[Rule Tuning] Message-of-the-Day (MOTD) (#3730)

* [Rule Tuning] Message-of-the-Day (MOTD)

* Update persistence_message_of_the_day_creation.toml

* ++

* Incompatible endgame field

* Update rules/linux/persistence_message_of_the_day_creation.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/linux/persistence_message_of_the_day_execution.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

(cherry picked from commit e41a57f2ad)
This commit is contained in:
Ruben Groenewoud
2024-06-05 10:18:30 +02:00
committed by github-actions[bot]
parent 2d55e67da7
commit 1b3ccdd1d5
2 changed files with 64 additions and 64 deletions
@@ -2,7 +2,7 @@
creation_date = "2023/02/28"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/05/21"
updated_date = "2024/05/31"
[transform]
[[transform.osquery]]
@@ -11,7 +11,7 @@ query = "SELECT * FROM file WHERE path = {{file.path}}"
[[transform.osquery]]
label = "Osquery - Retrieve File Listing Information"
query = "SELECT * FROM file WHERE (path LIKE '/etc/update-motd.d/%' OR path LIKE '/usr/lib/update-notifier/%')"
query = "SELECT * FROM file WHERE path LIKE '/etc/update-motd.d/%'"
[[transform.osquery]]
label = "Osquery - Retrieve Additional File Listing Information"
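Review bot: dropping `path LIKE '/usr/lib/update-notifier/%'` from the osquery file-listing transform narrows what the investigation guide shows the analyst to `/etc/update-motd.d/` only, and neither this hunk nor the commit message says why the second directory left scope. A one-line rationale in the PR description (or in the rule's note section) would help whoever tunes this rule next, since the same narrowing is repeated in the `file_last_*` query below and in the detection query itself.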
@@ -19,8 +19,7 @@ query = """
SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS
file_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS
file_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT
JOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE (path LIKE '/etc/update-motd.d/%' OR path LIKE
'/usr/lib/update-notifier/%')
JOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE path LIKE '/etc/update-motd.d/%'
"""
[[transform.osquery]]
@@ -31,31 +30,30 @@ query = "SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.u
label = "Osquery - Retrieve Crontab Information"
query = "SELECT * FROM crontab"
[rule]
author = ["Elastic"]
description = """
Message of the day (MOTD) is the message that is presented to the user when a user connects to a Linux server via SSH or
a serial connection. Linux systems contain several default MOTD files located in the "/etc/update-motd.d/" and
"/usr/lib/update-notifier/" directories. These scripts run as the root user every time a user connects over SSH or a
serial connection. Adversaries may create malicious MOTD files that grant them persistence onto the target every time a
user connects to the system by executing a backdoor script or command. This rule detects the creation of potentially
malicious files within the default MOTD file directories.
This rule detects the creation of potentially malicious files within the default MOTD file directories. Message of the
day (MOTD) is the message that is presented to the user when a user connects to a Linux server via SSH or a serial
connection. Linux systems contain several default MOTD files located in the "/etc/update-motd.d/" directory. These
scripts run as the root user every time a user connects over SSH or a serial connection. Adversaries may create
malicious MOTD files that grant them persistence onto the target every time a user connects to the system by executing
a backdoor script or command.
"""
from = "now-9m"
index = ["logs-endpoint.events.*", "endgame-*"]
language = "kuery"
index = ["logs-endpoint.events.file*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Persistence Through MOTD File Creation Detected"
name = "Message-of-the-Day (MOTD) File Creation"
note = """## Triage and analysis
### Investigating Potential Persistence Through MOTD File Creation Detected
### Investigating Message-of-the-Day (MOTD) File Creation
The message-of-the-day (MOTD) is used to display a customizable system-wide message or information to users upon login in Linux.
Attackers can abuse message-of-the-day (motd) files to run scripts, commands or malicious software every time a user connects to a system over SSH or a serial connection, by creating a new file within the `/etc/update-motd.d/` or `/usr/lib/update-notifier/` directory. Executable files in these directories automatically run with root privileges.
Attackers can abuse message-of-the-day (motd) files to run scripts, commands or malicious software every time a user connects to a system over SSH or a serial connection, by creating a new file within the `/etc/update-motd.d/` directory. Executable files in these directories automatically run with root privileges.
This rule identifies the creation of new files within the `/etc/update-motd.d/` or `/usr/lib/update-notifier/` directories.
This rule identifies the creation of new files within the `/etc/update-motd.d/` directory.
> **Note**:
> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.
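Review bot: wording in the rewritten note section: "Executable files in these directories automatically run with root privileges" now follows a sentence that names a single directory (`/etc/update-motd.d/`), so "these directories" should read "this directory". Separately, changing `index` from `["logs-endpoint.events.*", "endgame-*"]` to `["logs-endpoint.events.file*"]` silently removes Endgame coverage for this rule; that is consistent with the "Incompatible endgame field" line in the commit message, but the description or the false-positive section should state plainly that this rule now depends on Elastic Defend file events only.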
@@ -65,7 +63,7 @@ This rule identifies the creation of new files within the `/etc/update-motd.d/`
- Investigate the file that was created or modified.
- $osquery_0
- Investigate whether any other files in the `/etc/update-motd.d/` or `/usr/lib/update-notifier/` directories have been altered.
- Investigate whether any other files in the `/etc/update-motd.d/` directory have been altered.
- $osquery_1
- $osquery_2
- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.
@@ -84,7 +82,7 @@ This rule identifies the creation of new files within the `/etc/update-motd.d/`
### Related Rules
- Suspicious Process Spawned from MOTD Detected - 4ec47004-b34a-42e6-8003-376a123ea447
- Process Spawned from Message-of-the-Day (MOTD) - 4ec47004-b34a-42e6-8003-376a123ea447
### False positive analysis
@@ -141,42 +139,44 @@ tags = [
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Persistence",
"Data Source: Elastic Endgame",
"Resources: Investigation Guide",
"Data Source: Elastic Defend",
]
timestamp_override = "event.ingested"
type = "new_terms"
type = "eql"
query = '''
host.os.type :linux and event.action:(creation or file_create_event or rename or file_rename_event) and
file.path : (/etc/update-motd.d/* or /usr/lib/update-notifier/*) and not process.name : (
dpkg or dockerd or rpm or executor or dnf or podman or ln or yum
) and not (
(process.name:mv and file.extension:dpkg-remove) or
(file.extension:(swp or swpx))
file where host.os.type == "linux" and event.action in ("rename", "creation") and
file.path : "/etc/update-motd.d/*" and not (
process.executable in (
"/bin/dpkg", "/usr/bin/dpkg", "/bin/dockerd", "/usr/bin/dockerd", "/usr/sbin/dockerd", "/bin/microdnf",
"/usr/bin/microdnf", "/bin/rpm", "/usr/bin/rpm", "/bin/snapd", "/usr/bin/snapd", "/bin/yum", "/usr/bin/yum",
"/bin/dnf", "/usr/bin/dnf", "/bin/podman", "/usr/bin/podman", "/bin/dnf-automatic", "/usr/bin/dnf-automatic",
"/bin/pacman", "/usr/bin/pacman", "/usr/bin/dpkg-divert", "/bin/dpkg-divert", "/sbin/apk", "/usr/sbin/apk",
"/usr/local/sbin/apk", "/usr/bin/apt", "/usr/sbin/pacman", "/bin/podman", "/usr/bin/podman", "/usr/bin/puppet",
"/bin/puppet", "/opt/puppetlabs/puppet/bin/puppet", "/usr/bin/chef-client", "/bin/chef-client",
"/bin/autossl_check", "/usr/bin/autossl_check", "/proc/self/exe", "/dev/fd/*", "/usr/bin/pamac-daemon",
"/bin/pamac-daemon", "/usr/lib/snapd/snapd", "/usr/local/bin/dockerd"
) or
file.extension in ("swp", "swpx", "swx", "dpkg-remove") or
file.Ext.original.extension == "dpkg-new" or
process.executable : (
"/nix/store/*", "/var/lib/dpkg/*", "/tmp/vmis.*", "/snap/*", "/dev/fd/*", "/usr/lib/virtualbox/*"
) or
process.executable == null or
(process.name == "sed" and file.name : "sed*") or
(process.name == "perl" and file.name : "e2scrub_all.tmp*")
)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1037"
name = "Boot or Logon Initialization Scripts"
reference = "https://attack.mitre.org/techniques/T1037/"
[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
[rule.new_terms]
field = "new_terms_fields"
value = ["host.id", "file.path", "process.executable"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-10d"
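Review bot: the `process.executable in (...)` list carries duplicates and a dead entry. `"/bin/podman"` and `"/usr/bin/podman"` each appear twice, and `"/dev/fd/*"` sits inside the `in (...)` clause, where EQL compares strings exactly and does not expand wildcards, so that entry never matches; the wildcard form already exists further down in `process.executable : ("/nix/store/*", ..., "/dev/fd/*", ...)`, so the `in` copy can simply be removed. Two points worth documenting rather than changing: `process.executable == null` means any file event that arrives without an executable field is excluded outright, which is a gap an analyst tuning this rule should know about; and the removal of `[rule.new_terms]` together with `type = "eql"`, the dropped Endgame actions (`file_create_event`, `file_rename_event`) and the removed `"Data Source: Elastic Endgame"` tag are consistent with the `index` change above, so the conversion from new_terms to EQL is coherent.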
@@ -2,7 +2,7 @@
creation_date = "2023/02/28"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/05/21"
updated_date = "2024/05/31"
[transform]
[[transform.osquery]]
@@ -11,7 +11,7 @@ query = "SELECT * FROM file WHERE path = {{file.path}}"
[[transform.osquery]]
label = "Osquery - Retrieve File Listing Information"
query = "SELECT * FROM file WHERE (path LIKE '/etc/update-motd.d/%' OR path LIKE '/usr/lib/update-notifier/%')"
query = "SELECT * FROM file WHERE path LIKE '/etc/update-motd.d/%'"
[[transform.osquery]]
label = "Osquery - Retrieve Additional File Listing Information"
@@ -19,8 +19,7 @@ query = """
SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS
file_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS
file_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT
JOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE (path LIKE '/etc/update-motd.d/%' OR path LIKE
'/usr/lib/update-notifier/%')
JOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE path LIKE '/etc/update-motd.d/%'
"""
[[transform.osquery]]
@@ -31,29 +30,28 @@ query = "SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.u
label = "Osquery - Retrieve Crontab Information"
query = "SELECT * FROM crontab"
[rule]
author = ["Elastic"]
description = """
Message of the day (MOTD) is the message that is presented to the user when a user connects to a Linux server via SSH or
a serial connection. Linux systems contain several default MOTD files located in the "/etc/update-motd.d/" and
"/usr/lib/update-notifier/" directories. These scripts run as the root user every time a user connects over SSH or a
serial connection. Adversaries may create malicious MOTD files that grant them persistence onto the target every time a
user connects to the system by executing a backdoor script or command. This rule detects the execution of potentially
malicious processes through the MOTD utility.
a serial connection. Linux systems contain several default MOTD files located in the "/etc/update-motd.d/" directory.
These scripts run as the root user every time a user connects over SSH or a serial connection. Adversaries may create
malicious MOTD files that grant them persistence onto the target every time a user connects to the system by executing
a backdoor script or command. This rule detects the execution of potentially malicious processes through the MOTD
utility.
"""
from = "now-9m"
index = ["logs-endpoint.events.*", "endgame-*"]
index = ["logs-endpoint.events.process*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious Process Spawned from MOTD Detected"
name = "Process Spawned from Message-of-the-Day (MOTD)"
note = """## Triage and analysis
### Investigating Suspicious Process Spawned from MOTD Detected
### Investigating Process Spawned from Message-of-the-Day (MOTD)
The message-of-the-day (MOTD) is used to display a customizable system-wide message or information to users upon login in Linux.
Attackers can abuse message-of-the-day (motd) files to run scripts, commands or malicious software every time a user connects to a system over SSH or a serial connection, by creating a new file within the `/etc/update-motd.d/` or `/usr/lib/update-notifier/` directory. Files in these directories will automatically run with root privileges when they are made executable.
Attackers can abuse message-of-the-day (motd) files to run scripts, commands or malicious software every time a user connects to a system over SSH or a serial connection, by creating a new file within the `/etc/update-motd.d/` directory. Files in these directories will automatically run with root privileges when they are made executable.
This rule identifies the execution of potentially malicious processes from a MOTD script, which is not likely to occur as default benign behavior.
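Review bot: same wording issue as in the creation rule: "Files in these directories will automatically run with root privileges when they are made executable" now refers to a single directory and should read "this directory". Unlike the creation rule, `index` here keeps `endgame-*` alongside the narrowed `logs-endpoint.events.process*`, which is correct because the process query below uses no Defend-only field; a short line in the commit message explaining why Endgame stays for this rule but not for the creation rule would save the next reviewer the cross-check.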
@@ -65,7 +63,7 @@ This rule identifies the execution of potentially malicious processes from a MOT
- Investigate the file that was created or modified from which the suspicious process was executed.
- $osquery_0
- Investigate whether any other files in the `/etc/update-motd.d/` or `/usr/lib/update-notifier/` directories have been altered.
- Investigate whether any other files in the `/etc/update-motd.d/` directory have been altered.
- $osquery_1
- $osquery_2
- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.
@@ -84,7 +82,7 @@ This rule identifies the execution of potentially malicious processes from a MOT
### Related Rules
- Potential Persistence Through MOTD File Creation Detected - 96d11d31-9a79-480f-8401-da28b194608f
- Message-of-the-Day (MOTD) File Creation - 96d11d31-9a79-480f-8401-da28b194608f
### False positive analysis
@@ -147,10 +145,9 @@ tags = [
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where event.type == "start" and host.os.type == "linux" and event.action : ("exec", "exec_event") and
process.parent.executable : ("/etc/update-motd.d/*", "/usr/lib/update-notifier/*") and (
process.parent.executable : "/etc/update-motd.d/*" and (
(process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and (
(process.args : ("-i", "-l")) or (process.parent.name == "socat" and process.parent.args : "*exec*"))) or
(process.name : ("nc", "ncat", "netcat", "nc.openbsd") and process.args_count >= 3 and
@@ -169,26 +166,29 @@ process where event.type == "start" and host.os.type == "linux" and event.action
)) or
(process.name : "php*" and process.args : "-r" and process.args : "*fsockopen*" and process.args : "*/bin/*sh*") or
(process.name : ("awk", "gawk", "mawk", "nawk") and process.args : "*/inet/tcp/*") or
(process.name in ("openssl", "telnet"))
(process.name in ("openssl", "telnet")) or
(process.args : (
"./*", "/boot/*", "/dev/shm/*", "/etc/cron.*/*", "/etc/init.d/*", "/etc/update-motd.d/*", "/run/*", "/srv/*",
"/tmp/*", "/var/tmp/*", "/var/log/*", "/opt/*"
) and process.args_count == 1
)
) and
not (
(process.parent.args : "--force") or
(process.args : ("/usr/games/lolcat", "/usr/bin/screenfetch")) or
(process.parent.name == "system-crash-notification")
process.parent.args == "--force" or
process.args in ("/usr/games/lolcat", "/usr/bin/screenfetch") or
process.parent.name == "system-crash-notification"
)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1037"
name = "Boot or Logon Initialization Scripts"
reference = "https://attack.mitre.org/techniques/T1037/"
[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
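Review bot: the exclusion block changes operators, not only layout: `process.parent.args : "--force"` and `process.args : ("/usr/games/lolcat", "/usr/bin/screenfetch")` become `==` and `in`, which in EQL are case-sensitive exact comparisons whereas `:` is case-insensitive. That is harmless for these fixed values but it is a behaviour change the commit message does not mention, so call it out in the PR description. The new branch `process.args : ("./*", "/boot/*", "/dev/shm/*", ... "/opt/*") and process.args_count == 1` is a reasonable heuristic for a MOTD script launching a bare executable from a writable or unusual path, but `"./*"` and `"/opt/*"` are the entries most likely to hit legitimate helper scripts invoked by a vendor MOTD script, and `"/etc/update-motd.d/*"` will also fire when one MOTD script calls another; the false-positive analysis section should mention these cases so the existing `lolcat` / `screenfetch` / `system-crash-notification` exclusions can be extended deliberately rather than ad hoc.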