[Rule Tuning] Shell Configuration Creation or Modification (#3732)
* [Rule Tuning] Shell Configuration Creation or Modification
* Incompatible endgame field
* Update rules/linux/persistence_shell_configuration_modification.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
(cherry picked from commit 5f36f3a03e)
committed by
github-actions[bot]
parent
1b3ccdd1d5
commit
6ff8f3a75f
@@ -2,22 +2,22 @@
|
||||
creation_date = "2024/04/30"
|
||||
integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
updated_date = "2024/05/21"
|
||||
updated_date = "2024/05/31"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
description = """
|
||||
This rule monitors the creation/alteration of a shell configuration by a previously unknown process executable using the
|
||||
new terms rule type. Unix systems use shell configuration files to set environment variables, create aliases, and
|
||||
customize the user's environment. Adversaries may modify or add a shell configuration file to execute malicious code and
|
||||
gain persistence in the system. This behavior is consistent with the Kaiji malware family.
|
||||
This rule monitors the creation/alteration of a shell configuration file. Unix systems use shell configuration files to
|
||||
set environment variables, create aliases, and customize the user's environment. Adversaries may modify or add a shell
|
||||
configuration file to execute malicious code and gain persistence in the system. This behavior is consistent with the
|
||||
Kaiji malware family.
|
||||
"""
|
||||
false_positives = ["Legitimate user shell modification activity."]
|
||||
from = "now-9m"
|
||||
index = ["logs-endpoint.events.*", "endgame-*"]
|
||||
language = "kuery"
|
||||
index = ["logs-endpoint.events.file*"]
|
||||
language = "eql"
|
||||
license = "Elastic License v2"
|
||||
name = "Shell Configuration Modification"
|
||||
name = "Shell Configuration Creation or Modification"
|
||||
references = ["https://intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/"]
|
||||
risk_score = 47
|
||||
rule_id = "28f6f34b-8e16-487a-b5fd-9d22eb903db8"
|
||||
@@ -52,57 +52,58 @@ tags = [
|
||||
"OS: Linux",
|
||||
"Use Case: Threat Detection",
|
||||
"Tactic: Persistence",
|
||||
"Data Source: Elastic Endgame",
|
||||
"Data Source: Elastic Defend",
|
||||
"Data Source: Elastic Defend"
|
||||
]
|
||||
timestamp_override = "event.ingested"
|
||||
type = "new_terms"
|
||||
|
||||
type = "eql"
|
||||
query = '''
|
||||
event.category:file and host.os.type:linux and
|
||||
event.action:(creation or file_create_event or rename or file_rename_event) and file.path:(
|
||||
"/etc/profile" or "/etc/profile.local" or "/etc/bashrc" or "/etc/bash.bashrc" or "/etc/bash.bashrc.local" or
|
||||
"/etc/zshenv" or "/etc/zprofile" or "/etc/zlogin" or "/etc/zlogout" or "/root/.profile" or "/root/.bash_logout" or
|
||||
"/root/.bashrc" or "/root/.bash_login" or /etc/profile.d/* or /home/*/.profile or /home/*/.bash_logout or
|
||||
/home/*/.bashrc or /home/*/.bash_login
|
||||
file where host.os.type == "linux" and event.action in ("rename", "creation") and file.path : (
|
||||
// system-wide configurations
|
||||
"/etc/profile", "/etc/profile.d/*", "/etc/bash.bashrc", "/etc/zsh/*",
|
||||
"/etc/csh.cshrc", "/etc/csh.login", "/etc/fish/config.fish", "/etc/ksh.kshrc",
|
||||
// root and user configurations
|
||||
"/home/*/.profile", "/home/*/.bashrc", "/home/*/.bash_login", "/home/*/.bash_logout",
|
||||
"/root/.profile", "/root/.bashrc", "/root/.bash_login", "/root/.bash_logout",
|
||||
"/home/*/.zprofile", "/home/*/.zshrc", "/root/.zprofile", "/root/.zshrc",
|
||||
"/home/*/.cshrc", "/home/*/.login", "/home/*/.logout", "/root/.cshrc", "/root/.login", "/root/.logout",
|
||||
"/home/*/.config/fish/config.fish", "/root/.config/fish/config.fish",
|
||||
"/home/*/.kshrc", "/root/.kshrc"
|
||||
) and not (
|
||||
(process.executable: (
|
||||
"/bin/dpkg" or "/usr/bin/dpkg" or "/bin/useradd" or "/usr/sbin/useradd" or "/bin/adduser" or "/usr/sbin/adduser" or
|
||||
"/bin/dockerd" or "/usr/bin/dockerd" or "/bin/microdnf" or "/usr/bin/microdnf" or "/bin/rpm" or "/usr/bin/rpm" or
|
||||
"/bin/snapd" or "/usr/bin/snapd" or "/bin/yum" or "/usr/bin/yum" or "/bin/dnf" or "/usr/bin/dnf" or "/bin/podman" or
|
||||
"/usr/bin/podman" or "/bin/dnf-automatic" or "/usr/bin/dnf-automatic" or "/bin/pacman" or "/usr/bin/pacman"
|
||||
)
|
||||
) or
|
||||
(file.extension:("swp" or "swpx")) or
|
||||
(process.executable:("/bin/sed" or "/usr/bin/sed") and file.name:sed*) or
|
||||
(process.executable:("/bin/perl" or "/usr/bin/perl") and file.name:e2scrub_all.tmp*)
|
||||
process.executable in (
|
||||
"/bin/dpkg", "/usr/bin/dpkg", "/bin/dockerd", "/usr/bin/dockerd", "/usr/sbin/dockerd", "/bin/microdnf",
|
||||
"/usr/bin/microdnf", "/bin/rpm", "/usr/bin/rpm", "/bin/snapd", "/usr/bin/snapd", "/bin/yum", "/usr/bin/yum",
|
||||
"/bin/dnf", "/usr/bin/dnf", "/bin/podman", "/usr/bin/podman", "/bin/dnf-automatic", "/usr/bin/dnf-automatic",
|
||||
"/bin/pacman", "/usr/bin/pacman", "/usr/bin/dpkg-divert", "/bin/dpkg-divert", "/sbin/apk", "/usr/sbin/apk",
|
||||
"/usr/local/sbin/apk", "/usr/bin/apt", "/usr/sbin/pacman", "/bin/podman", "/usr/bin/podman", "/usr/bin/puppet",
|
||||
"/bin/puppet", "/opt/puppetlabs/puppet/bin/puppet", "/usr/bin/chef-client", "/bin/chef-client",
|
||||
"/bin/autossl_check", "/usr/bin/autossl_check", "/proc/self/exe", "/dev/fd/*", "/usr/bin/pamac-daemon",
|
||||
"/bin/pamac-daemon", "/usr/lib/snapd/snapd", "/usr/sbin/adduser", "/usr/sbin/useradd", "/usr/local/bin/dockerd"
|
||||
) or
|
||||
file.extension in ("swp", "swpx", "swx", "dpkg-remove") or
|
||||
file.Ext.original.extension == "dpkg-new" or
|
||||
process.executable : (
|
||||
"/nix/store/*", "/var/lib/dpkg/*", "/tmp/vmis.*", "/snap/*", "/dev/fd/*", "/usr/lib/virtualbox/*"
|
||||
) or
|
||||
process.executable == null or
|
||||
(process.name == "sed" and file.name : "sed*") or
|
||||
(process.name == "perl" and file.name : "e2scrub_all.tmp*")
|
||||
)
|
||||
'''
|
||||
|
||||
|
||||
[[rule.threat]]
|
||||
framework = "MITRE ATT&CK"
|
||||
|
||||
[[rule.threat.technique]]
|
||||
id = "T1546"
|
||||
name = "Event Triggered Execution"
|
||||
reference = "https://attack.mitre.org/techniques/T1546/"
|
||||
|
||||
[[rule.threat.technique.subtechnique]]
|
||||
id = "T1546.004"
|
||||
name = "Unix Shell Configuration Modification"
|
||||
reference = "https://attack.mitre.org/techniques/T1546/004/"
|
||||
|
||||
|
||||
|
||||
[rule.threat.tactic]
|
||||
id = "TA0003"
|
||||
name = "Persistence"
|
||||
reference = "https://attack.mitre.org/tactics/TA0003/"
|
||||
|
||||
[rule.new_terms]
|
||||
field = "new_terms_fields"
|
||||
value = ["host.id", "user.id", "process.executable"]
|
||||
[[rule.new_terms.history_window_start]]
|
||||
field = "history_window_start"
|
||||
value = "now-10d"
|
||||
|
||||
|
||||
|
||||
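Review bot: The exclusion `process.executable == null or` near the end of the new query discards every file event that arrives without process attribution, and the allow-listed `"/proc/self/exe", "/dev/fd/*"` entries (present both in the `process.executable in (` list and the `process.executable : (` wildcard block) exclude writers whose image is not a regular on-disk binary; none of these exclusions carries a rationale, so a later tuner cannot tell whether the coverage gap was accepted deliberately. The query already uses `//` comments, so a one-liner on each would suffice, e.g. `// events lacking process attribution are excluded; revisit if the data source populates process.executable reliably` above the null check, and `// in-memory / fd-backed executables excluded to reduce noise; see false_positives` next to the `/proc/self/exe` entry. The `process.executable in (` list also repeats `"/bin/podman", "/usr/bin/podman"` (on the `"/bin/dnf"` line and again on the `"/usr/local/sbin/apk"` line), which is harmless but should be deduplicated.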