When monitoring system activity through auditd, particularly EXECVE events, we often encounter seemingly random hexadecimal strings passed as arguments. These typically appear when commands are executed through bash -c with encoded parameters:
type=EXECVE msg=audit(1425426965.480:57967): argc=3 a0="bash" a1="-c" a2=6C73202F657463...
The hexadecimal strings in these logs represent ASCII characters when converted. For example, let's decode the first example:
echo 6C73202F6574632F696E69742E64207C2067726570202D4520275B302D39612D7A5D7B31307D27207C2061776B20277B7072696E742024317D27207C207861726773206B696C6C616C6C | xxd -r -p
This outputs:
ls /etc/init.d | grep -E '[0-9a-z]{10}' | awk '{print $1}' | xargs killall
For efficient analysis, we can create a bash script to automatically decode these entries:
#!/bin/bash
function decode_audit_hex() {
echo "$1" | xxd -r -p
}
# Example usage:
audit_log='6B696C6C616C6C20373737206874747064'
decoded=$(decode_audit_hex "$audit_log")
echo "Decoded command: $decoded" # Outputs: killall 777 httpd
From the examples provided, we can identify several malicious patterns:
- Killing processes (killall 777 httpd)
- Cleaning traces (rm -f /tmp/httpd*)
- Process enumeration and mass termination
Here's a Python script to monitor and alert on suspicious decoded commands:
import re
from subprocess import check_output
def decode_hex(hex_str):
return bytes.fromhex(hex_str).decode('utf-8')
SUSPICIOUS_PATTERNS = [
r'killall',
r'rm -rf',
r'chmod 777',
r'/tmp/'
]
def analyze_audit_log(log_line):
match = re.search(r'a2=([0-9a-fA-F]+)', log_line)
if match:
command = decode_hex(match.group(1))
for pattern in SUSPICIOUS_PATTERNS:
if re.search(pattern, command):
return f"Suspicious command detected: {command}"
return None
For deeper investigation, consider:
- Creating a command execution timeline
- Mapping process parent-child relationships
- Cross-referencing with network connection logs
- Building behavior profiles for common attack sequences
Example timeline generation:
grep 'type=EXECVE' /var/log/audit/audit.log | \
awk -F'msg=audit\\(' '{print $2}' | \
awk -F'\\)' '{print $1,$2}' | \
sort -n | \
while read timestamp entry; do
echo "$(date -d @${timestamp%%.*} '+%Y-%m-%d %H:%M:%S') $entry"
done
When monitoring Linux systems with auditd, you'll frequently encounter EXECVE events containing suspicious hexadecimal strings passed to bash -c. These represent attackers attempting to obfuscate their commands. Let's decode a real-world example:
type=EXECVE msg=audit(1425426965.480:57967):
argc=3 a0="bash" a1="-c"
a2=6C73202F6574632F696E69742E64207C2067726570202D4520275B302D39612D7A5D7B31307D27207C2061776B20277B7072696E742024317D27207C207861726773206B696C6C616C6C
We can use this Python snippet to decode the hex string:
import binascii
hex_str = "6C73202F6574632F696E69742E64207C2067726570202D4520275B302D39612D7A5D7B31307D27207C2061776B20277B7072696E742024317D27207C207861726773206B696C6C616C6C"
decoded = binascii.unhexlify(hex_str).decode('utf-8')
print(decoded)
Output reveals the actual command:
ls /etc/init.d | grep -E '[0-9a-z]{10}' | awk '{print $1}' | xargs killallFor security monitoring, we should create a parser. Here's a Bash version:
#!/bin/bash
parse_auditd_execve() {
while read -r line; do
if [[ $line =~ a2=([0-9a-f]+) ]]; then
hex=${BASH_REMATCH[1]}
echo -n "Hex: $hex → "
echo "$hex" | xxd -r -p
echo
fi
done
}
# Usage example:
cat /var/log/audit/audit.log | grep 'type=EXECVE.*a2=' | parse_auditd_execve
From the examples provided, we see several malicious patterns:
- Killing processes (killall 777 httpd)
- Cleaning traces (rm -f /tmp/httpd*)
- Targeting specific services (/etc/init.d manipulation)
For OSSEC, this rule would help detect such attacks:
<rule id="100101" level="10">
<decoded_as>hex2string</decoded_as>
<match>bash -c [0-9a-f]{20,}</match>
<description>Hex-encoded command execution attempt</description>
</rule>
Consider these hardening measures:
# Prevent command-line hex execution attempts
sysctl -w kernel.yama.ptrace_scope=2
sysctl -w kernel.randomize_va_space=2
# Enhanced auditd rules:
-w /bin/bash -p x -k suspicious-shell
-a always,exit -F arch=b64 -S execve -F exe=/bin/bash -F a1=-c -k bash_hex_command