Solved

Strange looking alert

Hi everyone.
I keep seeing these alerts pop up for one of my Debian 12 boxes.
The thing that stands out to me most is the empty mode field.
Looks more like a bug rather than a detection.
Not sure though. Any ideas?


{
  "exec_seconds": 0,
  "start_time": "2024-02-02T20:38:29Z",
  "end_time": "2024-02-02T20:38:29Z",
  "name": "process_running_hidden_proc_dir_writable",
  "status": "alert",
  "status_msg": "ok",
  "severity": 3,
  "tags": [
    "attack.id.T1564.001",
    "attack.tactic.defense_evasion",
    "attack.tactic.persistence",
    "process"
  ],
  "type": "process",
  "engine": "sandfly_engine_dir",
  "key_data": "/proc/548533",
  "results": {
    "directory": {
      "path": "/proc/548533",
      "path_root": "/proc/",
      "path_link": "",
      "name": "548533",
      "extension": "",
      "date": {
        "created": "",
        "created_minutes": 0,
        "modified": "",
        "modified_minutes": 0,
        "accessed": "",
        "accessed_minutes": 0
      },
      "inode": 0,
      "device": 0,
      "rdevice": 0,
      "nlink": 0,
      "count": 0,
      "count_mismatch": false,
      "mode": "",
      "uid": 0,
      "username": "",
      "gid": 0,
      "groupname": "",
      "size": 0,
      "flags": {
        "link": false,
        "sticky": false,
        "hidden": false,
        "deleted": true
      }
    },
    "explanation": "The /proc entry '/proc/548533' shows a permission mode of '' which allows writing to the directory. This is an unusual permission for this directory as normally the PID directories under /proc should be read only. This type of permission can be associated with someone mounting a filesystem on top of the /proc/PID directory to redirect to a spoofed area to conceal a process.  Please inspect the mount table or /proc/mounts for entries such as '/proc/PID' mounted inside the /proc area that is out of place.",
    "match_hashes": {
      "version": 1,
      "strict": "1740cd32678fa3d2503281af1c5f385bcff86cfa296c3068b9fabda2ff86a64884e27f462aa94594a8162c348d22fd8fb5f9cd4273f3e30c673c9bec0a5994db",
      "moderate": "130ede20aa862e7acee4b573abcac14ecdbf70eee8a8c774b92798178e28c7bed184fdfe39920ff648ebd07197210c1d7e416e6ea9b1aa652395891c3c3732bc",
      "permissive": "07601ea38be2cdc56f2f5564859c25decc8c974f395669531342b96f5b0cc1b6757d0ea863337dc72f4ee2ff17ba9e5e80008884619552dd18d4421dbbd1e7a6"
    }
  }
}


Hello Milan Köhler,

Thank you for using the Sandfly Support forums regarding the process_running_hidden_proc_dir_writable sandfly.

That Sandfly was added in version 4.6.1, however, it has since been completely removed in future versions of Sandfly due to producing false positives. We advise you to disable that sandfly (along with process_running_hidden_proc_dir_spoofing_2) until Sandfly can be upgraded.

Please see the Activating and Deactivating Sandflies documentation for details on how to do that.



Sincerely,
Sandfly Security Customer Service


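The alert's explanation text describes two things an investigator would check by hand: whether a /proc/PID directory carries a write bit (normally it is dr-xr-xr-x) and whether anything is mounted on top of a /proc/PID path. The script below is an added example of that check, written for this thread and not Sandfly's own engine code. It assumes the mount table is read from /proc/mounts, that 0555 is the expected mode, and that a PID directory which disappears between listing and stat belongs to a process that exited mid-scan (the posted alert's empty mode and deleted=true are consistent with that race, though that is an assumption here) and so is skipped rather than reported. The /proc/mounts sample is constructed, not taken from the poster's host.

```python
#!/usr/bin/env python3
"""Check /proc/<pid> directories for a write bit and for filesystems mounted
over a /proc/<pid> path. Added example for the thread, not Sandfly code.

Assumptions (not from the original post): /proc/mounts is the mount source,
PID directories are expected to be mode 0555, and a directory that vanishes
between listing and stat is an exited process, not a finding.
"""
import os
import re
import stat

# Constructed sample in /proc/mounts format (not captured from a real host):
# a normal mount table plus a tmpfs mounted over /proc/4242, which is the
# concealment technique the alert text refers to.
SAMPLE_MOUNTS = """\
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/vda1 / ext4 rw,relatime 0 0
binfmt_misc /proc/sys/fs/binfmt_misc binfmt_misc rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /proc/4242 tmpfs rw,relatime 0 0
"""

# /proc/<pid> itself or anything beneath it (e.g. /proc/<pid>/maps).
PID_PATH = re.compile(r"^/proc/\d+(/.*)?$")
WRITE_BITS = stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH


def _unescape(field):
    # /proc/mounts encodes space, tab, newline and backslash as \ooo octal.
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def parse_mounts(text):
    """Parse /proc/mounts text into (source, mountpoint, fstype) tuples."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        entries.append((_unescape(parts[0]), _unescape(parts[1]), parts[2]))
    return entries


def proc_pid_mounts(entries):
    """Mount points sitting on /proc/<pid> or beneath it. /proc itself and
    well-known sub-mounts such as /proc/sys/fs/binfmt_misc have no numeric
    component and are not reported."""
    return [e for e in entries if PID_PATH.match(e[1])]


def classify_mode(mode):
    """Classify a /proc/<pid> directory by its stat mode. None means the stat
    failed because the process is gone: there is no directory, so there is no
    permission to judge. A live PID directory is normally dr-xr-xr-x (0555);
    any write bit is abnormal and a reason to look at the mount table."""
    if mode is None:
        return "gone"
    if mode & WRITE_BITS:
        return "writable"
    return "ok"


def check_proc_pid(path):
    """stat one /proc/<pid> directory, mapping the exited-process race to
    'gone' instead of to an empty or zero mode."""
    try:
        mode = os.stat(path).st_mode
    except (FileNotFoundError, ProcessLookupError):
        return classify_mode(None)
    return classify_mode(mode)


def scan_proc(proc="/proc"):
    """Return {pid_dir: verdict} for every numeric entry under proc, dropping
    processes that exited between the listing and the stat."""
    results = {}
    for name in os.listdir(proc):
        if not name.isdigit():
            continue
        pid_dir = os.path.join(proc, name)
        verdict = check_proc_pid(pid_dir)
        if verdict != "gone":
            results[pid_dir] = verdict
    return results


if __name__ == "__main__":
    with open("/proc/mounts") as f:
        mounts = parse_mounts(f.read())
    for src, mnt, fstype in proc_pid_mounts(mounts):
        print(f"mount over PID path: {mnt} ({fstype} from {src})")
    for pid_dir, verdict in scan_proc().items():
        if verdict == "writable":
            print(f"{pid_dir}: write bit set on PID directory")
```

Run as root on the affected host; a hit from proc_pid_mounts is the stronger signal, since a mount placed over /proc/PID is exactly what the alert text asks you to look for, whereas a lone mode anomaly with no corresponding mount is more likely a transient.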

Thanks
