sigma-rules/rta/linux_compress_sensitive_files.py

# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
# or more contributor license agreements. Licensed under the Elastic License
# 2.0; you may not use this file except in compliance with the Elastic License
# 2.0.

# Name: Compression of sensitive files
# RTA: linux_compress_sensitive_files.py
# Description: Uses built-in commands for *nix operating systems to compress known sensitive
#              files, such as etc/shadow and etc/passwd
from . import common
from . import RtaMetadata


metadata = RtaMetadata(
    uuid="f3ffa89b-de47-4e17-ac8e-385e0e7f8253",
    platforms=["linux"],
    endpoint=[],
    siem=[{"rule_id": "6b84d470-9036-4cc0-a27c-6d90bbfe81ab", "rule_name": "Sensitive Files Compression"}],
    techniques=["T1560", "T1552"],
)


@common.requires_os(*metadata.platforms)
def main():
    common.log("Compressing sensitive files")
    files = ["totally-legit.tar", "official-business.zip", "expense-reports.gz"]

    # we don't want/need these to actually work, since the rule is only looking for command line, so no need for sudo
    commands = [
        ["tar", "-cvf", files[0], "/etc/shadow"],
        ["zip", files[1], "/etc/passwd"],
        ["gzip", "/etc/group", files[2]],
    ]
    for command in commands:
        try:
            common.execute(command)
        except OSError as exc:
            # command doesn't exist on distro - the rule only needs one to trigger
            # also means we will eventually need to explore per distro ground truth when we expand as counts will vary
            common.log(str(exc))


if __name__ == "__main__":
    main()