【Elkeid 策略】完美检测:从RCE到容器逃逸
Elkeid 策略分享会持续从特定case入手提供Elkeid 策略编写的相关建议,以供社区利用Elkeid建设生产网防御能力时进行参考
===
靶场环境
模拟真实业务环境存在漏洞
CVE-2019-11043
漏洞简介:
- 当nginx配置不当时,会导致PHP-FPM远程任意代码执行。
漏洞环境复现:
- 可以使用vulhub复现,这也是本文后续的测试环境
漏洞利用:
-
PoC本文不做详细介绍,读者可自行查阅资料。
漏洞利用过程
环境探测
-
扫描目标主机开放端口,发现如下web服务
-
利用扫描器尝试进行payload注入
获得控制权
-
利用CVE-2019-11043,获取webshell
Docker逃逸
-
环境信息收集,判断为docker环境,发现docker的网络模式为host
-
尝试docker逃逸
获取宿主机权限
-
通过容器逃逸,获取宿主机权限
-
获取逃逸权限之后,可以尝试添加public key,或者crontab任务等方式实现驻留
使用Elkeid防御
策略建设思路
一般来说,我们往往认为机器上存在恶意命令执行,即可被判断是一次攻击。那么如何定义恶意命令执行?防御方不可能将所有潜在高危程序都定义成恶意命令,这会干扰正常运维行为。因此具体到高危命令执行的时候,需要深入分析思考攻击行为和运维行为在数据中产生的差异,并进而形成固定的策略。下面我们会分析攻击者的行为,以及策略上可以从哪些方面进行应对。
PHP RCE
首先攻击者通过PHP的RCE漏洞获取webshell。在这个方面,相关行为的直接描述为存在php的进程派生了新的进程并执行了某些敏感行为。因此策略可以围绕这个方面进行编写,我们通过pid_tree信息来获取敏感行为的进程派生来源,再通过argv和exe字段对敏感行为进行定位即可捕获到可作为PHP RCE的基础特征。
到这一步已经描述了php 派生敏感行为的类RCE 行为。但这里由于部分业务可能常用php进行命令执行,因此可以通过对特定的业务行为(exe)加白,或者通过对业务进程树(pid_tree)进行加白等方式,来规避业务进程。
Elkeid告警样例
以下是对PHP执行的whoami进行告警的行为样例
{"SMITH_ALETR_DATA": {"RULE_INFO": {"Action": null,"AffectedTarget": "host_process","Desc": "业务PHP服务执行敏感shell命令,可能存在rce行为","DesignateNode": null,"FreqCountField": "","FreqCountType": "","FreqHitReset": false,"FreqRange": 0,"HarmLevel": "critical","KillChainID": "persistent","RuleID": "critical_php_rce_alert","RuleName": "critical_php_rce_alert","RuleType": "Detection","Threshold": ""}},"SMITH_DELAY": 617619137,"SMITH_INPUT": "hids","SMITH_KEY": "4791538632986456002","SMITH_TIMESTAM": 1622108165882525400,"agent_id": "x","alert": true,"argv": "whoami","comm": "whoami","data_type": "59","dip": "-1","dport": "-1","ex_ipv4_list": "","ex_ipv6_list": "","exe": "/usr/bin/whoami","exe_hash": "3ab86fa77d1b458f","hostname": "x","in_ipv4_list": "x","in_ipv6_list": "x","ip": "x","ld_preload": "-1","nodename": "x","pgid": "3924847","pgid_argv": "php-fpm: master process (/etc/php/7.0/fpm/php-fpm.conf)","pid": "328110","pid_tree": "328110.whoami<328109.sh<3924849.php-fpm7.0<3924847.php-fpm7.0<1864761.systemd<1864626.containerd-shim<1.systemd","pns": "4026531836","pod_name": "","ppid": "328109","ppid_argv": "whoami","res": "0","risk": 4,"root_pns": "4026531836","run_path": "/home/work/web/help_content_creat/get_doc","sa_family": "-1","sessionid": "4294967295","sid": "3924847","sip": "-1","socket_argv": "-3","socket_pid": "-1","sport": "-1","ssh": "-1","stdin": "socket:[1407106981]","stdout": "pipe:[1615343709]","tgid": "328110","time_pkg": "1622108164","tty": "-1","type": "HIDS_WARN","uid": "33","username": "www-data","version": "1.6.0.38"}
运营人员也可以依据如sid或者pid_tree等进行进一步溯源,来快速判断影响程度。
后门下载类行为
攻击者利用PHP的RCE漏洞获取了webshell权限之后,植入了后门,这一系列行为虽然是攻击行为,但是和正常文件下载并没有很明显的区别,因此策略不能在这部分卡点进行直出告警,但可以通过关联行为进行行为分析,如果有足够的异常行为,可以进行告警。
Docker逃逸
攻击者利用webshell获取权限之后,发现处于docker环境当中,收集信息准备尝试逃逸。利用docker逃逸到宿主机,完成权限提升。这时可以通过对常见的docker逃逸手段编写策略,形成单点告警。在这个case中,是利用特权容器挂载cgroup进行逃逸,可以同归对cgroup的修改行为进行第二次直出告警。
Elkeid告警样例
需要注意的是,这个告警本身是对尝试修改cgroup release agent相关的告警,但在告警中会被Elkeid本身采集更多的有效信息。从pid_tree中可以进一步发现 Shell 这个进程存在前后关联,并存在对外部IP的访问。这时单看数据/告警基本可以确定存在入侵行为了,这需要安全人员拉起对应的应急响应流程,并进行止损和阻断。
{"SMITH_ALETR_DATA": {"RULE_INFO": {"Action": null,"AffectedTarget": "service","Author": "x","Desc": "存在针对cgroup notify agent进行修改的行为","DesignateNode": null,"FreqCountField": "","FreqCountType": "","FreqHitReset": false,"FreqRange": 0,"HarmLevel": "critical","KillChainID": "critical","RuleID": "critical_docker_cgroup_change_alert","RuleName": "critical_docker_cgroup_change_alert","RuleType": "Detection","Threshold": ""}},"SMITH_DELAY": 805459957,"SMITH_INPUT": "hids","SMITH_KEY": "4791538632986456793","SMITH_TIMESTAM": 1622108284874768400,"agent_id": "x","alert": true,"argv": "vi /sys/fs/cgroup/systemd/notify_on_release","comm": "vi","data_type": "59","dip": "39.102.74.228","dport": "8783","ex_ipv4_list": "","ex_ipv6_list": "","exe": "/usr/bin/vim.basic","exe_hash": "5b20d82478b368bf","hostname": "x","in_ipv4_list": "x","in_ipv6_list": "x","ip": "x","ld_preload": "-1","nodename": "x","pgid": "295749","pgid_argv": "-3","pid": "840528","pid_tree": "840528.vi<617060.sh<295749.bash<295659.shell<1864761.systemd<1864626.containerd-shim<1.systemd","pns": "4026531836","pod_name": "dp-daafa1d3ce-7b9cc5456c-wr545","ppid": "617060","ppid_argv": "sh","res": "0","risk": 4,"root_pns": "4026531836","run_path": "/home/work/web/help_content_creat/get_doc","sa_family": "2","sessionid": "4294967295","sid": "295659","sip": "x","socket_argv": "shell","socket_pid": "295659","sport": "47188","ssh": "-1","stdin": "/dev/pts/0","stdout": "/dev/pts/0","tgid": "840528","time_pkg": "1622108283","tty": "pts0","type": "HIDS_WARN","uid": "0","username": "root","version": "1.6.0.38"}结语各个公司的技术栈不同,因此内网环境也有相应的区别。策略编写应该以适合自身公司告警为主。攻击和正常行为有时候界限很模糊,策略也需要在误报和及时性之间做出取舍。这里列举出的策略思路如果不加分辨直接应用,难免出现大量误报;但为了减少误报而不告警,则可能放过真正的攻击行为。而Elkeid所提供强大的数据采集能力则是极大的丰富了能直接编写直出告警的可用数据。针对较难区分的,也可以通过联系上下文信息,准确发现恶意攻击行为。
相关链接
Elkeid 项目链接:
Github:https://github.com/bytedance/Elkeid
相关文章:
Elkeid(原AgentSmith-HIDS) vs. AuditD
Elkeid Server 开源 && Elkeid Agent 更新
【Elkeid 策略】抗击黑客:如何利用Elkeid构建入侵检测能力
Elkeid 飞书用户群
飞书下载链接:https://www.feishu.cn/download
===
