security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[Rule Tuning] Dynamic Linker Copy (#3349)

Browse Source 
(cherry picked from commit df86882036)
This commit is contained in:
Ruben Groenewoud
2024-01-08 10:56:31 +01:00
committed by github-actions[bot]
parent 14faea2175
commit 19c6cbf075
1 changed files with 19 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/linux/persistence_dynamic_linker_backup.toml
+19 -5
View File
@@ -3,13 +3,16 @@ creation_date = "2022/07/12"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/11/02"
updated_date = "2023/12/19"
integration = ["endpoint"]
[rule]
author = ["Elastic"]
description = """
Detects the copying of the Linux dynamic loader binary and subsequent file creation for the purpose of creating a backup copy. This technique was seen recently being utilized by Linux malware prior to patching the dynamic loader in order to inject and preload a malicious shared object file. This activity should never occur and if it does then it should be considered highly suspicious or malicious.
Detects the copying of the Linux dynamic loader binary and subsequent file creation for the purpose of creating a
backup copy. This technique was seen recently being utilized by Linux malware prior to patching the dynamic loader in
order to inject and preload a malicious shared object file. This activity should never occur and if it does then it
should be considered highly suspicious or malicious.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
@@ -48,18 +51,29 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
"""
severity = "high"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Threat: Orbit", "Data Source: Elastic Defend"]
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Persistence",
"Threat: Orbit",
"Data Source: Elastic Defend"
]
type = "eql"
query = '''
sequence by process.entity_id with maxspan=1m
[process where host.os.type == "linux" and event.type == "start" and process.name : ("cp", "rsync") and
process.args : ("/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2", "/etc/ld.so.preload")]
[process where host.os.type == "linux" and event.type == "start" and process.name in ("cp", "rsync") and
process.args in (
"/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2", "/etc/ld.so.preload", "/lib64/ld-linux-x86-64.so.2",
"/usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2", "/usr/lib64/ld-linux-x86-64.so.2"
)]
[file where host.os.type == "linux" and event.action == "creation" and file.extension == "so"]
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1574"
name = "Hijack Execution Flow"