void_rabbit
Lurker
Posts: 1
Liked: never
Joined: Feb 19, 2025 10:47 am

Ubuntu Machines showing "indicator of compromise" for nmap bash-completion

Post by void_rabbit »

Hi,

We are running a backup job for some Ubuntu VMs inside VMware and we have enabled the "Malware Detection" and "File Detection/Indicators of compromise detection".
Starting a couple of days ago, it reports

    nmap TA0007 Discovery - Linux command-line executable of a network scanner.: 1

Checking the log, you can then see that it actually detects a false positive on the bash-completion for nmap:

    [some-date-here]    <57> Warning (3)    SERVER-NAME:some-id-here-and-here:/snap/core20/2496/usr/share/bash-completion/completions/nmap

Not sure if that is supposed to happen?
Gostev
Chief Product Officer
Posts: 32227
Liked: 7590 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland

Re: Ubuntu Machines showing "indicator of compromise" for nmap bash-completion

Post by Gostev »

Hi, only you can say if it's normal for your environment to have this tool used on production machines as a part of some standard activities. And if so then you should simply exclude this particular item from Indicators of Compromise monitoring by Veeam. Thanks
TechMinerUK
Novice
Posts: 7
Liked: 3 times
Joined: Dec 22, 2024 4:42 pm

Re: Ubuntu Machines showing "indicator of compromise" for nmap bash-completion

Post by TechMinerUK »

void_rabbit wrote: Feb 19, 2025 10:59 am Hi,

We are running a backup job for some Ubuntu VMs inside VMware and we have enabled the "Malware Detection" and "File Detection/Indicators of compromise detection".
Starting a couple of days ago, it reports

    nmap TA0007 Discovery - Linux command-line executable of a network scanner.: 1

Checking the log, you can then see that it actually detects a false positive on the bash-completion for nmap:

    [some-date-here]    <57> Warning (3)    SERVER-NAME:some-id-here-and-here:/snap/core20/2496/usr/share/bash-completion/completions/nmap

Not sure if that is supposed to happen?
I noticed this as well on the 18th and on the 19th for three systems in my lab; it looks like Ubuntu did an update for snap as a dependency for LXD.

Still investigating what it is, but it's curious, as unless it's a dependency for something else there is no reason for any of those VMs to be using LXD.
TechMinerUK
Novice
Posts: 7
Liked: 3 times
Joined: Dec 22, 2024 4:42 pm

Re: Ubuntu Machines showing "indicator of compromise" for nmap bash-completion

Post by TechMinerUK »

Looking into this, for us I found that nmap was present as part of an LXD package previously used by some old monitoring software; however, checking our backups, the file was present on the server for 42 backups, so it doesn't explain why it has been flagged now all of a sudden.
Gostev
Chief Product Officer
Posts: 32227
Liked: 7590 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland

Re: Ubuntu Machines showing "indicator of compromise" for nmap bash-completion

Post by Gostev »

Indeed, IoC detection only marks new occurrences (an IoC that didn't exist on the system before but then suddenly appeared).

The history of guest indexes is kept for a few days so our Support should be able to demonstrate/prove that some IoC match has appeared in the system that didn't exist before. Otherwise it will mean there's some bug!
TechMinerUK
Novice
Posts: 7
Liked: 3 times
Joined: Dec 22, 2024 4:42 pm

Re: Ubuntu Machines showing "indicator of compromise" for nmap bash-completion

Post by TechMinerUK » 1 person likes this post

I think it may be a slight bug in the sense that nmap already existed but now Veeam decided to pick up on it; then again, it may be that the package got updated in a way that Veeam thought was suspicious.

Overall I must admit I like the malware detection feature; however, on Ubuntu systems it seems to have more false positives, but it has come on quite far since I first tested it in the lab :)
Dima P.
Product Manager
Posts: 14818
Liked: 1772 times
Joined: Feb 04, 2013 2:07 pm
Full Name: Dmitry Popov
Location: Prague

Re: Ubuntu Machines showing "indicator of compromise" for nmap bash-completion

Post by Dima P. » 2 people like this post

Hello Daniel,

Can you please clarify:

1. How frequently do you back up the machine in question?
2. Any chance that the indexing and/or file system activity detection settings were enabled / changed?

If you have a case ID please let me know, we will look at the logs. Thank you for the feedback!
MB_VT
Novice
Posts: 4
Liked: never
Joined: Nov 08, 2023 12:32 pm

Re: Ubuntu Machines showing "indicator of compromise" for nmap bash-completion

Post by MB_VT »

I'm also seeing this message with "nmap" specifically on Ubuntu servers.
I do not think it's anything to worry about, tbh.
Gostev
Chief Product Officer
Posts: 32227
Liked: 7590 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland

Re: Ubuntu Machines showing "indicator of compromise" for nmap bash-completion

Post by Gostev »

IoC Detection should never flag anything that pre-existed on the system, including nmap. It should only flag the appearance of any tools commonly used by hackers during a cyberattack on the system. However, Dima will investigate the particular situation above, as it may have to do with the bash autocompletion functionality, and it may turn out we should handle this specific path differently.
TechMinerUK
Novice
Posts: 7
Liked: 3 times
Joined: Dec 22, 2024 4:42 pm

Re: Ubuntu Machines showing "indicator of compromise" for nmap bash-completion

Post by TechMinerUK »

Dima P. wrote: Feb 23, 2025 7:17 pm Hello Daniel,

Can you please clarify:

1. How frequently do you back up the machine in question?
2. Any chance that the indexing and/or file system activity detection settings were enabled / changed?

If you have a case ID please let me know, we will look at the logs. Thank you for the feedback!
Hi Dima,

The VMs are backed up nightly, and the only thing that changed was that a few weeks ago I added some exclusions for trusted files in the detection console (but this was over a week prior to the alert popping up).

The VMs are in a lab, so I don't have support on them, and I don't expect an investigation or extra support since it's just my homelab, but it was just a curious event since nmap, snap and lxc had been on for a while :)

If you would like any logs, let me know and I can open a case if needed to send them over. I've removed the files from the VMs now anyway, since that particular monitoring tool hasn't been used in a few months, so those components aren't needed anymore by me.

In terms of the files, they were present in all 42 restore points I have, along with the specific nmap file Veeam picked up on, so it had been there a while; maybe the update I did to the trusted files triggered something, or an update potentially?
TechMinerUK
Novice
Posts: 7
Liked: 3 times
Joined: Dec 22, 2024 4:42 pm

Re: Ubuntu Machines showing "indicator of compromise" for nmap bash-completion

Post by TechMinerUK »

MB_VT wrote: Feb 24, 2025 7:20 am I'm also seeing this message with "nmap" specifically on Ubuntu servers.
I do not think it's anything to worry about, tbh.
I think, based on the VMs I have that triggered it, that it is down to snap and potentially various monitoring solutions downloading components from snap. That's what the files were for me, as I even deep-scanned the affected VMs and picked them apart just in case something was weird (that being said, they aren't public facing and are away from other infra in the lab).
Dima P.
Product Manager
Posts: 14818
Liked: 1772 times
Joined: Feb 04, 2013 2:07 pm
Full Name: Dmitry Popov
Location: Prague

Re: Ubuntu Machines showing "indicator of compromise" for nmap bash-completion

Post by Dima P. » 1 person likes this post

If you would like any logs, let me know and I can open a case if needed to send them over. I've removed the files from the VMs now anyway, since that particular monitoring tool hasn't been used in a few months, so those components aren't needed anymore by me.

In terms of the files, they were present in all 42 restore points I have, along with the specific nmap file Veeam picked up on, so it had been there a while; maybe the update I did to the trusted files triggered something, or an update potentially?
Possibly. Can you upload the logs to support and share the case ID with us? That would help us understand the root cause. Thank you!
TechMinerUK
Novice
Posts: 7
Liked: 3 times
Joined: Dec 22, 2024 4:42 pm

Re: Ubuntu Machines showing "indicator of compromise" for nmap bash-completion

Post by TechMinerUK » 1 person likes this post

I've created a case now (07616077) using my NFR license; I've added the logs for three VMs from my homelab, all of which had the nmap file present in the restore points going back several days without alert, so feel free to have a look through them :)

It's only an NFR license, so I appreciate you taking the time out to investigate this; however, whatever we find from the lab I'm hoping will be useful to anyone who has a similar case in production as well :)
Gostev
Chief Product Officer
Posts: 32227
Liked: 7590 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland

Re: Ubuntu Machines showing "indicator of compromise" for nmap bash-completion

Post by Gostev » 1 person likes this post

No worries; in this case the license type doesn't matter, as Devs are interested to see the logs. A support case is merely a medium to conveniently exchange them. Thanks for taking the time to collect and upload the package.
Dima P.
Product Manager
Posts: 14818
Liked: 1772 times
Joined: Feb 04, 2013 2:07 pm
Full Name: Dmitry Popov
Location: Prague

Re: Ubuntu Machines showing "indicator of compromise" for nmap bash-completion

Post by Dima P. » 1 person likes this post

We've shared the case ID with RnD folks; it's being investigated. Thank you Daniel!
Dima P.
Product Manager
Posts: 14818
Liked: 1772 times
Joined: Feb 04, 2013 2:07 pm
Full Name: Dmitry Popov
Location: Prague

Re: Ubuntu Machines showing "indicator of compromise" for nmap bash-completion

Post by Dima P. » 2 people like this post

The issue with /bash-completion/ analytics is now reviewed and being addressed: B&R will not add /bash-completion/ output to the guest file analytics, and that will stop the mentioned false positives. The change will take effect automatically with the next IoC definitions update. Thank you for the report!
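As an added illustration of the two mechanisms discussed in this thread (Gostev's point that IoC detection only reports matches that are new relative to the previous guest file index, and the final fix of leaving /bash-completion/ paths out of file analytics), the script below models that logic over two constructed guest file index snapshots. It is example code written for this page, not Veeam's implementation: the IoC definition table, the exclusion list, the snap revision directories and the idea that a snap refresh relocates the completion file under a new revision path are all assumptions made for the example.

```python
"""Model of "new occurrence" IoC matching over guest file indexes (added example)."""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set
import posixpath

# Hypothetical IoC definition set: executable names that are suspicious when
# they newly appear on a server. The description mirrors the alert format
# quoted in the thread; the table itself is an assumption for this example.
IOC_DEFINITIONS = {
    "nmap": "TA0007 Discovery - Linux command-line executable of a network scanner.",
}

# Directory fragments whose files are shell completion scripts, not tool
# binaries, and so should not be fed into file analytics at all.
ANALYTICS_EXCLUSIONS = ("/bash-completion/",)


@dataclass(frozen=True)
class Finding:
    path: str
    description: str


def is_excluded(path: str) -> bool:
    """True if the path lies under a directory excluded from analytics."""
    return any(fragment in path for fragment in ANALYTICS_EXCLUSIONS)


def match_ioc(path: str) -> Optional[str]:
    """Return the IoC description when the file's basename is a known IoC name."""
    return IOC_DEFINITIONS.get(posixpath.basename(path))


def new_ioc_findings(previous_index: Set[str], current_index: Set[str],
                     apply_exclusions: bool = True) -> List[Finding]:
    """Report IoC matches present in current_index but absent from previous_index.

    Both arguments are sets of absolute paths taken from the guest file indexes
    of two consecutive restore points. Only paths that did not exist in the
    previous index are considered, so a file that has been on the system for
    many restore points is never reported unless its path changes.
    """
    findings = []
    for path in sorted(current_index - previous_index):
        if apply_exclusions and is_excluded(path):
            continue
        description = match_ioc(path)
        if description:
            findings.append(Finding(path, description))
    return findings


# Constructed sample indexes. The revision directory "2400" is made up; "2496"
# is the revision seen in the alert quoted in the thread.
PREVIOUS_INDEX = {
    "/usr/bin/bash",
    "/snap/core20/2400/usr/share/bash-completion/completions/nmap",
    "/snap/core20/2400/usr/bin/ls",
}
CURRENT_INDEX = {
    "/usr/bin/bash",
    # Assumed snap refresh: the same completion file now sits under a new
    # revision directory, so its path is "new" even though the file is not.
    "/snap/core20/2496/usr/share/bash-completion/completions/nmap",
    "/snap/core20/2496/usr/bin/ls",
}
# A genuinely new scanner binary (constructed) that should still be reported
# after the exclusion is applied.
CURRENT_INDEX_WITH_TOOL = CURRENT_INDEX | {"/usr/local/bin/nmap"}


if __name__ == "__main__":
    print("without exclusion:", new_ioc_findings(PREVIOUS_INDEX, CURRENT_INDEX, apply_exclusions=False))
    print("with exclusion:   ", new_ioc_findings(PREVIOUS_INDEX, CURRENT_INDEX))
    print("real new binary:  ", new_ioc_findings(PREVIOUS_INDEX, CURRENT_INDEX_WITH_TOOL))
```

Run stand-alone, the first call reproduces the false positive (the completion script under the new revision directory is reported as a new nmap occurrence), the second shows the exclusion silencing it, and the third shows that a real binary appearing outside the excluded directories is still reported, which is the behaviour the thread asks for.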