diff --git a/rules/linux/persistence_dynamic_linker_backup.toml b/rules/linux/persistence_dynamic_linker_backup.toml
index f2b8cf4fc..54d217271 100644
--- a/rules/linux/persistence_dynamic_linker_backup.toml
+++ b/rules/linux/persistence_dynamic_linker_backup.toml
@@ -3,13 +3,16 @@ creation_date = "2022/07/12"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/11/02"
+updated_date = "2023/12/19"
 integration = ["endpoint"]
 
 [rule]
 author = ["Elastic"]
 description = """
-Detects the copying of the Linux dynamic loader binary and subsequent file creation for the purpose of creating a backup copy. This technique was seen recently being utilized by Linux malware prior to patching the dynamic loader in order to inject and preload a malicious shared object file. This activity should never occur and if it does then it should be considered highly suspicious or malicious.
+Detects the copying of the Linux dynamic loader binary and subsequent file creation for the purpose of creating a
+backup copy. This technique was seen recently being utilized by Linux malware prior to patching the dynamic loader in
+order to inject and preload a malicious shared object file. This activity should never occur and if it does then it
+should be considered highly suspicious or malicious.
 """
 from = "now-9m"
 index = ["logs-endpoint.events.*"]
@@ -48,18 +51,29 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
 """
 severity = "high"
-tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Threat: Orbit", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Threat: Orbit",
+ "Data Source: Elastic Defend"
+ ]
 type = "eql"
 query = '''
 sequence by process.entity_id with maxspan=1m
-[process where host.os.type == "linux" and event.type == "start" and process.name : ("cp", "rsync") and
- process.args : ("/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2", "/etc/ld.so.preload")]
+[process where host.os.type == "linux" and event.type == "start" and process.name in ("cp", "rsync") and
+ process.args in (
+ "/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2", "/etc/ld.so.preload", "/lib64/ld-linux-x86-64.so.2",
+ "/usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2", "/usr/lib64/ld-linux-x86-64.so.2"
+ )]
 [file where host.os.type == "linux" and event.action == "creation" and file.extension == "so"]
 '''
 
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1574"
 name = "Hijack Execution Flow"
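Review bot: The rewritten process filter in the `query` string now only fires when the loader is named by one of five exact absolute paths, because EQL `in` is an exact, case-sensitive membership test, whereas the `:` operator it replaces also accepted wildcards; the enlarged list still covers only x86-64 glibc locations, so copies of the loader on other architectures or under a distribution-specific prefix are not seen. If the intent was stricter matching, it is worth recording that, since neither the description nor `min_stack_comments` mentions the operator change; a short comment above `query`, e.g. `# exact (case-sensitive) path match via "in"; extend the list per distro/arch rather than relying on wildcards`, would do. Otherwise a wildcard form such as `process.args : ("*/ld-linux-x86-64.so.2", "*/ld-linux-aarch64.so.1", "/etc/ld.so.preload")` keeps the new paths while also covering the arm64 loader. The `[[rule.threat.technique]]` table this hunk ends in continues outside the hunk.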