Bring your own file system (BYOF) tool executed
What happened
A Bring Your Own Filesystem (BYOF) tool was executed, which attackers can abuse to download and access additional utilities.
Goal
Detect execution of the BYOF tool proot, which attackers may use to download and access additional malicious tools.
Strategy
This rule monitors for execution of the proot binary and detects processes spawned from the path */freeroot/root.sh, a file system previously observed in BYOF compromises.
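As an added example (not Datadog's rule definition or agent code), the following Python scanner applies the two conditions named above, execution of a file named proot and involvement of the */freeroot/root.sh path, to a batch of constructed process-execution events. It goes beyond the rule text in two labelled ways: it also matches the launcher when the script is passed to a shell interpreter as an argument, and it walks the parent chain so that any child spawned by the launcher is attributed to it. The event field names, the shell list and the sample events are assumptions made for this example.

```python
"""Added example (not Datadog's rule logic): flag BYOF activity in a batch of
process execution events by matching the proot binary and the */freeroot/root.sh
launcher path, then attributing children of the launcher via the parent chain."""
import fnmatch
import os
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PROOT_BINARY = "proot"
FREEROOT_GLOB = "*/freeroot/root.sh"          # path pattern quoted in the rule text
SHELLS = {"sh", "bash", "dash", "zsh"}        # assumption: interpreters that run root.sh


@dataclass
class ProcessEvent:
    """Minimal process-exec record; the field names are assumptions for this example."""
    pid: int
    ppid: int
    exe_path: str          # absolute path of the executed file
    args: List[str]        # argv as recorded at exec time


def is_proot(event: ProcessEvent) -> bool:
    """True when the executed file is named proot, wherever it lives on disk."""
    return os.path.basename(event.exe_path) == PROOT_BINARY


def touches_freeroot(event: ProcessEvent) -> bool:
    """True when the executable itself matches the launcher pattern, or when a shell
    interpreter is handed the launcher as a script argument (an extension of the
    rule text; restricting argv matching to shells avoids flagging 'cat root.sh')."""
    if fnmatch.fnmatch(event.exe_path, FREEROOT_GLOB):
        return True
    if os.path.basename(event.exe_path) in SHELLS:
        return any(fnmatch.fnmatch(a, FREEROOT_GLOB) for a in event.args[1:])
    return False


def ancestors(event: ProcessEvent, by_pid: Dict[int, ProcessEvent]) -> List[ProcessEvent]:
    """Walk ppid links upward; stop at an unknown parent or a cycle."""
    chain: List[ProcessEvent] = []
    seen = {event.pid}
    cur = by_pid.get(event.ppid)
    while cur is not None and cur.pid not in seen:
        chain.append(cur)
        seen.add(cur.pid)
        cur = by_pid.get(cur.ppid)
    return chain


def classify(event: ProcessEvent, by_pid: Dict[int, ProcessEvent]) -> Optional[str]:
    """Return a verdict label, or None when the event does not match."""
    if is_proot(event):
        return "proot_exec"
    if touches_freeroot(event):
        return "freeroot_launcher"
    if any(touches_freeroot(a) for a in ancestors(event, by_pid)):
        return "spawned_from_freeroot"
    return None


def scan(events: List[ProcessEvent]) -> List[Tuple[int, str, str]]:
    """Classify every event; returns (pid, exe_path, verdict) for matches only."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        verdict = classify(e, by_pid)
        if verdict:
            hits.append((e.pid, e.exe_path, verdict))
    return hits


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    ProcessEvent(1,   0,   "/sbin/init",           ["init"]),
    ProcessEvent(100, 1,   "/usr/bin/bash",        ["bash"]),
    ProcessEvent(200, 100, "/bin/sh",              ["sh", "/tmp/freeroot/root.sh"]),
    ProcessEvent(201, 200, "/tmp/freeroot/proot",  ["proot", "-S", "/tmp/freeroot/rootfs"]),
    ProcessEvent(202, 200, "/usr/bin/wget",        ["wget", "http://example.invalid/"]),
    ProcessEvent(300, 1,   "/usr/bin/ls",          ["ls", "/freeroot"]),    # benign: not the launcher
    ProcessEvent(400, 1,   "/usr/local/bin/proot", ["proot", "--help"]),    # flagged; triage decides
]

if __name__ == "__main__":
    for pid, path, verdict in scan(SAMPLE_EVENTS):
        print(f"pid={pid:<4} {verdict:<24} {path}")
```

Every proot execution is reported, including the stand-alone one with pid 400, because the rule text flags the binary itself; deciding whether that execution is authorized is the job of the triage steps below, which is why the verdict carries the process tree context (the parent chain) that review needs.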
Triage and response
- Review the process tree to understand what initiated the proot execution.
- Investigate the filesystem and determine if this is authorized activity.
- If the activity is unauthorized, isolate the affected system and investigate the initial access point.
- Review related signals and events to establish a timeline of the compromise.
Requires Agent version 7.27 or greater.