File and Directory Permissions Modification

Adversaries may modify file or directory permissions to evade defenses.

Deletes system logs

Deletes log file which contains global system messages. Adversaries may delete system logs to minimize their footprint.

Executes dropped EXE

OS Credential Dumping

Adversaries may attempt to dump credentials to use it in password cracking.

Writes DNS configuration

Writes data to DNS resolver config file.

Adds a user to the system

Attempts to change immutable files

Modifies inode attributes on the filesystem to allow changing of immutable files.

Checks hardware identifiers (DMI)

Checks DMI information which indicate if the system is a virtual machine.

Checks mountinfo of local process

Checks mountinfo of running processes which indicate if it is running in chroot jail.

Creates/modifies Cron job

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

Deletes log files

Deletes log files on the system.

Disables AppArmor

Disables AppArmor security module.

Enumerates running processes

Discovers information about currently running processes on the system

Modifies init.d

Adds/modifies system service, likely for persistence.

Modifies rc script

Adding/modifying system rc scripts is a common persistence mechanism.

Reads hardware information

Accesses system info like serial numbers, manufacturer names etc.

Write file to user bin folder

Writes file to system bin folder

Reads process memory

Read the memory of a process through the /proc virtual filesystem. This can be used to steal credentials.

UPX packed file

Detects executables packed with UPX/modified UPX open source packer.