Anatomy of a Linux Hack: Skidmap Leverages Cron Jobs, PAM, Kernel Modules, and More

Webinar Registration

In this “Anatomy of a Hack” episode, we turn to the Linux world and dissect Skidmap malware. Skidmap is technically a cryptominer, but it’s very valuable as an example of typical Linux attack methods that any attacker could use, including:

  • Cron jobs
  • Pluggable authentication modules
  • Kernel modules
  • Secure shell keys
  • Scripts

In this real-training-for-free event, we will show you how Skidmap works and explore its behavior and the details of its various elements. We will map elements of Skidmap to 8 different MITRE ATT&CK techniques across 5 tactics:

TID     Tactic                   Technique
------  -----------------------  -------------------------------------
T1168   Persistence, Execution   Local Job Scheduling
T1215   Persistence              Kernel Modules and Extensions
T1045   Defense Evasion          Software Packing
T1089   Defense Evasion          Disabling Security Tools
T1036   Defense Evasion          Masquerading
T1014   Defense Evasion          Rootkit
T1071   Command And Control      Standard Application Layer Protocol
T1496   Impact                   Resource Hijacking

As you can see, Skidmap employs 4 different techniques to evade detection. In particular, it’s interesting how Skidmap hides the high CPU usage that cryptomining causes. We will use the OSQuery engine integrated into VMware Carbon Black Audit & Remediation to look for artifacts like those left by Skidmap.

This will be a very technical and interesting session with insights from VMware Carbon Black’s Threat Analysis Unit (TAU). VMware Carbon Black is our sponsor, and Staff Solution Engineer Jon Nelson will briefly show you how, with VMware Carbon Black Enterprise EDR, you can detect the techniques Skidmap uses to disable system protections and hide its network traffic. Jon will also demonstrate how you can use similar techniques to discover webshells with VMware Carbon Black Enterprise EDR.

Please join us for this real-training-for-free session.
