mitre-attack / car

Cyber Analytics Repository

Expand Process data model to include environment variables

ForensicITGuy opened this issue · comments

Proposed Change

The proposed change is to extend the Process data model to include environment variables set for a process at the time of execution. This could be included as a field in the Process model.

Justification

The justification is to monitor for process injection via LD_PRELOAD environment variables. A sample analytic for this would be:

    SELECT process_envs.pid AS source_process_id,
           process_envs.key AS environment_variable_key,
           process_envs.value AS environment_variable_value,
           processes.name AS source_process,
           processes.path AS file_path,
           processes.cmdline AS source_process_commandline,
           processes.cwd AS current_working_directory,
           'T1055' AS event_attack_id,
           'Process Injection' AS event_attack_technique,
           'Defense Evasion, Privilege Escalation' AS event_attack_tactic
    FROM process_envs JOIN processes USING (pid)
    WHERE key = 'LD_PRELOAD';
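As an added example (not part of this issue or of the CAR project), the analytic above is run in Python against a constructed, osquery-shaped snapshot held in SQLite, together with a second query, also added here, that separates an LD_PRELOAD a process set itself from one merely inherited from its parent. The table columns used are an assumed subset of osquery's processes and process_envs tables, and all row values are made up.

```python
import sqlite3
# Constructed rows mirroring a subset of osquery's tables (columns and values are assumptions).
PROCESSES = [  # pid, name, path, cmdline, cwd, parent
    (1, "systemd", "/usr/lib/systemd/systemd", "/sbin/init", "/", 0),
    (4410, "bash", "/bin/bash", "bash", "/home/alice", 1),
    (4411, "curl", "/usr/bin/curl", "curl https://example.invalid", "/home/alice", 4410),
]
PROCESS_ENVS = [  # pid, key, value
    (1, "PATH", "/usr/bin:/bin"), (4410, "HOME", "/home/alice"),
    (4410, "LD_PRELOAD", "/tmp/.x/libhook.so"),
    (4411, "LD_PRELOAD", "/tmp/.x/libhook.so"),  # inherited from pid 4410
]

# The analytic proposed in the issue, reflowed only.
ANALYTIC = """
SELECT process_envs.pid AS source_process_id, process_envs.key AS environment_variable_key,
       process_envs.value AS environment_variable_value, processes.name AS source_process,
       processes.path AS file_path, processes.cmdline AS source_process_commandline,
       processes.cwd AS current_working_directory, 'T1055' AS event_attack_id,
       'Process Injection' AS event_attack_technique,
       'Defense Evasion, Privilege Escalation' AS event_attack_tactic
FROM process_envs JOIN processes USING (pid)
WHERE key = 'LD_PRELOAD'
"""

# Added here: did this process set LD_PRELOAD, or inherit the same value from its parent?
ORIGIN = """
SELECT e.pid, CASE WHEN pe.value = e.value THEN 'inherited' ELSE 'set' END AS origin
FROM process_envs e JOIN processes p USING (pid)
LEFT JOIN process_envs pe ON pe.pid = p.parent AND pe.key = 'LD_PRELOAD'
WHERE e.key = 'LD_PRELOAD'
"""

def build_snapshot():
    """In-memory SQLite database standing in for a point-in-time osquery result."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE processes(pid INTEGER, name, path, cmdline, cwd, parent INTEGER)")
    db.execute("CREATE TABLE process_envs(pid INTEGER, key TEXT, value TEXT)")
    db.executemany("INSERT INTO processes VALUES (?,?,?,?,?,?)", PROCESSES)
    db.executemany("INSERT INTO process_envs VALUES (?,?,?)", PROCESS_ENVS)
    return db

def run_analytic(db):
    """Run the issue's query; return hits as dicts keyed by the output column names."""
    cur = db.execute(ANALYTIC)
    cols = [d[0] for d in cur.description]
    return [dict(zip(cols, row)) for row in cur.fetchall()]

def ld_preload_origins(db):
    """Map pid -> 'set' or 'inherited' for every process carrying LD_PRELOAD."""
    return dict(db.execute(ORIGIN).fetchall())
```

Both the bash that set the variable and the curl it spawned are reported by the analytic; the origin query is what lets a triage step collapse the inherited child hits onto the process that introduced the library.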

@ForensicITGuy do you have any example events that contain environment variables? Also, it looks like this is only captured by a few sensors at the moment, such as OSquery; is that right?

Hey @ikiril01, sorry, I should've responded sooner. OSquery is the only sensor I know of so far that will retrieve environment variable information (maybe also Velociraptor). In this case I don't think it's even continuously monitoring (unlike the eventing tables), but is query-based only. The only use case I have for environment vars so far would be hunting for process injection via LD_PRELOAD.

https://cybersecurity.att.com/blogs/labs-research/hunting-for-linux-library-injection-with-osquery

@ForensicITGuy no worries! Thanks for the clarification. One other question we've had about capturing environment variables is with regard to inheritance, i.e., since a child process can inherit env vars from its parent, is this something we need to explicitly identify or not? Although this might be a bit of a moot point, since CAR's current process object doesn't cleanly distinguish between parent/child processes.

From the continuous monitoring/detection perspective, I don't think it matters as much. If we're doing live forensics it might matter, but dead box forensics won't have as much use.

I will say that a parent/child relationship would be useful in a larger model outside of just environment variables, for example to enable detecting suspicious process relationships (winword.exe > PowerShell).

Added via 0b1ca90