HIGH
Source
Tracee
ID
TRC-1030
Version
1
Date
1 Dec 2022

Syscall Table Hooking Detected

Syscall table hooking detected. Syscalls (system calls) are the interface between user applications and the kernel. By hooking the syscall table, an adversary gains control over certain system functions, such as file writing and reading or other basic functions performed by the operating system. The adversary may also hijack the execution flow and execute its own code. Syscall table hooking is considered malicious behavior that is performed by rootkits and may indicate that the host’s kernel has been compromised. Hidden modules are marked as hidden symbol owners and indicate further malicious activity by an adversary.

MITRE ATT&CK

Defense Evasion: Rootkit

Go Source

package main

import (
	"fmt"

	"github.com/aquasecurity/tracee/signatures/helpers"
	"github.com/aquasecurity/tracee/types/detect"
	"github.com/aquasecurity/tracee/types/protocol"
	"github.com/aquasecurity/tracee/types/trace"
)

// SyscallTableHooking is the signature (ID TRC-1030) that reports a finding
// when a "hooked_syscalls" event lists at least one hooked syscall.
type SyscallTableHooking struct {
	// cb is the handler stored by Init; OnEvent calls it with each finding.
	// It is nil until Init has been called.
	cb detect.SignatureHandler
}

// Init stores the handler that OnEvent later calls to report findings.
// It performs no validation of cb and always returns nil.
func (sig *SyscallTableHooking) Init(cb detect.SignatureHandler) error {
	sig.cb = cb
	return nil
}

// GetMetadata returns the static description of this signature: its ID,
// version, name, human-readable description and classification properties.
// The returned error is always nil.
func (sig *SyscallTableHooking) GetMetadata() (detect.SignatureMetadata, error) {
	// Classification attached to every finding. "external_id" and "id" carry
	// the MITRE ATT&CK technique (T1014, Rootkit) and its attack-pattern
	// identifier.
	properties := map[string]interface{}{
		"Severity":             3,
		"Category":             "defense-evasion",
		"Technique":            "Rootkit",
		"Kubernetes_Technique": "",
		"id":                   "attack-pattern--0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b",
		"external_id":          "T1014",
	}

	metadata := detect.SignatureMetadata{
		ID:          "TRC-1030",
		Version:     "1",
		Name:        "Syscall table hooking detected",
		Description: "Syscall table hooking detected. Syscalls (system calls) are the interface between user applications and the kernel. By hooking the syscall table an adversary gains control on certain system function, such as file writing and reading or other basic function performed by the operation system. The adversary may also hijack the execution flow and execute it's own code. Syscall table hooking is considered a malicious behavior that is performed by rootkits and may indicate that the host's kernel has been compromised. Hidden modules are marked as hidden symbol owners and indicate further malicious activity of an adversary.",
		Properties:  properties,
	}

	return metadata, nil
}

// GetSelectedEvents lists the events this signature subscribes to: only the
// "hooked_syscalls" event from the "tracee" source. The returned error is
// always nil.
func (sig *SyscallTableHooking) GetSelectedEvents() ([]detect.SignatureEventSelector, error) {
	// NOTE(review): Origin "*" presumably matches every origin; confirm
	// against the detect package.
	hookedSyscalls := detect.SignatureEventSelector{
		Source: "tracee",
		Name:   "hooked_syscalls",
		Origin: "*",
	}

	selectors := []detect.SignatureEventSelector{hookedSyscalls}
	return selectors, nil
}

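// OnEvent handles one event and reports a finding when a "hooked_syscalls"
// event carries at least one hooked symbol. The finding's Data holds the
// extracted list under the key "Hooked syscalls".
//
// It returns an error when the payload is not a trace.Event, when the
// "hooked_syscalls" argument cannot be extracted, when GetMetadata fails, or
// when a finding has to be reported but no handler was stored by Init.
// Events with any other name, and "hooked_syscalls" events with an empty
// list, are ignored and yield nil.
func (sig *SyscallTableHooking) OnEvent(event protocol.Event) error {
	eventObj, ok := event.Payload.(trace.Event)
	if !ok {
		return fmt.Errorf("invalid event")
	}

	if eventObj.EventName != "hooked_syscalls" {
		return nil
	}

	hookedSymbolSlice, err := helpers.GetTraceeHookedSymbolDataArgumentByName(eventObj, "hooked_syscalls")
	if err != nil {
		// %w keeps the helper's error available to errors.Is / errors.As.
		return fmt.Errorf("reading hooked_syscalls argument: %w", err)
	}
	if len(hookedSymbolSlice) == 0 {
		return nil
	}

	// Calling a nil handler would panic exactly when there is something to
	// report. Return an error instead so the missed detection is visible to
	// the caller.
	if sig.cb == nil {
		return fmt.Errorf("signature not initialized: no finding handler registered")
	}

	metadata, err := sig.GetMetadata()
	if err != nil {
		return err
	}

	sig.cb(detect.Finding{
		SigMetadata: metadata,
		Event:       event,
		Data:        map[string]interface{}{"Hooked syscalls": hookedSymbolSlice},
	})

	return nil
}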

// OnSignal ignores the signal s and always returns nil; this signature keeps
// no state that a signal would need to update.
func (sig *SyscallTableHooking) OnSignal(s detect.Signal) error {
	return nil
}
// Close is a no-op: the signature holds no resources to release.
func (sig *SyscallTableHooking) Close() {}