From 1746897359805c17ea4f68f8867780adfa01e314 Mon Sep 17 00:00:00 2001 From: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com> Date: Mon, 25 Jul 2022 08:48:19 -0500 Subject: [PATCH] [New Rule] Suspcious Etc File Creation (#2160) * [New Rule] Suspcious Etc File Creation * Update rules/linux/persistence_etc_file_creation.toml * Update MITRE syntax * Update rules/linux/persistence_etc_file_creation.toml * Update rules/linux/persistence_etc_file_creation.toml * Update rules/linux/persistence_etc_file_creation.toml --- .../linux/persistence_etc_file_creation.toml | 104 ++++++++++++++++++ 1 file changed, 104 insertions(+) create mode 100644 rules/linux/persistence_etc_file_creation.toml diff --git a/rules/linux/persistence_etc_file_creation.toml b/rules/linux/persistence_etc_file_creation.toml new file mode 100644 index 000000000..142560477 --- /dev/null +++ b/rules/linux/persistence_etc_file_creation.toml @@ -0,0 +1,104 @@ +[metadata] +creation_date = "2022/07/22" +maturity = "production" +updated_date = "2022/07/22" + +[rule] +author = ["Elastic"] +description = """ +Detects the manual creation of files in specific etc directories, via user root, used by Linux malware to persist and elevate privileges on compromised systems. File creation in these directories should not be entirely common and could indicate a malicious binary or script installing persistence for long term access. +""" +from = "now-9m" +index = ["logs-*"] +language = "eql" +license = "Elastic License v2" +name = "Suspicious File Creation in /etc for Persistence" +references = [ + "https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/", + "https://www.intezer.com/blog/research/lightning-framework-new-linux-threat/" +] +risk_score = 80 +rule_id = "1c84dd64-7e6c-4bad-ac73-a5014ee37042" +severity = "medium" +tags = ["Elastic", "Host", "Linux", "Threat Detection", "Persistence", "Orbit", "Lightning Framework"] +timestamp_override = "event.ingested" +type = "eql" + +query = ''' +file where event.action == "creation" and user.name == "root" and file.path : ("/etc/ld.so.conf.d/*", "/etc/cron.d/*", "/etc/sudoers.d/*", "/etc/rc.d/init.d/*", "/etc/systemd/system/*") and not process.executable : ("*/dpkg", "*/yum", "*/apt", "*/dnf", "*/systemd") +''' + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat.technique]] +id = "T1037" +name = "Boot or Logon Initialization Scripts" +reference = "https://attack.mitre.org/techniques/T1037/" + +[[rule.threat.technique.subtechnique]] +id = "T1037.004" +name = "RC Scripts" +reference = "https://attack.mitre.org/techniques/T1037/004/" + +[[rule.threat.technique]] +id = "T1574" +name = "Hijack Execution Flow" +reference = "https://attack.mitre.org/techniques/T1574/" + +[[rule.threat.technique.subtechnique]] +id = "T1574.006" +name = "Dynamic Linker Hijacking" +reference = "https://attack.mitre.org/techniques/T1574/006/" + +[[rule.threat.technique]] +id = "T1543" +name = "Create or Modify System Process" +reference = "https://attack.mitre.org/techniques/T1543/" + +[[rule.threat.technique.subtechnique]] +id = "T1543.002" +name = "Systemd Service" +reference = "https://attack.mitre.org/techniques/T1543/002/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + +[[rule.threat.technique]] +id = "T1053" +name = "Scheduled Task/Job" +reference = "https://attack.mitre.org/techniques/T1053/" + +[[rule.threat.technique.subtechnique]] +id = "T1053.003" +name = "Cron" +reference = "https://attack.mitre.org/techniques/T1053/003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" + +[[rule.threat.technique]] +id = "T1548" +name = "Abuse Elevation Control Mechanism" +reference = "https://attack.mitre.org/techniques/T1548/" + +[[rule.threat.technique.subtechnique]] +id = "T1548.003" +name = "Sudo and Sudo Caching" +reference = "https://attack.mitre.org/techniques/T1548/003/" +