Detection: Linux Auditd Private Keys and Certificate Enumeration

Description

The following analytic detects suspicious attempts to find private keys, which may indicate an attacker's effort to access sensitive cryptographic information. Private keys are crucial for securing encrypted communications and data, and unauthorized access to them can lead to severe security breaches, including data decryption and identity theft. By monitoring for unusual or unauthorized searches for private keys, this analytic helps identify potential threats to cryptographic security, enabling security teams to take swift action to protect the integrity and confidentiality of encrypted information.

Search

1`linux_auditd` `linux_auditd_normalized_execve_process` 
2| rename host as dest 
3| rename comm as process_name 
4| rename exe as process 
5| where (LIKE (process_exec, "%find%") OR LIKE (process_exec, "%grep%")) AND (LIKE (process_exec, "%.pem%") OR LIKE (process_exec, "%.cer%") OR LIKE (process_exec, "%.crt%") OR LIKE (process_exec, "%.pgp%") OR LIKE (process_exec, "%.key%") OR LIKE (process_exec, "%.gpg%")OR LIKE (process_exec, "%.ppk%") OR LIKE (process_exec, "%.p12%") OR LIKE (process_exec, "%.pfx%")OR LIKE (process_exec, "%.p7b%")) 
6| stats count min(_time) as firstTime max(_time) as lastTime by argc process_exec dest 
7| `security_content_ctime(firstTime)` 
8| `security_content_ctime(lastTime)`
9| `linux_auditd_private_keys_and_certificate_enumeration_filter`

Data Source

Name	Platform	Sourcetype	Source
Linux Auditd Execve	Linux	'linux:audit'	'/var/log/audit/audit.log'

Macros Used

Annotations

Default Configuration

This detection is configured by default in Splunk Enterprise Security to run with the following settings:

Implementation

To implement this detection, the process begins by ingesting auditd data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed

Known False Positives

Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives.

Associated Analytic Story

• Compromised Linux Host

• Linux Living Off The Land

• Linux Persistence Techniques

• Linux Privilege Escalation

Risk Based Analytics (RBA)

Risk Message:

A [$process_exec$] event occurred on host - [$dest$] to find private keys.

References

• https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html

• https://github.com/peass-ng/PEASS-ng/tree/master/linPEAS

Detection Testing

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

Source: GitHub | Version: 1