kaiji | 6431f1372f237455978ffa78e54c0c44868775929988d9ee57c061943cc62d10

persistence privilege_escalation defense_evasion

description	ioc	Process
File opened for modification	/etc/crontab	bash

Creates/modifies environment variables 1 TTPs 3 IoCs

Creating/modifying environment variables is a common persistence mechanism.

Path Interception by PATH Environment Variable

description	ioc	Process
File opened for modification	/etc/profile.d/bash_config.sh	6431f1372f237455978ffa78e54c0c44868775929988d9ee57c061943cc62d10.elf
File opened for modification	/etc/profile.d/bash_config	6431f1372f237455978ffa78e54c0c44868775929988d9ee57c061943cc62d10.elf
File opened for modification	/etc/profile.d/linux.sh	6431f1372f237455978ffa78e54c0c44868775929988d9ee57c061943cc62d10.elf

Enumerates running processes
Discovers information about currently running processes on the system

Modifies init.d 2 TTPs 2 IoCs

Adds/modifies system service, likely for persistence.

persistence

Boot or Logon Autostart Execution

RC Scripts

T1037.004

description	ioc	Process
File opened for modification	/etc/init.d/linux_kill	6431f1372f237455978ffa78e54c0c44868775929988d9ee57c061943cc62d10.elf
File opened for modification	/etc/init.d/ssh	6431f1372f237455978ffa78e54c0c44868775929988d9ee57c061943cc62d10.elf

Write file to user bin folder 1 IoCs

persistence

description	ioc	Process
File opened for modification	/usr/bin/find	6431f1372f237455978ffa78e54c0c44868775929988d9ee57c061943cc62d10.elf

Modifies Bash startup script 2 TTPs 3 IoCs

persistence

Boot or Logon Autostart Execution

Unix Shell Configuration Modification

T1546.004

description	ioc	Process
File opened for modification	/etc/profile.d/bash_config.sh	6431f1372f237455978ffa78e54c0c44868775929988d9ee57c061943cc62d10.elf
File opened for modification	/etc/profile.d/bash_config	6431f1372f237455978ffa78e54c0c44868775929988d9ee57c061943cc62d10.elf
File opened for modification	/etc/profile.d/linux.sh	6431f1372f237455978ffa78e54c0c44868775929988d9ee57c061943cc62d10.elf

Changes its process name 1 IoCs

description	ioc	pid	Process
Changes the process name, possibly in an attempt to hide itself	ksoftirqd/0	682	6431f1372f237455978ffa78e54c0c44868775929988d9ee57c061943cc62d10.elf

Reads CPU attributes 1 TTPs 2 IoCs

discovery

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill

Enumerates kernel/hardware configuration 1 TTPs 64 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

discovery

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/kernel/mm/transparent_hugepage/hpage_pmd_size	id.services.conf
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/kernel/mm/transparent_hugepage/hpage_pmd_size	6431f1372f237455978ffa78e54c0c44868775929988d9ee57c061943cc62d10.elf
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/kernel/mm/transparent_hugepage/hpage_pmd_size	id.services.conf
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/kernel/mm/transparent_hugepage/hpage_pmd_size	id.services.conf
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/kernel/mm/transparent_hugepage/hpage_pmd_size	6431f1372f237455978ffa78e54c0c44868775929988d9ee57c061943cc62d10.elf
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/1/status	pkill
File opened for reading	/proc/21/cmdline	pkill
File opened for reading	/proc/578/cmdline	pkill
File opened for reading	/proc/1/cmdline	pkill
File opened for reading	/proc/134/status	pkill
File opened for reading	/proc/578/cmdline	pkill
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/666/stat	6431f1372f237455978ffa78e54c0c44868775929988d9ee57c061943cc62d10.elf
File opened for reading	/proc/self/stat	systemctl
File opened for reading	/proc/829/stat	6431f1372f237455978ffa78e54c0c44868775929988d9ee57c061943cc62d10.elf
File opened for reading	/proc/598/cmdline	pkill
File opened for reading	/proc/1/environ	systemctl
File opened for reading	/proc/268/stat	6431f1372f237455978ffa78e54c0c44868775929988d9ee57c061943cc62d10.elf
File opened for reading	/proc/self/stat	systemctl
File opened for reading	/proc/cmdline	systemctl
File opened for reading	/proc/302/stat	6431f1372f237455978ffa78e54c0c44868775929988d9ee57c061943cc62d10.elf
File opened for reading	/proc/10/status	pkill
File opened for reading	/proc/cmdline	systemctl
File opened for reading	/proc/97/status	pkill
File opened for reading	/proc/673/stat	6431f1372f237455978ffa78e54c0c44868775929988d9ee57c061943cc62d10.elf
File opened for reading	/proc/1/environ	systemctl
File opened for reading	/proc/8/status	pkill
File opened for reading	/proc/12/status	pkill
File opened for reading	/proc/20/cmdline	pkill
File opened for reading	/proc/288/cmdline	pkill
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/693/stat	6431f1372f237455978ffa78e54c0c44868775929988d9ee57c061943cc62d10.elf
File opened for reading	/proc/75/status	pkill
File opened for reading	/proc/107/status	pkill
File opened for reading	/proc/666/cmdline	pkill
File opened for reading	/proc/845/status	pkill
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/638/stat	6431f1372f237455978ffa78e54c0c44868775929988d9ee57c061943cc62d10.elf
File opened for reading	/proc/1/environ	systemctl
File opened for reading	/proc/216/status	pkill
File opened for reading	/proc/self/stat	systemctl
File opened for reading	/proc/1/environ	systemctl
File opened for reading	/proc/cmdline	systemctl
File opened for reading	/proc/28/status	pkill
File opened for reading	/proc/268/status	pkill
File opened for reading	/proc/664/stat	6431f1372f237455978ffa78e54c0c44868775929988d9ee57c061943cc62d10.elf
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/97/cmdline	pkill
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/822/stat	6431f1372f237455978ffa78e54c0c44868775929988d9ee57c061943cc62d10.elf
File opened for reading	/proc/sys/kernel/osrelease	pkill
File opened for reading	/proc/cmdline	systemctl
File opened for reading	/proc/582/stat	6431f1372f237455978ffa78e54c0c44868775929988d9ee57c061943cc62d10.elf
File opened for reading	/proc/794/stat	6431f1372f237455978ffa78e54c0c44868775929988d9ee57c061943cc62d10.elf
File opened for reading	/proc/844/stat	6431f1372f237455978ffa78e54c0c44868775929988d9ee57c061943cc62d10.elf
File opened for reading	/proc/41/status	pkill
File opened for reading	/proc/266/status	pkill
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/674/stat	6431f1372f237455978ffa78e54c0c44868775929988d9ee57c061943cc62d10.elf
File opened for reading	/proc/903/stat	6431f1372f237455978ffa78e54c0c44868775929988d9ee57c061943cc62d10.elf
File opened for reading	/proc/3/status	pkill
File opened for reading	/proc/cmdline	systemctl
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/218/stat	6431f1372f237455978ffa78e54c0c44868775929988d9ee57c061943cc62d10.elf
File opened for reading	/proc/840/stat	6431f1372f237455978ffa78e54c0c44868775929988d9ee57c061943cc62d10.elf
File opened for reading	/proc/849/stat	6431f1372f237455978ffa78e54c0c44868775929988d9ee57c061943cc62d10.elf
File opened for reading	/proc/1/environ	systemctl
File opened for reading	/proc/self/stat	systemctl

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	7	Go-http-client/1.1

/tmp/6431f1372f237455978ffa78e54c0c44868775929988d9ee57c061943cc62d10.elf
/tmp/6431f1372f237455978ffa78e54c0c44868775929988d9ee57c061943cc62d10.elf
1⤵
- Enumerates kernel/hardware configuration
PID:645
- /bin/sh
  sh -c "/etc/32678&"
  2⤵
  - Executes dropped EXE
  PID:662
- /usr/sbin/service
  service crond start
  2⤵
  PID:663
- - /usr/bin/basename
    basename /usr/sbin/service
    3⤵
    PID:667
- - /usr/bin/basename
    basename /usr/sbin/service
    3⤵
    PID:674
- - /bin/systemctl
    systemctl --quiet is-active multi-user.target
    3⤵
    PID:678
- - /bin/sed
    sed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"
    3⤵
    PID:686
- - /bin/systemctl
    systemctl list-unit-files --full "--type=socket"
    3⤵
    - Enumerates kernel/hardware configuration
    - Reads runtime system information
    PID:685
- - /bin/systemctl
    systemctl -p Triggers show dbus.socket
    3⤵
    - Enumerates kernel/hardware configuration
    PID:690
- - /bin/systemctl
    systemctl -p Triggers show ssh.socket
    3⤵
    - Enumerates kernel/hardware configuration
    PID:709
- - /bin/systemctl
    systemctl -p Triggers show syslog.socket
    3⤵
    - Enumerates kernel/hardware configuration
    - Reads runtime system information
    PID:710
- - /bin/systemctl
    systemctl -p Triggers show systemd-fsckd.socket
    3⤵
    - Enumerates kernel/hardware configuration
    PID:711
- - /bin/systemctl
    systemctl -p Triggers show systemd-initctl.socket
    3⤵
    - Enumerates kernel/hardware configuration
    PID:712
- - /bin/systemctl
    systemctl -p Triggers show systemd-journald-audit.socket
    3⤵
    - Enumerates kernel/hardware configuration
    - Reads runtime system information
    PID:716
- - /bin/systemctl
    systemctl -p Triggers show systemd-journald-dev-log.socket
    3⤵
    - Enumerates kernel/hardware configuration
    - Reads runtime system information
    PID:718
- - /bin/systemctl
    systemctl -p Triggers show systemd-journald.socket
    3⤵
    - Enumerates kernel/hardware configuration
    PID:719
- - /bin/systemctl
    systemctl -p Triggers show systemd-networkd.socket
    3⤵
    - Enumerates kernel/hardware configuration
    PID:720
- - /bin/systemctl
    systemctl -p Triggers show systemd-rfkill.socket
    3⤵
    - Enumerates kernel/hardware configuration
    PID:725
- - /bin/systemctl
    systemctl -p Triggers show systemd-udevd-control.socket
    3⤵
    - Enumerates kernel/hardware configuration
    PID:729
- - /bin/systemctl
    systemctl -p Triggers show systemd-udevd-kernel.socket
    3⤵
    - Enumerates kernel/hardware configuration
    PID:733
- /tmp/6431f1372f237455978ffa78e54c0c44868775929988d9ee57c061943cc62d10.elf
  /tmp/6431f1372f237455978ffa78e54c0c44868775929988d9ee57c061943cc62d10.elf " "
  2⤵
  - Modifies Watchdog functionality
  - Creates/modifies environment variables
  - Modifies init.d
  - Write file to user bin folder
  - Modifies Bash startup script
  - Changes its process name
  - Enumerates kernel/hardware configuration
  - Reads runtime system information
  PID:664
- - /usr/sbin/update-rc.d
    update-rc.d linux_kill defaults
    3⤵
    PID:679
  - - /usr/local/sbin/systemctl
      systemctl daemon-reload
      4⤵
      PID:689
  - - /usr/local/bin/systemctl
      systemctl daemon-reload
      4⤵
      PID:689
  - - /usr/sbin/systemctl
      systemctl daemon-reload
      4⤵
      PID:689
  - - /usr/bin/systemctl
      systemctl daemon-reload
      4⤵
      PID:689
  - - /sbin/systemctl
      systemctl daemon-reload
      4⤵
      PID:689
  - - /bin/systemctl
      systemctl daemon-reload
      4⤵
      Enumerates kernel/hardware configuration
      PID:689
- - /bin/bash
    bash -c "echo \"*/1 * * * * root /.img \" >> /etc/crontab"
    3⤵
    - Creates/modifies Cron job
    PID:714
- - /usr/bin/renice
    renice -20 664
    3⤵
    PID:723
- - /bin/mount
    mount -o bind /tmp/ /proc/664
    3⤵
    PID:724
- - /usr/sbin/service
    service cron start
    3⤵
    PID:727
  - - /usr/bin/basename
      basename /usr/sbin/service
      4⤵
      PID:728
  - - /usr/bin/basename
      basename /usr/sbin/service
      4⤵
      PID:730
  - - /bin/systemctl
      systemctl --quiet is-active multi-user.target
      4⤵
      Enumerates kernel/hardware configuration
      PID:732
  - - /bin/sed
      sed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"
      4⤵
      PID:737
  - - /bin/systemctl
      systemctl list-unit-files --full "--type=socket"
      4⤵
      PID:736
  - - /bin/systemctl
      systemctl -p Triggers show dbus.socket
      4⤵
      Enumerates kernel/hardware configuration
      PID:741
  - - /bin/systemctl
      systemctl -p Triggers show ssh.socket
      4⤵
      Enumerates kernel/hardware configuration
      PID:743
  - - /bin/systemctl
      systemctl -p Triggers show syslog.socket
      4⤵
      Enumerates kernel/hardware configuration
      PID:745
  - - /bin/systemctl
      systemctl -p Triggers show systemd-fsckd.socket
      4⤵
      Enumerates kernel/hardware configuration
      Reads runtime system information
      PID:748
  - - /bin/systemctl
      systemctl -p Triggers show systemd-initctl.socket
      4⤵
      Enumerates kernel/hardware configuration
      PID:750
  - - /bin/systemctl
      systemctl -p Triggers show systemd-journald-audit.socket
      4⤵
      Enumerates kernel/hardware configuration
      PID:752
  - - /bin/systemctl
      systemctl -p Triggers show systemd-journald-dev-log.socket
      4⤵
      Enumerates kernel/hardware configuration
      PID:755
  - - /bin/systemctl
      systemctl -p Triggers show systemd-journald.socket
      4⤵
      Enumerates kernel/hardware configuration
      PID:757
  - - /bin/systemctl
      systemctl -p Triggers show systemd-networkd.socket
      4⤵
      Enumerates kernel/hardware configuration
      PID:759
  - - /bin/systemctl
      systemctl -p Triggers show systemd-rfkill.socket
      4⤵
      Enumerates kernel/hardware configuration
      PID:762
  - - /bin/systemctl
      systemctl -p Triggers show systemd-udevd-control.socket
      4⤵
      Reads runtime system information
      PID:765
  - - /bin/systemctl
      systemctl -p Triggers show systemd-udevd-kernel.socket
      4⤵
      Enumerates kernel/hardware configuration
      Reads runtime system information
      PID:767
- - /usr/local/sbin/systemctl
    systemctl start cron.service
    3⤵
    PID:727
- - /usr/local/bin/systemctl
    systemctl start cron.service
    3⤵
    PID:727
- - /usr/sbin/systemctl
    systemctl start cron.service
    3⤵
    PID:727
- - /usr/bin/systemctl
    systemctl start cron.service
    3⤵
    PID:727
- - /sbin/systemctl
    systemctl start cron.service
    3⤵
    PID:727
- - /bin/systemctl
    systemctl start cron.service
    3⤵
    - Enumerates kernel/hardware configuration
    PID:727
- - /bin/systemctl
    systemctl start crond.service
    3⤵
    - Enumerates kernel/hardware configuration
    PID:770

/etc/32678
/etc/32678
1⤵
- Executes dropped EXE
PID:666
- /bin/sleep
  sleep 60
  2⤵
  PID:673
- /etc/id.services.conf
  /etc/id.services.conf
  2⤵
  - Executes dropped EXE
  PID:845
- - /usr/bin/pkill
    pkill -9 32678
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:849
- - /bin/sh
    sh -c "/etc/32678&"
    3⤵
    - Executes dropped EXE
    PID:850
- - /usr/sbin/service
    service crond start
    3⤵
    PID:851
  - - /usr/bin/basename
      basename /usr/sbin/service
      4⤵
      PID:853
  - - /usr/bin/basename
      basename /usr/sbin/service
      4⤵
      PID:855
  - - /bin/systemctl
      systemctl --quiet is-active multi-user.target
      4⤵
      Enumerates kernel/hardware configuration
      Reads runtime system information
      PID:860
  - - /bin/sed
      sed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"
      4⤵
      PID:863
  - - /bin/systemctl
      systemctl list-unit-files --full "--type=socket"
      4⤵
      Enumerates kernel/hardware configuration
      PID:862
  - - /bin/systemctl
      systemctl -p Triggers show dbus.socket
      4⤵
      Enumerates kernel/hardware configuration
      Reads runtime system information
      PID:864
  - - /bin/systemctl
      systemctl -p Triggers show ssh.socket
      4⤵
      Enumerates kernel/hardware configuration
      Reads runtime system information
      PID:865
  - - /bin/systemctl
      systemctl -p Triggers show syslog.socket
      4⤵
      Enumerates kernel/hardware configuration
      PID:872
  - - /bin/systemctl
      systemctl -p Triggers show systemd-fsckd.socket
      4⤵
      Enumerates kernel/hardware configuration
      Reads runtime system information
      PID:873
  - - /bin/systemctl
      systemctl -p Triggers show systemd-initctl.socket
      4⤵
      Enumerates kernel/hardware configuration
      Reads runtime system information
      PID:874
  - - /bin/systemctl
      systemctl -p Triggers show systemd-journald-audit.socket
      4⤵
      Enumerates kernel/hardware configuration
      Reads runtime system information
      PID:875
  - - /bin/systemctl
      systemctl -p Triggers show systemd-journald-dev-log.socket
      4⤵
      Enumerates kernel/hardware configuration
      Reads runtime system information
      PID:876
  - - /bin/systemctl
      systemctl -p Triggers show systemd-journald.socket
      4⤵
      Enumerates kernel/hardware configuration
      PID:877
  - - /bin/systemctl
      systemctl -p Triggers show systemd-networkd.socket
      4⤵
      Enumerates kernel/hardware configuration
      Reads runtime system information
      PID:878
  - - /bin/systemctl
      systemctl -p Triggers show systemd-rfkill.socket
      4⤵
      Enumerates kernel/hardware configuration
      Reads runtime system information
      PID:879
  - - /bin/systemctl
      systemctl -p Triggers show systemd-udevd-control.socket
      4⤵
      Enumerates kernel/hardware configuration
      PID:880
  - - /bin/systemctl
      systemctl -p Triggers show systemd-udevd-kernel.socket
      4⤵
      Enumerates kernel/hardware configuration
      PID:881
- - /etc/id.services.conf
    /etc/id.services.conf " "
    3⤵
    - Enumerates kernel/hardware configuration
    PID:852

/usr/local/sbin/systemctl
systemctl start crond.service
1⤵
PID:663

/usr/local/bin/systemctl
systemctl start crond.service
1⤵
PID:663

/usr/sbin/systemctl
systemctl start crond.service
1⤵
PID:663

/usr/bin/systemctl
systemctl start crond.service
1⤵
PID:663

/sbin/systemctl
systemctl start crond.service
1⤵
PID:663

/bin/systemctl
systemctl start crond.service
1⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:663

/etc/32678
/etc/32678
1⤵
- Executes dropped EXE
PID:854
- /bin/sleep
  sleep 60
  2⤵
  PID:859
- /etc/id.services.conf
  /etc/id.services.conf
  2⤵
  - Executes dropped EXE
  - Enumerates kernel/hardware configuration
  PID:895
- - /usr/bin/pkill
    pkill -9 32678
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:899
- - /bin/sh
    sh -c "/etc/32678&"
    3⤵
    - Executes dropped EXE
    PID:900
- - /usr/sbin/service
    service crond start
    3⤵
    PID:901
  - - /usr/bin/basename
      basename /usr/sbin/service
      4⤵
      PID:904
  - - /usr/bin/basename
      basename /usr/sbin/service
      4⤵
      PID:906
  - - /bin/systemctl
      systemctl --quiet is-active multi-user.target
      4⤵
      Enumerates kernel/hardware configuration
      PID:910
  - - /bin/systemctl
      systemctl list-unit-files --full "--type=socket"
      4⤵
      Enumerates kernel/hardware configuration
      PID:912
  - - /bin/sed
      sed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"
      4⤵
      PID:913
  - - /bin/systemctl
      systemctl -p Triggers show dbus.socket
      4⤵
      Enumerates kernel/hardware configuration
      PID:914
  - - /bin/systemctl
      systemctl -p Triggers show ssh.socket
      4⤵
      Enumerates kernel/hardware configuration
      Reads runtime system information
      PID:915
  - - /bin/systemctl
      systemctl -p Triggers show syslog.socket
      4⤵
      Enumerates kernel/hardware configuration
      PID:916
  - - /bin/systemctl
      systemctl -p Triggers show systemd-fsckd.socket
      4⤵
      Enumerates kernel/hardware configuration
      PID:917
  - - /bin/systemctl
      systemctl -p Triggers show systemd-initctl.socket
      4⤵
      Enumerates kernel/hardware configuration
      PID:920
  - - /bin/systemctl
      systemctl -p Triggers show systemd-journald-audit.socket
      4⤵
      Enumerates kernel/hardware configuration
      PID:923
  - - /bin/systemctl
      systemctl -p Triggers show systemd-journald-dev-log.socket
      4⤵
      Enumerates kernel/hardware configuration
      PID:924
  - - /bin/systemctl
      systemctl -p Triggers show systemd-journald.socket
      4⤵
      Enumerates kernel/hardware configuration
      PID:925
  - - /bin/systemctl
      systemctl -p Triggers show systemd-networkd.socket
      4⤵
      Enumerates kernel/hardware configuration
      Reads runtime system information
      PID:926
  - - /bin/systemctl
      systemctl -p Triggers show systemd-rfkill.socket
      4⤵
      Enumerates kernel/hardware configuration
      PID:927
  - - /bin/systemctl
      systemctl -p Triggers show systemd-udevd-control.socket
      4⤵
      Enumerates kernel/hardware configuration
      PID:930
  - - /bin/systemctl
      systemctl -p Triggers show systemd-udevd-kernel.socket
      4⤵
      Enumerates kernel/hardware configuration
      PID:931
- - /etc/id.services.conf
    /etc/id.services.conf " "
    3⤵
    - Enumerates kernel/hardware configuration
    PID:902

/usr/local/sbin/systemctl
systemctl start crond.service
1⤵
PID:851

/usr/local/bin/systemctl
systemctl start crond.service
1⤵
PID:851

/usr/sbin/systemctl
systemctl start crond.service
1⤵
PID:851

/usr/bin/systemctl
systemctl start crond.service
1⤵
PID:851

/sbin/systemctl
systemctl start crond.service
1⤵
PID:851

/bin/systemctl
systemctl start crond.service
1⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:851

/etc/32678
/etc/32678
1⤵
PID:903
- /bin/sleep
  sleep 60
  2⤵
  PID:905

/usr/local/sbin/systemctl
systemctl start crond.service
1⤵
PID:901

/usr/local/bin/systemctl
systemctl start crond.service
1⤵
PID:901

/usr/sbin/systemctl
systemctl start crond.service
1⤵
PID:901

/usr/bin/systemctl
systemctl start crond.service
1⤵
PID:901

/sbin/systemctl
systemctl start crond.service
1⤵
PID:901

/bin/systemctl
systemctl start crond.service
1⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:901

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Cron

Persistence

Boot or Logon Autostart Execution

Boot or Logon Initialization Scripts

T1037

RC Scripts

T1037.004

Event Triggered Execution

T1546

Unix Shell Configuration Modification

T1546.004

Hijack Execution Flow

T1574

Path Interception by PATH Environment Variable

Scheduled Task/Job

T1053

Cron

Privilege Escalation

Boot or Logon Autostart Execution

Boot or Logon Initialization Scripts

T1037

RC Scripts

T1037.004

Event Triggered Execution

T1546

Unix Shell Configuration Modification

T1546.004

Hijack Execution Flow

T1574

Path Interception by PATH Environment Variable

Scheduled Task/Job

T1053

Cron

Defense Evasion

Hijack Execution Flow

T1574

Path Interception by PATH Environment Variable