File and Directory Permissions Modification

Adversaries may modify file or directory permissions to evade defenses.

Indicator Removal: Clear Command History

Adversaries may remove indicators of compromise from the host to evade detection.

Deletes itself

Executes dropped EXE

Checks hardware identifiers (DMI)

Checks DMI information which indicate if the system is a virtual machine.

Creates/modifies Cron job

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

Creates/modifies environment variables

Creating/modifying environment variables is a common persistence mechanism.

Disables SELinux

Disables SELinux security module.

Enumerates active TCP sockets

Gets active TCP sockets from /proc virtual filesystem.

Enumerates running processes

Discovers information about currently running processes on the system

Looks up external IP address via web service

Uses a legitimate IP lookup service to find the infected system's external IP.

Modifies special file permissions

Adds special setuid and/ or setgid bits on a file, possibly to elevate privileges.

Modifies systemd

Adds/ modifies systemd service files. Likely to achieve persistence.

Reads hardware information

Accesses system info like serial numbers, manufacturer names etc.

Reads list of loaded kernel modules

Reads the list of currently loaded kernel modules, possibly to detect virtual environments.

Writes file to system bin folder

Indicator Removal: Timestomp

Adversaries may remove indicators of compromise from the host to evade detection.

Modifies Bash startup script

UPX packed file

Detects executables packed with UPX/modified UPX open source packer.