diff --git a/rules/linux/auditd/lnx_auditd_alter_bash_profile.yml b/rules/linux/auditd/lnx_auditd_alter_bash_profile.yml
new file mode 100644
index 000000000..f974b4585
--- /dev/null
+++ b/rules/linux/auditd/lnx_auditd_alter_bash_profile.yml
@@ -0,0 +1,30 @@
+title: Detects Suspicious edit of .bash_profile and .bashrc on Linux systems
+status: experimental
+description: Detects change of user environment. Adversaries can insert code into these files to gain persistence each time a user logs in or opens a new shell.
+references:
+ - 'MITRE Attack technique T1156; .bash_profile and .bashrc. '
+date: 2019/05/12
+tags:
+ - attack.s0003
+ - attack.t1156
+ - attack.persistence
+author: Peter Matkovski
+logsource:
+ product: linux
+ service: auditd
+detection:
+ selection:
+ type: 'PATH'
+ name:
+ - '/home/*/.bashrc'
+ - '/home/*/.bash_profile'
+ - '/home/*/.profile'
+ - '/etc/profile'
+ - '/etc/shells'
+ - '/etc/bashrc'
+ - '/etc/csh.cshrc'
+ - '/etc/csh.login'
+ condition: selection
+falsepositives:
+ - Admin or User activity
+level: medium
diff --git a/tools/sigma/backends/elasticsearch.py b/tools/sigma/backends/elasticsearch.py
index 2c93283a8..cfcd12af7 100644
--- a/tools/sigma/backends/elasticsearch.py
+++ b/tools/sigma/backends/elasticsearch.py
@@ -249,7 +249,10 @@ class ElasticsearchDSLBackend(RulenameCommentMixin, ElasticsearchWildcardHandlin
 dateField = self.sigmaconfig.config['dateField']
 if self.interval:
 if 'bool' not in self.queries[-1]['query']['constant_score']['filter']:
+ saved_simple_query = self.queries[-1]['query']['constant_score']['filter']
 self.queries[-1]['query']['constant_score']['filter'] = {'bool': {'must': []}}
+ if len(saved_simple_query.keys()) > 0:
+ self.queries[-1]['query']['constant_score']['filter']['bool']['must'].append(saved_simple_query)
 if 'must' not in self.queries[-1]['query']['constant_score']['filter']['bool']:
 self.queries[-1]['query']['constant_score']['filter']['bool']['must'] = []
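Review bot: The selection on `type: 'PATH'` plus a `name` wildcard matches any audited syscall that names one of these files, including the reads every interactive login performs on `/etc/profile` and `~/.bashrc`, so unless the host's auditd rules are write-limited file watches (`-w /etc/profile -p wa -k ...`) this fires on routine logins rather than on edits; that precondition should be stated in the description and `falsepositives` should gain an entry such as `- Reads of these files at login when the auditd rule is not restricted with -p wa`. The path list also leaves out the root account (`/home/*` never matches `/root/.bashrc` or `/root/.bash_profile`) and the Debian-family system-wide `/etc/bash.bashrc` and `/etc/profile.d/*` drop-ins, which the same persistence technique targets. `attack.s0003` is a MITRE software identifier rather than a technique and the reference line does not say which software is meant, so it should be confirmed or dropped, and the free-text reference replaced with the T1156 technique URL. `/etc/shells` controls which shells are considered valid rather than holding code that runs at login, so either note why it is included here or move it to its own rule.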