From 3fc4aaec0fc91538b39937cf39c66835efaf2246 Mon Sep 17 00:00:00 2001 From: Samirbous <64742097+Samirbous@users.noreply.github.com> Date: Thu, 28 Jan 2021 19:46:30 +0100 Subject: [PATCH] [New Rule] Modification of OpenSSH Binaries (#747) * [New Rule] Modification of SSH Binaries * Update persistence_credential_access_modify_ssh_binaries.toml * exclude unrelated auditbeat FP events * updated TIDs and Tactics * fix order of TIDs and Tactics * relinted * added libkeyutils.so used by Ebury Backdoor loaded by all OpenSSH processes * renamed * conv to kql and added one FP * Update rules/linux/persistence_credential_access_modify_ssh_binaries.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/linux/persistence_credential_access_modify_ssh_binaries.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> --- ...credential_access_modify_ssh_binaries.toml | 56 +++++++++++++++++++ 1 file changed, 56 insertions(+) create mode 100644 rules/linux/persistence_credential_access_modify_ssh_binaries.toml diff --git a/rules/linux/persistence_credential_access_modify_ssh_binaries.toml b/rules/linux/persistence_credential_access_modify_ssh_binaries.toml new file mode 100644 index 000000000..dbb704766 --- /dev/null +++ b/rules/linux/persistence_credential_access_modify_ssh_binaries.toml @@ -0,0 +1,56 @@ +[metadata] +creation_date = "2020/12/21" +maturity = "production" +updated_date = "2020/12/21" + +[rule] +author = ["Elastic"] +description = """ +Adversaries may modify SSH related binaries for persistence or credential access by patching sensitive functions to +enable unauthorized access or by logging SSH credentials for exfiltration. +""" +false_positives = ["Trusted OpenSSH executable updates. It's recommended to verify the integrity of OpenSSH binary changes."] +from = "now-9m" +index = ["auditbeat-*", "logs-endpoint.events.*"] +language = "kuery" +license = "Elastic License" +name = "Modification of OpenSSH Binaries" +references = ["https://blog.angelalonso.es/2016/09/anatomy-of-real-linux-intrusion-part-ii.html"] +risk_score = 47 +rule_id = "0415f22a-2336-45fa-ba07-618a5942e22c" +severity = "medium" +tags = ["Elastic", "Host", "Linux", "Threat Detection", "Credential Access", "Persistence"] +type = "query" + +query = ''' +event.category:file and event.type:change and + process.name:* and + (file.path:(/usr/sbin/sshd or /usr/bin/ssh or /usr/bin/sftp or /usr/bin/scp) or file.name:libkeyutils.so) and + not process.executable:/usr/bin/dpkg +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1543" +name = "Create or Modify System Process" +reference = "https://attack.mitre.org/techniques/T1543/" + + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1556" +name = "Modify Authentication Process" +reference = "https://attack.mitre.org/techniques/T1556/" + + +[rule.threat.tactic] +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/"