Linux Malware (Scenario2)

The Linux Malware scenario uses the same infrastructure as the videoserver-scenario:

../_images/AttackBed-Videoserver.png

Attacker Steps:

  1. Malware is installed and persisted:

    1. sliver is installed via systemd(T1569, T1547, T1037)

    2. sliver is executed via cronjob(T1053)

  2. Malware executes commands (T1106, T1622, T1140)

  3. Malware exfiltrates data(/etc/shadow) (T1071,T1132,T1001,T1573,T1572, T1041, T1048, T1030, T1020)

  4. Malware uses a tar-archiv(T1560, T1074,T1005)

  5. Malware discovers password policy(T1201)

  6. Malware uploads nmap(T1105)

  7. Malware executes nmap (T1046, T1018)

  8. Attacker installs LD_PRELOAD Rootkit(T1014, T1564, T1574)

  9. Attacker uses rootkit to gain root-privileges (T1574)

  10. Attacker hides process via rootkit(T1014)

  11. Hidden rootuser runs find against suid files(T1083)

  12. Hidden rootuser discovers group-files(T1069)

  13. Hidden rootuser runs nmap(T1046, T1018)

  14. Hidden rootuser discovers password policy(T1201)