Vulnerabilities
Misconfiguration
Runtime Security
Compliance
Tracee > Defense Evasion >

Syscall Table Hooking Detected

HIGH
Source
Tracee
ID
TRC-1030
Version
1
Date
10 Apr 2024

Syscall Table Hooking Detected

Syscall table hooking detected. Syscalls (system calls) are the interface between user applications and the kernel. By hooking the syscall table an adversary gains control on certain system function, such as file writing and reading or other basic function performed by the operation system. The adversary may also hijack the execution flow and execute it’s own code. Syscall table hooking is considered a malicious behavior that is performed by rootkits and may indicate that the host’s kernel has been compromised. Hidden modules are marked as hidden symbol owners and indicate further malicious activity of an adversary.

MITRE ATT&CK

Defense Evasion: Rootkit

Go Source

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69

package main

import (
	"fmt"

	"github.com/aquasecurity/tracee/types/detect"
	"github.com/aquasecurity/tracee/types/protocol"
	"github.com/aquasecurity/tracee/types/trace"
)

type SyscallTableHooking struct {
	cb detect.SignatureHandler
}

func (sig *SyscallTableHooking) Init(ctx detect.SignatureContext) error {
	sig.cb = ctx.Callback
	return nil
}

func (sig *SyscallTableHooking) GetMetadata() (detect.SignatureMetadata, error) {
	return detect.SignatureMetadata{
		ID:          "TRC-1030",
		Version:     "1",
		Name:        "Syscall table hooking detected",
		EventName:   "syscall_hooking",
		Description: "Syscall table hooking detected. Syscalls (system calls) are the interface between user applications and the kernel. By hooking the syscall table an adversary gains control on certain system function, such as file writing and reading or other basic function performed by the operation system. The adversary may also hijack the execution flow and execute it's own code. Syscall table hooking is considered a malicious behavior that is performed by rootkits and may indicate that the host's kernel has been compromised. Hidden modules are marked as hidden symbol owners and indicate further malicious activity of an adversary.",
		Properties: map[string]interface{}{
			"Severity":             3,
			"Category":             "defense-evasion",
			"Technique":            "Rootkit",
			"Kubernetes_Technique": "",
			"id":                   "attack-pattern--0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b",
			"external_id":          "T1014",
		},
	}, nil
}

func (sig *SyscallTableHooking) GetSelectedEvents() ([]detect.SignatureEventSelector, error) {
	return []detect.SignatureEventSelector{
		{Source: "tracee", Name: "hooked_syscall", Origin: "*"},
	}, nil
}

func (sig *SyscallTableHooking) OnEvent(event protocol.Event) error {
	eventObj, ok := event.Payload.(trace.Event)
	if !ok {
		return fmt.Errorf("invalid event")
	}

	switch eventObj.EventName {
	case "hooked_syscall":
		metadata, err := sig.GetMetadata()
		if err != nil {
			return err
		}
		sig.cb(&detect.Finding{
			SigMetadata: metadata,
			Event:       event,
		})
	}

	return nil
}

func (sig *SyscallTableHooking) OnSignal(s detect.Signal) error {
	return nil
}
func (sig *SyscallTableHooking) Close() {}
Aqua Security is the largest pure-play cloud native security company, providing customers the freedom to innovate and run their businesses with minimal friction. The Aqua Cloud Native Security Platform provides prevention, detection, and response automation across the entire application lifecycle to secure the build, secure cloud infrastructure and secure running workloads wherever they are deployed.
Copyright © 2024 Aqua Security Software Ltd.   Privacy Policy | Terms of Use