Azure Security Center (ASC) is now extending its Linux threat detection preview program, both on cloud and on-premise. New capabilities include detection of suspicious processes, suspect login attempts, and anomalous kernel module loads. Security Center is using auditd for collecting machines’ events, which is one of the most common frameworks for auditing on Linux. Auditd has the advantage of having been around for a long time and living in the mainline kernel. Any Linux machine that runs auditd by default and is covered by Security Center will benefit from this public preview. For a little more detail on how the collection works, check out our private preview announcement from October.

In addition to building up Linux-specific detections, we have also reviewed the applicability of our current detections originally developed for Windows. Attackers also like to be OS-agnostic, especially for large-scale attacks and will reuse tools and techniques where they can. In such circumstances, the same detection is also applicable across operating systems. Happily, several of our analytics worked with minimal tuning. Today, I’ll walk you through an analytic example in the form of malicious crypto coin mining.

The expanding threat of malicious crypto coin miners

The Windows Defender Research team published a blog post last month talking about the increasing threat of crypto currency miners. These resource thieves have become more of an issue as cryptocurrencies have increased in number and value. The Windows Defender team notes that it appears some cybercriminals are pivoting from ransomware attacks to installing and running their own mining tools on victim machines. Between September 2017 and January 2018, they saw an average of 644,000 unique computers encountering coin mining malware. The post goes on to talk about some of the different coin mining malware we have seen, how they operate, and how enterprises can defend themselves using both System Center Configuration Manager and Windows Defender Advanced Threat Protection.

Also last month, the Windows Defender team talked about how, on March 6, Windows Defender Antivirus identified, within milliseconds, and blocked nearly 500,000 instances of a Dofoil malware campaign. This malware also contained a coin mining payload. Later, it was discovered and reported that the initial infection vector was a poisoned peer-to-peer application. The peer-to-peer application was classified as a potentially unwanted application (PUA). Windows Defender AV customers who had enabled the PUA protection feature, benefited as that vector was already blocked.

Azure Security Center threat detections for Linux

So how does this relate to Azure and the public preview of our new Azure Security Center threat detections for Linux? One year ago, Jessen Kurien posted about how we are detecting crypto currency mining attacks in ASC for Windows machines. In the crypto currency malware industry, a lot of cybercriminals are using portable tools that will install and run on different operating systems based on where they get dropped. They are also utilizing common techniques across systems which means there is an opportunity to write common detections.



In February, FireEye published a blog post that very neatly shows how these mining tools and techniques are spanning both the Windows and Linux worlds. In their overview, you can see both Windows-based PowerShell commands and Bash shell script commands for downloading additional malware, scheduling tasks, and deleting competing malware. Analysis of our own data shows the same thing. These common techniques give us the opportunity to create analytics that either work for both Windows and Linux machines.

When creating analytics, we also try to identify the malicious behavior at multiple points in its lifecycle which increases the likelihood of a detection. Our crypto currency mining analytic is a good example of this. We started with simple executable or command matching then gradually increased the level of sophistication of the analytic and created detections that look for coin mining behavior. One of our more recent analytics tries to detect when a system is being optimized for coin mining.

Linux alerts in Azure Security Center

So how do we see these crypto coin mining alerts in Linux? Azure Security Center customers that have Linux machines running auditd will be able to see these alerts alongside other Azure Security Center alerts. Just go into the Azure Security Center Overview page.

Then, either click into your subscription alerts through New Alerts & Incidents, Detections, or dive right into a specific resource.

The alert for crypto coin malware will show up as the Suspicious Process Executed alert that you can see below.

When you click through into the alert, you will see the process and command line that triggered the alert, as well as suggested remediation steps.

As you can see, this event triggered as a Suspicious Process execution. You can see the command that was run in the Description and the specific command line down below. Also, because we recognize this as crypto coin mining behavior, we have linked to a report on Bitcoin Miners.

More resources

That is a quick introduction to the new Linux analytics for Azure Security Center by way of a crypto currency example. Many of the things you are used to from the Windows side carry over and should seem familiar. For more information about how Azure Security Center works see the following: