-
Notifications
You must be signed in to change notification settings - Fork 514
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
[New Rule] Suspicious File Modification (#3746)
* [New Rule] Suspicious File Modification * Update persistence_suspicious_file_modifications.toml * Update rules/linux/persistence_suspicious_file_modifications.toml Co-authored-by: Jonhnathan <[email protected]> * Update rules/linux/persistence_suspicious_file_modifications.toml Co-authored-by: Jonhnathan <[email protected]> * Updates * Update rules/integrations/fim/persistence_suspicious_file_modifications.toml --------- Co-authored-by: Jonhnathan <[email protected]> Co-authored-by: Justin Ibarra <[email protected]>
- Loading branch information
3 people
authored
Jun 11, 2024
1 parent
c87c4c9
commit ec223a4
Showing
4 changed files
with
195 additions
and
0 deletions.
There are no files selected for viewing
Binary file not shown.
Binary file not shown.
194 changes: 194 additions & 0 deletions
194
rules/integrations/fim/persistence_suspicious_file_modifications.toml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,194 @@ | ||
| [metadata] | ||
| creation_date = "2024/06/03" | ||
| maturity = "production" | ||
| integration = ["fim"] | ||
| updated_date = "2024/06/03" | ||
|
|
||
| [rule] | ||
| author = ["Elastic"] | ||
| description = """ | ||
| This rule leverages the File Integrity Monitoring (FIM) integration to detect file modifications of files that are | ||
| commonly used for persistence on Linux systems. The rule detects modifications to files that are commonly used for | ||
| cron jobs, systemd services, message-of-the-day (MOTD), SSH configurations, shell configurations, runtime control, | ||
| init daemon, passwd/sudoers/shadow files, Systemd udevd, and XDG/KDE autostart entries. To leverage this rule, the | ||
| paths specified in the query need to be added to the FIM policy in the Elastic Security app. | ||
| """ | ||
| from = "now-9m" | ||
| index = ["logs-fim.event-*", "auditbeat-*"] | ||
| language = "eql" | ||
| license = "Elastic License v2" | ||
| name = "Potential Persistence via File Modification" | ||
| risk_score = 21 | ||
| rule_id = "192657ba-ab0e-4901-89a2-911d611eee98" | ||
| setup = """ | ||
| ## Setup | ||
| This rule requires data coming in from the Elastic File Integrity Monitoring (FIM) integration. | ||
| ### Elastic FIM Integration Setup | ||
| To configure the Elastic FIM integration, follow these steps: | ||
| 1. Install and configure the Elastic Agent on your Linux system. You can refer to the [Elastic Agent documentation](https://www.elastic.co/guide/en/ingest-management/current/agent-configuration.html) for detailed instructions. | ||
| 2. Once the Elastic Agent is installed, navigate to the Elastic Security app in Kibana. | ||
| 3. In the Kibana home page, click on "Integrations" in the left sidebar. | ||
| 4. Search for "File Integrity Monitoring" in the search bar and select the integration. | ||
| 6. Provide a name and optional description for the integration. | ||
| 7. Select the appropriate agent policy for your Linux system or create a new one. | ||
| 8. Configure the FIM policy by specifying the paths that you want to monitor for file modifications. You can use the same paths mentioned in the `query` field of the rule. Note that FIM does not accept wildcards in the paths, so you need to specify the exact paths you want to monitor. | ||
| 9. Save the configuration and the Elastic Agent will start monitoring the specified paths for file modifications. | ||
| For more details on configuring the Elastic FIM integration, you can refer to the [Elastic FIM documentation](https://docs.elastic.co/integrations/fim). | ||
| """ | ||
| severity = "low" | ||
| tags = [ | ||
| "Domain: Endpoint", | ||
| "OS: Linux", | ||
| "Use Case: Threat Detection", | ||
| "Tactic: Persistence", | ||
| "Tactic: Privilege Escalation", | ||
| "Data Source: File Integrity Monitoring" | ||
| ] | ||
| timestamp_override = "event.ingested" | ||
| type = "eql" | ||
| query = ''' | ||
| file where host.os.type == "linux" and event.dataset == "fim.event" and event.action == "updated" and | ||
| file.path : ( | ||
| // cron, anacron & at | ||
| "/etc/cron.d/*", "/etc/cron.daily/*", "/etc/cron.hourly/*", "/etc/cron.monthly/*", | ||
| "/etc/cron.weekly/*", "/etc/crontab", "/var/spool/cron/crontabs/*", "/etc/cron.allow", | ||
| "/etc/cron.deny", "/var/spool/anacron/*", "/var/spool/cron/atjobs/*", | ||
| // systemd services & timers | ||
| "/etc/systemd/system/*", "/usr/local/lib/systemd/system/*", "/lib/systemd/system/*", | ||
| "/usr/lib/systemd/system/*", "/home/*/.config/systemd/user/*", "/home/*/.local/share/systemd/user/*", | ||
| "/root/.config/systemd/user/*", "/root/.local/share/systemd/user/*", | ||
| // LD_PRELOAD | ||
| "/etc/ld.so.preload", "/etc/ld.so.conf.d/*", "/etc/ld.so.conf", | ||
| // message-of-the-day (MOTD) | ||
| "/etc/update-motd.d/*", | ||
| // SSH | ||
| "/home/*/.ssh/*", "/root/.ssh/*", "/etc/ssh/*", | ||
| // system-wide shell configurations | ||
| "/etc/profile", "/etc/profile.d/*", "/etc/bash.bashrc", "/etc/zsh/*", "/etc/csh.cshrc", | ||
| "/etc/csh.login", "/etc/fish/config.fish", "/etc/ksh.kshrc", | ||
| // root and user shell configurations | ||
| "/home/*/.profile", "/home/*/.bashrc", "/home/*/.bash_login", "/home/*/.bash_logout", | ||
| "/root/.profile", "/root/.bashrc", "/root/.bash_login", "/root/.bash_logout", | ||
| "/home/*/.zprofile", "/home/*/.zshrc", "/root/.zprofile", "/root/.zshrc", | ||
| "/home/*/.cshrc", "/home/*/.login", "/home/*/.logout", "/root/.cshrc", "/root/.login", "/root/.logout", | ||
| "/home/*/.config/fish/config.fish", "/root/.config/fish/config.fish", | ||
| "/home/*/.kshrc", "/root/.kshrc", | ||
| // runtime control | ||
| "/etc/rc.common", "/etc/rc.local", | ||
| // init daemon | ||
| "/etc/init.d/*", | ||
| // passwd/sudoers/shadow | ||
| "/etc/passwd", "/etc/shadow", "/etc/sudoers", "/etc/sudoers.d/*", | ||
| // Systemd udevd | ||
| "/lib/udev/*", "/etc/udev/rules.d/*", "/usr/lib/udev/rules.d/*", "/run/udev/rules.d/*", | ||
| // XDG/KDE autostart entries | ||
| "/home/*/.config/autostart/*", "/root/.config/autostart/*", "/etc/xdg/autostart/*", "/usr/share/autostart/*", | ||
| "/home/*/.kde/Autostart/*", "/root/.kde/Autostart/*", | ||
| "/home/*/.kde4/Autostart/*", "/root/.kde4/Autostart/*", | ||
| "/home/*/.kde/share/autostart/*", "/root/.kde/share/autostart/*", | ||
| "/home/*/.kde4/share/autostart/*", "/root/.kde4/share/autostart/*", | ||
| "/home/*/.local/share/autostart/*", "/root/.local/share/autostart/*", | ||
| "/home/*/.config/autostart-scripts/*", "/root/.config/autostart-scripts/*" | ||
| ) and not ( | ||
| file.path : ( | ||
| "/var/spool/cron/crontabs/tmp.*", "/run/udev/rules.d/*rules.*", "/home/*/.ssh/known_hosts.*", "/root/.ssh/known_hosts.*" | ||
| ) or | ||
| file.extension in ("dpkg-new", "dpkg-remove", "SEQ") | ||
| ) | ||
| ''' | ||
|
|
||
| [[rule.threat]] | ||
| framework = "MITRE ATT&CK" | ||
|
|
||
| [[rule.threat.technique]] | ||
| id = "T1037" | ||
| name = "Boot or Logon Initialization Scripts" | ||
| reference = "https://attack.mitre.org/techniques/T1037/" | ||
|
|
||
| [[rule.threat.technique.subtechnique]] | ||
| id = "T1037.004" | ||
| name = "RC Scripts" | ||
| reference = "https://attack.mitre.org/techniques/T1037/004/" | ||
|
|
||
| [[rule.threat.technique]] | ||
| id = "T1543" | ||
| name = "Create or Modify System Process" | ||
| reference = "https://attack.mitre.org/techniques/T1543/" | ||
|
|
||
| [[rule.threat.technique.subtechnique]] | ||
| id = "T1543.002" | ||
| name = "Systemd Service" | ||
| reference = "https://attack.mitre.org/techniques/T1543/002/" | ||
|
|
||
| [[rule.threat.technique]] | ||
| id = "T1556" | ||
| name = "Modify Authentication Process" | ||
| reference = "https://attack.mitre.org/techniques/T1556/" | ||
|
|
||
| [[rule.threat.technique]] | ||
| id = "T1574" | ||
| name = "Hijack Execution Flow" | ||
| reference = "https://attack.mitre.org/techniques/T1574/" | ||
|
|
||
| [[rule.threat.technique.subtechnique]] | ||
| id = "T1574.006" | ||
| name = "Dynamic Linker Hijacking" | ||
| reference = "https://attack.mitre.org/techniques/T1574/006/" | ||
|
|
||
| [[rule.threat.technique]] | ||
| id = "T1136" | ||
| name = "Create Account" | ||
| reference = "https://attack.mitre.org/techniques/T1136/" | ||
|
|
||
| [[rule.threat.technique.subtechnique]] | ||
| id = "T1136.001" | ||
| name = "Local Account" | ||
| reference = "https://attack.mitre.org/techniques/T1136/001/" | ||
|
|
||
| [rule.threat.tactic] | ||
| id = "TA0003" | ||
| name = "Persistence" | ||
| reference = "https://attack.mitre.org/tactics/TA0003/" | ||
|
|
||
| [[rule.threat]] | ||
| framework = "MITRE ATT&CK" | ||
|
|
||
| [[rule.threat.technique]] | ||
| id = "T1053" | ||
| name = "Scheduled Task/Job" | ||
| reference = "https://attack.mitre.org/techniques/T1053/" | ||
|
|
||
| [[rule.threat.technique.subtechnique]] | ||
| id = "T1053.003" | ||
| name = "Cron" | ||
| reference = "https://attack.mitre.org/techniques/T1053/003/" | ||
|
|
||
| [[rule.threat.technique]] | ||
| id = "T1548" | ||
| name = "Abuse Elevation Control Mechanism" | ||
| reference = "https://attack.mitre.org/techniques/T1548/" | ||
|
|
||
| [[rule.threat.technique.subtechnique]] | ||
| id = "T1548.003" | ||
| name = "Sudo and Sudo Caching" | ||
| reference = "https://attack.mitre.org/techniques/T1548/003/" | ||
|
|
||
| [rule.threat.tactic] | ||
| id = "TA0004" | ||
| name = "Privilege Escalation" | ||
| reference = "https://attack.mitre.org/tactics/TA0004/" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters