Sandfly 2.8.2 – Over 1,000 Linux Compromise Detection Modules and More
January 20, 2021
Sandfly 2.8.2 is here and features many upgrades including over 1,000 compromise detection and incident response modules for Linux. This update features:
- User password entry decoder to search for password age, expiration and hash parameters.
- An SSH authorized_keys file decoder and many new templates to keep an eye on SSH key usage.
- Expanded ability to hunt for suspicious file artifacts left on a system which can expose compromise activity.
- New backdoor detection methods.
- Known hacking tool detections.
- New policy checks to find system misconfigurations and dangerous practices.
- Much more!
Massive Signature Boost
First, we have increased the number of signature modules now to over 1,000. This is a big landmark for us as it represents what is the widest and deepest compromise detection set for Linux in the industry. Sandfly is a powerful forensics and compromise detection tool for Linux and this new upgrade brings in many new and important investigation areas. Sandfly can detect an extremely large number of Linux compromise tactics, rootkits, exploits and suspicious activity automatically and without deploying agents.
Linux User Password Signatures and Search Tools
While we recommend everyone use SSH keys and certificates for user logins, the reality is that usernames and passwords are here for the time being and we want to make sure you have the tools to work with them and keep your systems secure. As a result, we have added password entry decoding to Sandfly. This allows us to create an entirely new suite of signatures designed to help find unusual password additions or changes, password expiration policy violations, stale accounts, obsolete password hash algorithms and much more.
There are modules available to help detect and alert on the following password fields:
- Max age allowed.
- Minimum age allowed.
- Days since password expired.
- Days since password last changed.
- Password inactivity period before being locked.
- Password change warning period.
- Password hash type.
- Duplicate password hashes.
- Password data cross-system searching.
In addition to this, we have kept other fields that identify whether a password hash is present, disabled or locked.
Find Users With New or Recently Changed Passwords
One way to leverage our new password age decoding is to use it to help find users that have recently had a new or changed password added to their account. Often attackers will add new accounts or passwords to existing accounts to allow remote access. With our new signatures you can quickly find any account that has had new passwords added or changed over a period of days you specify. We have a variety of pre-defined templates available to clone and use automatically or as part of an incident response.
To demonstrate, below we scanned a system for any new or changed passwords and flagged a suspicious “proxy” account that had a new password added five days ago.
Obsolete Password Hash Checks
Being able to check what kind of password hash a user has can spot obsolete and stale accounts. Obsolete hashes are a particular risk if the /etc/shadow file is stolen, as they allow GPU-based crackers to try an enormous number of password guesses per second and break them. Now you can look for obsolete hashes such as DES, MD5 and Blowfish as an automated policy check or on-demand.
Search for Unknown and Unencrypted Password Hash Types
In addition to looking for obsolete password hashes, we can also find unencrypted or unknown password hash types which should be investigated.
Search All Password Age Parameters
All standard Linux password age parameters can be searched and used. For instance, you can use it to search for users that have a password that has been expired for more than 30 days. This can help identify stale users and unused accounts:
Duplicate Password Hash Detection
Some malware has been known to insert multiple users with identical password hashes. These kinds of passwords are extremely suspicious under Linux. This new check will look at all users and flag any with duplicate password hashes for immediate investigation.
Custom Password Parameter Searches
As with all Sandfly checks, you can clone and customize the search parameters as needed. Below we see an example of a check that flags any user with a password hash that is unlocked. This can be useful for finding old accounts that do not use SSH keys but still have a password hash sitting around that has not been disabled.
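To make the password fields above concrete, here is an added example (not Sandfly code, and not its module format) that decodes /etc/shadow entries and runs the same kinds of searches the sections above describe: passwords changed in the last N days, passwords expired for more than N days, obsolete DES/MD5/Blowfish hashes, unknown or empty hash fields, duplicate hashes shared across accounts, and hashes that are still unlocked. The sample shadow content and every hash in it are constructed placeholders, and "today" is pinned to the post date so the results are reproducible.

```python
# Decode /etc/shadow entries and run password age, hash-type and duplicate checks.
# Added illustration, not Sandfly's own code; sample data below is constructed.
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

EPOCH = date(1970, 1, 1)
TODAY = date(2021, 1, 20)   # pinned so the results are reproducible


def to_days(d: date) -> int:
    """shadow(5) stores dates as days since the Unix epoch."""
    return (d - EPOCH).days


@dataclass
class ShadowEntry:
    user: str
    hash: str
    last_change: Optional[int]    # day of last password change
    min_days: Optional[int]       # minimum age before it may be changed again
    max_days: Optional[int]       # maximum age before it expires
    warn_days: Optional[int]      # warning period before expiry
    inactive_days: Optional[int]  # grace period after expiry before the account locks
    expire_day: Optional[int]     # absolute account expiry day


def _int_or_none(field: str) -> Optional[int]:
    return int(field) if field.strip() else None


def parse_shadow(text: str) -> List[ShadowEntry]:
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        f = (line.split(":") + [""] * 9)[:9]   # pad short lines to the 9 fields
        entries.append(ShadowEntry(f[0], f[1], *(_int_or_none(x) for x in f[2:8])))
    return entries


HASH_PREFIXES = {"$1$": "md5", "$2a$": "blowfish", "$2b$": "blowfish", "$2y$": "blowfish",
                 "$5$": "sha256", "$6$": "sha512", "$7$": "scrypt",
                 "$y$": "yescrypt", "$gy$": "gost-yescrypt"}
OBSOLETE = {"des", "md5", "blowfish"}


def hash_type(h: str) -> str:
    """Classify the password field by its crypt(3) prefix."""
    if h == "":
        return "empty"               # no password set at all
    if h.lstrip("!*") == "":
        return "locked"              # '!', '!!', '*': no usable hash behind it
    body = h.lstrip("!")             # '!$6$...' is a locked but retained hash
    for prefix, name in HASH_PREFIXES.items():
        if body.startswith(prefix):
            return name
    if len(body) == 13 and "$" not in body:
        return "des"                 # traditional 13-character DES crypt
    return "unknown"                 # plaintext, garbage or an unsupported scheme


def _usable(e: ShadowEntry) -> bool:
    return hash_type(e.hash) not in {"empty", "locked"}


def changed_within(entries, days: int, today: date = TODAY) -> List[str]:
    """Users whose password was set or changed within the last `days` days."""
    cutoff = to_days(today) - days
    return [e.user for e in entries if e.last_change is not None and e.last_change >= cutoff]


def expired_longer_than(entries, days: int, today: date = TODAY) -> List[str]:
    """Users whose password passed its maximum age more than `days` days ago."""
    hits = []
    for e in entries:
        if e.last_change is None or e.max_days is None or e.max_days >= 99999:
            continue                 # 99999 is the conventional 'never expires'
        if to_days(today) - (e.last_change + e.max_days) > days:
            hits.append(e.user)
    return hits


def obsolete_hashes(entries) -> List[str]:
    return [e.user for e in entries if hash_type(e.hash) in OBSOLETE]


def unknown_or_empty_hashes(entries) -> List[str]:
    return [e.user for e in entries if hash_type(e.hash) in {"unknown", "empty"}]


def duplicate_hashes(entries) -> Dict[str, List[str]]:
    """Map each hash shared by more than one account to the accounts using it."""
    counts = Counter(e.hash.lstrip("!") for e in entries if _usable(e))
    return {h: [e.user for e in entries if _usable(e) and e.hash.lstrip("!") == h]
            for h, n in counts.items() if n > 1}


def unlocked_hashes(entries) -> List[str]:
    """Accounts still carrying a live password hash (not locked, not empty)."""
    return [e.user for e in entries if _usable(e) and not e.hash.startswith("!")]


def _ago(n: int) -> int:
    return to_days(TODAY - timedelta(days=n))


# Constructed sample shadow file; every hash is a placeholder, not a real digest.
SAMPLE_SHADOW = "\n".join([
    f"root:$6$rsalt$rhash:{_ago(400)}:0:99999:7:::",
    f"alice:$6$asalt$ahash:{_ago(200)}:0:90:7:::",      # max age 90, expired 110 days ago
    f"proxy:$6$psalt$phash:{_ago(5)}:0:99999:7:::",       # new password five days ago
    f"carol:$6$psalt$phash:{_ago(50)}:0:99999:7:::",      # same hash as proxy
    f"bob:$1$msalt$mhash:{_ago(300)}:0:99999:7:::",       # MD5 crypt
    f"legacy:abJnggxhB/yWI:{_ago(900)}:0:99999:7:::",     # 13-character DES crypt
    f"eve:$2y$10$bsaltbhash:{_ago(30)}:0:99999:7:::",     # Blowfish/bcrypt
    f"svc::{_ago(10)}:0:99999:7:::",                      # empty password field
    f"mallory:notahash:{_ago(2)}:0:99999:7:::",           # unrecognised format
    f"dave:!$6$dsalt$dhash:{_ago(60)}:0:99999:7:::",      # locked, hash retained
    f"bin:*:{_ago(1000)}:0:99999:7:::",                   # disabled system account
])
ENTRIES = parse_shadow(SAMPLE_SHADOW)

if __name__ == "__main__":
    print("changed in last 7 days:", changed_within(ENTRIES, 7))
    print("expired > 30 days:", expired_longer_than(ENTRIES, 30))
    print("obsolete hashes:", obsolete_hashes(ENTRIES))
    print("unknown/empty:", unknown_or_empty_hashes(ENTRIES))
    print("duplicate hashes:", duplicate_hashes(ENTRIES))
    print("unlocked hashes:", unlocked_hashes(ENTRIES))
```

Run against the constructed data, the checks single out the "proxy" account with a five-day-old password, "alice" whose password has been expired for 110 days, the DES/MD5/Blowfish accounts, the empty and unrecognised password fields, and the hash shared by "proxy" and "carol". A locked-but-retained hash such as "dave" is classified by its real algorithm but excluded from the unlocked search, which is the distinction the custom search above relies on.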
SSH Key Decoding
We now parse the SSH authorized_keys and authorized_keys2 files and pull out all SSH login public key information. All of the following parameters can be searched for with templates or built-in modules to do SSH key threat hunting:
- Key comments.
- Full key entry.
- Key hash (hash of key itself to search across all systems).
- SSH options.
- SSH key type.
- Duplicate key entries.
- authorized_keys path.
- authorized_keys file attributes (size, hash, ownership, etc.).
SSH Duplicate Keys
Sandfly will identify duplicate SSH keys present in an authorized_keys or authorized_keys2 file. This will find entries that may be stale, unintended duplicates or other misconfiguration. Linux malware sometimes inserts duplicate keys into the same file and this will also be spotted.
Weak SSH Keys
We will now check for SSH keys using ECDSA NIST algorithms that are suspected of being weakened by the NSA to allow easier compromise. If you are concerned about this risk you can enable these checks and move users to a more secure ed25519 key.
Custom SSH Key Searches
You can build searches for any SSH authorized_keys parameters of interest. We have many templates included to allow you to quickly complete many SSH search/hunt tasks. All elements of the SSH key can be searched for including the actual key, comments, options, key type or sanitized hash values of the key.
For instance, if you have identified a key used as part of an incident (or one that has been compromised in some other way), you can create a search for it to see where it is being used. Below we show a sample SSH banned key search across all hosts, which is a rapid way to track down compromised accounts:
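As an added example (not Sandfly code or its template format), the following parser pulls the same fields out of an authorized_keys file that the SSH key decoding section lists: options, key type, the key itself, the comment and a SHA-256 fingerprint of the key, in the same "SHA256:..." form that ssh-keygen -l -E sha256 prints. On top of that it runs the duplicate-key check, the ECDSA NIST curve check, an option search, and the banned-key search across a file. The authorized_keys content is constructed, and the key blobs are syntactically valid but are not real keys.

```python
# Parse authorized_keys entries, fingerprint each key and run duplicate, weak-curve,
# option and banned-key searches. Added illustration, not Sandfly's own code.
import base64
import hashlib
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

KEY_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519",
             "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
             "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com"}


@dataclass
class AuthorizedKey:
    path: str
    line_no: int
    options: str       # e.g. command="...",no-pty ; empty when the line has none
    key_type: str
    key_b64: str
    comment: str
    fingerprint: str   # SHA256:<base64>, as printed by ssh-keygen -l -E sha256


def fingerprint(key_b64: str) -> str:
    """SHA-256 of the decoded key blob, base64 without padding."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def _split_options(line: str) -> Tuple[str, str]:
    """Options end at the first whitespace that is not inside double quotes."""
    quoted = False
    for i, ch in enumerate(line):
        if ch == '"' and (i == 0 or line[i - 1] != "\\"):
            quoted = not quoted
        elif ch.isspace() and not quoted:
            return line[:i], line[i + 1:].lstrip()
    return line, ""


def parse_authorized_keys(text: str, path: str) -> List[AuthorizedKey]:
    keys = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        first = line.split(None, 1)[0]
        options, rest = ("", line) if first in KEY_TYPES else _split_options(line)
        parts = rest.split(None, 2)
        if len(parts) < 2 or parts[0] not in KEY_TYPES:
            continue   # unparseable line; a real hunt would flag it rather than skip it
        comment = parts[2].strip() if len(parts) == 3 else ""
        keys.append(AuthorizedKey(path, n, options, parts[0], parts[1], comment,
                                  fingerprint(parts[1])))
    return keys


def duplicate_keys(keys) -> Dict[str, List[int]]:
    """Fingerprints that occur more than once in one file, with their line numbers."""
    seen = defaultdict(list)
    for k in keys:
        seen[(k.path, k.fingerprint)].append(k.line_no)
    return {fp: lines for (_, fp), lines in seen.items() if len(lines) > 1}


def weak_nist_keys(keys) -> List[AuthorizedKey]:
    """ECDSA keys on the NIST curves; the post recommends moving these users to ed25519."""
    return [k for k in keys
            if k.key_type.startswith(("ecdsa-sha2-nistp", "sk-ecdsa-sha2-nistp"))]


def find_fingerprints(keys, wanted: Set[str]) -> List[AuthorizedKey]:
    """Locate every entry whose fingerprint is on a banned or compromised list."""
    return [k for k in keys if k.fingerprint in wanted]


def find_by_option(keys, option: str) -> List[AuthorizedKey]:
    return [k for k in keys if option in k.options]


def _blob(key_type: str, payload: bytes) -> str:
    """Syntactically valid public-key blob (length-prefixed strings); not a real key."""
    def s(b: bytes) -> bytes:
        return len(b).to_bytes(4, "big") + b
    return base64.b64encode(s(key_type.encode()) + s(payload)).decode()


# Constructed sample authorized_keys content.
_A = _blob("ssh-ed25519", b"\x01" * 32)
_B = _blob("ssh-rsa", b"\x02" * 64)
_C = _blob("ecdsa-sha2-nistp256", b"\x03" * 65)
_D = _blob("ssh-ed25519", b"\x04" * 32)
SAMPLE_FILE = "\n".join([
    "# constructed sample, not a real file",
    f"ssh-ed25519 {_A} alice@laptop",
    f'command="/usr/bin/backup --run",no-pty,no-port-forwarding ssh-rsa {_B} backup@nas',
    f"ecdsa-sha2-nistp256 {_C} bob@desktop",
    f"ssh-ed25519 {_A} alice@laptop",          # exact duplicate of line 2
    f"ssh-ed25519 {_D} admin@unknown-host",    # the 'banned' key searched for below
])
KEYS = parse_authorized_keys(SAMPLE_FILE, "/home/alice/.ssh/authorized_keys")
BANNED = {fingerprint(_D)}   # in practice taken from ssh-keygen -lf on the incident key

if __name__ == "__main__":
    print("duplicates:", duplicate_keys(KEYS))
    print("NIST ECDSA keys:", [k.comment for k in weak_nist_keys(KEYS)])
    print("banned keys:", [(k.path, k.line_no) for k in find_fingerprints(KEYS, BANNED)])
    print("forced-command keys:", [k.line_no for k in find_by_option(KEYS, "command=")])
```

Searching by fingerprint rather than by the raw key string is what makes a cross-host hunt practical: the fingerprint is short, safe to put in a ticket or a banned list, and stable no matter how the comment or options on a particular line were edited.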
Known Linux Hacking and Recon Tool Detection
We have added in a list of common Linux-based hacking and recon tools. These tools can have legitimate use for Red Teams, but if you see them running on your hosts and don’t know why they are there you should investigate what they are doing.
Scripts, Password Files, SSH Keys and Other Exploit Artifact Detection
Sandfly will keep an eye on critical system areas for signs that exploit artifacts have been left behind. We will check for scripts, password files, SSH keys and source code files which are in high risk locations for exploitation.
More Bindshell Backdoor Detection Including OpenSSL Backdoors
We have added in new backdoor bindshell detection modules and expanded existing modules. We also added in detection for backdoors tunnelling traffic over the openssl command to hide traffic from network monitoring tools.
More Anti-Forensics Detection
We have expanded the anti-forensic activity we search for in shell history files. Commands targeting /var/log and other critical system areas will be flagged if seen in a user’s history file.
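As an added example of the kind of history-file check described above (not Sandfly's signature list or code), here is a small scanner that categorises shell history lines that delete or truncate /var/log, clear or disable shell history, purge the journal, or alter file timestamps. The patterns and the sample history are constructed for the illustration; benign log reads are mixed in to show they are not flagged.

```python
# Flag anti-forensic commands in a shell history file.
# Added illustration, not Sandfly's own code; patterns and sample data are constructed.
import re
from typing import List, Tuple

# Each entry is a category label and a regex matched against one history line.
ANTI_FORENSIC_PATTERNS = [
    ("log deletion", re.compile(
        r"\b(rm|shred|truncate|unlink)\b.*(/var/log|/var/run/utmp|wtmp|btmp|lastlog)")),
    ("log truncation", re.compile(r">\s*/var/log/")),   # '> /var/log/x' or 'cat /dev/null > /var/log/x'
    ("history tampering", re.compile(
        r"\bhistory\s+-[cw]\b|HISTFILE|HISTSIZE|HISTFILESIZE|\.(bash|zsh)_history")),
    ("journal purge", re.compile(r"\bjournalctl\b.*--(vacuum|rotate)")),
    ("timestamp tampering", re.compile(r"\btouch\b.*\s--?(r|t|d|reference|date)\b")),
]


def scan_history(text: str) -> List[Tuple[int, str, str]]:
    """Return (line number, category, command) for every suspicious command.
    The first matching category wins, so each command is reported once."""
    hits = []
    for n, cmd in enumerate(text.splitlines(), 1):
        for label, pattern in ANTI_FORENSIC_PATTERNS:
            if pattern.search(cmd):
                hits.append((n, label, cmd))
                break
    return hits


# Constructed sample ~/.bash_history; benign commands are mixed in on purpose.
SAMPLE_HISTORY = "\n".join([
    "ls -la",
    "cat /var/log/auth.log",             # reading a log is not anti-forensic
    "rm -rf /var/log/*",
    "> /var/log/wtmp",
    "history -c",
    "unset HISTFILE",
    "export HISTSIZE=0",
    "shred -u /root/.bash_history",
    "echo > ~/.bash_history",
    "ln -sf /dev/null ~/.bash_history",
    "journalctl --vacuum-time=1s",
    "touch -r /bin/ls /tmp/x",
    "vim /etc/hosts",
])

if __name__ == "__main__":
    for line_no, label, cmd in scan_history(SAMPLE_HISTORY):
        print(f"line {line_no:>3}  {label:<20}  {cmd}")
```

On the constructed history the scanner reports lines 3 through 12 and leaves the directory listing, the log read and the editor invocation alone. In practice the interesting signal is usually the history tampering category: a user who clears or disables their own history right after touching /var/log has given you a very short list of things to look at next.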
Many More Incident Response Modules
We have added in many more incident response modules to help investigate hosts suspected of being compromised. For instance, how about searching for any new archive files created in the last hour across all your hosts instantly?
Or maybe you want to see any new binaries created over the last four hours?
Expanded Policy Checks
Many new policy checks have been added to find unusual user password, SSH and file activity on a host. You can enable these policy checks to keep an eye on your systems for changes which may lead to compromise or other problems.
How to Upgrade Sandfly
Sandfly is easy to upgrade. Please follow the instructions here: Upgrading Sandfly
Over 1000 Sandfly Checks and Growing
Sandfly 2.8.2 has now brought the number of compromise and incident response checks we do on Linux up to over 1,000. We can spot a tremendous amount of Linux malware, rootkits and intruder activity without loading any agents on your endpoints and without disruptive updates. Our agentless response capability gives you the ability to discover and remediate Linux incidents quickly and effectively.
Thank you for using our product.