Bring your own file system (BYOF) tool executed


What happened

A Bring Your Own Filesystem (BYOF) tool was executed, which attackers can abuse to download and access additional utilities.

Goal

Detect execution of the BYOF tool proot, which attackers may use to download and access additional malicious tools.

Strategy

This rule monitors for execution of the proot binary and detects processes spawned from the path */freeroot/root.sh, a file system previously observed in BYOF compromises.
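To make the two conditions above concrete, here is an added example (not the rule's own implementation) that evaluates them over constructed process events. Field names such as `exe`, `argv`, `parent_exe` and `parent_argv` are assumptions for this example, and "spawned from" is interpreted as the parent process's executable or script argument matching `*/freeroot/root.sh`.

```python
import fnmatch
import os

# Indicators named in the rule description.
PROOT_NAME = "proot"
ROOT_SH_GLOB = "*/freeroot/root.sh"

# Constructed sample process events (not real telemetry). The field names are
# assumptions for this example, not any agent's actual event schema.
SAMPLE_EVENTS = [
    {"pid": 4101, "ppid": 4000, "exe": "/tmp/proot",
     "argv": ["/tmp/proot", "-S", "/tmp/freeroot", "/bin/sh"],
     "parent_exe": "/bin/bash", "parent_argv": ["bash", "/tmp/freeroot/root.sh"]},
    {"pid": 4102, "ppid": 4101, "exe": "/bin/sh", "argv": ["sh"],
     "parent_exe": "/home/user/freeroot/root.sh",
     "parent_argv": ["/home/user/freeroot/root.sh"]},
    {"pid": 4103, "ppid": 1, "exe": "/usr/sbin/sshd", "argv": ["sshd", "-D"],
     "parent_exe": "/sbin/init", "parent_argv": ["/sbin/init"]},
]


def _matches_root_sh(paths):
    """True if any path (executable or argument) matches */freeroot/root.sh."""
    return any(fnmatch.fnmatchcase(p, ROOT_SH_GLOB) for p in paths)


def classify(ev):
    """Return the rule conditions an event satisfies (empty list = no match)."""
    reasons = []
    argv0 = ev["argv"][0] if ev["argv"] else ""
    # Condition 1: the proot binary itself was executed (by path or argv[0]).
    if PROOT_NAME in (os.path.basename(ev["exe"]), os.path.basename(argv0)):
        reasons.append("proot executed")
    # Condition 2: the parent is the root.sh script, run directly or via an interpreter.
    if _matches_root_sh([ev["parent_exe"], *ev["parent_argv"]]):
        reasons.append("spawned from */freeroot/root.sh")
    return reasons


def detect(events):
    """Evaluate the rule over events; return {pid: reasons} for matching ones."""
    hits = {}
    for ev in events:
        reasons = classify(ev)
        if reasons:
            hits[ev["pid"]] = reasons
    return hits


if __name__ == "__main__":
    for pid, reasons in detect(SAMPLE_EVENTS).items():
        print(f"pid {pid}: {', '.join(reasons)}")
```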

Triage and response

  1. Review the process tree to understand what initiated the proot execution.
  2. Investigate the filesystem and determine if this is authorized activity.
  3. If the activity is unauthorized, isolate the affected system and investigate the initial access point.
  4. Review related signals and events to establish a timeline of the compromise.

Requires Agent version 7.27 or greater.