Adversaries may exploit CVE-2018-1111 (DynoRoot), a command injection in the NetworkManager dhclient dispatcher script (/etc/NetworkManager/dispatcher.d/11-dhclient) shipped with the DHCP client packages of Red Hat Enterprise Linux 6 and 7: a malicious or spoofed DHCP server returns crafted option values that the script passes to a shell without proper quoting, so the injected command runs as root on the client. SOC teams should hunt in Azure Sentinel for unexpected child processes of that dispatcher script to identify attempted command injection against Linux hosts.
KQL Query

```kql
DeviceProcessEvents
| where InitiatingProcessCommandLine contains "/etc/NetworkManager/dispatcher.d/"
    and InitiatingProcessCommandLine contains "-dhclient"
    and isnotempty(ProcessCommandLine)
    and FileName !endswith ".exe"
| project Timestamp, DeviceName, FileName, ProcessCommandLine, InitiatingProcessCommandLine
```
```yaml
id: 445a1251-b7ad-44db-8b86-51d79b34e726
name: Linux-DynoRoot-CVE-2018-1111
description: |
  The query checks process command line arguments and parent/child combinations to find machines where there have been
  attempts to exploit the DHCP remote command injection CVE-2018-1111.
  DynoRoot is a remote command injection present in a script included by the DHCP client in Red Hat Enterprise Linux 6 and 7.
  A malicious attacker could use this flaw to execute arbitrary commands with root privileges.
  CVE: CVE-2018-1111
  Read more here:
  https://access.redhat.com/security/cve/cve-2018-1111
  https://www.cvedetails.com/cve/CVE-2018-1111
  Tags: #exploit #CVE-2018-1111 #DynoRoot
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
query: |
  DeviceProcessEvents
  | where InitiatingProcessCommandLine contains "/etc/NetworkManager/dispatcher.d/"
      and InitiatingProcessCommandLine contains "-dhclient"
      and isnotempty(ProcessCommandLine)
      and FileName !endswith ".exe"
  | project Timestamp, DeviceName, FileName, ProcessCommandLine, InitiatingProcessCommandLine
```
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Ensure the MicrosoftThreatProtection data connector that feeds this table is enabled |
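To make the query's behaviour concrete, the block below re-implements its four `where` conditions in Python and runs them over a handful of constructed DeviceProcessEvents-style rows: one dispatcher-script child running an injected command, one benign helper the script spawns, and three rows the query must ignore. This is an added example written for this page, not code from the original page or from Microsoft Sentinel; the rows are made up, the `11-dhclient` parent command line is an assumed shape, and the `baseline` allowlist in `hunt()` is an assumed tuning step that the KQL query itself does not contain.

```python
"""Re-implementation of the Linux-DynoRoot-CVE-2018-1111 hunt over constructed rows.

Added example for this page, not code from the original page or from Microsoft
Sentinel. EVENTS is constructed for illustration; the `baseline` allowlist in
hunt() is an assumed tuning step that is not part of the KQL query.
"""

# Assumed shape of the parent command line when NetworkManager runs the script.
DISPATCHER_PARENT = "/bin/sh /etc/NetworkManager/dispatcher.d/11-dhclient eth0 up"

# Constructed DeviceProcessEvents-style rows (column names follow the query).
EVENTS = [
    {   # 1. Dispatcher-script child running an unexpected shell command: the
        #    shape an injected DHCP option value produces when evaluated as root.
        "Timestamp": "2024-01-01T10:00:01Z", "DeviceName": "rhel7-web01",
        "FileName": "sh",
        "ProcessCommandLine": "/bin/sh -c touch /tmp/dynoroot-test",
        "InitiatingProcessCommandLine": DISPATCHER_PARENT,
    },
    {   # 2. Benign helper spawned by the same script (assumed baseline noise).
        "Timestamp": "2024-01-01T10:00:01Z", "DeviceName": "rhel7-web01",
        "FileName": "sed",
        "ProcessCommandLine": "sed -e s/^DHCP4_//",
        "InitiatingProcessCommandLine": DISPATCHER_PARENT,
    },
    {   # 3. dhclient invoking its own script: the parent is not under
        #    dispatcher.d, so the query ignores it although dhclient is involved.
        "Timestamp": "2024-01-01T10:00:02Z", "DeviceName": "rhel7-web01",
        "FileName": "dhclient-script",
        "ProcessCommandLine": "/sbin/dhclient-script",
        "InitiatingProcessCommandLine": "/sbin/dhclient -d -q eth0",
    },
    {   # 4. Windows host: no dispatcher path in the parent, and the .exe guard
        #    would drop the row anyway.
        "Timestamp": "2024-01-01T10:00:03Z", "DeviceName": "win10-ws07",
        "FileName": "ipconfig.exe",
        "ProcessCommandLine": "ipconfig /renew",
        "InitiatingProcessCommandLine": "C:\\Windows\\System32\\cmd.exe",
    },
    {   # 5. Dispatcher-script child with an empty command line: isnotempty() drops it.
        "Timestamp": "2024-01-01T10:00:04Z", "DeviceName": "rhel7-web01",
        "FileName": "bash",
        "ProcessCommandLine": "",
        "InitiatingProcessCommandLine": DISPATCHER_PARENT,
    },
]

PROJECTED = ("Timestamp", "DeviceName", "FileName",
             "ProcessCommandLine", "InitiatingProcessCommandLine")


def _contains(haystack: str, needle: str) -> bool:
    """KQL `contains` is a case-insensitive substring test."""
    return needle.lower() in haystack.lower()


def matches_hunt(row: dict) -> bool:
    """The four `where` conditions of the KQL query, evaluated for one row."""
    parent = row["InitiatingProcessCommandLine"]
    return (
        _contains(parent, "/etc/NetworkManager/dispatcher.d/")
        and _contains(parent, "-dhclient")
        and bool(row["ProcessCommandLine"])                # isnotempty()
        and not row["FileName"].lower().endswith(".exe")   # !endswith, case-insensitive
    )


def hunt(rows, baseline=frozenset()):
    """Project matching rows like the query's `| project`, dropping child
    FileNames (lowercase) the operator has baselined as the dispatcher
    script's own helpers. The baseline is an assumed tuning step."""
    return [
        {col: row[col] for col in PROJECTED}
        for row in rows
        if matches_hunt(row) and row["FileName"].lower() not in baseline
    ]


if __name__ == "__main__":
    # Untuned: rows 1 and 2 fire. With "sed" baselined only the injected child is left.
    for hit in hunt(EVENTS, baseline=frozenset({"sed"})):
        print(hit["DeviceName"], hit["FileName"], repr(hit["ProcessCommandLine"]))
```

The point of the baseline parameter is that the query, as written, returns every child of the dispatcher script, benign helpers included; tuning should remove only the specific FileName/command-line pairs the script is known to spawn on your hosts, never whole directories or parent services, since an injected command arrives through exactly the same parent.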
The query fires on any process whose parent command line names a script under /etc/NetworkManager/dispatcher.d/ with "-dhclient" in its name (11-dhclient on RHEL), so the realistic noise is that script's own legitimate helper invocations. Scenarios that never run under the dispatcher script do not match the query as written, and the exclusions below only matter if the query is loosened.
Scenario: A system administrator is running dhcpd as a DHCP server, and dhcpd.conf is being edited with a legitimate configuration directive that includes a quoted string.
Filter/Exclusion: Not a match: neither the editor nor dhcpd runs as a child of the NetworkManager dispatcher script. No exclusion is needed; if the query is ever loosened to inspect ProcessCommandLine contents, exclude the specific editor command line that references dhcpd.conf rather than everything under /etc/dhcp/.
Scenario: A scheduled job or a routine lease renewal runs dhclient, NetworkManager invokes the 11-dhclient dispatcher script, and that script spawns its usual helper commands.
Filter/Exclusion: This is the main legitimate source of matches. Baseline the child FileName and ProcessCommandLine pairs the dispatcher script normally spawns on your hosts and exclude those exact pairs. Do not exclude on /sbin/dhclient or on a systemd/init parent: the query already requires the dispatcher script as the parent, and an injected command arrives through exactly this path.
Scenario: A developer is testing a custom script that uses eval to dynamically execute commands for debugging purposes; the script is named dyno.sh and is run with elevated privileges.
Filter/Exclusion: This only matches if the script is launched by the dispatcher script. Do not exclude /tmp/dyno.sh or scripts in user- or world-writable directories: a payload dropped by an injected DHCP option would live in exactly such a location, and the exclusion would hide it. Verify the developer's workflow once and tune on the specific host and parent/child pair instead.
Scenario: A security tool such as auditd or syslog-ng logs system events, and one of the log messages includes a quoted string that resembles the detection pattern.
Filter/Exclusion: Not a match: the query inspects process command lines in DeviceProcessEvents, not log message contents, and these daemons are not children of the dispatcher script. No exclusion is needed; excluding /usr/sbin/auditd or /usr/sbin/syslog-ng by command line adds nothing and could be abused by a payload that names itself after them.
Scenario: A DevOps team uses Ansible to manage configurations and runs a playbook that includes a command using eval to dynamically generate configuration files.
Filter/Exclusion: Not a match: Ansible tasks run under the SSH session or a systemd-managed service, not under the dispatcher script. No exclusion on ansible-playbook is needed; if an Ansible-driven network reconfiguration triggers the dispatcher script, its children are covered by the baseline from the lease-renewal scenario above.