From 5f447a63a2f3f0ea6947801640b587cdee800295 Mon Sep 17 00:00:00 2001
From: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Date: Wed, 11 May 2022 12:18:55 -0400
Subject: [PATCH] [New Rule] Executable Launched from Shared Memory Directory (#1961)
* new rule to check for executables launched from shared memory directory
* added references and false positive instances
* Update rules/linux/execution_shared_memory_executable.toml
* Update rules/linux/execution_shared_memory_executable.toml
* Update rules/linux/execution_shared_memory_executable.toml
* adjusted process to account for var run and lock directories
* TOML lint and query formatting
* TOML lint and query formatting
* Update rules/linux/execution_process_started_in_shared_memory_directory.toml
* Update rules/linux/execution_process_started_in_shared_memory_directory.toml
* Update rules/linux/execution_process_started_in_shared_memory_directory.toml
* Update rules/linux/execution_process_started_in_shared_memory_directory.toml
* added BPFDoor tag to be threat specific
* TOML linting and adjusted risk because of root requirement
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
---
 ...ss_started_in_shared_memory_directory.toml | 60 +++++++++++++++++++
 1 file changed, 60 insertions(+)
 create mode 100644 rules/linux/execution_process_started_in_shared_memory_directory.toml
diff --git a/rules/linux/execution_process_started_in_shared_memory_directory.toml b/rules/linux/execution_process_started_in_shared_memory_directory.toml
new file mode 100644
index 000000000..6926a05d9
--- /dev/null
+++ b/rules/linux/execution_process_started_in_shared_memory_directory.toml
@@ -0,0 +1,60 @@
+[metadata]
+creation_date = "2022/05/10"
+maturity = "production"
+updated_date = "2022/05/11"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies the execution of a binary by root in Linux shared memory directories: (/dev/shm/, /run/shm/, /var/run/,
+/var/lock/). This activity is to be considered highly abnormal and should be investigated. Threat actors have placed
+executables used for persistence on high-uptime servers in these directories as system backdoors.
+"""
+false_positives = [
+ """
+ Directories /dev/shm and /run/shm are temporary file storage directories in Linux. They are intended to appear as a
+ mounted file system, but uses virtual memory instead of a persistent storage device and thus are used for mounting
+ file systems in legitimate purposes.
+ """,
+]
+from = "now-9m"
+index = ["logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Binary Executed from Shared Memory Directory"
+references = [
+ "https://linuxsecurity.com/features/fileless-malware-on-linux",
+ "https://twitter.com/GossiTheDog/status/1522964028284411907",
+]
+risk_score = 73
+rule_id = "3f3f9fe2-d095-11ec-95dc-f661ea17fbce"
+severity = "high"
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "Execution", "BPFDoor"]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+process where event.type == "start" and
+ event.action == "exec" and user.name == "root" and
+ process.executable : (
+ "/dev/shm/*",
+ "/run/shm/*",
+ "/var/run/*",
+ "/var/lock/*"
+ )
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+
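Review bot: The `/var/run/*` and `/var/lock/*` patterns in `query` reach beyond what the `description` and `false_positives` text cover: both are runtime/lock directories rather than shared memory, and the single false-positive entry only discusses /dev/shm and /run/shm. Suggest rewording the first description sentence to `Identifies the execution of a binary by root from Linux shared memory and runtime directories (/dev/shm/, /run/shm/, /var/run/, /var/lock/).` and adding a second `false_positives` entry stating that /var/run and /var/lock normally hold PID and lock files, so a root execution from them is still unusual but should be triaged against the host's known service scripts before escalation. On systemd-based distributions /var/run and /var/lock are usually symlinks into /run, so whether such an execution is reported with the /var/ prefix or the resolved /run/ path depends on the endpoint's path normalization — worth confirming against a sample event before relying on those two patterns. Since `process.executable` holds the interpreter's path when a script is launched through one, the rule only observes directly executed binaries; that scope limitation belongs in the description so analysts do not assume broader coverage.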