You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This pull request integrates Aqua Security Tracee, an eBPF-based threat detection engine with built-in signatures, into CAPEv2 for Linux dynamic analysis to complement the existing strace implementation. The log streaming implementation is similar to @winson0123's strace streaming to prevent ransomware's encryption of the logs.
Please comment if you see any issues.
Screenshots and demo
Screenshot of the Tracee Behaviour UI
Demonstration of a captured kernel module (which was encrypted and stored only in memory)
Rationale
In no order of importance:
Tracee has functionality to capture artifacts such as loaded kernel modules, suspicious memory regions and eBPF programs in their run-time state, allowing their easy extraction even from packed and encrypted malwares, aiding in dynamic analysis
Powerful filtering UI based on datatables JavaScript library
Opted for client-side data filtering for performance reasons and to ease server load
Compressed (gzipped) data format for storage in CAPE report (~10x compression and bandwidth savings due to JSON log format)
Able to store uncompressed fields if required, e.g. for integration into CAPE signatures (future work)
Tracee has advanced built-in signatures for many suspicious behaviours such as:
Dynamic Code Loading
Fileless Execution
Hidden File Created
Syscall Table Hooking
kallsyms_lookup_name - it could be used in some rootkits, likely until recently... (it's an interesting story)
Illegitimate Shell - detect instances where a web server program spawns a shell
Loader Preload - identifies manipulation of LD_PRELOAD and LD_LIBRARY_PATH environment variables, or similar methods which can potentially be leveraged for code injection
Process VM Write - detect potential code injection attacks using the process_vm_writev syscall
Scheduled Task Modification - like cron
Standard I/O Over Socket - potential remote shell
Many more...
Built-in signatures make it easier for users to identify and narrow down suspicious behaviours compared to sifting through many syscalls
Tracee operates at the eBPF level, making it harder (but not impossible) to detect than strace by malware.
Trying it out
To get started, use the branch theoleecj2/CAPEv2 -> tracee.
Run docker pull docker.io/aquasec/tracee:0.20.0 in a Ubuntu VM which already has the CAPE agent running. For best results, use Ubuntu 20.04.
Side Note: Some rootkits and malware you may find online may require kallsyms_lookup_name which is affected in Linux kernel versions > 5.7. See here for more information.
Then docker image tag aquasec/tracee:0.20.0 aquasec/tracee:latest to record v0.20.0 as the latest.
Add tracee_linux = yes to the auxiliary.conf's [auxiliary_modules] section and
For further demonstration, you can try https://github.com/citronneur/pamspy which loads an eBPF program to steal credentials. The eBPF should be captured by Tracee in 'Dropped Files'.
Limitations
Tracee sometimes does not de-reference pointers while strace can capture the contents. The Tracee implementation here is not 100% reliable, and we are working on improving it (for instance, we have added a health check).
Common Issues
You need to have the strace auxiliary module enabled. Processing for strace need not be enabled, but you can enable it to observe the Tracee module's weaknesses and strengths compared to it.
The event capturing is not 100% reliable. If a task's Tracee output looks incorrect, please try again.
hello, thank you for such a great contribution, i will merge it , but some parts will be moved to community repo to clarify that is not done by core devs
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Tracee Pull Request
This pull request integrates Aqua Security Tracee, an eBPF-based threat detection engine with built-in signatures, into CAPEv2 for Linux dynamic analysis to complement the existing
straceimplementation. The log streaming implementation is similar to @winson0123'sstracestreaming to prevent ransomware's encryption of the logs.Please comment if you see any issues.
Screenshots and demo
Screenshot of the Tracee Behaviour UI
Demonstration of a captured kernel module (which was encrypted and stored only in memory)
Rationale
In no order of importance:
kallsyms_lookup_name- it could be used in some rootkits, likely until recently... (it's an interesting story)LD_PRELOADandLD_LIBRARY_PATHenvironment variables, or similar methods which can potentially be leveraged for code injectionprocess_vm_writevsyscallstraceby malware.Trying it out
To get started, use the branch theoleecj2/CAPEv2 -> tracee.
Run
docker pull docker.io/aquasec/tracee:0.20.0in a Ubuntu VM which already has the CAPE agent running. For best results, use Ubuntu 20.04.Then
docker image tag aquasec/tracee:0.20.0 aquasec/tracee:latestto record v0.20.0 as the latest.Add
tracee_linux = yesto the auxiliary.conf's[auxiliary_modules]section andinto processing.conf.
You can obtain a live malware sample for Linux to load into CAPEv2 from https://bazaar.abuse.ch/sample/bd0141e88a0d56b508bc52db4dab68a49b6027a486e4d9514ec0db006fe71eed/. Please be careful with this file as it's an actual malware. We do not take responsibility for anything that goes wrong.
For further demonstration, you can try https://github.com/citronneur/pamspy which loads an eBPF program to steal credentials. The eBPF should be captured by Tracee in 'Dropped Files'.
Limitations
Tracee sometimes does not de-reference pointers while
stracecan capture the contents. The Tracee implementation here is not 100% reliable, and we are working on improving it (for instance, we have added a health check).Common Issues
You need to have the
straceauxiliary module enabled. Processing forstraceneed not be enabled, but you can enable it to observe the Tracee module's weaknesses and strengths compared to it.The event capturing is not 100% reliable. If a task's Tracee output looks incorrect, please try again.
Check that you have
/opt/CAPEv2/data/linux/linux-syscalls.json. If not, you can obtain it from https://raw.githubusercontent.com/mebeim/linux-syscalls/master/db/x86/64/x64/v6.5/table.json.