[New Rule] Executable Launched from Shared Memory Directory (#1961)

* new rule to check for executables launched from shared memory directory * added references and false positive instances * Update rules/linux/execution_shared_memory_executable.toml * Update rules/linux/execution_shared_memory_executable.toml * Update rules/linux/execution_shared_memory_executable.toml * adjusted process to account for var run and lock directories * TOML lint and query formatting * TOML lint and query formatting * Update rules/linux/execution_process_started_in_shared_memory_directory.toml * Update rules/linux/execution_process_started_in_shared_memory_directory.toml * Update rules/linux/execution_process_started_in_shared_memory_directory.toml * Update rules/linux/execution_process_started_in_shared_memory_directory.toml * added BPFDoor tag to be threat specific * TOML linting and adjusted risk because of root requirement Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2022-05-11 12:18:55 -04:00
parent c031bb501d
commit 5f447a63a2
1 changed files with 60 additions and 0 deletions
@@ -0,0 +1,60 @@
+[metadata]
+creation_date = "2022/05/10"
+maturity = "production"
+updated_date = "2022/05/11"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies the execution of a binary by root in Linux shared memory directories: (/dev/shm/, /run/shm/, /var/run/,
+/var/lock/). This activity is to be considered highly abnormal and should be investigated. Threat actors have placed
+executables used for persistence on high-uptime servers in these directories as system backdoors.
+"""
+false_positives = [
+    """
+    Directories /dev/shm and /run/shm are temporary file storage directories in Linux. They are intended to appear as a
+    mounted file system, but uses virtual memory instead of a persistent storage device and thus are used for mounting
+    file systems in legitimate purposes.
+    """,
+]
+from = "now-9m"
+index = ["logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Binary Executed from Shared Memory Directory"
+references = [
+    "https://linuxsecurity.com/features/fileless-malware-on-linux",
+    "https://twitter.com/GossiTheDog/status/1522964028284411907",
+]
+risk_score = 73
+rule_id = "3f3f9fe2-d095-11ec-95dc-f661ea17fbce"
+severity = "high"
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "Execution", "BPFDoor"]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+process where event.type == "start" and 
+    event.action == "exec" and user.name == "root" and 
+    process.executable : (
+        "/dev/shm/*",
+        "/run/shm/*",
+        "/var/run/*",
+        "/var/lock/*"
+    )
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+