LoFP / debugging or legitimate software testing

Techniques

• t1055
• t1055.009
• t1562
• t1562.001

Sample rules

ASLR Disabled Via Sysctl or Direct Syscall - Linux

• source: sigma
• technicques:
  • t1055
  • t1055.009
  • t1562
  • t1562.001

Description

Detects actions that disable Address Space Layout Randomization (ASLR) in Linux, including:

• Use of the personality syscall with the ADDR_NO_RANDOMIZE flag (0x0040000)
• Modification of the /proc/sys/kernel/randomize_va_space file
• Execution of the sysctl command to set kernel.randomize_va_space=0 Disabling ASLR is often used by attackers during exploit development or to bypass memory protection mechanisms. A successful use of these methods can reduce the effectiveness of ASLR and make memory corruption attacks more reliable.

Detection logic

condition: 1 of selection_*
selection_syscall:
  a0: 40000
  syscall: personality
  type: SYSCALL
selection_sysctl:
  a0: sysctl
  a1: -w
  a2: kernel.randomize_va_space=0
  type: EXECVE