Adversaries may exploit known Linux kernel vulnerabilities (CVE-2012-0056 and CVE-2016-5195) to gain unauthorized access or escalate privileges on affected systems. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential compromise from legacy vulnerabilities that may persist in their environment.
YARA Rule
rule Linux_DirtyCow_Exploit {
    meta:
        description = "Detects Linux Dirty Cow Exploit - CVE-2012-0056 and CVE-2016-5195"
        author = "Florian Roth"
        reference = "http://dirtycow.ninja/"
        date = "2016-10-21"
    strings:
        $a1 = { 48 89 D6 41 B9 00 00 00 00 41 89 C0 B9 02 00 00 00 BA 01 00 00 00 BF 00 00 00 00 }
        $b1 = { E8 ?? FC FF FF 48 8B 45 E8 BE 00 00 00 00 48 89 C7 E8 ?? FC FF FF 48 8B 45 F0 BE 00 00 00 00 48 89 }
        $b2 = { E8 ?? FC FF FF B8 00 00 00 00 }
        $source1 = "madvise(map,100,MADV_DONTNEED);"
        $source2 = "=open(\"/proc/self/mem\",O_RDWR);"
        $source3 = ",map,SEEK_SET);"
        $source_printf1 = "mmap %x"
        $source_printf2 = "procselfmem %d"
        $source_printf3 = "madvise %d"
        $source_printf4 = "[-] failed to patch payload"
        $source_printf5 = "[-] failed to win race condition..."
        $source_printf6 = "[*] waiting for reverse connect shell..."
        $s1 = "/proc/self/mem"
        $s2 = "/proc/%d/mem"
        $s3 = "/proc/self/map"
        $s4 = "/proc/%d/map"
        $p1 = "pthread_create" fullword ascii
        $p2 = "pthread_join" fullword ascii
    condition:
        ( uint16(0) == 0x457f and $a1 ) or
        all of ($b*) or
        3 of ($source*) or
        ( uint16(0) == 0x457f and 1 of ($s*) and all of ($p*) and filesize < 20KB )
}
This YARA rule can be deployed in the following contexts:
This rule contains 18 string patterns in its detection logic.
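To make the four branches of the rule's condition concrete, the following added example (not part of the original page or of the rule author's code) re-implements the condition in plain Python and runs it over constructed sample inputs. It needs no yara-python; the hex strings, `??` wildcards, `fullword`, the `uint16(0) == 0x457f` ELF-magic test and the `filesize < 20KB` cap are each translated by hand. Note that `$source*` in YARA matches every identifier that starts with `source`, so the "3 of ($source*)" branch draws on nine strings, not three. All sample blobs are constructed for this demonstration.

```python
"""Plain-Python re-implementation of the Linux_DirtyCow_Exploit condition.

Added example: mirrors each branch of the rule's `condition:` so the reader
can see which inputs fire which branch. Sample blobs are constructed here,
not real files; no yara-python dependency is needed.
"""
import re
import struct


def hex_pattern(spec: str) -> re.Pattern:
    """Translate a YARA hex string (with ?? wildcards) into a bytes regex."""
    parts = [b"." if tok == "??" else re.escape(bytes([int(tok, 16)]))
             for tok in spec.split()]
    return re.compile(b"".join(parts), re.DOTALL)


A1 = hex_pattern("48 89 D6 41 B9 00 00 00 00 41 89 C0 B9 02 00 00 00 "
                 "BA 01 00 00 00 BF 00 00 00 00")
B_PATTERNS = [
    hex_pattern("E8 ?? FC FF FF 48 8B 45 E8 BE 00 00 00 00 48 89 C7 "
                "E8 ?? FC FF FF 48 8B 45 F0 BE 00 00 00 00 48 89"),
    hex_pattern("E8 ?? FC FF FF B8 00 00 00 00"),
]
# "$source*" matches every identifier starting with "source": the three
# code fragments AND the six printf strings, nine in total.
SOURCE_STRINGS = [
    b"madvise(map,100,MADV_DONTNEED);",
    b'=open("/proc/self/mem",O_RDWR);',
    b",map,SEEK_SET);",
    b"mmap %x", b"procselfmem %d", b"madvise %d",
    b"[-] failed to patch payload",
    b"[-] failed to win race condition...",
    b"[*] waiting for reverse connect shell...",
]
PROC_STRINGS = [b"/proc/self/mem", b"/proc/%d/mem", b"/proc/self/map", b"/proc/%d/map"]
PTHREAD_STRINGS = [b"pthread_create", b"pthread_join"]
MAX_SIZE = 20 * 1024  # `filesize < 20KB`


def fullword(data: bytes, s: bytes) -> bool:
    """YARA `fullword`: the match must not touch alphanumeric bytes on either side."""
    pat = rb"(?<![A-Za-z0-9])" + re.escape(s) + rb"(?![A-Za-z0-9])"
    return re.search(pat, data) is not None


def is_elf(data: bytes) -> bool:
    """`uint16(0) == 0x457f`: little-endian read of the 7F 45 ('\\x7fE') ELF magic."""
    return len(data) >= 2 and struct.unpack("<H", data[:2])[0] == 0x457F


def evaluate(data: bytes) -> list:
    """Return the names of the condition branches that fire for `data`."""
    fired = []
    if is_elf(data) and A1.search(data):
        fired.append("elf_and_a1")
    if all(p.search(data) for p in B_PATTERNS):
        fired.append("all_b")
    if sum(s in data for s in SOURCE_STRINGS) >= 3:
        fired.append("3_of_source")
    if (is_elf(data) and any(s in data for s in PROC_STRINGS)
            and all(fullword(data, s) for s in PTHREAD_STRINGS)
            and len(data) < MAX_SIZE):
        fired.append("elf_procmem_pthread_small")
    return fired


# --- constructed samples (not real files) -----------------------------------
ELF_MAGIC = b"\x7fELF"
SMALL_ELF = ELF_MAGIC + b"\0" * 64 + b"/proc/self/mem\0pthread_create\0pthread_join\0"
LARGE_ELF = SMALL_ELF + b"\0" * MAX_SIZE        # same strings, over the size cap
NOT_ELF = b"#!/bin/sh\n" + SMALL_ELF[4:]         # same strings, no ELF magic
SOURCE_TEXT = b"mmap %x\nprocselfmem %d\nmadvise %d\n"
A1_BLOB = ELF_MAGIC + bytes.fromhex("4889D641B90000000041"
                                    "89C0B902000000BA01000000BF00000000")
B_BLOB = (b"\xe8\x11\xfc\xff\xff\x48\x8b\x45\xe8\xbe\x00\x00\x00\x00\x48\x89\xc7"
          b"\xe8\x22\xfc\xff\xff\x48\x8b\x45\xf0\xbe\x00\x00\x00\x00\x48\x89"
          b"\xe8\x33\xfc\xff\xff\xb8\x00\x00\x00\x00")

if __name__ == "__main__":
    for name, blob in [("SMALL_ELF", SMALL_ELF), ("LARGE_ELF", LARGE_ELF),
                       ("NOT_ELF", NOT_ELF), ("SOURCE_TEXT", SOURCE_TEXT),
                       ("A1_BLOB", A1_BLOB), ("B_BLOB", B_BLOB)]:
        print(f"{name:12s} -> {evaluate(blob)}")
```

The LARGE_ELF and NOT_ELF samples show why the last branch is the one most worth tuning: it is the only branch that fires on generic strings (`/proc/*/mem` plus `pthread_*`) and is held in check only by the ELF-magic and 20 KB guards.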
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled job (e.g., systemd-tmpfiles-setup, logrotate, or cron job) is performing file system operations that could trigger the rule due to memory mapping or file modification.
Filter/Exclusion: Check for processes associated with known system maintenance tools or cron jobs, e.g., process.name = logrotate or process.name = systemd-tmpfiles-setup.

Scenario: Kernel Module Loading or Unloading
Description: A system administrator is manually loading or unloading a kernel module (e.g., using modprobe), which may involve memory mapping and could be flagged by the rule.
Filter/Exclusion: Exclude processes involving modprobe or insmod, e.g., process.name = modprobe or process.name = insmod.

Scenario: Application Memory Mapping for Large Files
Description: An application (e.g., ffmpeg, gunicorn, or nginx) is mapping large files into memory for processing, which could resemble the behavior of the Dirty Cow exploit.
Filter/Exclusion: Filter by known application binaries, e.g., process.name = ffmpeg or process.name = gunicorn.

Scenario: Security Tool or EDR Agent Activity
Description: A security tool (e.g., OSSEC, CrowdStrike Falcon, or SentinelOne) is performing memory analysis or integrity checks, which may involve memory mapping and trigger the rule.
Filter/Exclusion: Exclude processes associated with security tools, e.g., process.name = ossec or process.name = falcon.

Scenario: User-Initiated File Copy or Move Operations
Description: A user is copying or moving large files using tools like cp, mv,
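The following added example (not part of the original page) turns the process.name exclusions from the scenarios above into a triage step. It assumes alerts arrive as dicts carrying `process_name`, `exe_path` and `branches` (which branches of the rule condition fired; the branch label is this example's own naming, not YARA output), and it makes two design choices a practitioner would want: a name-based exclusion only applies when the alert fired solely on the weak heuristic branch (ELF + `/proc/*/mem` string + `pthread_*` + small file), never when exploit source strings or the compiled-code byte patterns matched; and a name is honoured only when the executable lives under a package-managed directory, because process.name alone is freely chosen. The alert records are constructed for the demonstration.

```python
"""Added example: triage Linux_DirtyCow_Exploit alerts against the
false-positive scenarios on this page.

Assumptions (not from the original page): alerts are dicts with
`process_name`, `exe_path` and `branches`; the branch label below is this
example's own naming for the rule's last condition branch.
"""
from pathlib import PurePosixPath

# process.name values taken from the tuning scenarios above
EXCLUDED_PROCESS_NAMES = {
    "logrotate", "systemd-tmpfiles-setup",   # scheduled maintenance
    "modprobe", "insmod",                    # kernel module handling
    "ffmpeg", "gunicorn", "nginx",           # large-file memory mapping
    "ossec", "falcon",                       # security tooling
    "cp", "mv",                              # user file operations
}
# Assumed policy: a name-based exclusion only counts when the binary lives in
# a package-managed directory, since a process name alone is trivially chosen.
TRUSTED_DIRS = ("/bin", "/sbin", "/usr/bin", "/usr/sbin", "/usr/lib", "/opt")
WEAK_BRANCH = "elf_procmem_pthread_small"   # ELF + /proc/*/mem + pthread_* + <20KB


def under_trusted_dir(exe_path: str) -> bool:
    """True if exe_path sits below one of TRUSTED_DIRS."""
    p = PurePosixPath(exe_path)
    return any(PurePosixPath(d) in p.parents for d in TRUSTED_DIRS)


def should_suppress(alert: dict) -> bool:
    """Suppress only a weak-branch-only hit from a known tool in a trusted path."""
    if set(alert["branches"]) != {WEAK_BRANCH}:
        return False   # a source-string or byte-pattern hit is never tuned out
    return (alert["process_name"] in EXCLUDED_PROCESS_NAMES
            and under_trusted_dir(alert["exe_path"]))


def triage(alerts):
    """Split alerts into (escalate, suppressed) lists, preserving order."""
    escalate, suppressed = [], []
    for a in alerts:
        (suppressed if should_suppress(a) else escalate).append(a)
    return escalate, suppressed


# constructed sample alerts
SAMPLE_ALERTS = [
    {"id": 1, "process_name": "logrotate", "exe_path": "/usr/sbin/logrotate",
     "branches": [WEAK_BRANCH]},                    # known tool, trusted path: suppress
    {"id": 2, "process_name": "logrotate", "exe_path": "/tmp/logrotate",
     "branches": [WEAK_BRANCH]},                    # same name, untrusted path: keep
    {"id": 3, "process_name": "ffmpeg", "exe_path": "/usr/bin/ffmpeg",
     "branches": ["3_of_source"]},                  # strong branch: keep
    {"id": 4, "process_name": "a.out", "exe_path": "/home/dev/a.out",
     "branches": [WEAK_BRANCH]},                    # unknown binary: keep
]

if __name__ == "__main__":
    esc, sup = triage(SAMPLE_ALERTS)
    print("escalate:", [a["id"] for a in esc])
    print("suppress:", [a["id"] for a in sup])
```

In a Sentinel analytics rule the same split can be expressed as a filter on process.name together with the image path, but the point carried by the code is the ordering: exclusions are applied after checking which branch fired, so a source-string or byte-pattern match from a "known" process still reaches an analyst.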