1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
|
package main
import (
"fmt"
"strings"
"github.com/aquasecurity/tracee/signatures/helpers"
"github.com/aquasecurity/tracee/types/detect"
"github.com/aquasecurity/tracee/types/protocol"
"github.com/aquasecurity/tracee/types/trace"
)
type LdPreload struct {
cb detect.SignatureHandler
preloadEnvs []string
preloadPath string
}
func (sig *LdPreload) Init(ctx detect.SignatureContext) error {
sig.cb = ctx.Callback
sig.preloadEnvs = []string{"LD_PRELOAD", "LD_LIBRARY_PATH"}
sig.preloadPath = "/etc/ld.so.preload"
return nil
}
func (sig *LdPreload) GetMetadata() (detect.SignatureMetadata, error) {
return detect.SignatureMetadata{
ID: "TRC-107",
Version: "1",
Name: "LD_PRELOAD code injection detected",
EventName: "ld_preload",
Description: "LD_PRELOAD usage was detected. LD_PRELOAD lets you load your library before any other library, allowing you to hook functions in a process. Adversaries may use this technique to change your applications' behavior or load their own programs.",
Properties: map[string]interface{}{
"Severity": 2,
"Category": "persistence",
"Technique": "Hijack Execution Flow",
"Kubernetes_Technique": "",
"id": "attack-pattern--aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6",
"external_id": "T1574",
},
}, nil
}
func (sig *LdPreload) GetSelectedEvents() ([]detect.SignatureEventSelector, error) {
return []detect.SignatureEventSelector{
{Source: "tracee", Name: "sched_process_exec", Origin: "*"},
{Source: "tracee", Name: "security_file_open", Origin: "*"},
{Source: "tracee", Name: "security_inode_rename", Origin: "*"},
}, nil
}
func (sig *LdPreload) OnEvent(event protocol.Event) error {
eventObj, ok := event.Payload.(trace.Event)
if !ok {
return fmt.Errorf("invalid event")
}
switch eventObj.EventName {
case "sched_process_exec":
envVars, err := helpers.GetTraceeSliceStringArgumentByName(eventObj, "env")
if err != nil {
return nil
}
for _, envVar := range envVars {
for _, preloadEnv := range sig.preloadEnvs {
if strings.HasPrefix(envVar, preloadEnv+"=") {
metadata, err := sig.GetMetadata()
if err != nil {
return err
}
sig.cb(&detect.Finding{
SigMetadata: metadata,
Event: event,
Data: map[string]interface{}{preloadEnv: envVar},
})
return nil
}
}
}
case "security_file_open":
pathname, err := helpers.GetTraceeStringArgumentByName(eventObj, "pathname")
if err != nil {
return err
}
flags, err := helpers.GetTraceeStringArgumentByName(eventObj, "flags")
if err != nil {
return err
}
if strings.HasSuffix(pathname, sig.preloadPath) && helpers.IsFileWrite(flags) {
metadata, err := sig.GetMetadata()
if err != nil {
return err
}
sig.cb(&detect.Finding{
SigMetadata: metadata,
Event: event,
Data: nil,
})
}
case "security_inode_rename":
newPath, err := helpers.GetTraceeStringArgumentByName(eventObj, "new_path")
if err != nil {
return err
}
if strings.HasSuffix(newPath, sig.preloadPath) {
metadata, err := sig.GetMetadata()
if err != nil {
return err
}
sig.cb(&detect.Finding{
SigMetadata: metadata,
Event: event,
Data: nil,
})
}
}
return nil
}
func (sig *LdPreload) OnSignal(s detect.Signal) error {
return nil
}
func (sig *LdPreload) Close() {}
|