{"description": "Enterprise techniques used by BPFDoor, ATT&CK software S1161 (v1.1)", "name": "BPFDoor (S1161)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.004", "comment": "[BPFDoor](https://attack.mitre.org/software/S1161) can create a reverse shell and supports vt100 emulator formatting.(Citation: Sandfly BPFDoor 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1480", "comment": "[BPFDoor](https://attack.mitre.org/software/S1161) creates a zero byte PID file at `/var/run/haldrund.pid`. [BPFDoor](https://attack.mitre.org/software/S1161) uses this file to determine if it is already running on a system to ensure only one instance is executing at a time.(Citation: Sandfly BPFDoor 2022) ", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1480.002", "comment": "When executed, [BPFDoor](https://attack.mitre.org/software/S1161) attempts to create and lock a runtime file, `/var/run/initd.lock`, and exits if it fails using the specified file, resulting in a makeshift mutex.(Citation: Deep Instinct BPFDoor 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1564", "showSubtechniques": true}, {"techniqueID": "T1564.011", "comment": "[BPFDoor](https://attack.mitre.org/software/S1161) sets its process to ignore the following signals: `SIGHUP`, `SIGINT`, `SIGQUIT`, `SIGPIPE`, `SIGCHLD`, `SIGTTIN`, and `SIGTTOU`.(Citation: Deep Instinct BPFDoor 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1562", "showSubtechniques": true}, {"techniqueID": "T1562.003", "comment": "[BPFDoor](https://attack.mitre.org/software/S1161) sets the `MYSQL_HISTFILE` and `HISTFILE` to `/dev/null` preventing the shell and MySQL from logging history in `/proc//environ`.(Citation: Sandfly BPFDoor 2022) ", "score": 1, "color": "#66b1ff", 
"showSubtechniques": true}, {"techniqueID": "T1562.004", "comment": "[BPFDoor](https://attack.mitre.org/software/S1161) starts a shell on a high TCP port starting at 42391 up to 43391, then changes the local `iptables` rules to redirect all packets from the attacker to the shell port.(Citation: Sandfly BPFDoor 2022) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1070", "comment": "[BPFDoor](https://attack.mitre.org/software/S1161) clears the file location `/proc//environ` removing all environment variables for the process.(Citation: Sandfly BPFDoor 2022) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1070.004", "comment": "After initial setup, [BPFDoor](https://attack.mitre.org/software/S1161)'s original execution process deletes the dropped binary and exits.(Citation: Sandfly BPFDoor 2022) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1070.006", "comment": "[BPFDoor](https://attack.mitre.org/software/S1161) uses the `utimes()` function to change the executable's timestamp.(Citation: Sandfly BPFDoor 2022) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1036", "showSubtechniques": true}, {"techniqueID": "T1036.009", "comment": "After initial execution, [BPFDoor](https://attack.mitre.org/software/S1161) forks itself and runs the fork with the `--init` flag, which allows it to execute secondary clean up operations. The parent process terminates leaving the forked process to be inherited by the legitimate process init.(Citation: Sandfly BPFDoor 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1036.011", "comment": "[BPFDoor](https://attack.mitre.org/software/S1161) overwrites the `argv[0]` value used by the Linux `/proc` filesystem to determine the command line and command name to display for each process. 
[BPFDoor](https://attack.mitre.org/software/S1161) selects a name from 10 hardcoded names that resemble Linux system daemons, such as: `/sbin/udevd -d`, `dbus-daemon --system`, `avahi-daemon: chroot helper`, `/sbin/auditd -n`, and `/usr/lib/systemd/systemd-journald`.(Citation: Sandfly BPFDoor 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1027", "comment": "[BPFDoor](https://attack.mitre.org/software/S1161) can require a password to activate the backdoor and uses RC4 encryption or static library encryption `libtomcrypt`.(Citation: Sandfly BPFDoor 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1205", "showSubtechniques": true}, {"techniqueID": "T1205.002", "comment": "[BPFDoor](https://attack.mitre.org/software/S1161) uses BPF bytecode to attach a filter to a network socket to view ICMP, UDP, or TCP packets coming through ports 22 (ssh), 80 (http), and 443 (https). When [BPFDoor](https://attack.mitre.org/software/S1161) finds a packet containing its \u201cmagic\u201d bytes, it parses out two fields and forks itself. The parent process continues to monitor filtered traffic while the child process executes the instructions from the parsed fields.(Citation: Sandfly BPFDoor 2022)(Citation: Deep Instinct BPFDoor 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by BPFDoor", "color": "#66b1ff"}]}