Hunting Payloads in Linux Extended File Attributes
Xavier Mertens

$whoami
- Freelance Consultant
- SANS Certified Instructor (FOR610 & FOR710)
- SANS ISC Senior Handler
- Hunting Malware
- BruCON Co-Organizer

Disclaimer

Poll

Motivations
Let's have a look at Linux:
- Still today, many people think that Linux is "safe" and "malware free".
- Today's malware landscape evolves constantly.
- Lots of "fileless" malware samples.
- A "fileless" malware tries to keep its footprint at the filesystem level as small as possible, but... it MUST touch it (persistence).
- It tries to avoid using regular files.
- Extended Attributes or "xattrs" are used legitimately, but... attackers are always trying new ways to abuse them.
- Stealthy storage channel, persistence, hiding artefacts from casual inspection, ...

Standard Metadata of a File
```
xavier@lab0:~$ ls -l /etc/hosts
-rw-r--r-- 1 root root 338 Nov 14  2023 /etc/hosts
xavier@lab0:~$ stat /etc/hosts
  File: /etc/hosts
  Size: 338             Blocks: 8          IO Block: 4096   regular file
Device: 8,2     Inode: 529393      Links: 1
Access: (0644/-rw-r--r--)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2025-09-10 12:20:40.893557244 +0000
Modify: 2023-11-14 11:04:03.111417474 +0000
Change: 2023-11-14 11:04:03.111417474 +0000
 Birth: 2023-11-14 11:04:03.111417474 +0000
```

```
xavier@lab0:~$ sudo debugfs -R "stat /var/log/journal" /dev/sda2
Inode: 1835306   Type: directory    Mode:  02755   Flags: 0x80000
Generation: 3957997831    Version: 0x00000000:00000002
User:     0   Group:   101   Project:     0   Size: 4096
File ACL: 0
Links: 3   Blockcount: 8
Fragment:  Address: 0    Number: 0    Size: 0
 ctime: 0x601d05d3:8757b5ac -- Fri Feb  5 08:46:11 2021
 atime: 0x68c13007:151dcb54 -- Wed Sep 10 08:00:07 2025
 mtime: 0x5d966df6:0458caf8 -- Thu Oct  3 21:53:58 2019
crtime: 0x5d9660dc:33f6b040 -- Thu Oct  3 20:58:04 2019
Size of extra inode fields: 32
Extended attributes:
  system.posix_acl_default (28) = 01 00 00 00 01 00 07 00 04 00 05 00 08 00 05 00 04 00 00 00 10 00 05 00 20 00 05 00
  system.posix_acl_acce
```
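Hunting for what the Motivations slide warns about, as an added example that is not part of the slide deck: a small Python xattr hunter that flags attributes outside the namespaces the OS itself writes, or with values large enough to carry a payload, either parsed from debugfs stat output like the listing above or read live with os.listxattr()/os.getxattr(). The EXPECTED set and the 512-byte cut-off are assumptions, and SAMPLE_DEBUGFS is a constructed input modelled on the slide.

```python
import os
import re

# Names the OS itself writes (ACLs, labels, capabilities); anything else is worth a look.
EXPECTED = {"system.posix_acl_access", "system.posix_acl_default",
            "security.selinux", "security.capability", "security.ima"}

def classify(path, name, size):
    """Return (path, name, size, reason) when an xattr looks out of place, else None."""
    if name not in EXPECTED:
        return (path, name, size, f"unexpected attribute in '{name.split('.', 1)[0]}' namespace")
    if size > 512:  # assumed cut-off: real ACLs and labels are far smaller than this
        return (path, name, size, f"oversized value ({size} bytes)")

_DEBUGFS_ATTR = re.compile(r"^\s*([\w.\-:@]+)\s+\((\d+)\)")  # "  user.foo (12) = 48 65 ..."

def parse_debugfs_xattrs(text, path="<inode>"):
    """Classify each entry of the 'Extended attributes:' block of debugfs stat output."""
    findings, in_block = [], False
    for line in text.splitlines():
        if line.strip().startswith("Extended attributes"):
            in_block = True
        elif in_block:
            m = _DEBUGFS_ATTR.match(line)
            if not m:
                break  # first non-attribute line (e.g. EXTENTS:) ends the block
            if (f := classify(path, m.group(1), int(m.group(2)))):
                findings.append(f)
    return findings

def scan_tree(root):
    """Walk root on a live system and classify every xattr via listxattr/getxattr."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for p in (os.path.join(dirpath, e) for e in dirnames + filenames):
            try:
                for n in os.listxattr(p, follow_symlinks=False):
                    if (f := classify(p, n, len(os.getxattr(p, n, follow_symlinks=False)))):
                        findings.append(f)
            except OSError:  # unreadable entry or filesystem without xattr support
                continue
    return findings

# Constructed sample modelled on the slide's debugfs output, with one planted user.* entry.
SAMPLE_DEBUGFS = """\
Extended attributes:
  system.posix_acl_default (28) = 01 00 00 00 01 00 07 00 04 00 05 00 08 00 05 00
  user.cache (2048) = 7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00
EXTENTS:
"""
```

Running scan_tree("/") as root on a live box lists every candidate; the debugfs parser lets the same triage run over a stat dump taken from a mounted image.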