HIDS Tampering & Evasion

TL;DR

Host Intrusion Detection Systems (HIDS) are vulnerable to attacks where malicious software tries to disable or hide from them on the same machine. This guide explains common attack methods and how to protect your HIDS.

Understanding the Problem

A HIDS monitors system files, processes, and logs for suspicious activity. If an attacker gains control of a machine, they can directly target the HIDS itself to prevent detection. This is often done by modifying HIDS files, killing its processes, or manipulating log data.

Common Attack Methods

1. File Modification: Attackers alter critical HIDS files (rulesets, binaries) to stop it from working correctly.
2. Process Killing/Stopping: The attacker stops the HIDS process so it can’t monitor anything.
3. Log Tampering: Attackers modify or delete log entries to hide their tracks.
4. Rootkit Installation: Rootkits hide malicious processes and files from detection, including those of the HIDS.
5. Kernel Module Manipulation (Linux): Attackers can unload or replace kernel modules used by the HIDS.
6. API Hooking: Malicious code intercepts calls to functions used by the HIDS to alter its behaviour.

Protecting Your HIDS

Here’s how to make your HIDS more resilient:

1. File Integrity Monitoring (FIM)

1. Hash-Based FIM: Regularly calculate and store hashes of critical HIDS files. Compare current hashes against known good values. Any change indicates tampering.

   md5sum /path/to/hids_file

2. Use a Trusted Database: Store the hash database securely, preferably on read-only media or a separate system.
3. Monitor Configuration Files: Include HIDS configuration files in your FIM checks.

2. Process Protection

1. Restrict Access: Limit which users and processes can modify or kill the HIDS process.

   chown root:root /path/to/hids_binary

   chmod 755 /path/to/hids_binary

2. Process Monitoring: Monitor for unexpected child processes of the HIDS.
3. Anti-Tampering Checks: Implement checks within the HIDS itself to verify its own integrity (e.g., checksums of critical sections).

3. Log Integrity

1. Centralized Logging: Send logs to a secure, central logging server that is separate from the monitored machine.
   This makes it harder for attackers to tamper with logs locally.
2. Log Rotation & Archiving: Regularly rotate and archive logs to prevent them from being overwritten.
3. Digital Signatures: Use digital signatures on log files to verify their authenticity.

4. Rootkit Detection

1. Regular Scans: Run rootkit scanners regularly (e.g., rkhunter, chkrootkit).
2. Integrity Checks: Compare system binaries and kernel modules against known good versions.

   rkhunter --checkall

5. Kernel Module Protection (Linux)

1. Module Signing: Require all kernel modules to be digitally signed.
2. Disable Unnecessary Modules: Remove any unused or unnecessary kernel modules.

   lsmod

   rmmod module_name

3. Monitor Module Loading/Unloading: Log all attempts to load or unload kernel modules.

6. API Hooking Detection

1. Code Integrity Checks: Regularly scan for unexpected modifications to system libraries and binaries.
2. System Call Monitoring: Monitor for suspicious patterns in system call activity that might indicate API hooking.

7. HIDS Configuration

1. Regular Rule Updates: Keep your HIDS rulesets up-to-date with the latest threat intelligence.
2. Whitelisting: Use whitelisting wherever possible to define allowed behaviour and reduce false positives.