Phantom Attack: Evading System Call Monitoring

Overview

Phantom attack is a collection of attacks that evade Linux system call monitoring. A user-mode program needs no special privileges or capabilities to reliably evade system call monitoring with Phantom attack; it works by exploiting insecure tracing implementations.

After adversaries gain an initial foothold on a Linux system, they typically perform post-exploitation activities such as reconnaissance, execution, privilege escalation, persistence, etc. It is extremely difficult, if not impossible, to perform any non-trivial adversarial activity without using Linux system calls.

Security monitoring solutions on Linux endpoints typically offer system call monitoring to detect attacks effectively. Modern solutions often use either eBPF-based programs or kernel modules to monitor system calls through tracepoints and/or kprobes. Any adversary operation, including abnormal and/or suspicious system calls, reveals additional information to the defenders and can trigger detection alerts.

This GitHub project hosts the POC code for Phantom Attack. More details can be found in:

  1. DEFCON 29 website
  2. DEFCON 29 slides
  3. DEFCON 29 youtube recording

Evaluation

Target Software

Falco < v0.29.1

Tracee <= v0.4.0

Note that Falco's mitigation is detecting the userfaultfd syscall from a non-root user, so you may still be able to perform the TOCTOU on newer versions, but it will be detected because of the use of userfaultfd. We did not evaluate newer versions of Tracee, and they may still be vulnerable.
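The mitigation described above keys on one signal: a successful userfaultfd call by a non-root process. The following is an added example (not part of this project) that applies the same check to auditd-style SYSCALL records; the log lines, the uid/comm/exe values and the file path are constructed, and the audit field layout is assumed.

```python
import re

# Syscall number of userfaultfd per audit arch value; 323 is x86_64 (arch=c000003e).
# Assumption: records are auditd SYSCALL lines; extend the table for other architectures.
USERFAULTFD_NR = {"c000003e": 323}

# key=value tokens; quoted values (comm="...", exe="...") may contain spaces.
_FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_audit_record(line):
    """Parse one auditd record line into a dict of its key/value fields."""
    return {key: val.strip('"') for key, val in _FIELD_RE.findall(line)}


def is_unprivileged_userfaultfd(rec):
    """True when a non-root process successfully obtained a userfaultfd descriptor.

    This mirrors the Falco >= 0.29.1 mitigation mentioned above: root use of
    userfaultfd is normal, a failed call (EPERM) gives the attacker nothing.
    """
    if rec.get("type") != "SYSCALL":
        return False
    nr = USERFAULTFD_NR.get(rec.get("arch"))
    if nr is None or rec.get("syscall") != str(nr):
        return False
    return rec.get("uid") != "0" and rec.get("success") == "yes"


def find_alerts(lines):
    """Return (uid, comm, exe) for every record that matches the detection."""
    alerts = []
    for line in lines:
        rec = parse_audit_record(line)
        if is_unprivileged_userfaultfd(rec):
            alerts.append((rec.get("uid"), rec.get("comm"), rec.get("exe")))
    return alerts


# Constructed sample records: only the second one should alert.
SAMPLE_LOG = [
    'type=SYSCALL msg=audit(1625000000.100:501): arch=c000003e syscall=323 success=yes exit=4 uid=0 gid=0 comm="systemd" exe="/usr/lib/systemd/systemd"',
    'type=SYSCALL msg=audit(1625000000.200:502): arch=c000003e syscall=323 success=yes exit=5 uid=1000 gid=1000 comm="attack_openat" exe="/home/user/phantom_v1/attack_openat"',
    'type=SYSCALL msg=audit(1625000000.300:503): arch=c000003e syscall=257 success=yes exit=3 uid=1000 gid=1000 comm="attack_openat" exe="/home/user/phantom_v1/attack_openat"',
    'type=SYSCALL msg=audit(1625000000.400:504): arch=c000003e syscall=323 success=no exit=-1 uid=1000 gid=1000 comm="attack_openat" exe="/home/user/phantom_v1/attack_openat"',
]

if __name__ == "__main__":
    for uid, comm, exe in find_alerts(SAMPLE_LOG):
        print(f"ALERT: unprivileged userfaultfd by uid={uid} comm={comm} exe={exe}")
```

The fourth sample record shows the complementary hardening: with the sysctl vm.unprivileged_userfaultfd set to 0 (available since Linux 5.2), the call fails for non-root callers and never produces the success=yes record the detection looks for.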

Platform

Phantom Attack was tested on the following configurations:

OS           | Hypervisor             | CPU cores
Ubuntu 20.04 | VMware Workstation Pro | 2 cores
Ubuntu 18.04 | VMware Workstation Pro | 4 cores

If you are testing on 2 cores, remember to change the CPU mask in the POC.

Files

.
├── phantom_v1 
│   ├── attack_connect.c ---------------------------# phantom v1 attack on connect
│   ├── attack_openat.c  ---------------------------# phantom v1 attack on openat
│   ├── Makefile 
│   └── run.sh           ---------------------------# add CAP_SYS_NICE for binary (e.g., openat)
├── phantom_v2
│   └── run.sh           ---------------------------# phantom v2 attack on file link
├── Phantom attack evading system call monitoring.pdf ---# DEFCON 29 slides
├── README.md
└── LICENSE

attack_connect.c: POC attack code for evading connect call monitoring. The attack program connects to 1.1.1.1 while trying to make the agent think it is connecting to a benign-looking IP, e.g., 13.107.42.14. The interrupt used is an IPI (inter-processor interrupt).

attack_openat.c: POC attack code for evading openat call monitoring. The attack program opens a file named "malicious_file" in the current working directory while trying to make the agent think it is opening a benign-looking file named "benign_file". The interrupt used is a hardware interrupt, so you need to identify the CPU core that handles the ethernet hardware interrupt on your setup and change VICTIM_CPU accordingly.

Getting Started:

To compile:

$ cd phantom_v1

$ make

Phantom v1 attack on connect system call

  1. Open one terminal and use tcpdump to monitor traffic to port 80. Change the ethernet interface in the command below to match your machine:

$ sudo tcpdump -i ens33 port 80

  2. Run the syscall monitoring software and monitor the connect call.

  3. Run the attack: tcpdump will report traffic to 1.1.1.1, while the sysdig open source agent reports the attack_connect program connecting to 13.107.42.14.

$ ./attack_connect

Phantom v1 attack on openat system call

You can run the attack manually and inspect the file artifact and system call monitoring software results manually.

NOTE: Sometimes the overwrite thread writes the filename faster than the kernel thread, so the syscall only opens the benign file. You may therefore want to run the attack in a loop and check the results of multiple runs automatically, as demonstrated in the DEFCON talk.

  1. Run the system call monitoring software and monitor the openat syscall.

  2. You will most likely need CAP_SYS_NICE:

$ ./run.sh attack_openat

  3. Run the attack:

$ ./attack_openat

  4. Check whether the file actually created differs from the file reported by the agent.

Phantom v2 attack on file link

  1. Run the system call monitoring software and monitor the openat syscall.

  2. Run the commands below:

$ cd phantom_v2

$ ./run.sh

Comments
  • Undefined constants in Phantom_v3 traffic drop module

    Hello Rex, thank you for the great research!

    I'm trying to compile the traffic drop module for the phantom_v3 attack; however, some of the constants used are not defined in xdp_prog_kern.c and xdp_load_and_stats.c, hence the source code isn't compiling:

    • KEY_DROP_FREQ
    • KEY_DROP_CURR
    • DEFAULT_DROP_FREQ

    Could you please provide the configuration for this?

    Additionally, xdp_load_and_stats.c at line 369 has long value = cfg.dropnum; however, the config structure doesn't have a 'dropnum' field:

    struct config cfg = { .xdp_flags = XDP_FLAGS_UPDATE_IF_NOEXIST | XDP_FLAGS_DRV_MODE, .ifindex = -1, .do_unload = false, };

    opened by ttmyst 0
  • Attacking kprobe?

    Hi Rex. I'm a DefCon30 attendee. I'm excited about this project. I was wondering if you know how to use TOCTOU to attack a kprobe when both the entry handler and the post handler of the kprobe are present?

    opened by AlexYaoRuihao 3
Owner
Rex Guo