Sandfly 2.5.2 – Scheduling Priority, Detecting Command Line Web Servers, Port Scanners and Kernel Thread Masquerading
March 26, 2020
Sandfly 2.5.2 has been released and now allows you to set the priority of scans on remote hosts to limit processor impacts. It also expands coverage for command line web server detection, flags more port scanners, finds malicious use of packet sniffers and increases the kinds of kernel thread masquerading attacks we can detect.
On top of this we have added a new ad hoc scanning feature to the API. This allows you to quickly call out to Sandfly through the API to initiate a scan on hosts with disposable credentials as needed.
Sandfly Schedule Priority
Sandfly has always been designed to have low system impacts and be easy to install, however one thing customers have asked for is a way to prioritize our scans if the remote system is under heavy load. We now can do that.
In our scheduler we now have the ability to set a Linux compatible priority (a nice value) for our scans. The Linux convention is a range from -20 (highest priority) through 0 (the default) to 19 (lowest priority). Previously Sandfly always ran at the system default of 0, but now you can set the value in the scheduler. The new default is 10, which is a medium-low priority. This ensures that Sandfly can run on all your systems with even lower risk of impacting their core tasks if they are under heavy load.
During the upgrade to 2.5.2 your existing schedules will be converted to the new priority format with the default set to 10. We recommend you run it this way as it provides good performance with little risk of remote system impact.
Command Line Web Server Detection
A lot of system tools on Linux can run as a web server with a single command line. This is especially common for language interpreters like Python, PHP, Ruby and so on. While running a web server from a quick command line is convenient for developers, it is a dangerous security practice at best, and an attacker can run the same command to exfiltrate data from the remote system.
For example, we’ll run a simple command line Python3 web server on port 8000 to show you what can happen if an attacker is able to execute the same thing. The commands we’ll use are the following:
cd /
python3 -m http.server 8000
The above commands change to the root directory and start a web server on TCP port 8000 that serves everything beneath it. After this we connect to the target host on port 8000. Finally, we can browse the entire file system and download anything we want as demonstrated below:
This kind of attack can happen if an intruder is able to get a process on the remote system to execute the above command. Once it is running, they can download passwords, SSH keys, config files, or confidential data such as databases. They could also run a remote shell and gain further access.
In this update, we are flagging anything that looks like a command line web server for common programs such as Python, PHP, Ruby, Perl, Erlang, webfsd and busybox.
Again, a command line web server is not always malicious. However, it often is a bad practice unless done for a very specific reason with appropriate security controls in place.
Detect More Common Port Scanners
We’ve added more common port scanners to the list we search for on the remote host. We now flag programs like hping, nping and masscan along with nmap. These port scanning utilities can be legitimate, but if you don’t know why they are running on a host they should be investigated to be sure they aren’t part of an automated piece of malware.
More Kernel Thread Masquerading Detection
We’ve expanded and improved the kind of kernel thread masquerading attacks we can spot. We now use multiple search methods to detect this tactic and it will find most malware and rootkits we’ve seen trying to hide with it.
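To illustrate the tactic, here is an added example of the kind of invariant checking that exposes a user-space process pretending to be a kernel thread. It is not Sandfly's detection code and the page does not say which methods Sandfly uses; it relies only on three documented facts about genuine Linux kernel threads: they are children of kthreadd (PID 2), their /proc/PID/cmdline is empty (which is why ps prints them in square brackets), and /proc/PID/exe has no target. The process snapshot below is constructed for the example.

```python
"""Spot user-space processes masquerading as kernel threads.

Added example, not Sandfly's own code. Malware that renames itself
"[kworker/0:1]" via argv[0] or prctl(PR_SET_NAME) breaks at least one of
the kernel-thread invariants checked in masquerade_reasons().
"""
import os
import re

KTHREADD = 2
BRACKETED = re.compile(r"^\[[^\]]*\]$")   # what ps prints for an empty cmdline

# Constructed snapshot (not from a real host) in the shape read_proc() returns.
SNAPSHOT = [
    {"pid": 2,    "ppid": 0,    "comm": "kthreadd",     "state": "S", "cmdline": "",                 "exe": None},
    {"pid": 17,   "ppid": 2,    "comm": "kworker/0:1",  "state": "I", "cmdline": "",                 "exe": None},
    {"pid": 1201, "ppid": 1,    "comm": "sshd",         "state": "S", "cmdline": "/usr/sbin/sshd -D", "exe": "/usr/sbin/sshd"},
    # argv[0] rewritten to mimic ps output; parent is init and exe resolves
    {"pid": 2444, "ppid": 1,    "comm": "kworker/u8:3", "state": "S", "cmdline": "[kworker/u8:3]",   "exe": "/tmp/.x/kw"},
    # comm set with prctl and argv zeroed; only the parent and exe give it away
    {"pid": 2590, "ppid": 2444, "comm": "ksoftirqd/0",  "state": "S", "cmdline": "",                 "exe": "/dev/shm/.k"},
    # a zombie also has no cmdline or exe; it is not a masquerade
    {"pid": 2601, "ppid": 1201, "comm": "sh",           "state": "Z", "cmdline": "",                 "exe": None},
]


def looks_like_kernel_thread(p):
    """True if ps would show this process in brackets (or it wrote them itself)."""
    return p["cmdline"] == "" or BRACKETED.match(p["cmdline"]) is not None


def masquerade_reasons(p):
    """Return the invariants a kernel-thread-looking process violates (empty if clean)."""
    if p["pid"] == KTHREADD or p["state"] == "Z" or not looks_like_kernel_thread(p):
        return []
    reasons = []
    if p["ppid"] != KTHREADD:
        reasons.append(f"parent is PID {p['ppid']}, not kthreadd")
    if p["exe"] is not None:
        reasons.append(f"has an executable image: {p['exe']}")
    if p["cmdline"] != "":
        reasons.append("cmdline is non-empty; the brackets were written by the process")
    return reasons


def find_masqueraders(snapshot):
    """Map pid -> reasons for every process that fails a kernel-thread invariant."""
    found = {}
    for p in snapshot:
        reasons = masquerade_reasons(p)
        if reasons:
            found[p["pid"]] = reasons
    return found


def read_proc():
    """Collect the same fields from a live /proc (Linux only).

    Run as root: /proc/PID/exe of another user's process is unreadable
    otherwise and would look like a kernel thread's missing target.
    """
    procs = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            with open(f"/proc/{pid}/stat") as f:
                stat = f.read()
            with open(f"/proc/{pid}/cmdline", "rb") as f:
                cmdline = f.read().replace(b"\0", b" ").strip().decode(errors="replace")
        except OSError:
            continue                          # process exited while we looked
        # comm sits in parentheses and may itself contain spaces or ')'
        comm = stat[stat.index("(") + 1:stat.rindex(")")]
        state, ppid = stat[stat.rindex(")") + 2:].split()[:2]
        try:
            exe = os.readlink(f"/proc/{pid}/exe")
        except OSError:
            exe = None                        # kernel threads and zombies have no target
        procs.append({"pid": pid, "ppid": int(ppid), "comm": comm,
                      "state": state, "cmdline": cmdline, "exe": exe})
    return procs


if __name__ == "__main__":
    snapshot = read_proc() if os.path.isdir("/proc") else SNAPSHOT
    for pid, reasons in sorted(find_masqueraders(snapshot).items()):
        print(pid, "; ".join(reasons))
```

The zombie case matters in practice: a reaped-but-not-collected child also loses its cmdline and exe target, so a check that only looked at those two fields would raise false alarms on every zombie. A rootkit that hides its /proc entry defeats this check entirely, which is why a single method is never enough.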
Malicious Network Sniffer Detection
We already flag processes running as network sniffers, but now we’ve added new methods to find sniffers operating with deliberate command line options associated with credential theft. For instance, someone running a tcpdump process watching traffic for FTP and POP3 protocols is likely trying to steal unencrypted credentials. We will flag any process we see that is sniffing traffic with suspicious command lines.
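The command line web server, port scanner and credential-sniffer checks described in the three sections above all come down to the same thing: classifying a process by its program name and arguments. The following added example (not Sandfly's own checks) does that over `ps -eo pid=,args=` output. The specific argument patterns it keys on for each interpreter, the list of scanner and sniffer program names, and the set of cleartext-credential protocols and ports are this example's assumptions; the ps output it scans is constructed.

```python
"""Flag command-line web servers, port scanners and credential-hunting
sniffers from `ps -eo pid=,args=` output.

Added illustration, not Sandfly's detection logic. The patterns below are
assumptions about what each tool's one-line server or sniffer invocation
looks like; extend them for your environment.
"""
import os
import shlex

WEB_MODULES = {"http.server", "SimpleHTTPServer", "CGIHTTPServer"}
SCANNERS = {"nmap", "masscan", "hping", "hping2", "hping3", "nping"}
SNIFFERS = {"tcpdump", "tshark", "tcpflow"}
# Protocols that carry credentials in the clear; BPF filters name them by
# service name or port number, so both spellings are listed (assumption).
CLEARTEXT = {"ftp", "21", "telnet", "23", "pop3", "110", "imap", "143"}

# Constructed sample, not a real host.
SAMPLE_PS = """\
    1 /sbin/init
  812 /usr/sbin/sshd -D
 1490 python3 -m http.server 8000
 1503 php -S 0.0.0.0:8080 -t /var/www
 1511 ruby -run -e httpd /srv -p 9090
 1520 busybox httpd -p 8000 -h /
 1533 python3 -m json.tool /etc/config.json
 1601 /usr/bin/nmap -sS -p- 10.0.0.0/24
 1610 masscan -p22,443 10.0.0.0/8 --rate 10000
 1702 tcpdump -i eth0 -A port ftp or port pop3
 1710 tcpdump -i eth0 -w /tmp/cap.pcap port 443
 1722 tshark -i any -f "tcp port 110"
"""


def python_modules(rest):
    """Collect modules named by -m (both '-m mod' and '-mmod' forms)."""
    mods, take_next = set(), False
    for arg in rest:
        if take_next:
            mods.add(arg)
            take_next = False
        elif arg == "-m":
            take_next = True
        elif arg.startswith("-m"):
            mods.add(arg[2:])
    return mods


def is_cli_web_server(name, rest):
    if name.startswith("python"):     # python3 -m http.server 8000
        return bool(python_modules(rest) & WEB_MODULES)
    if name.startswith("php"):        # php -S 0.0.0.0:8080 -t /var/www
        return "-S" in rest
    if name.startswith("ruby"):       # ruby -run -e httpd . -p 8000
        return "-run" in rest and "httpd" in rest
    if name.startswith("perl"):       # perl -MHTTP::Daemon -e '...'
        return any(a.startswith("-MHTTP::") for a in rest)
    if name == "erl":                 # erl -s inets start -eval 'inets:start(httpd, ...)'
        return "inets" in rest and any("httpd" in a for a in rest)
    if name == "busybox":             # busybox httpd -p 8000 -h /
        return bool(rest) and rest[0] == "httpd"
    return name == "webfsd"           # webfsd is only ever a web server


def classify(argv):
    """Return a category for one argv, or None if nothing looks suspicious."""
    name, rest = os.path.basename(argv[0]), argv[1:]
    if is_cli_web_server(name, rest):
        return "web_server"
    if name in SCANNERS:
        return "port_scanner"
    if name in SNIFFERS:
        # Split quoted filters ("tcp port 110") into words before matching.
        words = {w.strip("()\"'").lower() for a in rest for w in a.split()}
        return "credential_sniffer" if words & CLEARTEXT else "sniffer"
    return None


def scan_ps_output(text):
    """Map pid -> (category, tool) for every flagged line of ps output."""
    flagged = {}
    for line in text.splitlines():
        pid, _, args = line.strip().partition(" ")
        if not pid.isdigit() or not args:
            continue
        try:
            argv = shlex.split(args)
        except ValueError:            # unbalanced quotes in a hostile cmdline
            argv = args.split()
        if not argv:
            continue
        category = classify(argv)
        if category:
            flagged[int(pid)] = (category, os.path.basename(argv[0]))
    return flagged


if __name__ == "__main__":
    import subprocess
    try:
        text = subprocess.run(["ps", "-eo", "pid=,args="],
                              capture_output=True, text=True).stdout
    except OSError:
        text = SAMPLE_PS
    for pid, (category, tool) in sorted(scan_ps_output(text or SAMPLE_PS).items()):
        print(f"{pid:>7} {category:<18} {tool}")
```

The sample deliberately includes `python3 -m json.tool` and a tcpdump writing port 443 to a pcap: the first is an interpreter that is not serving anything, the second is a sniffer whose filter has nothing to do with credentials, so both should stay below the credential-theft bar. Argument matching of this kind is a heuristic and an attacker can rename binaries or obfuscate options; treat a hit as a reason to look, not as proof.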
Ad Hoc Scanning
Finally, we have added a new ad hoc scanning method to the REST API. This new method allows you to quickly scan hosts or IP address ranges with a list of sandflies and a one-time credential of your choice. You can see the interface for this new feature here: Ad Hoc Scanning REST API
This new API allows you to scan hosts that have not been previously registered. Sandfly will take the list of hosts, or IP address range, and use your supplied credentials for a one-time scan. The results are returned as normal but the credentials are not stored for re-use. In this way, you can use short-lived SSH certificates or normal credentials to do a scan on demand and get immediate results.
The above graphic shows the options available. If you need assistance with this new feature, please contact us and we will be able to demonstrate it and help you.
Because Sandfly is agentless, we can connect to the remote Linux host and get results back to you in under 15 seconds in almost all cases. The new ad hoc feature means you can begin using Sandfly inside SOAR tools or command line scripts for on-demand scans for attacks and incident response. It is very powerful and allows you to easily use Sandfly in a headless manner to leverage your existing tooling.
How to Upgrade Sandfly
Sandfly is easy to upgrade. Please follow the instructions here: Upgrading Sandfly
767 Sandfly Checks and Growing
Sandfly 2.5.2 has now brought the number of compromise and incident response checks we do on Linux up to 767. We can spot a tremendous amount of Linux malware, rootkits and intruder activity without loading any agents on your endpoints and without disruptive updates. Thank you for using our product.