/types/trace"
)

type ProcFopsHooking struct {
	cb detect.SignatureHandler
}

func (sig *ProcFopsHooking) Init(cb detect.SignatureHandler) error {
	sig.cb = cb
	return nil
}

func (sig *ProcFopsHooking) GetMetadata() (detect.SignatureMetadata, error) {
	return detect.SignatureMetadata{
		ID:          "TRC-1020",
		Version:     "1",
		Name:        "File operations hooking on proc filesystem detected",
		Description: "File operations hooking on proc filesystem detected. The proc filesystem is an interface for the running processes as files. This allows programs like `ps` and `top` to check what are the running processes. File operations are the functions defined on a file or directory. File operations hooking includes replacing the default function used to perform a basic task on files and directories like enumerating files. By hooking the file operations of /proc an adversary gains control on certain system function, such as file listing or other basic function performed by the operation system. The adversary may also hijack the execution flow and execute it's own code. File operation hooking is considered a malicious behavior that is performed by rootkits and may indicate that the host's kernel has been compromised. Hidden modules are marked as hidden symbol owners and indicate further malicious activity of an adversary.",
		Properties: map[string]interface{}{
			"Severity":             3,
			"Category":             "defense-evasion",
			"Technique":            "Rootkit",
			"Kubernetes_Technique": "",
			"id":                   "attack-pattern--0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b",
			"external_id":          "T1014",
		},
	}, nil
}

func (sig *ProcFopsHooking) GetSelectedEvents() ([]detect.SignatureEventSelector, error) {
	return []detect.SignatureEventSelector{
		{Source: "tracee", Name: "hooked_proc_fops", Origin: "host"},
	}, nil
}

func (sig *ProcFopsHooking) OnEvent(event protocol.Event) error {

	eventObj, ok := event.Payload.(trace.Event)
	if !ok {
		return fmt.Errorf("invalid event")
	}

	switch eventObj.EventName {

	case "hooked_proc_fops":

		hookedSymbolSlice, err := helpers.GetTraceeHookedSymbolDataArgumentByName(eventObj, "hooked_fops_pointers")
		if err != nil {
			return err
		}

		if len(hookedSymbolSlice) > 0 {
			metadata, err := sig.GetMetadata()
			if err != nil {
				return err
			}
			sig.cb(detect.Finding{
				SigMetadata: metadata,
				Event:       event,
				Data:        map[string]interface{}{"Hooked proc file operations": hookedSymbolSlice},
			})
		}

	}

	return nil
}

func (sig *ProcFopsHooking) OnSignal(s detect.Signal) error {
	return nil
}
func (sig *ProcFopsHooking) Close() {}