Bypassing the Neo23x0 (Florian Roth) auditd Configuration Using the fexecve System Call

Security Researcher Milad Cheraghi has demonstrated a Proof of Concept (PoC) showcasing how the `fexecve` system call can bypass the Neo23x0 auditd configuration for process execution monitoring. This technique allows attackers to evade detection by leveraging alternative syscalls not properly monitored by standard audit rules.

The Neo23x0 auditd ruleset is widely used to track security-critical activities on Linux systems, particularly process executions via the `execve` syscall. However, fexecve—which executes binaries from an open file descriptor without requiring a full path—provides a stealthy alternative. Attackers using `fexecve` can avoid triggering traditional process execution logs.

You Should Know:

1. Understanding `fexecve` vs. `execve`

  • execve: Requires a file path, logged by auditd.
  • fexecve: Uses a file descriptor (fd), bypassing path-based monitoring.

2. PoC Execution Steps

Clone the PoC repository:

git clone https://github.com/CheraghiMilad/bypass-Neo23x0-auditd-config.git 
cd bypass-Neo23x0-auditd-config 

Compile and run the bypass:

gcc fexecve_bypass.c -o fexecve_bypass 
./fexecve_bypass /path/to/malicious_binary 

3. Detecting `fexecve` Bypass Attempts

Modify the auditd rules so that `fexecve` launches are recorded. On Linux, glibc's `fexecve` is a library wrapper rather than a syscall of its own: it calls `execveat` with an empty path and `AT_EMPTY_PATH` (falling back to `execve` of `/proc/self/fd/N` on kernels before 3.19), so `execveat` is the name the rule must list; auditctl rejects `-S fexecve` as an unknown syscall:

sudo auditctl -a always,exit -F arch=b64 -S execveat -k fexecve_exec

Verify logs:

sudo ausearch -k fexecve_exec 

4. Mitigation Strategies

  • Update auditd rules: Include `fexecve` monitoring.
  • Use eBPF/LSM hooks: Deploy additional kernel-level monitoring.
  • Enable Sysmon for Linux: Monitor atypical syscalls.

5. Key Commands for Analysis

Check loaded audit rules:

sudo auditctl -l 
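A quick coverage check over that output, as an added example (not from the original post or the PoC repository): it parses `auditctl -l` lines and reports which exec-family syscalls the rules for a given arch leave unaudited, treating `execveat` as required because glibc's `fexecve` is implemented on top of it. The rule lines inside the block are constructed sample input.

```python
import re
from typing import List, Optional, Set, Tuple

# Exec-family syscalls that replace the process image. glibc's fexecve() is
# implemented with execveat (AT_EMPTY_PATH) on Linux 3.19 and later, so a
# ruleset that audits only execve never records an fexecve-based launch.
EXEC_SYSCALLS: Set[str] = {"execve", "execveat"}

# Constructed `auditctl -l` output for illustration: the b64 rule covers
# execve only, the b32 rule covers both exec syscalls.
SAMPLE_RULES = """\
-w /etc/passwd -p wa -k passwd
-a always,exit -F arch=b64 -S execve -F key=exec
-a always,exit -F arch=b32 -S execve,execveat -F key=exec
"""


def parse_syscall_rules(auditctl_output: str) -> List[Tuple[Optional[str], Set[str]]]:
    """Turn `auditctl -l` lines into (arch, syscalls) pairs.

    Accepts both `-S a -S b` and the comma-joined `-S a,b` form. arch is
    None when the rule has no `-F arch=` filter (it then applies to the
    machine's native arch).
    """
    rules: List[Tuple[Optional[str], Set[str]]] = []
    for line in auditctl_output.splitlines():
        line = line.strip()
        if not line.startswith("-a "):
            continue  # -w watch rules and comments carry no syscall list
        syscalls: Set[str] = set()
        for group in re.findall(r"-S\s+(\S+)", line):
            syscalls.update(group.split(","))
        arch_match = re.search(r"-F\s+arch=(\w+)", line)
        rules.append((arch_match.group(1) if arch_match else None, syscalls))
    return rules


def missing_exec_coverage(auditctl_output: str, arch: str = "b64") -> List[str]:
    """Return the exec-family syscalls that no loaded rule audits for `arch`."""
    covered: Set[str] = set()
    for rule_arch, names in parse_syscall_rules(auditctl_output):
        if rule_arch not in (arch, None):
            continue
        covered |= EXEC_SYSCALLS if "all" in names else (EXEC_SYSCALLS & names)
    return sorted(EXEC_SYSCALLS - covered)


if __name__ == "__main__":
    for arch in ("b64", "b32"):
        gap = missing_exec_coverage(SAMPLE_RULES, arch)
        print(f"{arch}: {'OK' if not gap else 'not audited: ' + ', '.join(gap)}")
```

Pipe the real output in with `sudo auditctl -l | python3 check_exec_coverage.py` after replacing SAMPLE_RULES with `sys.stdin.read()`.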

Monitor active processes:

ps aux | grep -i "suspicious_process" 

Inspect file descriptors:

ls -la /proc/<PID>/fd 

What Undercode Says

The `fexecve` bypass highlights a critical gap in traditional auditd configurations. While `execve` is heavily monitored, attackers increasingly exploit lesser-known syscalls. Defenders must:
– Expand syscall coverage in audit rules.
– Implement behavioral detection (e.g., anomalous process execution chains).
– Leverage kernel security modules like SELinux/AppArmor.

Relevant Commands for Hardening:

  • Restrict `fexecve` via seccomp: seccomp confines a process through a filter, not a sysctl; for a systemd-managed service the filter can be declared in the unit with `SystemCallFilter=~execveat`. The `kernel.seccomp.actions_logged` sysctl only selects which filter actions are written to the audit log, and it takes a list of action names rather than a number:
    sudo sysctl -w kernel.seccomp.actions_logged="kill_process kill_thread trap errno user_notif trace log"
    
  • Audit all exec-related syscalls (`execve` and `execveat` together cover `fexecve`, which has no syscall name of its own):
    sudo auditctl -a always,exit -F arch=b64 -S execve -S execveat -k process_exec
    

Expected Output (illustrative record; an `fexecve` launch is logged as `execveat`, syscall 322 on x86_64):

type=SYSCALL msg=audit(1625097600.123:456): arch=c000003e syscall=322 success=yes exit=0 a0=3 a1=7ffd1234 a2=7ffd5678 a3=1000 items=2 ppid=1234 pid=5678 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 key="fexecve_exec"

Reported By: Miladcheraghi Bypassing – Hackers Feeds