From 6ff8f3a75f48d9ed771d5e346f64b359e94049ad Mon Sep 17 00:00:00 2001
From: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Date: Wed, 5 Jun 2024 10:28:13 +0200
Subject: [PATCH] [Rule Tuning] Shell Configuration Creation or Modification (#3732)
* [Rule Tuning] Shell Configuration Creation or Modification
* Incompatible endgame field
* Update rules/linux/persistence_shell_configuration_modification.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
(cherry picked from commit 5f36f3a03eab0b0f129477b4c33b4291d4d11126)
---
 ...ence_shell_configuration_modification.toml | 81 ++++++++++---------
 1 file changed, 41 insertions(+), 40 deletions(-)
diff --git a/rules/linux/persistence_shell_configuration_modification.toml b/rules/linux/persistence_shell_configuration_modification.toml
index bbdb5484c..3388a5669 100644
--- a/rules/linux/persistence_shell_configuration_modification.toml
+++ b/rules/linux/persistence_shell_configuration_modification.toml
@@ -2,22 +2,22 @@
 creation_date = "2024/04/30"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/05/31"
 
 [rule]
 author = ["Elastic"]
 description = """
-This rule monitors the creation/alteration of a shell configuration by a previously unknown process executable using the
-new terms rule type. Unix systems use shell configuration files to set environment variables, create aliases, and
-customize the user's environment. Adversaries may modify or add a shell configuration file to execute malicious code and
-gain persistence in the system. This behavior is consistent with the Kaiji malware family.
+This rule monitors the creation/alteration of a shell configuration file. Unix systems use shell configuration files to
+set environment variables, create aliases, and customize the user's environment. Adversaries may modify or add a shell
+configuration file to execute malicious code and gain persistence in the system. This behavior is consistent with the
+Kaiji malware family.
 """
 false_positives = ["Legitimate user shell modification activity."]
 from = "now-9m"
-index = ["logs-endpoint.events.*", "endgame-*"]
-language = "kuery"
+index = ["logs-endpoint.events.file*"]
+language = "eql"
 license = "Elastic License v2"
-name = "Shell Configuration Modification"
+name = "Shell Configuration Creation or Modification"
 references = ["https://intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/"]
 risk_score = 47
 rule_id = "28f6f34b-8e16-487a-b5fd-9d22eb903db8"
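Review bot: The renamed rule (`name = "Shell Configuration Creation or Modification"`) and the description's "creation/alteration" wording promise more than the query in the next hunk matches, which is `event.action in ("rename", "creation")` only; an in-place edit of an existing configuration file arrives as the endpoint's `modification` action and would not alert. If leaving that action out is a deliberate noise trade-off (the replaced KQL query made the same choice), state it where analysts will see it, e.g. extend `false_positives` or the description with `This rule alerts on creation and rename of shell configuration files; in-place edits of an existing file are out of scope.`; otherwise add `"modification"` to the action list. Either way the name and the query should agree before the rule ships under the new title.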
@@ -52,57 +52,58 @@ tags = [ "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", + "Data Source: Elastic Defend" ] timestamp_override = "event.ingested" -type = "new_terms" - +type = "eql" query = ''' -event.category:file and host.os.type:linux and -event.action:(creation or file_create_event or rename or file_rename_event) and file.path:( - "/etc/profile" or "/etc/profile.local" or "/etc/bashrc" or "/etc/bash.bashrc" or "/etc/bash.bashrc.local" or - "/etc/zshenv" or "/etc/zprofile" or "/etc/zlogin" or "/etc/zlogout" or "/root/.profile" or "/root/.bash_logout" or - "/root/.bashrc" or "/root/.bash_login" or /etc/profile.d/* or /home/*/.profile or /home/*/.bash_logout or - /home/*/.bashrc or /home/*/.bash_login +file where host.os.type == "linux" and event.action in ("rename", "creation") and file.path : ( + // system-wide configurations + "/etc/profile", "/etc/profile.d/*", "/etc/bash.bashrc", "/etc/zsh/*", + "/etc/csh.cshrc", "/etc/csh.login", "/etc/fish/config.fish", "/etc/ksh.kshrc", + // root and user configurations + "/home/*/.profile", "/home/*/.bashrc", "/home/*/.bash_login", "/home/*/.bash_logout", + "/root/.profile", "/root/.bashrc", "/root/.bash_login", "/root/.bash_logout", + "/home/*/.zprofile", "/home/*/.zshrc", "/root/.zprofile", "/root/.zshrc", + "/home/*/.cshrc", "/home/*/.login", "/home/*/.logout", "/root/.cshrc", "/root/.login", "/root/.logout", + "/home/*/.config/fish/config.fish", "/root/.config/fish/config.fish", + "/home/*/.kshrc", "/root/.kshrc" ) and not ( - (process.executable: ( - "/bin/dpkg" or "/usr/bin/dpkg" or "/bin/useradd" or "/usr/sbin/useradd" or "/bin/adduser" or "/usr/sbin/adduser" or - "/bin/dockerd" or "/usr/bin/dockerd" or "/bin/microdnf" or "/usr/bin/microdnf" or "/bin/rpm" or "/usr/bin/rpm" or - "/bin/snapd" or "/usr/bin/snapd" or "/bin/yum" or "/usr/bin/yum" or "/bin/dnf" or "/usr/bin/dnf" or "/bin/podman" or - "/usr/bin/podman" or 
"/bin/dnf-automatic" or "/usr/bin/dnf-automatic" or "/bin/pacman" or "/usr/bin/pacman" - ) -) or - (file.extension:("swp" or "swpx")) or - (process.executable:("/bin/sed" or "/usr/bin/sed") and file.name:sed*) or - (process.executable:("/bin/perl" or "/usr/bin/perl") and file.name:e2scrub_all.tmp*) + process.executable in ( + "/bin/dpkg", "/usr/bin/dpkg", "/bin/dockerd", "/usr/bin/dockerd", "/usr/sbin/dockerd", "/bin/microdnf", + "/usr/bin/microdnf", "/bin/rpm", "/usr/bin/rpm", "/bin/snapd", "/usr/bin/snapd", "/bin/yum", "/usr/bin/yum", + "/bin/dnf", "/usr/bin/dnf", "/bin/podman", "/usr/bin/podman", "/bin/dnf-automatic", "/usr/bin/dnf-automatic", + "/bin/pacman", "/usr/bin/pacman", "/usr/bin/dpkg-divert", "/bin/dpkg-divert", "/sbin/apk", "/usr/sbin/apk", + "/usr/local/sbin/apk", "/usr/bin/apt", "/usr/sbin/pacman", "/bin/podman", "/usr/bin/podman", "/usr/bin/puppet", + "/bin/puppet", "/opt/puppetlabs/puppet/bin/puppet", "/usr/bin/chef-client", "/bin/chef-client", + "/bin/autossl_check", "/usr/bin/autossl_check", "/proc/self/exe", "/dev/fd/*", "/usr/bin/pamac-daemon", + "/bin/pamac-daemon", "/usr/lib/snapd/snapd", "/usr/sbin/adduser", "/usr/sbin/useradd", "/usr/local/bin/dockerd" + ) or + file.extension in ("swp", "swpx", "swx", "dpkg-remove") or + file.Ext.original.extension == "dpkg-new" or + process.executable : ( + "/nix/store/*", "/var/lib/dpkg/*", "/tmp/vmis.*", "/snap/*", "/dev/fd/*", "/usr/lib/virtualbox/*" + ) or + process.executable == null or + (process.name == "sed" and file.name : "sed*") or + (process.name == "perl" and file.name : "e2scrub_all.tmp*") ) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1546" name = "Event Triggered Execution" reference = "https://attack.mitre.org/techniques/T1546/" + [[rule.threat.technique.subtechnique]] id = "T1546.004" name = "Unix Shell Configuration Modification" reference = "https://attack.mitre.org/techniques/T1546/004/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" 
reference = "https://attack.mitre.org/tactics/TA0003/" - -[rule.new_terms] -field = "new_terms_fields" -value = ["host.id", "user.id", "process.executable"] -[[rule.new_terms.history_window_start]] -field = "history_window_start" -value = "now-10d" - -
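Review bot: `"/dev/fd/*"` inside the `process.executable in (...)` list is dead: EQL `in` compares strings exactly, so the `*` is a literal character and that entry can never match — the wildcard list `process.executable : ("/nix/store/*", ..., "/dev/fd/*", ...)` a few lines further down already covers it, so drop it from the `in` list. The same `in` list also carries `"/bin/podman"` and `"/usr/bin/podman"` twice. Separately, `process.executable == null` silently suppresses every shell-configuration file event that arrives without process context, which makes it the broadest exclusion in the rule; if that is intended (presumably to drop events with no attributable process), give it a why-comment in the query such as `// events with no process executable are excluded as noise; confirm the suppressed volume against telemetry` so the next tuner does not remove it blind.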