hunting/linux/docs/persistence_via_message_of_the_day.md

# Persistence via Message-of-the-Day

---

## Metadata

- **Author:** Elastic
- **Description:** This hunt identifies potential persistence mechanisms via the message-of-the-day (motd) on Linux systems. It monitors for file creation or modification events in the /etc/update-motd.d directory and processes started by these motd scripts. These scripts launch on SSH/terminal connection events, and execute the scripts as root. These activities can indicate attempts to establish persistence through motd modifications.

- **UUID:** `5984a354-d76c-43e6-bdd9-228456f1b371`
- **Integration:** [endpoint](https://docs.elastic.co/integrations/endpoint)
- **Language:** `[ES|QL, SQL]`
- **Source File:** [Persistence via Message-of-the-Day](../queries/persistence_via_message_of_the_day.toml)

## Query

```sql
from logs-endpoint.events.file-*
| where @timestamp > now() - 30 day
| where host.os.type == "linux" and event.type in ("creation", "change") and file.path like "/etc/update-motd.d/*" and
not process.name in ("dpkg", "dockerd", "yum", "dnf", "snapd", "pacman")
| eval persistence = case(file.path like "/etc/update-motd.d/*", process.name, null)
| stats pers_count = count(persistence), agent_count = count_distinct(agent.id) by process.executable, file.path
| where pers_count > 0 and pers_count <= 20 and agent_count <= 5
| sort pers_count asc
| limit 100
```

```sql
from logs-endpoint.events.process-*
| where @timestamp > now() - 30 day
| where host.os.type == "linux" and event.action == "exec" and event.type == "start" and process.parent.executable like "/etc/update-motd.d/*" and
not process.args like "/tmp/tmp.*"
| stats cc = count(), host_count = count_distinct(host.name) by process.executable, process.parent.executable
| where host_count <= 5
| sort cc asc
| limit 100
```

```sql
SELECT
    f.filename,
    f.path,
    u.username AS file_owner,
    g.groupname AS group_owner,
    datetime(f.atime, 'unixepoch') AS file_last_access_time,
    datetime(f.mtime, 'unixepoch') AS file_last_modified_time,
    datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,
    datetime(f.btime, 'unixepoch') AS file_created_time,
    f.size AS size_bytes,
    h.md5
FROM
    file f
LEFT JOIN
    users u ON f.uid = u.uid
LEFT JOIN
    groups g ON f.gid = g.gid
LEFT JOIN
    hash h ON f.path = h.path
WHERE
    f.directory IN ('/etc/update-motd.d/')
ORDER BY
    f.mtime DESC;
```

## Notes

- This hunt includes multiple ES|QL and OSQuery queries to identify potential persistence mechanisms via the message-of-the-day (motd) on Linux systems.
- Detects file creation or modification events in the /etc/update-motd.d directory, which is used for message-of-the-day scripts.
- Excludes common legitimate processes to minimize false positives.
- Uses EVAL to tag potential persistence events and counts occurrences to identify unusual activity.
- Monitors processes started by motd scripts to detect potential persistence mechanisms.
- OSQuery query is provided to complement the detection by retrieving detailed file information related to motd scripts.

## MITRE ATT&CK Techniques

- [T1036.005](https://attack.mitre.org/techniques/T1036/005)
- [T1546.003](https://attack.mitre.org/techniques/T1546/003)

## License

- `Elastic License v2`
[New Hunt] Add Initial Linux Hunting Files (#3847 ) 2024-07-05 14:01:12 -04:00			`# Persistence via Message-of-the-Day`

			`---`

			`## Metadata`

			`- Author: Elastic`
			`- Description: This hunt identifies potential persistence mechanisms via the message-of-the-day (motd) on Linux systems. It monitors for file creation or modification events in the /etc/update-motd.d directory and processes started by these motd scripts. These scripts launch on SSH/terminal connection events, and execute the scripts as root. These activities can indicate attempts to establish persistence through motd modifications.`

			- UUID: `5984a354-d76c-43e6-bdd9-228456f1b371`
			`- Integration: [endpoint](https://docs.elastic.co/integrations/endpoint)`
			- Language: `[ES\|QL, SQL]`
[Bug] Normalize Hunting Index Link Generation (#3872 ) 2024-07-10 11:01:59 -04:00			`- Source File: [Persistence via Message-of-the-Day](../queries/persistence_via_message_of_the_day.toml)`
[New Hunt] Add Initial Linux Hunting Files (#3847 ) 2024-07-05 14:01:12 -04:00
			`## Query`

			```sql
			`from logs-endpoint.events.file-*`
			`\| where @timestamp > now() - 30 day`
			`\| where host.os.type == "linux" and event.type in ("creation", "change") and file.path like "/etc/update-motd.d/*" and`
			`not process.name in ("dpkg", "dockerd", "yum", "dnf", "snapd", "pacman")`
			`\| eval persistence = case(file.path like "/etc/update-motd.d/*", process.name, null)`
			`\| stats pers_count = count(persistence), agent_count = count_distinct(agent.id) by process.executable, file.path`
			`\| where pers_count > 0 and pers_count <= 20 and agent_count <= 5`
			`\| sort pers_count asc`
			`\| limit 100`
			```

			```sql
			`from logs-endpoint.events.process-*`
			`\| where @timestamp > now() - 30 day`
			`\| where host.os.type == "linux" and event.action == "exec" and event.type == "start" and process.parent.executable like "/etc/update-motd.d/*" and`
			`not process.args like "/tmp/tmp.*"`
			`\| stats cc = count(), host_count = count_distinct(host.name) by process.executable, process.parent.executable`
			`\| where host_count <= 5`
			`\| sort cc asc`
			`\| limit 100`
			```

			```sql
			`SELECT`
			`f.filename,`
			`f.path,`
			`u.username AS file_owner,`
			`g.groupname AS group_owner,`
			`datetime(f.atime, 'unixepoch') AS file_last_access_time,`
			`datetime(f.mtime, 'unixepoch') AS file_last_modified_time,`
			`datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,`
			`datetime(f.btime, 'unixepoch') AS file_created_time,`
			`f.size AS size_bytes,`
			`h.md5`
			`FROM`
			`file f`
			`LEFT JOIN`
			`users u ON f.uid = u.uid`
			`LEFT JOIN`
			`groups g ON f.gid = g.gid`
			`LEFT JOIN`
			`hash h ON f.path = h.path`
			`WHERE`
			`f.directory IN ('/etc/update-motd.d/')`
			`ORDER BY`
			`f.mtime DESC;`
			```

			`## Notes`

			`- This hunt includes multiple ES\|QL and OSQuery queries to identify potential persistence mechanisms via the message-of-the-day (motd) on Linux systems.`
			`- Detects file creation or modification events in the /etc/update-motd.d directory, which is used for message-of-the-day scripts.`
			`- Excludes common legitimate processes to minimize false positives.`
			`- Uses EVAL to tag potential persistence events and counts occurrences to identify unusual activity.`
			`- Monitors processes started by motd scripts to detect potential persistence mechanisms.`
			`- OSQuery query is provided to complement the detection by retrieving detailed file information related to motd scripts.`
[Bug] Normalize Hunting Index Link Generation (#3872 ) 2024-07-10 11:01:59 -04:00
[New Hunt] Add Initial Linux Hunting Files (#3847 ) 2024-07-05 14:01:12 -04:00			`## MITRE ATT&CK Techniques`

			`- [T1036.005](https://attack.mitre.org/techniques/T1036/005)`
			`- [T1546.003](https://attack.mitre.org/techniques/T1546/003)`

			`## License`

			- `Elastic License v2`