@TcM1911 (Contributor) commented Aug 5, 2021

This PR is for some Linux rules as part of mandiant/capa#699.

Example analysis:

+------------------------+------------------------------------------------------------------------------------+
| md5                    | 7351f8a40c5450557b24622417fc478d                                                   |
| sha1                   | 8766d7e0c943ea66ebe90030617881a899b2aa11                                           |
| sha256                 | 0423258b94e8a9af58ad63ea493818618de2d8c60cf75ec7980edcaa34dcc919                   |
| path                   | /[REDACTED]/redxor/po1kitd-update-k                                                |
+------------------------+------------------------------------------------------------------------------------+

+------------------------+------------------------------------------------------------------------------------+
| ATT&CK Tactic          | ATT&CK Technique                                                                   |
|------------------------+------------------------------------------------------------------------------------|
| DEFENSE EVASION        | Obfuscated Files or Information:: T1027                                            |
|                        | Obfuscated Files or Information::Indicator Removal from Tools T1027.005            |
| DISCOVERY              | System Information Discovery:: T1082                                               |
| EXECUTION              | Command and Scripting Interpreter::Unix Shell T1059.004                            |
| PERSISTENCE            | Boot or Logon Autostart Execution::XDG Autostart Entries T1547.013                 |
|                        | Boot or Logon Initialization Scripts::RC Scripts T1037.004                         |
|                        | Event Triggered Execution::Unix Shell Configuration Modification T1546.004         |
+------------------------+------------------------------------------------------------------------------------+

+-----------------------------+-------------------------------------------------------------------------------+
| MBC Objective               | MBC Behavior                                                                  |
|-----------------------------+-------------------------------------------------------------------------------|
| ANTI-STATIC ANALYSIS        | Disassembler Evasion::Argument Obfuscation [B0012.001]                        |
| COMMAND AND CONTROL         | C2 Communication::Receive Data [B0030.002]                                    |
|                             | C2 Communication::Send Data [B0030.001]                                       |
| COMMUNICATION               | DNS Communication::Resolve [C0011.001]                                        |
|                             | HTTP Communication::Send Request [C0002.003]                                  |
|                             | Socket Communication::Connect Socket [C0001.004]                              |
|                             | Socket Communication::Create TCP Socket [C0001.011]                           |
|                             | Socket Communication::Create UDP Socket [C0001.010]                           |
|                             | Socket Communication::Receive Data [C0001.006]                                |
|                             | Socket Communication::Send Data [C0001.007]                                   |
|                             | Socket Communication::TCP Client [C0001.008]                                  |
| CRYPTOGRAPHY                | Encrypt Data::RC4 [C0027.009]                                                 |
|                             | Generate Pseudo-random Sequence::RC4 PRGA [C0021.004]                         |
| DATA                        | Check String:: [C0019]                                                        |
|                             | Encode Data::Base64 [C0026.001]                                               |
| DEFENSE EVASION             | Obfuscated Files or Information::Encoding-Standard Algorithm [E1027.m02]      |
| FILE SYSTEM                 | Delete File:: [C0047]                                                         |
|                             | Read File:: [C0051]                                                           |
|                             | Writes File:: [C0052]                                                         |
| IMPACT                      | Remote Access::Reverse Shell [B0022.001]                                      |
| PROCESS                     | Create Mutex:: [C0042]                                                        |
|                             | Create Process:: [C0017]                                                      |
|                             | Create Thread:: [C0038]                                                       |
|                             | Terminate Process:: [C0018]                                                   |
+-----------------------------+-------------------------------------------------------------------------------+

+------------------------------------------------------+------------------------------------------------------+
| CAPABILITY                                           | NAMESPACE                                            |
|------------------------------------------------------+------------------------------------------------------|
| contain obfuscated stackstrings                      | anti-analysis/obfuscation/string/stackstring         |
| read and send data from client to server (2 matches) | c2/file-transfer                                     |
| receive and write data from server to client         | c2/file-transfer                                     |
| create unix reverse shell                            | c2/shell                                             |
| execute shell command received from socket           | c2/shell                                             |
| get current user                                     | collection                                           |
| create UDP socket (4 matches)                        | communication/socket/udp/send                        |
| act as TCP client                                    | communication/tcp/client                             |
| encode data using Base64                             | data-manipulation/encoding/base64                    |
| reference Base64 string                              | data-manipulation/encoding/base64                    |
| encrypt data using RC4 PRGA (2 matches)              | data-manipulation/encryption/rc4                     |
| change file permission (5 matches)                   | host-interaction/file-system                         |
| delete file (3 matches)                              | host-interaction/file-system/delete                  |
| move file (2 matches)                                | host-interaction/file-system/move                    |
| get CPU information                                  | host-interaction/hardware/cpu                        |
| get memory information                               | host-interaction/hardware/memory                     |
| create locked file                                   | host-interaction/mutex                               |
| resolve DNS (2 matches)                              | host-interaction/network/dns/resolve                 |
| get hostname (2 matches)                             | host-interaction/os/hostname                         |
| get distribution                                     | host-interaction/os/version                          |
| get kernel version                                   | host-interaction/os/version                          |
| terminate process via kill (3 matches)               | host-interaction/process/terminate                   |
| create thread (2 matches)                            | host-interaction/thread/create                       |
| persist via .desktop autostart                       | persistence                                          |
| persist via shell profile or rc file                 | persistence                                          |
| persist via rc script                                | persistence/service                                  |
+------------------------------------------------------+------------------------------------------------------+

@TcM1911 (Contributor, Author) commented Aug 5, 2021

PR for test file: mandiant/capa-testfiles#104

- string: "%02X-%02X-%02X-%02X-%02X-%02X"
- and:
- match: read file
- string: /\/sys\/class\/net\/\S+\/address/
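Review bot: in `/\/sys\/class\/net\/\S+\/address/` the `\S+` also consumes `/`, so the pattern accepts extra path components between `net/` and `address`; `[^/]+` pins the wildcard to a single interface name, which is all the rule needs (`lo`, `docker0`, `eth0`). The escaped slashes are only there because the value has to be written as a regex literal; a plain `string:` is an exact match and cannot express the varying interface name, which is the gap the substring discussion further down is about.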
@williballenthin (Collaborator) Aug 5, 2021

yuck these paths are ugly.

i wonder if substring literals are common enough for us to introduce a new feature/format. perhaps something like:

  1. substring: "/etc/passwd"
  2. string/substring: "/etc/passwd"
  3. string: "/etc/passwd"g

note: this specific path isn't the best example because it's actually a regex pattern, but you get the idea.

Collaborator

Yes, I think there's room for improvement here since this comes up a lot and has caused confusion (e.g. #390 (comment)).

I like option 1 then option 2.

Contributor Author

It may look ugly because it needs a wildcard for the name of the network adapter. For example /sys/class/net/lo/address, /sys/class/net/docker0/address.

- Practical Malware Analysis Lab 01-04.exe_:0x4011FC
# ntdll
- 563653399B82CD443F120ECEFF836EA3678D4CF11D9B351BB737573C2D856299:0x1400025C4
features:
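Review bot: the examples visible here (Practical Malware Analysis Lab 01-04.exe, the ntdll hash) are all Windows samples, so nothing in this list exercises the POSIX branch the PR adds to the rule. If the rule is split into "write file on POSIX" and "write file on Windows" as suggested, these examples belong to the Windows half, and the redxor sample from the PR description (sha256 0423258b94e8a9af58ad63ea493818618de2d8c60cf75ec7980edcaa34dcc919, for which the analysis reports Writes File [C0052]) is a natural first example for the POSIX half once its match address is recorded.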
Collaborator

this file is getting a bit unruly. the logic tree is so deep that it's tricky to interpret as a human.

we should probably split this file into "write file on POSIX" and "write file on Windows".

@mr-tz (Collaborator) left a comment

very cool, thanks for getting capa kickstarted for Linux/ELF support!

@@ -0,0 +1,17 @@
rule:
meta:
name: create unix reverse shell
Collaborator

we should document unix vs. linux and the preferred terms to use
I suspect the naming here comes from the ATT&CK name

Contributor Author

Yes, the name is from ATT&CK. Also, this is a higher-level rule that depends on a few lower-level rules that can be OS dependent.

@@ -0,0 +1,16 @@
rule:
meta:
name: get current user
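Review bot: nothing in the visible meta scopes `get current user` to Linux, even though the Windows counterpart is a separate rule (get session user name, noted below). Under the "XXXXX on ZZZZZ" convention proposed later in this thread the name would be "get current user on Linux", and an `os: linux` feature (also raised later) would keep the two rules from both firing on cross-platform samples.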
Collaborator

Windows rule for this: get session user name

Contributor Author

Linux doesn't use the term session username. This checks for queries via the effective user id and extracting the user's info from "passwd" or the username of the user that started the process.


@williballenthin (Collaborator)

I'd like to propose the following conventions for naming rules:

  1. when naming an OS-specific rule, use the form "XXXXX on ZZZZZ", like "get current user on Linux". if there's a specific mechanism, then it would be like "XXXX via YYYYY on ZZZZZ", like "encrypt data with RC4 via OpenSSL on Windows".

  2. start with naming the OSes we have experience and examples for (like "...on Linux"). when someone subsequently confirms the behavior matches somewhere else (like on macOS) then we can and should rename the rule. i anticipate that many patterns will work on many unix-like operating systems; however, defining these sets may be tedious and i don't want to over-engineer things too soon. so, i'd propose that we focus on the rules and samples that we know work well.

let me know what you all think. the goal isn't to be annoying or add overhead - just to strive for consistency when it makes sense. once we reach a consensus, i'll update the rule documentation with these suggestions.

@williballenthin (Collaborator) commented Aug 24, 2021

im going to take a stab at mandiant/capa#737 (substring feature) because it will improve a bunch of these rules. then i'll propose some changes to this PR and we'll get this merged in. i have no major concerns with the logic in these rules - just some tweaks to naming, splitting up a couple rules, and making use of `- os: linux`, etc.

@mr-tz (Collaborator) commented Aug 24, 2021

I'm on board with the OS conventions! Thanks for handling the substring and the updates here!

@williballenthin (Collaborator)

i'm going to merge this and then open a new PR with proposed changes for os, substring, etc.

@TcM1911 i'll tag you to review along with the rest of the crew

@williballenthin williballenthin merged commit 6f582bd into mandiant:master Aug 25, 2021
williballenthin pushed a commit that referenced this pull request Aug 25, 2021