The detection of ELF Linux/Httpsd i686 binaries may indicate the presence of malicious or unauthorized software being executed on Linux systems, potentially used for persistence or data exfiltration. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential compromise of Linux hosts within their environment.
YARA Rule
rule Linux_Httpsd_malware_i686 {
meta:
description = "Detects ELF Linux/Httpsd i686"
date = "2018-01-02"
strings:
$hexsts01 = { 8d 4c 24 04 83 e4 f0 ff 71 fc 55 89 e5 57 56 53 } // main
$hexsts02 = { 55 89 e5 57 56 53 81 ec 14 2c 00 00 68 7a 83 05 } // self-rclocal
$hexsts03 = { 55 89 e5 57 56 53 81 ec 10 04 00 00 68 00 04 00 } // copy-self
condition:
all of them
and is__elf
and is__LinuxHttpsdStrings
and filesize < 200KB
}This YARA rule can be deployed in the following contexts:
This rule contains 3 string patterns in its detection logic.
Scenario: A system administrator is manually compiling a custom HTTP server binary using gcc on a Linux system.
Filter/Exclusion: Check for gcc in the process command line or use a filter like process.name != "gcc".
Scenario: A scheduled job runs a legitimate script that temporarily loads a 32-bit ELF binary for compatibility with an older application (e.g., compat-elf or 32-bit lib).
Filter/Exclusion: Filter by process.name != "compat-elf" or process.name != "ld-linux.so.2".
Scenario: A developer is testing a 32-bit version of a web server (e.g., httpd or nginx) in a development environment.
Filter/Exclusion: Use a filter like process.name != "httpd" or process.name != "nginx" in the detection rule.
Scenario: A system update or package installation (e.g., via yum or apt) temporarily executes a 32-bit ELF binary as part of the installation process.
Filter/Exclusion: Filter by process.parent.name != "yum" or process.parent.name != "apt".
Scenario: A security tool or SIEM agent (e.g., osquery, sysdig, or ELK) runs a 32-bit helper binary for data collection.
Filter/Exclusion: Exclude known security tool binaries using process.name != "osqueryd" or process.name != "sysdig".