[Rule Tuning] rc.local/rc.common File Creation (#3805)
(cherry picked from commit e941645b2f)
This commit is contained in:
Ruben Groenewoud
committed by
github-actions[bot]
github-actions[bot]
parent
2f292dacb4
commit
4b88408acf
@@ -2,7 +2,7 @@
|
||||
creation_date = "2023/02/28"
|
||||
integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
updated_date = "2024/05/21"
|
||||
updated_date = "2024/06/20"
|
||||
|
||||
[transform]
|
||||
[[transform.osquery]]
|
||||
@@ -24,24 +24,23 @@ SELECT * FROM file WHERE (path = '/run/systemd/generator/multi-user.target.wants
|
||||
label = "Osquery - Retrieve Crontab Information"
|
||||
query = "SELECT * FROM crontab"
|
||||
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
description = """
|
||||
This rule monitors the creation/alteration of the rc.local file by a previously unknown process executable through the
|
||||
use of the new terms rule type. The /etc/rc.local file is used to start custom applications, services, scripts or
|
||||
commands during start-up. The rc.local file has mostly been replaced by Systemd. However, through the
|
||||
"systemd-rc-local-generator", rc.local files can be converted to services that run at boot. Adversaries may alter
|
||||
rc.local to execute malicious code at start-up, and gain persistence onto the system.
|
||||
This rule monitors the creation/alteration of the rc.local/rc.common file. The /etc/rc.local file is used to start
|
||||
custom applications, services, scripts or commands during start-up. The rc.local file has mostly been replaced by
|
||||
Systemd. However, through the "systemd-rc-local-generator", rc.local files can be converted to services that run at
|
||||
boot. Adversaries may alter rc.local/rc.common to execute malicious code at start-up, and gain persistence onto the
|
||||
system.
|
||||
"""
|
||||
from = "now-9m"
|
||||
index = ["logs-endpoint.events.*", "endgame-*"]
|
||||
language = "kuery"
|
||||
index = ["logs-endpoint.events.*"]
|
||||
language = "eql"
|
||||
license = "Elastic License v2"
|
||||
name = "Potential Persistence Through Run Control Detected"
|
||||
name = "rc.local/rc.common File Creation"
|
||||
note = """## Triage and analysis
|
||||
|
||||
### Investigating Potential Persistence Through Run Control Detected
|
||||
### Investigating rc.local/rc.common File Creation
|
||||
|
||||
The `rc.local` file executes custom commands or scripts during system startup on Linux systems. `rc.local` has been deprecated in favor of the use of `systemd services`, and more recent Unix distributions no longer leverage this method of on-boot script execution.
|
||||
|
||||
@@ -136,45 +135,50 @@ tags = [
|
||||
"OS: Linux",
|
||||
"Use Case: Threat Detection",
|
||||
"Tactic: Persistence",
|
||||
"Data Source: Elastic Endgame",
|
||||
"Resources: Investigation Guide",
|
||||
"Data Source: Elastic Defend",
|
||||
]
|
||||
timestamp_override = "event.ingested"
|
||||
type = "new_terms"
|
||||
type = "eql"
|
||||
|
||||
query = '''
|
||||
host.os.type : "linux" and event.category : "file" and
|
||||
event.type : ("change" or "file_modify_event" or "creation" or "file_create_event") and
|
||||
file.path : "/etc/rc.local" and not process.name : (
|
||||
"dockerd" or "docker" or "dnf" or "dnf-automatic" or "yum" or "rpm" or "dpkg"
|
||||
) and not file.extension : ("swp" or "swpx")
|
||||
file where host.os.type == "linux" and event.action in ("rename", "creation") and
|
||||
file.path in ("/etc/rc.local", "/etc/rc.common") and not (
|
||||
process.executable in (
|
||||
"/bin/dpkg", "/usr/bin/dpkg", "/bin/dockerd", "/usr/bin/dockerd", "/usr/sbin/dockerd", "/bin/microdnf",
|
||||
"/usr/bin/microdnf", "/bin/rpm", "/usr/bin/rpm", "/bin/snapd", "/usr/bin/snapd", "/bin/yum", "/usr/bin/yum",
|
||||
"/bin/dnf", "/usr/bin/dnf", "/bin/podman", "/usr/bin/podman", "/bin/dnf-automatic", "/usr/bin/dnf-automatic",
|
||||
"/bin/pacman", "/usr/bin/pacman", "/usr/bin/dpkg-divert", "/bin/dpkg-divert", "/sbin/apk", "/usr/sbin/apk",
|
||||
"/usr/local/sbin/apk", "/usr/bin/apt", "/usr/sbin/pacman", "/bin/podman", "/usr/bin/podman", "/usr/bin/puppet",
|
||||
"/bin/puppet", "/opt/puppetlabs/puppet/bin/puppet", "/usr/bin/chef-client", "/bin/chef-client",
|
||||
"/bin/autossl_check", "/usr/bin/autossl_check", "/proc/self/exe", "/dev/fd/*", "/usr/bin/pamac-daemon",
|
||||
"/bin/pamac-daemon", "/usr/lib/snapd/snapd", "/usr/local/bin/dockerd"
|
||||
) or
|
||||
file.extension in ("swp", "swpx", "swx", "dpkg-remove") or
|
||||
file.Ext.original.extension == "dpkg-new" or
|
||||
process.executable : (
|
||||
"/nix/store/*", "/var/lib/dpkg/*", "/snap/*", "/dev/fd/*", "/usr/lib/virtualbox/*"
|
||||
) or
|
||||
process.executable == null or
|
||||
(process.name == "sed" and file.name : "sed*") or
|
||||
(process.name == "perl" and file.name : "e2scrub_all.tmp*")
|
||||
)
|
||||
'''
|
||||
|
||||
|
||||
[[rule.threat]]
|
||||
framework = "MITRE ATT&CK"
|
||||
|
||||
[[rule.threat.technique]]
|
||||
id = "T1037"
|
||||
name = "Boot or Logon Initialization Scripts"
|
||||
reference = "https://attack.mitre.org/techniques/T1037/"
|
||||
|
||||
[[rule.threat.technique.subtechnique]]
|
||||
id = "T1037.004"
|
||||
name = "RC Scripts"
|
||||
reference = "https://attack.mitre.org/techniques/T1037/004/"
|
||||
|
||||
|
||||
|
||||
[rule.threat.tactic]
|
||||
id = "TA0003"
|
||||
name = "Persistence"
|
||||
reference = "https://attack.mitre.org/tactics/TA0003/"
|
||||
|
||||
[rule.new_terms]
|
||||
field = "new_terms_fields"
|
||||
value = ["host.id", "process.executable", "user.id"]
|
||||
[[rule.new_terms.history_window_start]]
|
||||
field = "history_window_start"
|
||||
value = "now-7d"
|
||||
|
||||
|
||||
|
||||
Reference in New Issue
Block a user