Hidden processes, typically created by rootkits, are a common way for attackers to conceal malicious activity. Argus's rootcheck module (the check_pids check) finds them by probing every possible PID with system calls such as getsid(), getpgid() and kill(pid, 0) and flagging any PID that the kernel acknowledges but that does not appear in /proc or in the ps output. This use case demonstrates that detection by deploying the Diamorphine rootkit on an Ubuntu system and hiding a running process with it.
Infrastructure
- Ubuntu 22.04: Endpoint running the Argus agent, where the Diamorphine rootkit is deployed and rootcheck is configured to detect the hidden process.
Configuration Steps
1. Install the Build Tools and Kernel Headers
Switch to the root user, refresh the package index and install the compiler, make, git and the headers for the running kernel (Diamorphine builds against /lib/modules/$(uname -r)/build, so the headers must match the kernel you are booted into):
sudo su
apt update
apt -y install gcc make git linux-headers-$(uname -r)
2. Configure the Argus Agent for Frequent Rootcheck Scans
Edit /var/ossec/etc/ossec.conf on the agent and, inside the <ossec_config> block, enable the rootcheck module with all checks turned on and a scan frequency of 120 seconds (2 minutes) so the detection shows up quickly during the test:
<rootcheck>
<disabled>no</disabled>
<check_files>yes</check_files>
<check_trojans>yes</check_trojans>
<check_dev>yes</check_dev>
<check_sys>yes</check_sys>
<check_pids>yes</check_pids>
<check_ports>yes</check_ports>
<check_if>yes</check_if>
<frequency>120</frequency> <!-- seconds; scan every 2 minutes -->
<rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
<rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
<skip_nfs>yes</skip_nfs>
</rootcheck>
Restart the Argus agent to apply the changes:
systemctl restart wazuh-agent
Attack Emulation
1. Download and Compile the Diamorphine Rootkit
Clone the Diamorphine rootkit source code from GitHub:
git clone https://github.com/m0nad/Diamorphine
cd Diamorphine
make
2. Load the Rootkit
Load the kernel module:
insmod diamorphine.ko
Note: If insmod fails (e.g. with Invalid parameters), reboot and try again. Loading also requires root and a kernel that accepts unsigned modules; on a Secure Boot system, Ubuntu's kernel lockdown rejects the unsigned diamorphine.ko.
3. Hide and Unhide the Rootkit
- Signal 63 toggles the module's visibility. The target PID is irrelevant because Diamorphine's hooked kill() handler consumes the signal before it reaches any process:
kill -63 <PID>
- Verify the module is hidden (the command prints nothing while the module is hidden; send signal 63 again to make it reappear):
lsmod | grep diamorphine
4. Hide a Specific Process
- Identify the PID of a process (e.g., rsyslogd):
ps auxw | grep rsyslogd | grep -v grep
- Use kill signal 31 to hide the process:
kill -31 <PID_OF_RSYSLOGD>
- Verify the process is hidden (the same command now prints nothing, although rsyslogd keeps running and logging):
ps auxw | grep rsyslogd | grep -v grep
Detection
Argus's next rootcheck scan (at most two minutes away with the frequency set above) finds a PID that answers its probes but is missing from the process listing and raises an alert for the hidden rsyslogd process.
- To view the alerts:
- Open the Argus dashboard.
- Navigate to the Threat Hunting module.
- Apply the filter: rule.groups:rootcheck.
Sending kill -31 to the same PID again unhides the process; once it is visible, subsequent scans stop alerting on it.
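To corroborate a rootcheck alert without the dashboard, or simply to see what the hidden-process check is doing, the following script is an added example (not Argus/Wazuh or Diamorphine code) that performs the same comparison in shell: probe every PID with kill -0 and report the ones the kernel acknowledges but a directory listing of /proc omits. It assumes a Linux host with /proc mounted, root privileges (as rootcheck has), and the constructed file name hidden_pids.sh; with Diamorphine loaded and rsyslogd hidden as above, it should print rsyslogd's PID.

```shell
#!/bin/sh
# Added example (not part of Argus/Wazuh or Diamorphine): a standalone
# hidden-PID scan that mirrors the idea behind rootcheck's check_pids.
# Diamorphine hides a process by filtering it out of directory listings of
# /proc (the view ps and top read), but the kernel still knows the PID, so
# kill(pid, 0) keeps succeeding for it. Run as root: without CAP_KILL the
# probe fails with EPERM for other users' processes and they are skipped.

# pid_alive PID -> exit 0 if the kernel has a process for PID. kill -0
# delivers no signal; as root it fails only with ESRCH (no such process).
pid_alive() {
    kill -0 "$1" 2>/dev/null
}

# visible_pids -> one PID per line, from a directory listing of /proc.
# Deliberately a readdir (what the rootkit tampers with), not a stat of
# /proc/<pid>, which Diamorphine leaves reachable.
visible_pids() {
    for d in /proc/[0-9]*; do
        printf '%s\n' "${d##*/}"
    done
}

# listed_in_proc PID -> exit 0 if PID appears in a fresh /proc listing.
listed_in_proc() {
    visible_pids | grep -qx -- "$1"
}

# find_hidden_pids [MAX] -> print each PID in 1..MAX (default: pid_max) that
# the kernel says exists but a /proc listing omits. No output means clean.
find_hidden_pids() {
    max=${1:-$(cat /proc/sys/kernel/pid_max)}
    snap=" $(visible_pids | tr '\n' ' ')"   # " 1 2 17 ... " for membership tests
    pid=1
    while [ "$pid" -le "$max" ]; do
        if pid_alive "$pid"; then
            case $snap in
                *" $pid "*) ;;   # alive and listed: an ordinary process
                *)
                    # Re-check both views to rule out races: a process that
                    # started after the snapshot is listed now; one that has
                    # exited since the probe is no longer alive.
                    if ! listed_in_proc "$pid" && pid_alive "$pid"; then
                        printf '%s\n' "$pid"
                    fi
                    ;;
            esac
        fi
        pid=$((pid + 1))
    done
}

# Entry point (constructed): sh hidden_pids.sh scan [MAX]
if [ "${1:-}" = scan ]; then
    found=$(find_hidden_pids "${2:-}")
    if [ -z "$found" ]; then
        echo "no hidden PIDs found"
    else
        for pid in $found; do
            # A direct path lookup of /proc/<pid>/comm usually still works
            # for a PID that is only missing from the directory listing.
            comm=$(cat "/proc/$pid/comm" 2>/dev/null || echo '?')
            echo "HIDDEN pid=$pid comm=$comm"
        done
    fi
fi
```

Pass a smaller upper bound while experimenting (for example sh hidden_pids.sh scan 65536); a full pass up to pid_max (4194304 on current Ubuntu) takes tens of seconds in a shell loop, which is one reason rootcheck does this work in C. The snapshot-then-recheck structure matters: without the second look, any process that starts or exits during the scan would be reported as hidden.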
Summary
Argus's rootcheck module detects rootkits and hidden processes by cross-checking what the kernel reports about each PID against what the process listing shows. Simulating the attack with the Diamorphine rootkit is a quick way to verify that detection end to end and to review the resulting alerts in the dashboard.