From a973da1a6b7a90bdd74b8e46974b340e1c545812 Mon Sep 17 00:00:00 2001 
From: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> Date: Wed, 7 Jan 2026 16:18:38 +0100 Subject: [PATCH] [Rule Tuning] Linux DR Tuning - 9 (#5508) * [Rule Tuning] Linux DR Tuning - 9 * Update rules/linux/persistence_apt_package_manager_file_creation.toml * Fix formatting in persistence_boot_file_copy.toml * Update persistence_chkconfig_service_add.toml * Change user.id values to string format in TOML * Fix condition for Java process working directory * Fix logical operator in OpenSSL passwd hash rule * Fix syntax for working_directory check * Fix condition for original file name check * Update persistence_web_server_unusual_command_execution.toml * Add cloud CLI tools to persistence rules --------- Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com> --- ...istence_apt_package_manager_execution.toml | 46 +++-- ...nce_apt_package_manager_file_creation.toml | 164 ++++++++++-------- ...ersistence_apt_package_manager_netcon.toml | 87 +++++----- rules/linux/persistence_at_job_creation.toml | 90 +++++----- rules/linux/persistence_boot_file_copy.toml | 56 +++--- .../persistence_bpf_probe_write_user.toml | 10 +- .../persistence_chkconfig_service_add.toml | 13 +- ...credential_access_modify_ssh_binaries.toml | 39 +++-- .../linux/persistence_cron_job_creation.toml | 19 +- .../persistence_dbus_service_creation.toml | 25 ++- ...e_dbus_unsual_daemon_parent_execution.toml | 33 +++- ..._package_manager_plugin_file_creation.toml | 17 +- ...kage_installation_from_unusual_parent.toml | 88 +++++----- .../persistence_dpkg_unusual_execution.toml | 101 ++++++----- .../persistence_dracut_module_creation.toml | 24 +-- .../persistence_dynamic_linker_backup.toml | 14 +- ...ersistence_extract_initramfs_via_cpio.toml | 5 +- .../linux/persistence_git_hook_execution.toml | 19 +- .../persistence_git_hook_file_creation.toml | 22 +-- rules/linux/persistence_git_hook_netcon.toml | 91 +++++----- ...ersistence_git_hook_process_execution.toml | 45 +++-- 
...rsistence_grub_configuration_creation.toml | 14 +- rules/linux/persistence_grub_makeconfig.toml | 21 ++- .../persistence_init_d_file_creation.toml | 30 ++-- ...persistence_insmod_kernel_module_load.toml | 29 ++-- ...ersistence_kde_autostart_modification.toml | 57 +++--- ...stence_kernel_driver_load_by_non_root.toml | 84 +++++---- ...rsistence_kernel_object_file_creation.toml | 91 +++++----- ...ce_kubernetes_sensitive_file_activity.toml | 7 +- .../persistence_kworker_file_creation.toml | 27 ++- ...sistence_linux_backdoor_user_creation.toml | 19 +- .../persistence_linux_group_creation.toml | 16 +- ...e_linux_shell_activity_via_web_server.toml | 73 ++++---- ...rsistence_linux_user_account_creation.toml | 17 +- ..._linux_user_added_to_privileged_group.toml | 26 ++- ...tence_lkm_configuration_file_creation.toml | 102 +++++------ .../persistence_manual_dracut_execution.toml | 21 ++- ...rsistence_message_of_the_day_creation.toml | 21 +-- ...sistence_message_of_the_day_execution.toml | 98 +++++------ ...etwork_manager_dispatcher_persistence.toml | 26 +-- ...stence_openssl_passwd_hash_generation.toml | 20 +-- ...ggable_authentication_module_creation.toml | 130 +++++++------- ...cation_module_creation_in_unusual_dir.toml | 18 +- ...ication_module_pam_exec_backdoor_exec.toml | 28 ++- ...authentication_module_source_download.toml | 58 +++---- .../persistence_polkit_policy_creation.toml | 23 +-- ...persistence_script_executable_bit_set.toml | 17 +- ...nce_process_capability_set_via_setcap.toml | 16 +- .../linux/persistence_pth_file_creation.toml | 16 +- ...persistence_rc_local_error_via_syslog.toml | 87 +++++----- ...ence_rc_local_service_already_running.toml | 87 +++++----- .../linux/persistence_rc_script_creation.toml | 18 +- ...kage_installation_from_unusual_parent.toml | 93 +++++----- ...sistence_setuid_setgid_capability_set.toml | 25 ++- .../persistence_shadow_file_modification.toml | 83 +++++---- .../persistence_shared_object_creation.toml | 21 ++- 
...ence_shell_configuration_modification.toml | 94 +++++----- ...simple_web_server_connection_accepted.toml | 75 ++++---- ...ersistence_simple_web_server_creation.toml | 28 +-- ...site_and_user_customize_file_creation.toml | 10 +- rules/linux/persistence_ssh_netcon.toml | 83 +++++---- ...stence_ssh_via_backdoored_system_user.toml | 100 ++++++----- ..._web_server_unusual_command_execution.toml | 4 +- 63 files changed, 1536 insertions(+), 1385 deletions(-) diff --git a/rules/linux/persistence_apt_package_manager_execution.toml b/rules/linux/persistence_apt_package_manager_execution.toml index 2c8f3af09..121bf3507 100644 --- a/rules/linux/persistence_apt_package_manager_execution.toml +++ b/rules/linux/persistence_apt_package_manager_execution.toml @@ -2,7 +2,7 @@ creation_date = "2024/02/01" integration = ["endpoint", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/10/17" +updated_date = "2025/12/22" [rule] author = ["Elastic"] @@ -54,7 +54,7 @@ The APT package manager is a vital tool for managing software on Debian-based Li - Monitor the affected host and network for any signs of re-infection or further suspicious activity, focusing on the execution of shell scripts and unauthorized network connections. - Escalate the incident to the security operations team for further investigation and to determine if additional systems have been compromised.""" references = ["https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms"] -risk_score = 47 +risk_score = 21 rule_id = "ad959eeb-2b7b-4722-ba08-a45f6622f005" setup = """## Setup 
@@ -82,7 +82,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ -severity = "medium" +severity = "low" tags = [ "Domain: Endpoint", "OS: Linux", @@ -96,7 +96,6 @@ tags = [ "Data Source: Crowdstrike", ] type = "eql" - query = ''' sequence by host.id with maxspan=5s [process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "start", "ProcessRollup2") and 
@@ -104,16 +103,39 @@ sequence by host.id with maxspan=5s "bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish" ) and not process.executable == "/usr/lib/venv-salt-minion/bin/python.original" ] by process.entity_id - [process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "start", "ProcessRollup2") and process.name : ( + [process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "start", "ProcessRollup2") and process.name like ( "bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "python*", "php*", "perl", "ruby", "lua*", "openssl", "nc", "netcat", "ncat", "telnet", "awk" - ) + ) and not ( + ?process.parent.executable like ( + "/run/k3s/containerd*", "/tmp/newroot/*", "/usr/share/debconf/frontend", "/var/tmp/buildah*", "./merged/*", + "./*/vz/root/*", "/usr/bin/adequate" + ) or + process.executable like ("/usr/lib/venv-salt-minion/bin/python.original", "./merged/var/lib/containers/*") or + process.command_line in ( + "python3 /usr/sbin/omv-mkaptidx", "python3 /usr/local/bin/abr-upgrade --upgrade", + "sh -c apt-get indextargets -o Dir::State::lists=/var/lib/apt/lists/ --format='$(FILENAME)' 'Created-By: Packages'", + "/usr/bin/perl /usr/sbin/dpkg-preconfigure --apt", "/bin/sh -e /usr/lib/update-notifier/update-motd-updates-available", + "/usr/bin/python3 /usr/lib/cnf-update-db", "/usr/bin/python3 /usr/bin/apt-listchanges --apt", + "/usr/bin/perl -w /usr/sbin/dpkg-preconfigure --apt", "/bin/sh /usr/lib/needrestart/apt-pinvoke", + "/bin/sh /usr/bin/kali-check-apt-sources", "/bin/sh /usr/lib/needrestart/apt-pinvoke -m u", + "/usr/bin/perl /usr/sbin/needrestart", "/usr/bin/perl -w /usr/bin/apt-show-versions -i", + "/usr/bin/perl -w /usr/bin/apt-show-versions -i", "/usr/bin/perl -w /bin/apt-show-versions -i", + "/usr/bin/perl /bin/adequate --help", "/usr/bin/perl /usr/sbin/needrestart -m u", + "/usr/bin/perl -w /usr/share/debconf/frontend /usr/sbin/needrestart", + "/usr/bin/python3 
/sbin/katello-tracer-upload", + "/usr/bin/python3 /usr/bin/package-profile-upload" + ) or + ?process.parent.command_line like ("sh -c if [ -x*", "sh -c -- if [ -x*") or + process.args in ("/usr/sbin/needrestart", "/usr/lib/needrestart/apt-pinvoke", "/usr/share/proxmox-ve/pve-apt-hook", "/usr/bin/dpkg-source") or + ?process.parent.args == "/usr/share/debconf/frontend" + ) ] by process.parent.entity_id ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" @@ -123,39 +145,40 @@ reference = "https://attack.mitre.org/techniques/T1543/" id = "T1546" name = "Event Triggered Execution" reference = "https://attack.mitre.org/techniques/T1546/" + [[rule.threat.technique.subtechnique]] id = "T1546.016" name = "Installer Packages" reference = "https://attack.mitre.org/techniques/T1546/016/" - [[rule.threat.technique]] id = "T1574" name = "Hijack Execution Flow" reference = "https://attack.mitre.org/techniques/T1574/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat]] framework = "MITRE ATT&CK" @@ -163,4 +186,3 @@ framework = "MITRE ATT&CK" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/linux/persistence_apt_package_manager_file_creation.toml b/rules/linux/persistence_apt_package_manager_file_creation.toml index 244bc4781..6fa37d13b 100644 --- a/rules/linux/persistence_apt_package_manager_file_creation.toml 
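Review bot: The `process.command_line in (...)` exclusion added in this hunk lists `"/usr/bin/perl -w /usr/bin/apt-show-versions -i"` twice (end of one line, start of the next); drop one copy so the list stays easy to audit. The `?process.parent.command_line like ("sh -c if [ -x*", "sh -c -- if [ -x*")` clause excludes on a short prefix of the parent's command line rather than on the full invocation it is meant to cover, which is considerably broader than the fully-specified entries around it; consider anchoring it on the complete known command line or on the hook's script path via `?process.parent.args`, and add a comment such as `/* prefix exclusion: <benign hook this covers> */` naming the source so the breadth is a deliberate choice. The `sequence by` header and the first step of the query begin before this hunk.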
+++ b/rules/linux/persistence_apt_package_manager_file_creation.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/06/03"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/24"
+updated_date = "2025/12/22"
 
 [rule]
 author = ["Elastic"]
@@ -18,77 +18,6 @@ index = ["logs-endpoint.events.file*"] language = "eql" license = "Elastic License v2" name = "APT Package Manager Configuration File Creation" -references = [ - "https://packetstormsecurity.com/files/152668/APT-Package-Manager-Persistence.html", - "https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms", -] -risk_score = 47 -rule_id = "7c2e1297-7664-42bc-af11-6d5d35220b6b" -setup = """## Setup - -This rule requires data coming in from Elastic Defend. - -### Elastic Defend Integration Setup -Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. - -#### Prerequisite Requirements: -- Fleet is required for Elastic Defend. -- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). - -#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: -- Go to the Kibana home page and click "Add integrations". -- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. -- Click "Add Elastic Defend". -- Configure the integration name and optionally add a description. -- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". -- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). -- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" -- Enter a name for the agent policy in "New agent policy name". 
If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. -For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). -- Click "Save and Continue". -- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. -For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). -""" -severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend", - "Resources: Investigation Guide", -] -timestamp_override = "event.ingested" -type = "eql" - -query = ''' -file where host.os.type == "linux" and event.action in ("rename", "creation") and -file.path : "/etc/apt/apt.conf.d/*" and not ( - process.executable in ( - "/bin/dpkg", "/usr/bin/dpkg", "/bin/dockerd", "/usr/bin/dockerd", "/usr/sbin/dockerd", "/bin/microdnf", - "/usr/bin/microdnf", "/bin/rpm", "/usr/bin/rpm", "/bin/snapd", "/usr/bin/snapd", "/bin/yum", "/usr/bin/yum", - "/bin/dnf", "/usr/bin/dnf", "/bin/podman", "/usr/bin/podman", "/bin/dnf-automatic", "/usr/bin/dnf-automatic", - "/bin/pacman", "/usr/bin/pacman", "/usr/bin/dpkg-divert", "/bin/dpkg-divert", "/sbin/apk", "/usr/sbin/apk", - "/usr/local/sbin/apk", "/usr/bin/apt", "/usr/sbin/pacman", "/bin/podman", "/usr/bin/podman", "/usr/bin/puppet", - "/bin/puppet", "/opt/puppetlabs/puppet/bin/puppet", "/usr/bin/chef-client", "/bin/chef-client", - "/bin/autossl_check", "/usr/bin/autossl_check", "/proc/self/exe", "/dev/fd/*", "/usr/bin/pamac-daemon", - "/bin/pamac-daemon", "/usr/lib/snapd/snapd", "/usr/local/bin/dockerd", "/usr/libexec/netplan/generate", - "/usr/local/bin/apt-get", "/usr/bin/apt-get" - ) or - file.path :("/etc/apt/apt.conf.d/*.tmp*") 
or - file.extension in ("swp", "swpx", "swx", "dpkg-remove") or - file.Ext.original.extension == "dpkg-new" or - process.executable : ( - "/nix/store/*", "/var/lib/dpkg/*", "/tmp/vmis.*", "/snap/*", "/dev/fd/*", "/usr/lib/*", "/usr/libexec/*", - "/etc/kernel/*" - ) or - process.executable == null or - process.name in ("pveupdate", "perl", "executor", "crio", "docker-init", "dockerd", "pvedaemon") or - (process.name == "sed" and file.name : "sed*") or - (process.name == "perl" and file.name : "e2scrub_all.tmp*") -) -''' note = """## Triage and analysis > **Disclaimer**: 
@@ -124,10 +53,96 @@ APT is a crucial tool for managing software on Debian-based Linux systems, handl - Perform a comprehensive scan of the system using updated antivirus or endpoint detection tools to identify and remove any additional malware or unauthorized changes. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected. - Implement enhanced monitoring and logging for the APT configuration directory and related processes to detect similar threats in the future.""" +references = [ + "https://packetstormsecurity.com/files/152668/APT-Package-Manager-Persistence.html", + "https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms", +] +risk_score = 21 +rule_id = "7c2e1297-7664-42bc-af11-6d5d35220b6b" +setup = """## Setup +This rule requires data coming in from Elastic Defend. + +### Elastic Defend Integration Setup +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + +#### Prerequisite Requirements: +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). + +#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. 
Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). 
+""" +severity = "low" +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "eql" +query = ''' +file where host.os.type == "linux" and event.action in ("rename", "creation") and +file.path : "/etc/apt/apt.conf.d/*" and not ( + process.executable in ( + "/bin/dpkg", "/usr/bin/dpkg", "/bin/dockerd", "/usr/bin/dockerd", "/usr/sbin/dockerd", "/bin/microdnf", + "/usr/bin/microdnf", "/bin/rpm", "/usr/bin/rpm", "/bin/snapd", "/usr/bin/snapd", "/bin/yum", "/usr/bin/yum", + "/bin/dnf", "/usr/bin/dnf", "/bin/podman", "/usr/bin/podman", "/bin/dnf-automatic", "/usr/bin/dnf-automatic", + "/bin/pacman", "/usr/bin/pacman", "/usr/bin/dpkg-divert", "/bin/dpkg-divert", "/sbin/apk", "/usr/sbin/apk", + "/usr/local/sbin/apk", "/usr/bin/apt", "/usr/sbin/pacman", "/bin/podman", "/usr/bin/podman", "/usr/bin/puppet", + "/bin/puppet", "/opt/puppetlabs/puppet/bin/puppet", "/usr/bin/chef-client", "/bin/chef-client", + "/bin/autossl_check", "/usr/bin/autossl_check", "/proc/self/exe", "/dev/fd/*", "/usr/bin/pamac-daemon", + "/bin/pamac-daemon", "/usr/lib/snapd/snapd", "/usr/local/bin/dockerd", "/usr/libexec/netplan/generate", + "/usr/local/bin/apt-get", "/usr/bin/apt-get", "./usr/bin/podman", "/usr/bin/buildah", "/.envbuilder/bin/envbuilder", + "/opt/puppetlabs/puppet/bin/ruby", "/usr/bin/pvedaemon", "/usr/bin/percona-release", "/usr/bin/crio" + ) or + file.path :("/etc/apt/apt.conf.d/*.tmp*") or + file.extension in ("swp", "swpx", "swx", "dpkg-remove", "dpkg-new") or + file.Ext.original.extension == "dpkg-new" or + file.Ext.original.name == ".source" or + process.executable : ( + "/nix/store/*", "/var/lib/dpkg/*", "/tmp/vmis.*", "/snap/*", "/dev/fd/*", "/usr/lib/*", "/usr/libexec/*", + "/etc/kernel/*", "/opt/saltstack/salt/bin/python*" + ) or + process.executable == null or + process.name in 
("pveupdate", "perl", "executor", "crio", "docker-init", "dockerd", "pvedaemon") or + (process.name == "sed" and file.name : "sed*") or + (process.name == "perl" and file.name : "e2scrub_all.tmp*") or + /* adding known file paths to reduce false positives */ + file.path in ( + "/etc/apt/apt.conf.d/50unattended-upgrades", + "/etc/apt/apt.conf.d/02autoremove-postgresql", + "/etc/apt/apt.conf.d/99rain-noautoupgrades", + "/etc/apt/apt.conf.d/99no-check-valid-until", + "/etc/apt/apt.conf.d/50isar-apt", + "/etc/apt/apt.conf.d/99gitlab-ci-cache", + "/etc/apt/apt.conf.d/50unattended-upgrades.ucf-dist", + "/etc/apt/apt.conf.d/01autoremove-kernels", + "/etc/apt/apt.conf.d/01autoremove", + "/etc/apt/apt.conf.d/95proxies", + "/etc/apt/apt.conf.d/99-noninteractive" + ) +) +''' [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" @@ -137,22 +152,22 @@ reference = "https://attack.mitre.org/techniques/T1543/" id = "T1546" name = "Event Triggered Execution" reference = "https://attack.mitre.org/techniques/T1546/" + [[rule.threat.technique.subtechnique]] id = "T1546.016" name = "Installer Packages" reference = "https://attack.mitre.org/techniques/T1546/016/" - [[rule.threat.technique]] id = "T1574" name = "Hijack Execution Flow" reference = "https://attack.mitre.org/techniques/T1574/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" @@ -160,4 +175,3 @@ framework = "MITRE ATT&CK" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/linux/persistence_apt_package_manager_netcon.toml b/rules/linux/persistence_apt_package_manager_netcon.toml index 0dffc185e..7e83bb830 100644 --- a/rules/linux/persistence_apt_package_manager_netcon.toml +++ b/rules/linux/persistence_apt_package_manager_netcon.toml 
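Review bot: The new `file.path in (...)` exclusion at the end of the query suppresses creations of those eleven paths regardless of which process wrote them, so a creation of one of those names by a process the rule would otherwise flag is no longer seen; since the comment calls them known paths, pairing each with its known writer (`process.name`/`process.executable`, as the rest of the `not (...)` does) keeps the false-positive reduction without giving up coverage of those names. Also, `"/dev/fd/*"` inside the `process.executable in (...)` list is an exact-match entry (EQL `in` does not expand wildcards) and is already handled by the `process.executable : (...)` clause below, and `"/bin/podman"`/`"/usr/bin/podman"` appear twice in that same list; both are carried over from the old side and could be cleaned up while the list is being touched. The `query` string is fully inside this hunk, but the `[rule]` table it belongs to starts above it.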
@@ -2,7 +2,7 @@
 creation_date = "2024/02/01"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/02/04"
+updated_date = "2025/12/22"
 
 [rule]
 author = ["Elastic"]
@@ -18,6 +18,41 @@ index = ["logs-endpoint.events.network*", "logs-endpoint.events.process*"] language = "eql" license = "Elastic License v2" name = "Suspicious APT Package Manager Network Connection" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Suspicious APT Package Manager Network Connection + +The APT package manager is crucial for managing software on Debian-based Linux systems. Adversaries may exploit APT by injecting malicious scripts, gaining persistence and control. The detection rule identifies suspicious APT-triggered shell executions followed by unusual network connections, flagging potential backdoor activities and unauthorized access attempts. + +### Possible investigation steps + +- Review the process details to confirm the parent process is indeed 'apt' and check the command-line arguments for any unusual or unauthorized scripts being executed. +- Investigate the network connection details, focusing on the destination IP address to determine if it is known to be malicious or associated with suspicious activity. Cross-reference with threat intelligence sources. +- Examine the process tree to identify any child processes spawned by the suspicious shell execution, which may provide further insight into the attacker's actions or intentions. +- Check the system logs for any other recent unusual activities or alerts that might correlate with the suspicious APT activity, such as unauthorized user logins or file modifications. +- Assess the system for any signs of persistence mechanisms that may have been established, such as cron jobs or modified startup scripts, which could indicate a backdoor installation. 
+- If possible, capture and analyze network traffic to and from the destination IP to understand the nature of the communication and identify any data exfiltration or command and control activities. + +### False positive analysis + +- Legitimate administrative scripts executed by APT may trigger the rule if they involve shell commands followed by network connections. Users can create exceptions for known scripts by specifying their paths or hashes. +- Automated system updates or package installations that involve network connections might be flagged. Users should monitor and whitelist these routine operations by identifying the specific processes and network destinations involved. +- Network connections to internal or trusted IP addresses not covered by the existing CIDR exclusions could be mistakenly flagged. Users can expand the CIDR list to include additional trusted IP ranges specific to their environment. +- Use of alternative shell environments or custom scripts that invoke APT with network operations may cause false positives. Users should document and exclude these specific use cases by process name or command-line arguments. +- Non-standard APT configurations or third-party tools that interact with APT and initiate network connections might be misidentified. Users should review and whitelist these tools by their executable paths or process names. + +### Response and remediation + +- Isolate the affected host immediately to prevent further unauthorized network connections and potential lateral movement within the network. +- Terminate any suspicious processes identified as being executed by the APT package manager, especially those involving shell executions. +- Conduct a thorough review of the APT configuration files and scripts to identify and remove any injected malicious code or unauthorized modifications. +- Revert any unauthorized changes to the system or software packages by restoring from a known good backup, ensuring the integrity of the system. 
+- Update all system packages and apply security patches to close any vulnerabilities that may have been exploited by the attacker. +- Monitor network traffic for any further suspicious connections or activities originating from the affected host, using enhanced logging and alerting mechanisms. +- Escalate the incident to the security operations team for further investigation and to determine if additional systems have been compromised, ensuring a comprehensive response.""" references = ["https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms"] risk_score = 47 rule_id = "eaef8a35-12e0-4ac0-bc14-81c72b6bd27c" @@ -59,13 +94,12 @@ tags = [ "Resources: Investigation Guide", ] type = "eql" - query = ''' sequence by host.id with maxspan=5s [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and - process.parent.name == "apt" and process.args == "-c" and process.name in ( - "bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish" - ) + process.parent.name == "apt" and process.args == "-c" and + process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and + not process.args == "/usr/bin/apt-listbugs apt" ] by process.entity_id [network where host.os.type == "linux" and event.action == "connection_attempted" and event.type == "start" and not ( destination.ip == null or destination.ip == "0.0.0.0" or cidrmatch( 
@@ -78,45 +112,10 @@ sequence by host.id with maxspan=5s ) and not process.executable == "/usr/bin/apt-listbugs" ] by process.parent.entity_id ''' -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Suspicious APT Package Manager Network Connection - -The APT package manager is crucial for managing software on Debian-based Linux systems. Adversaries may exploit APT by injecting malicious scripts, gaining persistence and control. The detection rule identifies suspicious APT-triggered shell executions followed by unusual network connections, flagging potential backdoor activities and unauthorized access attempts. - -### Possible investigation steps - -- Review the process details to confirm the parent process is indeed 'apt' and check the command-line arguments for any unusual or unauthorized scripts being executed. -- Investigate the network connection details, focusing on the destination IP address to determine if it is known to be malicious or associated with suspicious activity. Cross-reference with threat intelligence sources. -- Examine the process tree to identify any child processes spawned by the suspicious shell execution, which may provide further insight into the attacker's actions or intentions. -- Check the system logs for any other recent unusual activities or alerts that might correlate with the suspicious APT activity, such as unauthorized user logins or file modifications. -- Assess the system for any signs of persistence mechanisms that may have been established, such as cron jobs or modified startup scripts, which could indicate a backdoor installation. 
-- If possible, capture and analyze network traffic to and from the destination IP to understand the nature of the communication and identify any data exfiltration or command and control activities. - -### False positive analysis - -- Legitimate administrative scripts executed by APT may trigger the rule if they involve shell commands followed by network connections. Users can create exceptions for known scripts by specifying their paths or hashes. -- Automated system updates or package installations that involve network connections might be flagged. Users should monitor and whitelist these routine operations by identifying the specific processes and network destinations involved. -- Network connections to internal or trusted IP addresses not covered by the existing CIDR exclusions could be mistakenly flagged. Users can expand the CIDR list to include additional trusted IP ranges specific to their environment. -- Use of alternative shell environments or custom scripts that invoke APT with network operations may cause false positives. Users should document and exclude these specific use cases by process name or command-line arguments. -- Non-standard APT configurations or third-party tools that interact with APT and initiate network connections might be misidentified. Users should review and whitelist these tools by their executable paths or process names. - -### Response and remediation - -- Isolate the affected host immediately to prevent further unauthorized network connections and potential lateral movement within the network. -- Terminate any suspicious processes identified as being executed by the APT package manager, especially those involving shell executions. -- Conduct a thorough review of the APT configuration files and scripts to identify and remove any injected malicious code or unauthorized modifications. -- Revert any unauthorized changes to the system or software packages by restoring from a known good backup, ensuring the integrity of the system. 
-- Update all system packages and apply security patches to close any vulnerabilities that may have been exploited by the attacker. -- Monitor network traffic for any further suspicious connections or activities originating from the affected host, using enhanced logging and alerting mechanisms. -- Escalate the incident to the security operations team for further investigation and to determine if additional systems have been compromised, ensuring a comprehensive response.""" - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" @@ -126,22 +125,22 @@ reference = "https://attack.mitre.org/techniques/T1543/" id = "T1546" name = "Event Triggered Execution" reference = "https://attack.mitre.org/techniques/T1546/" + [[rule.threat.technique.subtechnique]] id = "T1546.016" name = "Installer Packages" reference = "https://attack.mitre.org/techniques/T1546/016/" - [[rule.threat.technique]] id = "T1574" name = "Hijack Execution Flow" reference = "https://attack.mitre.org/techniques/T1574/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" @@ -149,6 +148,7 @@ framework = "MITRE ATT&CK" id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" + [[rule.threat]] framework = "MITRE ATT&CK" @@ -156,4 +156,3 @@ framework = "MITRE ATT&CK" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/linux/persistence_at_job_creation.toml b/rules/linux/persistence_at_job_creation.toml index 6f5313142..c0e77855a 100644 --- a/rules/linux/persistence_at_job_creation.toml +++ b/rules/linux/persistence_at_job_creation.toml @@ -2,7 +2,7 @@ creation_date = "2024/05/31" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/01" +updated_date = "2025/12/22" [rule] author = ["Elastic"] 
@@ -17,6 +17,41 @@ index = ["logs-endpoint.events.file*"] language = "eql" license = "Elastic License v2" name = "At Job Created or Modified" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating At Job Created or Modified + +The 'at' command in Linux schedules tasks for future execution, aiding system admins in automating routine jobs. However, attackers can exploit this for persistence, privilege escalation, or executing unauthorized commands. The detection rule identifies suspicious 'at' job creations or modifications by monitoring specific file paths and excluding benign processes, helping to flag potential malicious activities. + +### Possible investigation steps + +- Review the file path of the created or modified 'at' job to confirm it is within the monitored directory: /var/spool/cron/atjobs/*. Determine if the file path is expected or unusual for the system's typical operations. +- Identify the process that triggered the alert by examining the process.executable field. Check if the process is known and expected in the context of the system's normal operations. +- Investigate the user account associated with the process that created or modified the 'at' job. Determine if the account has legitimate reasons to schedule tasks or if it might be compromised. +- Check the contents of the 'at' job file to understand the commands or scripts scheduled for execution. Look for any suspicious or unauthorized commands that could indicate malicious intent. +- Correlate the event with other recent alerts or logs from the same host to identify any patterns or additional indicators of compromise, such as privilege escalation attempts or unauthorized access. 
+- Verify if there are any known vulnerabilities or exploits associated with the processes or commands involved in the alert, which could provide further context on the potential threat. + +### False positive analysis + +- System package managers like dpkg, rpm, and yum can trigger false positives when they create or modify at jobs during software installations or updates. To manage this, ensure these processes are included in the exclusion list within the detection rule. +- Automated system management tools such as Puppet and Chef may also create or modify at jobs as part of their routine operations. Add these tools to the exclusion list to prevent unnecessary alerts. +- Temporary files with extensions like swp or dpkg-remove can be mistakenly flagged. Exclude these file extensions from the rule to reduce false positives. +- Processes running from directories like /nix/store or /snap can be benign and should be considered for exclusion if they are part of regular system operations. +- If the process executable is null, it might indicate a benign system process that lacks a defined executable path. Consider reviewing these cases to determine if they are legitimate and adjust the rule accordingly. + +### Response and remediation + +- Immediately isolate the affected system from the network to prevent further unauthorized access or execution of malicious tasks. +- Terminate any suspicious processes associated with the creation or modification of 'at' jobs that are not part of the excluded benign processes. +- Review and remove any unauthorized 'at' jobs found in the /var/spool/cron/atjobs/ directory to eliminate persistence mechanisms. +- Conduct a thorough examination of the system for additional indicators of compromise, such as unauthorized user accounts or unexpected network connections. +- Restore the system from a known good backup if malicious activity is confirmed and cannot be fully remediated. 
+- Escalate the incident to the security operations team for further analysis and to determine if additional systems are affected. +- Implement enhanced monitoring and logging for 'at' job activities to detect similar threats in the future, ensuring that alerts are promptly reviewed and acted upon.""" references = ["https://www.elastic.co/security-labs/primer-on-persistence-mechanisms"] risk_score = 47 rule_id = "84755a05-78c8-4430-8681-89cd6c857d71" @@ -70,7 +105,7 @@ not ( "/usr/local/sbin/apk", "/usr/bin/apt", "/usr/sbin/pacman", "/bin/podman", "/usr/bin/podman", "/usr/bin/puppet", "/bin/puppet", "/opt/puppetlabs/puppet/bin/puppet", "/usr/bin/chef-client", "/bin/chef-client", "/bin/autossl_check", "/usr/bin/autossl_check", "/proc/self/exe", "/dev/fd/*", "/usr/bin/pamac-daemon", - "/bin/pamac-daemon", "/usr/local/bin/dockerd" + "/bin/pamac-daemon", "/usr/local/bin/dockerd", "./usr/bin/podman" ) or file.extension in ("swp", "swpx", "swx", "dpkg-remove") or file.Ext.original.extension == "dpkg-new" or 
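Review bot: The `process.executable in (...)` list that gains `"./usr/bin/podman"` still carries `"/dev/fd/*"`, and EQL `in` is an exact string comparison, so that glob entry never matches an event; the cron-job rule in this same PR removes `"/dev/fd/*"` from its `in` list and relies on its `process.executable like (...)` list instead, and this rule should do the same for consistency. Drop `"/dev/fd/*"` here after confirming the rule's `like` list (outside this hunk) already covers it. A relative path such as `./usr/bin/podman` is an unusual value to allow-list; if it comes from podman running with a chroot-style working directory, a sentence in the false-positive section saying so would save the next tuner from questioning it.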
@@ -80,92 +115,57 @@ not ( (process.name == "perl" and file.name : "e2scrub_all.tmp*") ) ''' -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating At Job Created or Modified - -The 'at' command in Linux schedules tasks for future execution, aiding system admins in automating routine jobs. However, attackers can exploit this for persistence, privilege escalation, or executing unauthorized commands. The detection rule identifies suspicious 'at' job creations or modifications by monitoring specific file paths and excluding benign processes, helping to flag potential malicious activities. - -### Possible investigation steps - -- Review the file path of the created or modified 'at' job to confirm it is within the monitored directory: /var/spool/cron/atjobs/*. Determine if the file path is expected or unusual for the system's typical operations. -- Identify the process that triggered the alert by examining the process.executable field. Check if the process is known and expected in the context of the system's normal operations. -- Investigate the user account associated with the process that created or modified the 'at' job. Determine if the account has legitimate reasons to schedule tasks or if it might be compromised. -- Check the contents of the 'at' job file to understand the commands or scripts scheduled for execution. Look for any suspicious or unauthorized commands that could indicate malicious intent. -- Correlate the event with other recent alerts or logs from the same host to identify any patterns or additional indicators of compromise, such as privilege escalation attempts or unauthorized access. 
-- Verify if there are any known vulnerabilities or exploits associated with the processes or commands involved in the alert, which could provide further context on the potential threat. - -### False positive analysis - -- System package managers like dpkg, rpm, and yum can trigger false positives when they create or modify at jobs during software installations or updates. To manage this, ensure these processes are included in the exclusion list within the detection rule. -- Automated system management tools such as Puppet and Chef may also create or modify at jobs as part of their routine operations. Add these tools to the exclusion list to prevent unnecessary alerts. -- Temporary files with extensions like swp or dpkg-remove can be mistakenly flagged. Exclude these file extensions from the rule to reduce false positives. -- Processes running from directories like /nix/store or /snap can be benign and should be considered for exclusion if they are part of regular system operations. -- If the process executable is null, it might indicate a benign system process that lacks a defined executable path. Consider reviewing these cases to determine if they are legitimate and adjust the rule accordingly. - -### Response and remediation - -- Immediately isolate the affected system from the network to prevent further unauthorized access or execution of malicious tasks. -- Terminate any suspicious processes associated with the creation or modification of 'at' jobs that are not part of the excluded benign processes. -- Review and remove any unauthorized 'at' jobs found in the /var/spool/cron/atjobs/ directory to eliminate persistence mechanisms. -- Conduct a thorough examination of the system for additional indicators of compromise, such as unauthorized user accounts or unexpected network connections. -- Restore the system from a known good backup if malicious activity is confirmed and cannot be fully remediated. 
-- Escalate the incident to the security operations team for further analysis and to determine if additional systems are affected. -- Implement enhanced monitoring and logging for 'at' job activities to detect similar threats in the future, ensuring that alerts are promptly reviewed and acted upon.""" - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1053" name = "Scheduled Task/Job" reference = "https://attack.mitre.org/techniques/T1053/" + [[rule.threat.technique.subtechnique]] id = "T1053.002" name = "At" reference = "https://attack.mitre.org/techniques/T1053/002/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1053" name = "Scheduled Task/Job" reference = "https://attack.mitre.org/techniques/T1053/" + [[rule.threat.technique.subtechnique]] id = "T1053.002" name = "At" reference = "https://attack.mitre.org/techniques/T1053/002/" - - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1053" name = "Scheduled Task/Job" reference = "https://attack.mitre.org/techniques/T1053/" + [[rule.threat.technique.subtechnique]] id = "T1053.002" name = "At" reference = "https://attack.mitre.org/techniques/T1053/002/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules/linux/persistence_boot_file_copy.toml b/rules/linux/persistence_boot_file_copy.toml index f24308474..291d6f8ea 100644 --- a/rules/linux/persistence_boot_file_copy.toml +++ b/rules/linux/persistence_boot_file_copy.toml 
@@ -1,24 +1,20 @@ [metadata] creation_date = "2025/01/16" -integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"] +integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2025/12/22" [rule] author = ["Elastic"] description = """ -This rule detects the process of copying or moving files from or to the `/boot` directory on Linux systems. The `/boot` +This rule detects the process of copying or moving files from or to the "/boot" directory on Linux systems. The "/boot" directory contains files that are essential for the system to boot, such as the kernel and initramfs images. Attackers -may copy or move files to the `/boot` directory to modify the boot process, which can be leveraged to maintain access to +may copy or move files to the "/boot" directory to modify the boot process, which can be leveraged to maintain access to the system. """ from = "now-9m" index = [ "logs-endpoint.events.process*", - "endgame-*", - "auditbeat-*", - "logs-auditd_manager.auditd-*", - "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*", ] language = "eql" 
@@ -86,29 +82,49 @@ tags = [ "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", - "Data Source: Elastic Endgame", "Data Source: Elastic Defend", - "Data Source: Auditd Manager", - "Data Source: Crowdstrike", "Data Source: SentinelOne", "Resources: Investigation Guide", ] timestamp_override = "event.ingested" type = "eql" - query = ''' -process where host.os.type == "linux" and event.type == "start" and -event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed") and +process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "start") and process.name in ("cp", "mv") and process.parent.executable != null and process.args like~ "/boot/*" and not ( process.parent.name in ("update-initramfs", "dracut", "grub-mkconfig", "shim-install", "sudo", "activate-theme", "update-grub-gfxpayload", "grub-pc.postinst") or process.parent.executable like~ ("/usr/lib/kernel/install.d/*", "/tmp/newroot/*", "/var/lib/dpkg/info/*") or - process.parent.args like~ ("/usr/bin/mkinitcpio", "/var/tmp/rpm-tmp.*") + process.parent.args like~ ("/usr/bin/mkinitcpio", "/var/tmp/rpm-tmp.*", "/var/lib/dpkg/info/*") or + process.parent.executable in ( + "/var/lib/aws-replication-agent/migration_scripts/suse_to_aws.bash", "/usr/sbin/flash-kernel", "/usr/sbin/weak-modules", + "/etc/cron.hourly/check_mau", "/usr/bin/update-microcode-initrd", "/bin/run-parts", "/usr/sbin/mkinitramfs", "/usr/sbin/grub2-mkconfig", + "/usr/bin/supermin5", "/sbin/weak-modules", "/usr/sbin/nv-update-initrd", "/usr/libexec/platform-python", "/bin/kernel-install", + "/usr/bin/oracle-database-preinstall-19c-verify", "/usr/libexec/grubby/prune_debug" + ) or + process.command_line == "/bin/cp /usr/local/ASR/Vx/scripts/vCon//Configuration.info /boot/" or + ?process.working_directory in ("/var/lib/aws-replication-agent", "/opt/sentinelone/bin", "/tmp/MobilityAgentAutoUpgrade/package") or + ( + process.name == "cp" and + process.parent.args in ( + 
"/etc/kernel/postrm.d/zz-proxmox-boot", "/etc/kernel/postinst.d/zz-proxmox-boot", "/usr/lib/kernel/install.d/20-grub.install", + "/usr/bin/dracut", "/bin/dracut", "/usr/sbin/shim-install", "/sbin/dracut", "/opt/McAfee/ens/esp/scripts/modversion-check.sh", + "//opt/McAfee/ens/esp/scripts//modversion-check.sh", "/usr/sbin/update-grub-legacy-ec2", "/usr/bin/foreman-generate-bootloaders", + "/usr/share/grub2/themes/SLE/activate-theme", "/usr/sbin/dracut", "/usr/sbin/flash-kernel", "/usr/lib/kernel/install.d/20-grubby.install" + ) + ) or + (process.name == "mv" and process.args == "-f" and process.parent.args == "/usr/sbin/update-initramfs") or + ( + process.name == "mv" and + process.parent.args in ( + "/usr/sbin/flash-kernel", "/usr/bin/update-microcode-initrd", "/usr/sbin/update-grub-gfxpayload", + "/usr/sbin/weak-modules", "/usr/bin/dracut" + ) + ) ) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1542" name = "Pre-OS Boot" @@ -124,28 +140,29 @@ id = "T1574" name = "Hijack Execution Flow" reference = "https://attack.mitre.org/techniques/T1574/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat]] framework = "MITRE ATT&CK" @@ -153,4 +170,3 @@ framework = "MITRE ATT&CK" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/linux/persistence_bpf_probe_write_user.toml b/rules/linux/persistence_bpf_probe_write_user.toml index efc2ecb55..7e66f75cc 100644 
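Review bot: The new `?process.working_directory in (... "/tmp/MobilityAgentAutoUpgrade/package")` exclusion can be satisfied by any local user, because `/tmp` is world-writable: `mkdir -p /tmp/MobilityAgentAutoUpgrade/package`, `cd` into it, and every subsequent `cp`/`mv` into `/boot` is suppressed regardless of who launched it. Exclusions keyed on a path under `/tmp` should be paired with something the attacker does not control, such as the upgrader's parent executable or parent name as seen in the source alerts, rather than the working directory alone. The `process.parent.args in ("/usr/bin/dracut", ...)` branches have a similar flavour, since `args` matches any argument position and `sh -c 'cp x /boot/' /usr/bin/dracut` would satisfy them, but that pattern predates this change. Consider noting in the false-positive section that working-directory and parent-argument exclusions are weaker than executable-path ones.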
--- a/rules/linux/persistence_bpf_probe_write_user.toml +++ b/rules/linux/persistence_bpf_probe_write_user.toml @@ -2,13 +2,13 @@ creation_date = "2025/01/28" integration = ["system"] maturity = "production" -updated_date = "2025/01/28" +updated_date = "2025/12/22" [rule] author = ["Elastic"] description = """ -This rule monitors the syslog log file for messages related to instances of a program using the `bpf_probe_write_user` helper. -The `bpf_probe_write_user` helper is used to write data to user space from a BPF program. Unauthorized use of this helper can +This rule monitors the syslog log file for messages related to instances of a program using the "bpf_probe_write_user" helper. +The "bpf_probe_write_user" helper is used to write data to user space from a BPF program. Unauthorized use of this helper can be indicative of an eBPF rootkit or other malicious activity. """ from = "now-9m" @@ -52,7 +52,7 @@ The `bpf_probe_write_user` helper is a function within the eBPF (extended Berkel - Escalate the incident to the security operations team for further analysis and to determine if additional systems are affected. - Update detection mechanisms to include additional indicators of compromise related to eBPF rootkits and similar threats, enhancing future threat detection capabilities. """ -risk_score = 21 +risk_score = 73 rule_id = "c37ffc64-da75-447e-ad1c-cbc64727b3b8" setup = """## Setup @@ -75,7 +75,7 @@ Filebeat is a lightweight shipper for forwarding and centralizing log data. Inst - The system module collects and parses logs created by the system logging service of common Unix/Linux based distributions. - To run the system module of Filebeat on Linux follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-system.html). """ -severity = "low" +severity = "high" tags = [ "Domain: Endpoint", "OS: Linux", 
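Review bot: The description hunk replaces the backticks around `bpf_probe_write_user` with double quotes, but the investigation-guide line shown as context for the `@@ -52,7 +52,7 @@` hunk (`The \`bpf_probe_write_user\` helper is a function within the eBPF ...`) keeps backticks, so the file now quotes the same identifier two different ways. If dropping backticks is the intended convention, apply it to the note as well; otherwise leave the description as it was. The `severity = "high"` / `risk_score = 73` pair matches the mapping used elsewhere in the repo, so those two hunks are consistent with each other.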
diff --git a/rules/linux/persistence_chkconfig_service_add.toml b/rules/linux/persistence_chkconfig_service_add.toml index 56bd686bc..554ad767f 100644 --- a/rules/linux/persistence_chkconfig_service_add.toml +++ b/rules/linux/persistence_chkconfig_service_add.toml @@ -2,7 +2,7 @@ creation_date = "2022/07/22" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2025/12/22" [transform] [[transform.osquery]] @@ -174,30 +174,29 @@ tags = [ ] timestamp_override = "event.ingested" type = "eql" - query = ''' process where host.os.type == "linux" and event.action in ("exec", "exec_event", "start") and +process.executable != null and ( (process.executable : "/usr/sbin/chkconfig" and process.args : "--add") or (process.args : "*chkconfig" and process.args : "--add") ) and not ( process.parent.name in ("rpm", "qualys-scan-util", "qualys-cloud-agent", "update-alternatives") or - process.parent.args : ("/var/tmp/rpm*", "/var/lib/waagent/*") or - process.args in ("jexec", "sapinit", "httpd", "dbora") + process.parent.executable in ("/opt/commvault/.gxsetup/silent_install/install", "/usr/sbin/alternatives") or + process.parent.args : ("/var/tmp/rpm*", "/var/lib/waagent/*", "/usr/bin/puppet*") or + process.args in ("jexec", "sapinit", "httpd", "dbora" , "selfprotection") ) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1037" name = "Boot or Logon Initialization Scripts" reference = "https://attack.mitre.org/techniques/T1037/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - diff --git a/rules/linux/persistence_credential_access_modify_ssh_binaries.toml b/rules/linux/persistence_credential_access_modify_ssh_binaries.toml index 44170ed43..523302ed1 100644 --- a/rules/linux/persistence_credential_access_modify_ssh_binaries.toml +++ b/rules/linux/persistence_credential_access_modify_ssh_binaries.toml 
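Review bot: The extended `process.args in ("jexec", "sapinit", "httpd", "dbora" , "selfprotection")` exclusion keys on the service name handed to `chkconfig --add`, and because `process.args in` matches any argument position an attacker only has to name the init script `httpd` or `selfprotection` to stay below this rule. Service-name exclusions should be tied to the parent that legitimately adds them, the way the `process.parent.executable in (...)` list added in the same hunk already does for commvault and alternatives. There is also a stray space in `"dbora" ,` that should be `"dbora",`. The new `process.executable != null and` guard looks intended to drop events lacking an executable; a short sentence in the guide explaining why such events occur would help.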
@@ -2,7 +2,7 @@ creation_date = "2020/12/21" integration = ["endpoint"] maturity = "production" -updated_date = "2025/02/03" +updated_date = "2025/12/22" [transform] [[transform.osquery]] @@ -43,10 +43,10 @@ from = "now-9m" index = ["logs-endpoint.events.*", "endgame-*"] language = "kuery" license = "Elastic License v2" -name = "Modification of OpenSSH Binaries" +name = "Renaming of OpenSSH Binaries" note = """## Triage and analysis -### Investigating Modification of OpenSSH Binaries +### Investigating Renaming of OpenSSH Binaries OpenSSH is a widely used suite of secure networking utilities based on the Secure Shell (SSH) protocol, which provides encrypted communication sessions over a computer network. @@ -105,7 +105,7 @@ The detection rule 'Modification of OpenSSH Binaries' is designed to identify su - Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). """ references = ["https://blog.angelalonso.es/2016/09/anatomy-of-real-linux-intrusion-part-ii.html"] -risk_score = 47 +risk_score = 21 rule_id = "0415f22a-2336-45fa-ba07-618a5942e22c" setup = """## Setup @@ -144,7 +144,7 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit - To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html). - For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html). """ -severity = "medium" +severity = "low" tags = [ "Domain: Endpoint", "OS: Linux", 
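Review bot: The rule title becomes "Renaming of OpenSSH Binaries" in `name` and in the note heading, but the hunk header of `@@ -105,7 +105,7 @@` shows the guide body still reading `The detection rule 'Modification of OpenSSH Binaries' is designed to identify su...`, so the investigation guide now cites a title that no longer exists. Update that sentence to the new name. The rename also changes what the title promises: the query in the following hunk still matches `event.type:change` on the four binaries, which is broader than renames alone, so either the title should describe what the query catches or the query should be narrowed to rename events; I cannot tell from the hunk which was intended.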
@@ -158,20 +158,25 @@ tags = [ ] timestamp_override = "event.ingested" type = "query" - query = ''' event.category:file and host.os.type:linux and event.type:change and - process.name:(* and not ( - dnf or dnf-automatic or dpkg or yum or rpm or yum-cron or anacron or platform-python* or - apk or ansible-admin or systemd or python* or yum or nix-daemon or nix - ) - ) and - (file.path:(/usr/bin/scp or - /usr/bin/sftp or - /usr/bin/ssh or - /usr/sbin/sshd) or - file.name:libkeyutils.so) and - not process.executable:/usr/share/elasticsearch/* +process.name:(* and not ( + dnf or dnf-automatic or dpkg or yum or rpm or yum-cron or anacron or platform-python* or + apk or ansible-admin or systemd or python* or yum or nix-daemon or nix + ) +) and +(file.path:(/usr/bin/scp or + /usr/bin/sftp or + /usr/bin/ssh or + /usr/sbin/sshd) or +file.name:libkeyutils.so) and +not ( + process.executable:( + /usr/share/elasticsearch/* or "/usr/bin/microdnf" or "/usr/bin/dnf5" or "/usr/sbin/gdm" or + "/usr/libexec/packagekitd" or "/usr/libexec/zypp/zypp-rpm" or "/home/sa-ansible" + ) or + file.Ext.original.name:"sshd.session-split" +) ''' [[rule.threat]] diff --git a/rules/linux/persistence_cron_job_creation.toml b/rules/linux/persistence_cron_job_creation.toml index cf12783ba..752d09252 100644 --- a/rules/linux/persistence_cron_job_creation.toml +++ b/rules/linux/persistence_cron_job_creation.toml @@ -2,7 +2,7 @@ creation_date = "2023/06/09" integration = ["endpoint"] maturity = "production" -updated_date = "2025/09/29" +updated_date = "2025/12/22" [transform] [[transform.osquery]] 
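Review bot: The new `"/home/sa-ansible"` entry in `process.executable:(...)` is an exact path under a user-writable home directory; it matches only a binary literally named `/home/sa-ansible`, so if it is meant to cover that account's tooling it needs a wildcard (`/home/sa-ansible/*`), and either way anything launched from that path by the account (or by whoever compromises it) would then be invisible to this rule. Prefer excluding the specific ansible executable the source alerts showed and keep home-directory paths out of the allow-list. The other added entries (`microdnf`, `dnf5`, `gdm`, `packagekitd`, `zypp-rpm`) are fixed system paths and look reasonable. Note that the reformatted block ends inside the `[[rule.threat]]` section, whose remainder is outside the hunk.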
@@ -176,10 +176,8 @@ tags = [ ] timestamp_override = "event.ingested" type = "eql" - query = ''' -file where host.os.type == "linux" and -event.action in ("rename", "creation") and file.path : ( +file where host.os.type == "linux" and event.action in ("rename", "creation") and file.path like ( "/etc/cron.allow", "/etc/cron.deny", "/etc/cron.d/*", "/etc/cron.hourly/*", "/etc/cron.daily/*", "/etc/cron.weekly/*", "/etc/cron.monthly/*", "/etc/crontab", "/var/spool/cron/crontabs/*", "/var/spool/anacron/*" ) and not ( 
@@ -190,26 +188,27 @@ event.action in ("rename", "creation") and file.path : ( "/bin/pacman", "/usr/bin/pacman", "/usr/bin/dpkg-divert", "/bin/dpkg-divert", "/sbin/apk", "/usr/sbin/apk", "/usr/local/sbin/apk", "/usr/bin/apt", "/usr/sbin/pacman", "/bin/podman", "/usr/bin/podman", "/usr/bin/puppet", "/bin/puppet", "/opt/puppetlabs/puppet/bin/puppet", "/usr/bin/chef-client", "/bin/chef-client", - "/bin/autossl_check", "/usr/bin/autossl_check", "/proc/self/exe", "/dev/fd/*", "/usr/bin/pamac-daemon", + "/bin/autossl_check", "/usr/bin/autossl_check", "/proc/self/exe", "/usr/bin/pamac-daemon", "/bin/pamac-daemon", "/usr/local/bin/dockerd", "/opt/elasticbeanstalk/bin/platform-engine", "/opt/puppetlabs/puppet/bin/ruby", "/usr/libexec/platform-python", "/opt/imunify360/venv/bin/python3", "/opt/eset/efs/lib/utild", "/usr/sbin/anacron", "/usr/bin/podman", "/kaniko/kaniko-executor", - "/usr/bin/pvedaemon", "./usr/bin/podman", "/usr/lib/systemd/systemd" + "/usr/bin/pvedaemon", "./usr/bin/podman", "/usr/lib/systemd/systemd", "./usr/bin/podman", "/usr/bin/coreutils", + "/usr/sbin/univention-config-registry", "/usr/bin/dnf5", "./usr/lib/snapd/snap-update-ns" ) or file.path like ("/var/spool/cron/crontabs/tmp.*", "/etc/cron.d/jumpcloud-updater") or file.extension in ("swp", "swpx", "swx", "dpkg-remove") or file.Ext.original.extension == "dpkg-new" or - process.executable : ( + process.executable like ( "/nix/store/*", "/var/lib/dpkg/*", "/tmp/vmis.*", "/snap/*", "/dev/fd/*", "/usr/libexec/platform-python*", "/var/lib/waagent/Microsoft*" ) or process.executable == null or process.name in ( - "crond", "executor", "puppet", "droplet-agent.postinst", "cf-agent", "schedd", "imunify-notifier", "perl", + "crond", "executor", "puppet", "droplet-agent.postinst", "cf-agent", "schedd", "imunify-notifier", "jumpcloud-agent", "crio", "dnf_install", "utild" ) or - (process.name == "sed" and file.name : "sed*") or - (process.name == "perl" and file.name : "e2scrub_all.tmp*") or + (process.name == 
"sed" and file.name like "sed*") or + (process.name == "perl" and file.name like "e2scrub_all.tmp*") or (process.name in ("vi", "vim") and file.name like "*~") ) ''' diff --git a/rules/linux/persistence_dbus_service_creation.toml b/rules/linux/persistence_dbus_service_creation.toml index 3f14e690d..386571da5 100644 --- a/rules/linux/persistence_dbus_service_creation.toml +++ b/rules/linux/persistence_dbus_service_creation.toml @@ -2,7 +2,7 @@ creation_date = "2025/01/16" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/09/09" +updated_date = "2025/12/22" [rule] author = ["Elastic"] @@ -94,10 +94,9 @@ tags = [ ] timestamp_override = "event.ingested" type = "eql" - query = ''' file where host.os.type == "linux" and event.type == "creation" and process.executable != null and -file.extension in ("service", "conf") and file.path like~ ( +file.extension in ("service", "conf") and file.path like ( "/usr/share/dbus-1/system-services/*", "/etc/dbus-1/system.d/*", "/lib/dbus-1/system-services/*", "/run/dbus/system.d/*", "/home/*/.local/share/dbus-1/services/*", "/home/*/.dbus/session-bus/*", 
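Review bot: The extended `process.executable in (...)` list now contains `"./usr/bin/podman"` twice, once already on the same line and again among the appended entries, so one copy should be dropped. More importantly, `"/usr/bin/coreutils"` is a very broad exclusion: on distributions that ship a multi-call coreutils, where `cp`, `mv`, `install` and `tee` resolve to that single binary, it suppresses every cron-file write made with those tools, which is precisely how an attacker drops a crontab. If the false positive came from one packaging or provisioning flow, scope the exclusion to that parent, e.g. `(process.executable == "/usr/bin/coreutils" and process.parent.executable in (...))` with the observed parent, rather than allow-listing the binary outright. The relative `"./usr/lib/snapd/snap-update-ns"` entry deserves the same scrutiny as the other relative paths in this PR.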
@@ -110,49 +109,49 @@ file.extension in ("service", "conf") and file.path like~ ( "/bin/pacman", "/usr/bin/pacman", "/usr/bin/dpkg-divert", "/bin/dpkg-divert", "/sbin/apk", "/usr/sbin/apk", "/usr/local/sbin/apk", "/usr/bin/apt", "/usr/sbin/pacman", "/bin/podman", "/usr/bin/podman", "/usr/bin/puppet", "/bin/puppet", "/opt/puppetlabs/puppet/bin/puppet", "/usr/bin/chef-client", "/bin/chef-client", - "/bin/autossl_check", "/usr/bin/autossl_check", "/proc/self/exe", "/dev/fd/*", "/usr/bin/pamac-daemon", + "/bin/autossl_check", "/usr/bin/autossl_check", "/proc/self/exe", "/usr/bin/pamac-daemon", "/bin/pamac-daemon", "/usr/lib/snapd/snapd", "/usr/local/bin/dockerd", "/usr/bin/crio", "/usr/sbin/crond", "/opt/puppetlabs/puppet/bin/ruby", "/usr/libexec/platform-python", "/kaniko/kaniko-executor", "/usr/local/bin/dockerd", "/usr/bin/podman", "/bin/install", "/proc/self/exe", "/usr/lib/systemd/systemd", "/usr/sbin/sshd", "/usr/bin/gitlab-runner", "/opt/gitlab/embedded/bin/ruby", "/usr/sbin/gdm", "/usr/bin/install", - "/usr/local/manageengine/uems_agent/bin/dcregister" + "/usr/local/manageengine/uems_agent/bin/dcregister", "./usr/bin/podman", "/.envbuilder/bin/envbuilder" ) or - process.executable : ( - "/nix/store/*", "/var/lib/dpkg/*", "/tmp/vmis.*", "/snap/*", "/dev/fd/*", "/usr/lib/virtualbox/*" + process.executable like ( + "/nix/store/*", "/var/lib/dpkg/*", "/tmp/vmis.*", "/snap/*", "/dev/fd/*", "/usr/lib/virtualbox/*", + "/var/lib/docker/overlay2/*/dockerd", "/var/lib/containers/storage/overlay/*/dockerd" ) or process.name like ( "ssm-agent-worker", "platform-python*", "dnf_install", "cloudflared", "lxc-pve-prestart-hook", "convert-usrmerge", "elastic-agent", "google_metadata_script_runner", "update-alternatives", "gitlab-runner", "install", "crio", "apt-get", "package-cleanup", "dcservice", "dcregister", "jumpcloud-agent", "executor" ) or - (process.name == "sed" and file.name : "sed*") or - (process.name == "perl" and file.name : "e2scrub_all.tmp*") + (process.name == 
"sed" and file.name like "sed*") or + (process.name == "perl" and file.name like "e2scrub_all.tmp*") ) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - diff --git a/rules/linux/persistence_dbus_unsual_daemon_parent_execution.toml b/rules/linux/persistence_dbus_unsual_daemon_parent_execution.toml index 219d9888e..6d9c71de0 100644 --- a/rules/linux/persistence_dbus_unsual_daemon_parent_execution.toml +++ b/rules/linux/persistence_dbus_unsual_daemon_parent_execution.toml @@ -2,7 +2,7 @@ creation_date = "2025/01/21" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2025/12/22" [rule] author = ["Elastic"] 
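Review bot: The new `"/var/lib/docker/overlay2/*/dockerd"` and `"/var/lib/containers/storage/overlay/*/dockerd"` globs in `process.executable like (...)` exclude any binary named `dockerd` anywhere under a container's overlay layers, since `*` spans path separators; a process inside any container can therefore call itself `dockerd` and create D-Bus service files unobserved. If the false positive is docker-in-docker, anchor the glob to the image's real layout (for example `*/usr/bin/dockerd`) or combine it with parent-process information. Separately, the `in` list being extended already holds `"/proc/self/exe"`, `"/usr/local/bin/dockerd"` and `"/usr/bin/podman"` twice each; that is pre-existing, but worth cleaning up while the list is touched.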
@@ -93,57 +93,72 @@ tags = [ ] timestamp_override = "event.ingested" type = "eql" - query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "start") and process.parent.name == "dbus-daemon" and process.args_count > 1 and not ( process.parent.args == "--session" or process.args in ("/usr/lib/software-properties/software-properties-dbus", "/usr/share/backintime/qt/serviceHelper.py") or process.name in ("dbus-daemon-launch-helper", "gnome-keyring-daemon", "abrt-dbus", "aptd", "usb-creator-helper") or - process.executable like~ ("/usr/lib/*", "/usr/local/lib/*", "/usr/libexec/*", "/tmp/newroot/*") + process.executable like ( + "/usr/lib/*", "/usr/local/lib/*", "/usr/libexec/*", "/tmp/newroot/*", "/usr/sbin/setroubleshootd", + "/usr/share/setroubleshoot/SetroubleshootPrivileged.py", + "/var/lib/awx/.local/share/containers/storage/overlay/*/SetroubleshootPrivileged.py", + "/home/*/.local/share/containers/storage/overlay/*/SetroubleshootPrivileged.py", + "/bin/rpm", "/run/user/*/.bubblewrap/newroot/usr/libexec/rhsmd", "/opt/CrowdStrike/sandbox/usr/libexec/rhsmd", + "/run/user/*/.bubblewrap/*/setroubleshootd" + ) or + ( + process.name like "python*" and + process.args in ( + "/usr/share/usb-creator/usb-creator-helper", "/usr/sbin/aptd", "/usr/sbin/aptk", "/usr/bin/hp-pkservice", + "/usr/libexec/language-selector/ls-dbus-backend" + ) + ) or + (process.name == "perl" and process.args like "/usr/share/system-tools-backends-*.pl") or + ?process.working_directory like "/run/user/*/.bubblewrap/newroot/var/lib/gdm/" ) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1543" name = "Create or 
Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules/linux/persistence_dnf_package_manager_plugin_file_creation.toml b/rules/linux/persistence_dnf_package_manager_plugin_file_creation.toml index bbf353ca4..10ca2105f 100644 --- a/rules/linux/persistence_dnf_package_manager_plugin_file_creation.toml +++ b/rules/linux/persistence_dnf_package_manager_plugin_file_creation.toml @@ -2,7 +2,7 @@ creation_date = "2024/06/25" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2025/12/22" [rule] author = ["Elastic"] 
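Review bot: The `process.name like "python*" and process.args in (...)` branch lists `/usr/sbin/aptk` next to `/usr/sbin/aptd`; I do not know of an `aptk` binary, so please confirm it is a path observed in telemetry and not a typo of `aptd`. The `?process.working_directory like "/run/user/*/.bubblewrap/newroot/var/lib/gdm/"` check depends on the working directory being reported with a trailing slash, which I believe Elastic Defend does but is worth verifying against a sample event, since a mismatch makes the exclusion dead code. Two of the new globs live under rootless container storage in users' home directories (`/home/*/.local/share/containers/storage/overlay/*/SetroubleshootPrivileged.py`), a location the user controls; since reaching this rule already requires a system-bus service registration the widening is modest, but a sentence in the false-positive section acknowledging it would help.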
@@ -100,18 +100,18 @@ tags = [ ] timestamp_override = "event.ingested" type = "eql" - query = ''' file where host.os.type == "linux" and event.action in ("rename", "creation") and -file.path : ("/usr/lib/python*/site-packages/dnf-plugins/*", "/etc/dnf/plugins/*") and not ( +file.path like ("/usr/lib/python*/site-packages/dnf-plugins/*", "/etc/dnf/plugins/*") and not ( process.executable in ( "/bin/dockerd", "/usr/bin/dockerd", "/usr/sbin/dockerd", "/bin/microdnf", "/usr/bin/microdnf", "/bin/rpm", "/usr/bin/rpm", "/bin/snapd", "/usr/bin/snapd", "/bin/yum", "/usr/bin/yum", "/bin/dnf", "/usr/bin/dnf", "/bin/podman", "/usr/bin/podman", "/bin/dnf-automatic", "/usr/bin/dnf-automatic", "/sbin/apk", "/usr/sbin/apk", "/usr/local/sbin/apk", "/bin/podman", "/usr/bin/podman", "/usr/bin/puppet", "/bin/puppet", "/opt/puppetlabs/puppet/bin/puppet", "/usr/bin/chef-client", "/bin/chef-client", "/bin/autossl_check", - "/usr/bin/autossl_check", "/proc/self/exe", "/dev/fd/*", "/usr/lib/snapd/snapd", "/usr/local/bin/dockerd", - "/usr/libexec/netplan/generate" + "/usr/bin/autossl_check", "/proc/self/exe", "/usr/lib/snapd/snapd", "/usr/local/bin/dockerd", + "/usr/libexec/netplan/generate", "./usr/bin/podman", "/usr/bin/dnf5", "/bin/needs-restarting", + "/usr/bin/crio", "/usr/bin/insights-client", "/kaniko/executor" ) or file.extension in ("swp", "swpx", "swx") or process.executable : ( @@ -126,9 +126,9 @@ file.path : ("/usr/lib/python*/site-packages/dnf-plugins/*", "/etc/dnf/plugins/* ) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" 
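Review bot: The added `"./usr/bin/podman"` entry is a relative executable path, so it matches a binary at that path under any working directory rather than the system podman; if it was added for container or chroot telemetry, tying it to `process.parent.executable` or `process.args` keeps the exclusion limited to that case. The same entry is added in the dracut rule's `@@ -101,24 +102,27 @@` hunk. Separately, `"/bin/podman", "/usr/bin/podman"` now appear twice in the `process.executable in (...)` list and the duplicate pair can be dropped. Removing `"/dev/fd/*"` from the `in` list is right since `in` does not glob, but the glob then needs to live in the `process.executable : (...)` clause that starts at the end of this hunk and continues outside it, if that telemetry is still expected.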
@@ -138,22 +138,22 @@ reference = "https://attack.mitre.org/techniques/T1543/" id = "T1546" name = "Event Triggered Execution" reference = "https://attack.mitre.org/techniques/T1546/" + [[rule.threat.technique.subtechnique]] id = "T1546.016" name = "Installer Packages" reference = "https://attack.mitre.org/techniques/T1546/016/" - [[rule.threat.technique]] id = "T1574" name = "Hijack Execution Flow" reference = "https://attack.mitre.org/techniques/T1574/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" @@ -161,4 +161,3 @@ framework = "MITRE ATT&CK" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/linux/persistence_dpkg_package_installation_from_unusual_parent.toml b/rules/linux/persistence_dpkg_package_installation_from_unusual_parent.toml index 7820af235..595ab2d54 100644 --- a/rules/linux/persistence_dpkg_package_installation_from_unusual_parent.toml +++ b/rules/linux/persistence_dpkg_package_installation_from_unusual_parent.toml @@ -2,7 +2,7 @@ creation_date = "2024/07/09" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/12/22" [rule] author = ["Elastic"] 
@@ -16,6 +16,41 @@ index = ["logs-endpoint.events.*"] language = "kuery" license = "Elastic License v2" name = "DPKG Package Installed by Unusual Parent Process" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating DPKG Package Installed by Unusual Parent Process + +DPKG is a core utility for managing Debian packages on Linux systems, crucial for software installation and maintenance. Adversaries may exploit DPKG to install malicious packages, leveraging unusual parent processes to evade detection. The detection rule identifies such anomalies by monitoring DPKG executions initiated by atypical parent processes, signaling potential unauthorized package installations. + +### Possible investigation steps + +- Review the process tree to identify the parent process of the dpkg execution. Determine if the parent process is legitimate or unusual for package installations. +- Examine the command-line arguments used with the dpkg command, specifically looking for the "-i" or "--install" flags, to understand what package was being installed. +- Check the source and integrity of the package being installed to ensure it is from a trusted repository or source. +- Investigate the user account under which the dpkg command was executed to determine if it has the necessary permissions and if the activity aligns with the user's typical behavior. +- Correlate the event with other logs or alerts around the same timeframe to identify any related suspicious activities or patterns. +- Assess the system for any signs of compromise or unauthorized changes following the package installation. 
+ +### False positive analysis + +- System updates or maintenance scripts may trigger the rule when legitimate administrative tools or scripts use dpkg to install updates. To handle this, identify and whitelist known maintenance scripts or processes that regularly perform package installations. +- Automated deployment tools like Ansible or Puppet might use dpkg for software deployment, leading to false positives. Exclude these tools by adding their process names to an exception list if they are part of your standard operations. +- Custom internal applications or scripts that manage software installations could also cause alerts. Review these applications and, if verified as safe, configure exceptions for their parent processes. +- Developers or system administrators using dpkg for testing or development purposes might inadvertently trigger the rule. Establish a policy for such activities and exclude known development environments or user accounts from triggering alerts. +- Backup or recovery operations that reinstall packages as part of their process can be mistaken for malicious activity. Identify these operations and exclude their associated processes from the rule. + +### Response and remediation + +- Isolate the affected system from the network to prevent further unauthorized package installations or lateral movement by the adversary. +- Terminate the dpkg process if it is still running to stop any ongoing malicious package installation. +- Identify and remove any suspicious or unauthorized packages installed by the dpkg command using the package management tools available on the system. +- Conduct a thorough review of the system's package installation logs and history to identify any other potentially malicious packages or unusual installation activities. +- Restore the system from a known good backup if malicious packages have altered critical system components or configurations. 
+- Implement stricter access controls and monitoring on systems to prevent unauthorized use of package management utilities by non-administrative users or processes. +- Escalate the incident to the security operations team for further investigation and to determine if additional systems are affected, ensuring a coordinated response to the threat.""" references = ["https://www.makeuseof.com/how-deb-packages-are-backdoored-how-to-detect-it/"] risk_score = 21 rule_id = "f4d1c0ac-aedb-4063-9fa6-cc651eb5e6ee" 
@@ -55,50 +90,14 @@ tags = [ ] timestamp_override = "event.ingested" type = "new_terms" - query = ''' host.os.type:linux and event.category:process and event.type:start and event.action:exec and process.name:dpkg and process.args:("-i" or "--install") ''' -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating DPKG Package Installed by Unusual Parent Process - -DPKG is a core utility for managing Debian packages on Linux systems, crucial for software installation and maintenance. Adversaries may exploit DPKG to install malicious packages, leveraging unusual parent processes to evade detection. The detection rule identifies such anomalies by monitoring DPKG executions initiated by atypical parent processes, signaling potential unauthorized package installations. - -### Possible investigation steps - -- Review the process tree to identify the parent process of the dpkg execution. Determine if the parent process is legitimate or unusual for package installations. -- Examine the command-line arguments used with the dpkg command, specifically looking for the "-i" or "--install" flags, to understand what package was being installed. -- Check the source and integrity of the package being installed to ensure it is from a trusted repository or source. -- Investigate the user account under which the dpkg command was executed to determine if it has the necessary permissions and if the activity aligns with the user's typical behavior. -- Correlate the event with other logs or alerts around the same timeframe to identify any related suspicious activities or patterns. 
-- Assess the system for any signs of compromise or unauthorized changes following the package installation. - -### False positive analysis - -- System updates or maintenance scripts may trigger the rule when legitimate administrative tools or scripts use dpkg to install updates. To handle this, identify and whitelist known maintenance scripts or processes that regularly perform package installations. -- Automated deployment tools like Ansible or Puppet might use dpkg for software deployment, leading to false positives. Exclude these tools by adding their process names to an exception list if they are part of your standard operations. -- Custom internal applications or scripts that manage software installations could also cause alerts. Review these applications and, if verified as safe, configure exceptions for their parent processes. -- Developers or system administrators using dpkg for testing or development purposes might inadvertently trigger the rule. Establish a policy for such activities and exclude known development environments or user accounts from triggering alerts. -- Backup or recovery operations that reinstall packages as part of their process can be mistaken for malicious activity. Identify these operations and exclude their associated processes from the rule. - -### Response and remediation - -- Isolate the affected system from the network to prevent further unauthorized package installations or lateral movement by the adversary. -- Terminate the dpkg process if it is still running to stop any ongoing malicious package installation. -- Identify and remove any suspicious or unauthorized packages installed by the dpkg command using the package management tools available on the system. -- Conduct a thorough review of the system's package installation logs and history to identify any other potentially malicious packages or unusual installation activities. 
-- Restore the system from a known good backup if malicious packages have altered critical system components or configurations. -- Implement stricter access controls and monitoring on systems to prevent unauthorized use of package management utilities by non-administrative users or processes. -- Escalate the incident to the security operations team for further investigation and to determine if additional systems are affected, ensuring a coordinated response to the threat.""" - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" @@ -108,35 +107,35 @@ reference = "https://attack.mitre.org/techniques/T1543/" id = "T1546" name = "Event Triggered Execution" reference = "https://attack.mitre.org/techniques/T1546/" + [[rule.threat.technique.subtechnique]] id = "T1546.016" name = "Installer Packages" reference = "https://attack.mitre.org/techniques/T1546/016/" - [[rule.threat.technique]] id = "T1574" name = "Hijack Execution Flow" reference = "https://attack.mitre.org/techniques/T1574/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1195" name = "Supply Chain Compromise" reference = "https://attack.mitre.org/techniques/T1195/" + [[rule.threat.technique.subtechnique]] id = "T1195.002" name = "Compromise Software Supply Chain" reference = "https://attack.mitre.org/techniques/T1195/002/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" @@ -145,8 +144,7 @@ reference = "https://attack.mitre.org/tactics/TA0001/" [rule.new_terms] field = "new_terms_fields" value = ["process.parent.executable"] + [[rule.new_terms.history_window_start]] field = "history_window_start" -value = "now-7d" - - +value = "now-5d" 
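Review bot: `value = "now-5d"` shortens the new-terms baseline for `process.parent.executable` from seven to five days with no reason given; a parent that last ran six days ago now surfaces as new, so the change trades a shorter learning window for more alerts. If this is meant to align with the other new_terms rules in the set, the rationale belongs in the commit message; otherwise keeping `value = "now-7d"` is the safer default. The remaining hunks in this file only move the investigation guide above `references` and adjust blank lines.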
diff --git a/rules/linux/persistence_dpkg_unusual_execution.toml b/rules/linux/persistence_dpkg_unusual_execution.toml
index a6fe79198..73a6322b9 100644
--- a/rules/linux/persistence_dpkg_unusual_execution.toml
+++ b/rules/linux/persistence_dpkg_unusual_execution.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/07/09"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/02/04"
+updated_date = "2025/12/22"
 
 [rule]
 author = ["Elastic"]
@@ -16,55 +16,6 @@ index = ["logs-endpoint.events.process*"] language = "eql" license = "Elastic License v2" name = "Unusual DPKG Execution" -references = ["https://www.makeuseof.com/how-deb-packages-are-backdoored-how-to-detect-it/"] -risk_score = 21 -rule_id = "d6241c90-99f2-44db-b50f-299b6ebd7ee9" -setup = """## Setup - -This rule requires data coming in from Elastic Defend. - -### Elastic Defend Integration Setup -Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. - -#### Prerequisite Requirements: -- Fleet is required for Elastic Defend. -- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). - -#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: -- Go to the Kibana home page and click "Add integrations". -- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. -- Click "Add Elastic Defend". -- Configure the integration name and optionally add a description. -- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". -- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). -- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" -- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. 
-For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). -- Click "Save and Continue". -- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. -For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). -""" -severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Data Source: Elastic Defend", - "Resources: Investigation Guide" - ] -timestamp_override = "event.ingested" -type = "eql" -query = ''' -process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and -process.executable : "/var/lib/dpkg/info/*" and process.session_leader.name != null and -process.group_leader.name != null and not ( - process.parent.name in ("dpkg", "dpkg-reconfigure", "frontend") or - process.session_leader.name == "dpkg" or - process.group_leader.name == "dpkg" or - process.parent.executable in ("/usr/share/debconf/frontend", "/usr/bin/unattended-upgrade") -) -''' note = """## Triage and analysis > **Disclaimer**: 
@@ -98,6 +49,55 @@ DPKG is a core utility in Debian-based Linux systems for managing software packa - Update and patch the affected system to ensure all software is up-to-date, reducing the risk of exploitation through known vulnerabilities. - Implement stricter access controls and monitoring on package management utilities to prevent unauthorized use, ensuring only trusted processes can execute DPKG commands. - Escalate the incident to the security operations team for further investigation and to assess the potential impact on other systems within the network.""" +references = ["https://www.makeuseof.com/how-deb-packages-are-backdoored-how-to-detect-it/"] +risk_score = 47 +rule_id = "d6241c90-99f2-44db-b50f-299b6ebd7ee9" +setup = """## Setup + +This rule requires data coming in from Elastic Defend. + +### Elastic Defend Integration Setup +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + +#### Prerequisite Requirements: +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). + +#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. 
[Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +""" +severity = "medium" +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Defend", + "Resources: Investigation Guide" +] +timestamp_override = "event.ingested" +type = "eql" +query = ''' +process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and +process.executable : "/var/lib/dpkg/info/*" and process.session_leader.name != null and +process.group_leader.name != null and not ( + process.parent.name in ("dpkg", "dpkg-reconfigure", "frontend") or + process.session_leader.name == "dpkg" or + process.group_leader.name == "dpkg" or + process.parent.executable in ("/usr/share/debconf/frontend", "/usr/bin/unattended-upgrade") +) +''' [[rule.threat]] framework = "MITRE ATT&CK" @@ -144,4 +144,3 @@ reference = "https://attack.mitre.org/techniques/T1195/002/" name = "Initial Access" id = "TA0001" reference = "https://attack.mitre.org/tactics/TA0001/" - 
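Review bot: The relocated query still uses `process.executable : "/var/lib/dpkg/info/*"` while the other rules in this commit migrate wildcard path matches to `like` (dnf plugin, git hook execution, git hook file creation); on Linux the case-insensitive `:` match is looser than needed, so `process.executable like "/var/lib/dpkg/info/*"` would be consistent. Separately, `risk_score` moves from 21 to 47 and `severity` from low to medium with no rationale in the commit message, and the git hook execution rule makes the opposite change (47 to 21, medium to low) in its `@@ -55,7 +55,7 @@` and `@@ -82,7 +82,7 @@` hunks; a sentence on why the two rules swap tiers would help reviewers. The `[[rule.threat]]` block after the query starts inside this hunk but its techniques are outside it.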
diff --git a/rules/linux/persistence_dracut_module_creation.toml b/rules/linux/persistence_dracut_module_creation.toml index 7f2207cd9..9427236d5 100644 --- a/rules/linux/persistence_dracut_module_creation.toml +++ b/rules/linux/persistence_dracut_module_creation.toml @@ -2,7 +2,7 @@ creation_date = "2025/01/16" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2025/12/22" [rule] author = ["Elastic"] @@ -90,10 +90,11 @@ tags = [ ] timestamp_override = "event.ingested" type = "eql" - query = ''' file where host.os.type == "linux" and event.type == "creation" and process.executable != null and file.path like~ ("/lib/dracut/modules.d/*", "/usr/lib/dracut/modules.d/*") and not ( + // Too many FPs from Python automation + process.name like ("python*", "platform-python*") or process.executable in ( "/bin/dpkg", "/usr/bin/dpkg", "/bin/dockerd", "/usr/bin/dockerd", "/usr/sbin/dockerd", "/bin/microdnf", "/usr/bin/microdnf", "/bin/rpm", "/usr/bin/rpm", "/bin/snapd", "/usr/bin/snapd", "/bin/yum", "/usr/bin/yum", 
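Review bot: `process.name like ("python*", "platform-python*")` excludes every Python interpreter that writes under `/lib/dracut/modules.d/` or `/usr/lib/dracut/modules.d/`, which also covers an ad-hoc Python script dropping a module; if the false positives come from the package managers (dnf and yum are Python), scoping the exclusion on `process.args` or `process.parent.executable` keeps the interpreter itself visible. The `// Too many FPs from Python automation` comment should name which automation was observed so the next tuner can check whether the exclusion is still needed. The `not (...)` block continues in the next hunk.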
@@ -101,24 +102,27 @@ file.path like~ ("/lib/dracut/modules.d/*", "/usr/lib/dracut/modules.d/*") and n "/bin/pacman", "/usr/bin/pacman", "/usr/bin/dpkg-divert", "/bin/dpkg-divert", "/sbin/apk", "/usr/sbin/apk", "/usr/local/sbin/apk", "/usr/bin/apt", "/usr/sbin/pacman", "/bin/podman", "/usr/bin/podman", "/usr/bin/puppet", "/bin/puppet", "/opt/puppetlabs/puppet/bin/puppet", "/usr/bin/chef-client", "/bin/chef-client", - "/bin/autossl_check", "/usr/bin/autossl_check", "/proc/self/exe", "/dev/fd/*", "/usr/bin/pamac-daemon", + "/bin/autossl_check", "/usr/bin/autossl_check", "/proc/self/exe", "/usr/bin/pamac-daemon", "/bin/pamac-daemon", "/usr/lib/snapd/snapd", "/usr/local/bin/dockerd", "/usr/bin/crio", "/usr/sbin/crond", "/opt/puppetlabs/puppet/bin/ruby", "/usr/libexec/platform-python", "/kaniko/kaniko-executor", "/usr/local/bin/dockerd", "/usr/bin/podman", "/bin/install", "/proc/self/exe", "/usr/lib/systemd/systemd", "/usr/sbin/sshd", "/usr/bin/gitlab-runner", "/opt/gitlab/embedded/bin/ruby", "/usr/sbin/gdm", "/usr/bin/install", - "/usr/local/manageengine/uems_agent/bin/dcregister", "/usr/local/bin/pacman" + "/usr/local/manageengine/uems_agent/bin/dcregister", "/usr/local/bin/pacman", "/usr/libexec/packagekitd", + "./usr/bin/podman", "/usr/lib/dracut/dracut-install", "/usr/bin/dnf5", "/kaniko/executor", "/usr/bin/buildah", + "/usr/sbin/yum-cron" ) or process.executable like~ ( - "/nix/store/*", "/var/lib/dpkg/*", "/tmp/vmis.*", "/snap/*", "/dev/fd/*", "/usr/lib/virtualbox/*" + "/nix/store/*", "/var/lib/dpkg/*", "/tmp/vmis.*", "/snap/*", "/dev/fd/*", "/usr/lib/virtualbox/*", + "/var/lib/docker/overlay2/*/dockerd" ) or file.extension in ("swp", "swpx", "swx", "dpkg-remove") or (process.name == "sed" and file.name : "sed*") ) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1542" name = "Pre-OS Boot" 
@@ -134,28 +138,29 @@ id = "T1574" name = "Hijack Execution Flow" reference = "https://attack.mitre.org/techniques/T1574/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat]] framework = "MITRE ATT&CK" @@ -163,4 +168,3 @@ framework = "MITRE ATT&CK" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/linux/persistence_dynamic_linker_backup.toml b/rules/linux/persistence_dynamic_linker_backup.toml index 4908718e4..f6f216ead 100644 --- a/rules/linux/persistence_dynamic_linker_backup.toml +++ b/rules/linux/persistence_dynamic_linker_backup.toml @@ -2,7 +2,7 @@ creation_date = "2022/07/12" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2025/12/22" [transform] [[transform.osquery]] @@ -44,7 +44,6 @@ query = "SELECT * FROM users WHERE username = {{user.name}}" label = "Osquery - Investigate the Account Authentication Status" query = "SELECT * FROM logged_in_users WHERE user = {{user.name}}" - [rule] author = ["Elastic"] description = """ 
@@ -165,33 +164,30 @@ tags = [ "Resources: Investigation Guide", ] type = "eql" - query = ''' sequence by process.entity_id with maxspan=1m -[process where host.os.type == "linux" and event.type == "start" and process.name in ("cp", "rsync") and +[process where host.os.type == "linux" and event.type == "start" and process.name in ("cp", "rsync", "mv") and process.args in ( "/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2", "/etc/ld.so.preload", "/lib64/ld-linux-x86-64.so.2", "/usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2", "/usr/lib64/ld-linux-x86-64.so.2" )] -[file where host.os.type == "linux" and event.action == "creation" and file.extension == "so"] +[file where host.os.type == "linux" and event.action == "creation" and (file.extension == "so" or file.name like "*.so.*")] ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1574" name = "Hijack Execution Flow" reference = "https://attack.mitre.org/techniques/T1574/" + [[rule.threat.technique.subtechnique]] id = "T1574.006" name = "Dynamic Linker Hijacking" reference = "https://attack.mitre.org/techniques/T1574/006/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - diff --git a/rules/linux/persistence_extract_initramfs_via_cpio.toml b/rules/linux/persistence_extract_initramfs_via_cpio.toml index 355f60beb..3116b6120 100644 --- a/rules/linux/persistence_extract_initramfs_via_cpio.toml +++ b/rules/linux/persistence_extract_initramfs_via_cpio.toml @@ -2,7 +2,7 @@ creation_date = "2025/01/16" integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/09/29" +updated_date = "2025/12/22" [rule] author = ["Elastic"] 
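Review bot: Adding `"mv"` to the first sequence stage pairs it with a second stage that still requires `event.action == "creation"`; a same-filesystem `mv` of the loader is typically reported as a rename rather than a creation, so the new process name would only complete the sequence for cross-filesystem moves (worth confirming against Defend's file events). If renames should count, the second stage could read `[file where host.os.type == "linux" and event.action in ("creation", "rename") and (file.extension == "so" or file.name like "*.so.*")]`. The broadened `file.name like "*.so.*"` also matches names such as `ld.so.preload.bak`, which looks intended, but it relies on the 1m maxspan rather than any path constraint to stay specific.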
@@ -109,10 +109,11 @@ not ( process.args like ("/var/tmp/mkinitramfs_*", "/tmp/tmp.*/mkinitramfs_*") or ?process.working_directory like ( "/var/tmp/mkinitramfs-*", "/tmp/microcode-initrd_*", "/var/tmp/mkinitramfs-*", "/var/tmp/dracut.*", - "/var/tmp/mkinitramfs_*" + "/var/tmp/mkinitramfs_*", "/var/tmp/supermin*/init.d" ) ) ''' + [[rule.threat]] framework = "MITRE ATT&CK" diff --git a/rules/linux/persistence_git_hook_execution.toml b/rules/linux/persistence_git_hook_execution.toml index 1db36eee7..55473220b 100644 --- a/rules/linux/persistence_git_hook_execution.toml +++ b/rules/linux/persistence_git_hook_execution.toml @@ -2,7 +2,7 @@ creation_date = "2024/07/15" integration = ["endpoint", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/10/17" +updated_date = "2025/12/22" [rule] author = ["Elastic"] @@ -55,7 +55,7 @@ references = [ "https://swisskyrepo.github.io/InternalAllTheThings/redteam/persistence/linux-persistence/#backdooring-git", "https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms", ] -risk_score = 47 +risk_score = 21 rule_id = "dc61f382-dc0c-4cc0-a845-069f2a071704" setup = """## Setup @@ -82,7 +82,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ -severity = "medium" +severity = "low" tags = [ "Domain: Endpoint", "OS: Linux", 
@@ -96,20 +96,19 @@ tags = [ "Data Source: Crowdstrike", ] type = "eql" - query = ''' sequence by host.id with maxspan=3s [process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "start", "ProcessRollup2") and - process.parent.name == "git" and process.args : ".git/hooks/*" and + process.parent.name == "git" and process.args like ".git/hooks/*" and process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") ] by process.entity_id [process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "start", "ProcessRollup2") and process.parent.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish")] by process.parent.entity_id ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" @@ -120,28 +119,29 @@ id = "T1574" name = "Hijack Execution Flow" reference = "https://attack.mitre.org/techniques/T1574/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat]] framework = "MITRE ATT&CK" @@ -149,4 +149,3 @@ framework = "MITRE ATT&CK" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/linux/persistence_git_hook_file_creation.toml b/rules/linux/persistence_git_hook_file_creation.toml index 98e9a56dc..c5b9d78a1 100644 --- a/rules/linux/persistence_git_hook_file_creation.toml +++ b/rules/linux/persistence_git_hook_file_creation.toml 
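Review bot: `process.args like ".git/hooks/*"` only matches a hook path given relative to the work tree, whereas the sibling file-creation rule in this commit uses `"*.git/hooks/*"`, which also covers an absolute path. If git can hand the shell an absolute hook path in some setups (worktrees or an explicit GIT_DIR — confirm from telemetry), `process.args like "*.git/hooks/*"` would align the two rules without widening the match beyond the hooks directory.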
@@ -2,7 +2,7 @@ creation_date = "2024/06/26" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2025/12/22" [rule] author = ["Elastic"] @@ -98,9 +98,8 @@ tags = [ ] timestamp_override = "event.ingested" type = "eql" - query = ''' -file where host.os.type == "linux" and event.type == "creation" and file.path : "*.git/hooks/*" and +file where host.os.type == "linux" and event.type == "creation" and file.path like "*.git/hooks/*" and file.extension == null and process.executable != null and not ( process.executable in ( "/bin/dpkg", "/usr/bin/dpkg", "/bin/dockerd", "/usr/bin/dockerd", "/usr/sbin/dockerd", "/bin/microdnf", @@ -110,18 +109,21 @@ file.extension == null and process.executable != null and not ( "/usr/local/sbin/apk", "/usr/bin/apt", "/usr/sbin/pacman", "/bin/podman", "/usr/bin/podman", "/usr/bin/puppet", "/bin/puppet", "/opt/puppetlabs/puppet/bin/puppet", "/usr/bin/chef-client", "/bin/chef-client", "/bin/autossl_check", "/usr/bin/autossl_check", "/proc/self/exe", "/usr/bin/pamac-daemon", "/bin/pamac-daemon", - "/usr/local/bin/dockerd", "/sbin/dockerd" + "/usr/local/bin/dockerd", "/sbin/dockerd", "/usr/bin/fuse-overlayfs", "/usr/local/bin/gitlab-runner", + "/usr/bin/coreutils", "/usr/bin/nautilus" + ) or + process.executable like ( + "/nix/store/*", "/var/lib/dpkg/*", "/snap/*", "/dev/fd/*", "/run/k3s/containerd/io.containerd.runtime.v2.task/k8s.io/*/r10k" ) or - process.executable : ("/nix/store/*", "/var/lib/dpkg/*", "/snap/*", "/dev/fd/*") or process.name in ("git", "dirname", "tar", "gitea", "git-lfs") or (process.name == "sed" and file.name : "sed*") or (process.name == "perl" and file.name : "e2scrub_all.tmp*") ) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" 
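Review bot: `"/usr/bin/coreutils"` excludes the multi-call coreutils binary, so on hosts where cp, install and tee are links to it, any write into `.git/hooks/` by those utilities is dropped, which is the ordinary way a hook file gets placed; constraining that entry on `process.args` or the parent process keeps the path visible. `"/usr/bin/nautilus"` has the same shape, since a file-manager copy into a hooks directory is indistinguishable from a user dropping a hook. The `/run/k3s/containerd/io.containerd.runtime.v2.task/k8s.io/*/r10k` glob is specific enough to stand as is.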
@@ -132,28 +134,29 @@ id = "T1574" name = "Hijack Execution Flow" reference = "https://attack.mitre.org/techniques/T1574/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat]] framework = "MITRE ATT&CK" @@ -161,4 +164,3 @@ framework = "MITRE ATT&CK" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/linux/persistence_git_hook_netcon.toml b/rules/linux/persistence_git_hook_netcon.toml index 1c2911e51..3c79ca6de 100644 --- a/rules/linux/persistence_git_hook_netcon.toml +++ b/rules/linux/persistence_git_hook_netcon.toml @@ -2,7 +2,7 @@ creation_date = "2024/07/15" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/12/22" [rule] author = ["Elastic"] 
@@ -17,6 +17,42 @@ index = ["logs-endpoint.events.process*", "logs-endpoint.events.network*"] language = "eql" license = "Elastic License v2" name = "Git Hook Egress Network Connection" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Git Hook Egress Network Connection + +Git hooks are scripts that automate tasks during Git operations like commits or pushes. Adversaries can exploit these hooks to execute unauthorized commands, maintain persistence, or initiate network connections for data exfiltration. The detection rule identifies suspicious network activities by monitoring script executions from Git hooks and subsequent egress connections to non-local IPs, flagging potential misuse. + +### Possible investigation steps + +- Review the process execution details to identify the specific Git hook script that triggered the alert. Check the process.args field for the exact script path within the .git/hooks directory. +- Investigate the parent process details to confirm the legitimacy of the Git operation. Verify the process.parent.name is "git" and assess whether the Git activity aligns with expected user or system behavior. +- Analyze the destination IP address involved in the network connection attempt. Use the destination.ip field to determine if the IP is known, trusted, or associated with any malicious activity. +- Check for any additional network connections from the same host around the time of the alert to identify potential patterns or additional suspicious activity. +- Correlate the alert with any recent changes in the repository or system that might explain the execution of the Git hook, such as recent commits or updates. 
+- Review user activity logs to determine if the Git operation was performed by an authorized user and if their actions align with their typical behavior. +- If suspicious activity is confirmed, isolate the affected system to prevent further unauthorized access or data exfiltration and initiate a deeper forensic analysis. + +### False positive analysis + +- Legitimate automated scripts or CI/CD pipelines may trigger Git hooks to perform network operations. Review the source and purpose of these scripts and consider excluding them if they are verified as non-threatening. +- Development environments often use Git hooks for tasks like fetching dependencies or updating remote services. Identify these common operations and create exceptions for known safe IP addresses or domains. +- Internal tools or services that rely on Git hooks for communication with other internal systems might be flagged. Ensure these tools are documented and whitelist their network activities if they are deemed secure. +- Frequent updates or deployments that involve Git hooks could lead to repeated alerts. Monitor the frequency and context of these alerts to determine if they are part of regular operations and adjust the rule to reduce noise. +- Consider the context of the network connection, such as the destination IP or domain. If the destination is a known and trusted entity, it may be appropriate to exclude it from triggering alerts. + +### Response and remediation + +- Immediately isolate the affected host from the network to prevent further unauthorized egress connections and potential data exfiltration. +- Terminate any suspicious processes identified as originating from Git hooks, particularly those executing shell scripts like bash, dash, or zsh. +- Conduct a thorough review of the .git/hooks directory on the affected system to identify and remove any unauthorized or malicious scripts. 
+- Reset credentials and access tokens associated with the affected Git repository to prevent further unauthorized access. +- Restore any modified or deleted files from a known good backup to ensure system integrity. +- Implement network monitoring to detect and block any future unauthorized egress connections from Git hooks or similar scripts. +- Escalate the incident to the security operations team for further investigation and to assess the potential impact on other systems or repositories.""" references = [ "https://swisskyrepo.github.io/InternalAllTheThings/redteam/persistence/linux-persistence/#backdooring-git", "https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms", @@ -60,12 +96,13 @@ tags = [ "Resources: Investigation Guide", ] type = "eql" - query = ''' sequence by host.id with maxspan=3s [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and - process.parent.name == "git" and process.args : ".git/hooks/*" and - process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish")] by process.entity_id + process.parent.name == "git" and process.args like ".git/hooks/*" and + process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and + not (process.name like "python*" and process.command_line like "*pip*") + ] by process.entity_id [network where host.os.type == "linux" and event.type == "start" and event.action == "connection_attempted" and not ( destination.ip == null or destination.ip == "0.0.0.0" or cidrmatch( destination.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.0.0/29", 
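Review bot: The added `not (process.name like "python*" and process.command_line like "*pip*")` in the first sequence step of the `@@ -60,12 +96,13 @@` hunk can never be true, because the same step already requires `process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish")`; a process cannot be both a shell and `python*`, so the exclusion is dead code. If the intent is to drop `pip` installs launched from a hook, the condition belongs on the network step, e.g. `[network where host.os.type == "linux" and event.type == "start" and event.action == "connection_attempted" and not (process.name like "python*" and process.command_line like "*pip*") and not (`; otherwise it should be removed so the rule does not suggest coverage it does not have.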
@@ -77,46 +114,10 @@ sequence by host.id with maxspan=3s ) ] by process.parent.entity_id ''' -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Git Hook Egress Network Connection - -Git hooks are scripts that automate tasks during Git operations like commits or pushes. Adversaries can exploit these hooks to execute unauthorized commands, maintain persistence, or initiate network connections for data exfiltration. The detection rule identifies suspicious network activities by monitoring script executions from Git hooks and subsequent egress connections to non-local IPs, flagging potential misuse. - -### Possible investigation steps - -- Review the process execution details to identify the specific Git hook script that triggered the alert. Check the process.args field for the exact script path within the .git/hooks directory. -- Investigate the parent process details to confirm the legitimacy of the Git operation. Verify the process.parent.name is "git" and assess whether the Git activity aligns with expected user or system behavior. -- Analyze the destination IP address involved in the network connection attempt. Use the destination.ip field to determine if the IP is known, trusted, or associated with any malicious activity. -- Check for any additional network connections from the same host around the time of the alert to identify potential patterns or additional suspicious activity. -- Correlate the alert with any recent changes in the repository or system that might explain the execution of the Git hook, such as recent commits or updates. 
-- Review user activity logs to determine if the Git operation was performed by an authorized user and if their actions align with their typical behavior. -- If suspicious activity is confirmed, isolate the affected system to prevent further unauthorized access or data exfiltration and initiate a deeper forensic analysis. - -### False positive analysis - -- Legitimate automated scripts or CI/CD pipelines may trigger Git hooks to perform network operations. Review the source and purpose of these scripts and consider excluding them if they are verified as non-threatening. -- Development environments often use Git hooks for tasks like fetching dependencies or updating remote services. Identify these common operations and create exceptions for known safe IP addresses or domains. -- Internal tools or services that rely on Git hooks for communication with other internal systems might be flagged. Ensure these tools are documented and whitelist their network activities if they are deemed secure. -- Frequent updates or deployments that involve Git hooks could lead to repeated alerts. Monitor the frequency and context of these alerts to determine if they are part of regular operations and adjust the rule to reduce noise. -- Consider the context of the network connection, such as the destination IP or domain. If the destination is a known and trusted entity, it may be appropriate to exclude it from triggering alerts. - -### Response and remediation - -- Immediately isolate the affected host from the network to prevent further unauthorized egress connections and potential data exfiltration. -- Terminate any suspicious processes identified as originating from Git hooks, particularly those executing shell scripts like bash, dash, or zsh. -- Conduct a thorough review of the .git/hooks directory on the affected system to identify and remove any unauthorized or malicious scripts. 
-- Reset credentials and access tokens associated with the affected Git repository to prevent further unauthorized access. -- Restore any modified or deleted files from a known good backup to ensure system integrity. -- Implement network monitoring to detect and block any future unauthorized egress connections from Git hooks or similar scripts. -- Escalate the incident to the security operations team for further investigation and to assess the potential impact on other systems or repositories.""" - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" @@ -127,28 +128,29 @@ id = "T1574" name = "Hijack Execution Flow" reference = "https://attack.mitre.org/techniques/T1574/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat]] framework = "MITRE ATT&CK" @@ -156,4 +158,3 @@ framework = "MITRE ATT&CK" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/linux/persistence_git_hook_process_execution.toml b/rules/linux/persistence_git_hook_process_execution.toml index d94e5860c..2203dc37a 100644 --- a/rules/linux/persistence_git_hook_process_execution.toml +++ b/rules/linux/persistence_git_hook_process_execution.toml 
@@ -2,7 +2,7 @@ creation_date = "2024/06/26" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2025/12/22" [rule] author = ["Elastic"] 
@@ -104,30 +104,29 @@ tags = [ ] timestamp_override = "event.ingested" type = "eql" - query = ''' process where host.os.type == "linux" and event.type == "start" and - event.action in ("exec", "exec_event", "start", "ProcessRollup2") and - process.parent.name in ( - "applypatch-msg", "commit-msg", "fsmonitor-watchman", "post-update", "post-checkout", "post-commit", - "pre-applypatch", "pre-commit", "pre-merge-commit", "prepare-commit-msg", "pre-push", "pre-rebase", "pre-receive", - "push-to-checkout", "update", "post-receive", "pre-auto-gc", "post-rewrite", "sendemail-validate", "p4-pre-submit", - "post-index-change", "post-merge", "post-applypatch" - ) and - ( - process.name in ("nohup", "setsid", "disown", "bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") or - process.name : ("php*", "perl*", "ruby*", "lua*") or - process.executable : ( - "/boot/*", "/dev/shm/*", "/etc/cron.*/*", "/etc/init.d/*", "/etc/update-motd.d/*", - "/run/*", "/srv/*", "/tmp/*", "/var/tmp/*", "/var/log/*" - ) - ) and - not process.name in ("git", "dirname") +event.action in ("exec", "exec_event", "start", "ProcessRollup2") and +process.parent.name in ( + "applypatch-msg", "commit-msg", "fsmonitor-watchman", "post-update", "post-checkout", "post-commit", + "pre-applypatch", "pre-commit", "pre-merge-commit", "prepare-commit-msg", "pre-push", "pre-rebase", "pre-receive", + "push-to-checkout", "update", "post-receive", "pre-auto-gc", "post-rewrite", "sendemail-validate", "p4-pre-submit", + "post-index-change", "post-merge", "post-applypatch" +) and +( + process.name in ("nohup", "setsid", "disown", "bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") or + process.name like ("php*", "perl*", "ruby*", "lua*") or + process.executable like ( + "/boot/*", "/dev/shm/*", "/etc/cron.*/*", "/etc/init.d/*", "/etc/update-motd.d/*", + "/run/*", "/srv/*", "/tmp/*", "/var/tmp/*", "/var/log/*" + ) +) and +not process.name in ("git", "dirname") ''' - [[rule.threat]] framework = "MITRE ATT&CK" + 
[[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" @@ -138,28 +137,29 @@ id = "T1574" name = "Hijack Execution Flow" reference = "https://attack.mitre.org/techniques/T1574/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat]] framework = "MITRE ATT&CK" @@ -167,4 +167,3 @@ framework = "MITRE ATT&CK" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/linux/persistence_grub_configuration_creation.toml b/rules/linux/persistence_grub_configuration_creation.toml index c5e5b0ff3..d3c5b78af 100644 --- a/rules/linux/persistence_grub_configuration_creation.toml +++ b/rules/linux/persistence_grub_configuration_creation.toml @@ -2,7 +2,7 @@ creation_date = "2025/01/16" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2025/12/22" [rule] author = ["Elastic"] 
@@ -90,13 +90,14 @@ tags = [ ] timestamp_override = "event.ingested" type = "eql" - query = ''' file where host.os.type == "linux" and event.type == "creation" and process.executable != null and file.path like~ ( "/etc/default/grub.d/*", "/etc/default/grub", "/etc/grub.d/*", "/boot/grub2/grub.cfg", "/boot/grub/grub.cfg", "/boot/efi/EFI/*/grub.cfg", "/etc/sysconfig/grub" ) and not ( + /* Too many FPs from Python automation */ + process.name like ("python*", "platform-python*") or process.executable in ( "/bin/dpkg", "/usr/bin/dpkg", "/bin/dockerd", "/usr/bin/dockerd", "/usr/sbin/dockerd", "/bin/microdnf", "/usr/bin/microdnf", "/bin/rpm", "/usr/bin/rpm", "/bin/snapd", "/usr/bin/snapd", "/bin/yum", "/usr/bin/yum", 
@@ -104,12 +105,13 @@ file where host.os.type == "linux" and event.type == "creation" and process.exec "/bin/pacman", "/usr/bin/pacman", "/usr/bin/dpkg-divert", "/bin/dpkg-divert", "/sbin/apk", "/usr/sbin/apk", "/usr/local/sbin/apk", "/usr/bin/apt", "/usr/sbin/pacman", "/bin/podman", "/usr/bin/podman", "/usr/bin/puppet", "/bin/puppet", "/opt/puppetlabs/puppet/bin/puppet", "/usr/bin/chef-client", "/bin/chef-client", - "/bin/autossl_check", "/usr/bin/autossl_check", "/proc/self/exe", "/dev/fd/*", "/usr/bin/pamac-daemon", + "/bin/autossl_check", "/usr/bin/autossl_check", "/proc/self/exe", "/usr/bin/pamac-daemon", "/bin/pamac-daemon", "/usr/lib/snapd/snapd", "/usr/local/bin/dockerd", "/usr/bin/crio", "/usr/sbin/crond", "/opt/puppetlabs/puppet/bin/ruby", "/usr/libexec/platform-python", "/kaniko/kaniko-executor", "/usr/local/bin/dockerd", "/usr/bin/podman", "/bin/install", "/proc/self/exe", "/usr/lib/systemd/systemd", "/usr/sbin/sshd", "/usr/bin/gitlab-runner", "/opt/gitlab/embedded/bin/ruby", "/usr/sbin/gdm", "/usr/bin/install", - "/usr/local/manageengine/uems_agent/bin/dcregister", "/usr/local/bin/pacman" + "/usr/local/manageengine/uems_agent/bin/dcregister", "/usr/local/bin/pacman", "./usr/bin/podman", "/usr/bin/dnf5", + "/usr/sbin/yum-cron" ) or process.executable like~ ( "/nix/store/*", "/var/lib/dpkg/*", "/tmp/vmis.*", "/snap/*", "/dev/fd/*", "/usr/lib/virtualbox/*" @@ -119,9 +121,9 @@ file where host.os.type == "linux" and event.type == "creation" and process.exec ) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1542" name = "Pre-OS Boot" @@ -137,9 +139,7 @@ id = "T1574" name = "Hijack Execution Flow" reference = "https://attack.mitre.org/techniques/T1574/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - diff --git a/rules/linux/persistence_grub_makeconfig.toml b/rules/linux/persistence_grub_makeconfig.toml index 23b192d44..dc7576275 100644 
--- a/rules/linux/persistence_grub_makeconfig.toml +++ b/rules/linux/persistence_grub_makeconfig.toml @@ -2,7 +2,7 @@ creation_date = "2025/01/16" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2025/12/22" [rule] author = ["Elastic"] @@ -92,21 +92,28 @@ tags = [ ] timestamp_override = "event.ingested" type = "eql" - query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "start", "ProcessRollup2") and process.parent.executable != null and process.name in ("grub-mkconfig", "grub2-mkconfig", "update-grub") and not ( process.parent.name in ("run-parts", "sudo", "update-grub", "pacman", "dockerd", "dnf", "rpm", "yum") or - process.parent.executable like~ ( - "/var/lib/dpkg/info/*", "/usr/lib/bootloader/grub2-efi/config", "/tmp/newroot/*", "/usr/lib/kernel/install.d/*" - ) + process.parent.executable like ( + "/var/lib/dpkg/info/*", "/usr/lib/bootloader/grub2-efi/config", "/tmp/newroot/*", "/usr/lib/kernel/install.d/*", + "/run/user/*/.bubblewrap/*/timeout" + ) or + process.parent.executable in ( + "/usr/bin/timeout", "/usr/sbin/nvidia-boot-update", "/usr/lib/oci-linux-config/misc_updates.sh", + "/opt/puppetlabs/puppet/bin/puppet", "/usr/sbin/selinux-activate", "/usr/lib/skylight/stop-workspace", + "/var/lib/aws-replication-agent/install_agent", "/usr/local/CTS/bin/apply_personality", + "/opt/puppetlabs/puppet/bin/ruby" + ) or + (process.parent.name like ("python*", "platform-python*") and process.parent.command_line like "*ansible*") ) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1542" name = "Pre-OS Boot" @@ -122,9 +129,7 @@ id = "T1574" name = "Hijack Execution Flow" reference = "https://attack.mitre.org/techniques/T1574/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - 
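Review bot: The `@@ -92,21 +92,28 @@` hunk adds `"/usr/bin/timeout"` to the excluded `process.parent.executable` list and `"/run/user/*/.bubblewrap/*/timeout"` to the glob list, but `timeout` is a generic wrapper that says nothing about which automation launched `grub-mkconfig`, so this exclusion removes coverage for any invocation that happens to be wrapped in `timeout`. If the false positive comes from one tool, scope it with `process.parent.args` or `process.command_line` (use a placeholder such as `"*<observed-automation-marker>*"` until the real value is confirmed), as the hunk already does for Ansible via `process.parent.command_line like "*ansible*"`. This rule also switches `like~` to the case-sensitive `like`, while the GRUB configuration creation rule earlier in the diff keeps `like~`; the two GRUB rules should agree on one operator.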
diff --git a/rules/linux/persistence_init_d_file_creation.toml b/rules/linux/persistence_init_d_file_creation.toml index 9596e5bce..b4d7276cf 100644 --- a/rules/linux/persistence_init_d_file_creation.toml +++ b/rules/linux/persistence_init_d_file_creation.toml @@ -2,7 +2,7 @@ creation_date = "2023/03/21" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2025/12/22" [transform] [[transform.osquery]] @@ -34,10 +34,10 @@ query = "SELECT * FROM crontab" [rule] author = ["Elastic"] description = """ -Files that are placed in the /etc/init.d/ directory in Unix can be used to start custom applications, services, scripts +Files that are placed in the "/etc/init.d/" directory in Unix can be used to start custom applications, services, scripts or commands during start-up. Init.d has been mostly replaced in favor of Systemd. However, the "systemd-sysv-generator" can convert init.d files to service unit files that run at boot. Adversaries may add or alter files located in the -/etc/init.d/ directory to execute malicious code upon boot in order to gain persistence on the system. +"/etc/init.d/" directory to execute malicious code upon boot in order to gain persistence on the system. """ from = "now-9m" index = ["endgame-*", "logs-endpoint.events.file*", "logs-sentinel_one_cloud_funnel.*"] 
@@ -152,43 +152,47 @@ tags = [ ] timestamp_override = "event.ingested" type = "eql" - query = ''' file where host.os.type == "linux" and event.action in ("creation", "file_create_event", "rename", "file_rename_event") -and file.path : "/etc/init.d/*" and not ( +and file.path like "/etc/init.d/*" and not ( process.executable in ( "/bin/dpkg", "/usr/bin/dpkg", "/bin/dockerd", "/usr/bin/dockerd", "/usr/sbin/dockerd", "/bin/microdnf", "/usr/bin/microdnf", "/bin/rpm", "/usr/bin/rpm", "/bin/snapd", "/usr/bin/snapd", "/bin/yum", "/usr/bin/yum", "/bin/dnf", "/usr/bin/dnf", "/bin/podman", "/usr/bin/podman", "/bin/dnf-automatic", "/usr/bin/dnf-automatic", "/bin/pacman", "/usr/bin/pacman", "/usr/bin/dpkg-divert", "/bin/dpkg-divert", "/sbin/apk", "/usr/sbin/apk", "/usr/local/sbin/apk", "/usr/bin/apt", "/usr/sbin/pacman", "/bin/podman", "/usr/bin/podman", "/usr/bin/puppet", - "/bin/puppet", "/opt/puppetlabs/puppet/bin/puppet", "/usr/bin/chef-client", "/bin/chef-client", - "/bin/autossl_check", "/usr/bin/autossl_check", "/proc/self/exe", "/dev/fd/*", "/usr/bin/pamac-daemon", - "/bin/pamac-daemon", "/usr/lib/snapd/snapd", "/usr/local/bin/dockerd" + "/bin/puppet", "/opt/puppetlabs/puppet/bin/puppet", "/usr/bin/chef-client", "/bin/chef-client", "./envbuilder/bin/envbuilder", + "/bin/autossl_check", "/usr/bin/autossl_check", "/proc/self/exe", "/usr/bin/pamac-daemon", "/opt/puppetlabs/puppet/bin/ruby", + "/bin/pamac-daemon", "/usr/lib/snapd/snapd", "/usr/local/bin/dockerd", "./usr/bin/podman", "/usr/lib/systemd/systemd", + "/usr/bin/buildah", "/dev/.buildkit_qemu_emulator", "/usr/lib/nvidia/post-install", "/usr/bin/dnf5", "/usr/sbin/yum-cron" ) or file.extension in ("swp", "swpx", "swx", "dpkg-remove", "dpkg-new") or + ?file.Ext.original.name like "*.dpkg-new" or file.path like ("/etc/init.d/*beat*", "/etc/init.d/elastic-agent*") or - process.executable like ("/nix/store/*", "/var/lib/dpkg/*", "/snap/*", "/dev/fd/*", "/usr/lib/virtualbox/*", "/opt/puppetlabs/puppet/bin/ruby") or + 
process.executable like ( + "/nix/store/*", "/var/lib/dpkg/*", "/snap/*", "/dev/fd/*", "/usr/lib/virtualbox/*", "/var/lib/docker/overlay2/*/dockerd ", + "/var/lib/containers/storage/overlay/*/dockerd" + ) or process.name in ("docker-init", "jumpcloud-agent", "crio") or process.executable == null or process.name in ("executor", "univention-config-registry", "install", "dockerd-entrypoint.sh", "platform-python*", "ssm-agent-worker") or (process.name == "ln" and file.path : "/etc/init.d/rc*.d/*") or (process.name == "sed" and file.name : "sed*") or - (process.name == "perl" and file.name : "e2scrub_all.tmp*") + (process.name == "perl" and file.name : "e2scrub_all.tmp*") or + (process.name == "cp" and file.path == "/etc/init.d/unified-monitoring-agent") or + (process.name == "./vmware-install.pl" and file.path == "/etc/init.d/vmware-tools") ) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1037" name = "Boot or Logon Initialization Scripts" reference = "https://attack.mitre.org/techniques/T1037/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - diff --git a/rules/linux/persistence_insmod_kernel_module_load.toml b/rules/linux/persistence_insmod_kernel_module_load.toml index cf26c1d71..048a62f38 100644 --- a/rules/linux/persistence_insmod_kernel_module_load.toml +++ b/rules/linux/persistence_insmod_kernel_module_load.toml @@ -1,8 +1,8 @@ [metadata] creation_date = "2022/07/11" -integration = ["endpoint", "auditd_manager", "sentinel_one_cloud_funnel"] +integration = ["endpoint", "auditd_manager", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2025/12/22" [transform] [[transform.osquery]] @@ -45,6 +45,7 @@ index = [ "logs-auditd_manager.auditd-*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*", + "logs-crowdstrike.fdr*", ] language = "eql" license = "Elastic License v2" 
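Review bot: The new glob `"/var/lib/docker/overlay2/*/dockerd "` in the `@@ -152,43 +152,47 @@` hunk has a trailing space inside the quotes, so it can never match an executable path and the intended dockerd exclusion is dead; the companion `"/var/lib/containers/storage/overlay/*/dockerd"` is written correctly and the fix is simply `"/var/lib/docker/overlay2/*/dockerd",`. In the same hunk the retained context line `process.name in ("executor", ..., "platform-python*", ...)` compares `"platform-python*"` literally, since `in` does not expand globs, so that entry also never matches; elsewhere in this commit the same idea is expressed as `process.name like ("python*", "platform-python*")`. The `file.path : "/etc/init.d/rc*.d/*"` exclusion still uses `:` although the main `file.path` clause was moved to `like` in this hunk.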
@@ -162,35 +163,41 @@ tags = [ "Data Source: Elastic Defend", "Data Source: Auditd Manager", "Data Source: SentinelOne", + "Data Source: Crowdstrike", "Resources: Investigation Guide", ] timestamp_override = "event.ingested" type = "eql" - query = ''' -process where host.os.type == "linux" and event.type == "start" and process.name == "insmod" and process.args : "*.ko" and -not process.parent.executable like ( - "/opt/ds_agent/*", "/usr/sbin/veeamsnap-loader", "/opt/TrendMicro/vls_agent/*", "/opt/intel/oneapi/*", - "/opt/commvault/Base/linux_drv", "/bin/falcoctl" +process where host.os.type == "linux" and event.type == "start" and +event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started") and +process.name == "insmod" and process.args : "*.ko" and +not ( + ?process.parent.executable like ("/opt/ds_agent/*", "/opt/TrendMicro/vls_agent/*", "/opt/intel/oneapi/*") or + ?process.working_directory in ("/opt/vinchin/agent", "/var/opt/ds_agent/am", "/opt/ds_agent", "/var/opt/TrendMicro/vls_agent/am") or + ?process.parent.executable in ( + "/usr/lib/uptrack/ksplice-apply", "/opt/commvault/commvault/Base/linux_drv", "/opt/cisco/amp/bin/cisco-amp-helper", + "/usr/bin/kcarectl", "/usr/share/ksplice/ksplice-apply", "/opt/commvault/Base/linux_drv", "/usr/sbin/veeamsnap-loader", + "/bin/falcoctl" + ) or + (?process.parent.name like ("python*", "platform-python*") and ?process.parent.args in ("--smart-update", "--auto-update")) ) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1547" name = "Boot or Logon Autostart Execution" reference = "https://attack.mitre.org/techniques/T1547/" + [[rule.threat.technique.subtechnique]] id = "T1547.006" name = "Kernel Modules and Extensions" reference = "https://attack.mitre.org/techniques/T1547/006/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - 
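Review bot: The `?process.working_directory in ("/opt/vinchin/agent", ...)` exclusion added in the `@@ -162,35 +163,41 @@` hunk keys the suppression on the process's current directory, which any caller of `insmod` sets freely, unlike the `?process.parent.executable` exclusions beside it that are tied to an installed binary. The same vendor agents can be excluded by their parent executable path (the hunk already does this for `/opt/ds_agent/*` and `/opt/TrendMicro/vls_agent/*`), which keeps the exclusion anchored to something on disk. With `logs-crowdstrike.fdr*` now in the index list, note that `process.args : "*.ko"` is a required field while the parent fields are optional (`?`); if FDR events do not populate `process.args` (to confirm), they are dropped before any of the new exclusions apply, and `process.command_line like "*.ko*"` may be the more portable test.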
diff --git a/rules/linux/persistence_kde_autostart_modification.toml b/rules/linux/persistence_kde_autostart_modification.toml index 83b65a7ba..58550c3b5 100644 --- a/rules/linux/persistence_kde_autostart_modification.toml +++ b/rules/linux/persistence_kde_autostart_modification.toml @@ -2,7 +2,7 @@ creation_date = "2021/01/06" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2025/12/22" [transform] [[transform.osquery]] @@ -73,7 +73,6 @@ query = "SELECT * FROM users WHERE username = {{user.name}}" label = "Osquery - Investigate the Account Authentication Status" query = "SELECT * FROM logged_in_users WHERE user = {{user.name}}" - [rule] author = ["Elastic"] description = """ 
@@ -84,16 +83,16 @@ from = "now-9m" index = ["auditbeat-*", "endgame-*", "logs-endpoint.events.file*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" -name = "Persistence via KDE AutoStart Script or Desktop File Modification" +name = "KDE AutoStart Script or Desktop File Creation" note = """## Triage and analysis -### Investigating Persistence via KDE AutoStart Script or Desktop File Modification +### Investigating KDE AutoStart Script or Desktop File Creation K Desktop Environment (KDE) is a popular graphical desktop environment for Linux systems. It supports AutoStart scripts and desktop files that execute automatically upon user logon. Adversaries may exploit this feature to maintain persistence on a compromised system by creating or modifying these files. -The detection rule 'Persistence via KDE AutoStart Script or Desktop File Modification' is designed to identify such activities by monitoring file events on Linux systems. It specifically targets the creation or modification of files with extensions ".sh" or ".desktop" in various AutoStart directories. By detecting these events, the rule helps security analysts identify potential abuse of KDE AutoStart functionality by malicious actors. +The detection rule 'KDE AutoStart Script or Desktop File Creation' is designed to identify such activities by monitoring file events on Linux systems. It specifically targets the creation or modification of files with extensions ".sh" or ".desktop" in various AutoStart directories. By detecting these events, the rule helps security analysts identify potential abuse of KDE AutoStart functionality by malicious actors. > **Note**: > This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/current/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. 
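Review bot: The investigation guide updated in the `@@ -84,16 +83,16 @@` hunk still states that the rule "specifically targets the creation or modification of files", but the query hunk later in this diff narrows the match to `event.type == "creation"`, and the rule is renamed from "Modification" to "Creation" for that reason. The sentence should read `It specifically targets the creation of files with extensions ".sh" or ".desktop" in various AutoStart directories.` so the guide matches what the rule now does. The coverage trade-off (edits to an existing autostart entry no longer alert) is worth one sentence in the note or description so analysts do not assume modification is still covered.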
@@ -208,39 +207,43 @@ tags = [ ] timestamp_override = "event.ingested" type = "eql" - query = ''' -file where host.os.type == "linux" and event.type != "deletion" and - file.extension in ("sh", "desktop") and - file.path : - ( - "/home/*/.config/autostart/*", "/root/.config/autostart/*", - "/home/*/.kde/Autostart/*", "/root/.kde/Autostart/*", - "/home/*/.kde4/Autostart/*", "/root/.kde4/Autostart/*", - "/home/*/.kde/share/autostart/*", "/root/.kde/share/autostart/*", - "/home/*/.kde4/share/autostart/*", "/root/.kde4/share/autostart/*", - "/home/*/.local/share/autostart/*", "/root/.local/share/autostart/*", - "/home/*/.config/autostart-scripts/*", "/root/.config/autostart-scripts/*", - "/etc/xdg/autostart/*", "/usr/share/autostart/*" - ) and - not process.name in ( - "yum", "dpkg", "install", "dnf", "teams", "yum-cron", "dnf-automatic", "docker", "dockerd", "rpm", "pacman", - "podman", "nautilus", "remmina", "cinnamon-settings.py", "executor", "xfce4-clipman", "jetbrains-toolbox", - "ansible-admin", "apk" - ) +file where host.os.type == "linux" and event.type == "creation" and process.executable != null and +file.extension in ("sh", "desktop") and +file.path like ( + "/home/*/.config/autostart/*", "/root/.config/autostart/*", + "/home/*/.kde/Autostart/*", "/root/.kde/Autostart/*", + "/home/*/.kde4/Autostart/*", "/root/.kde4/Autostart/*", + "/home/*/.kde/share/autostart/*", "/root/.kde/share/autostart/*", + "/home/*/.kde4/share/autostart/*", "/root/.kde4/share/autostart/*", + "/home/*/.local/share/autostart/*", "/root/.local/share/autostart/*", + "/home/*/.config/autostart-scripts/*", "/root/.config/autostart-scripts/*", + "/etc/xdg/autostart/*", "/usr/share/autostart/*" +) and +not ( + process.name in ( + "yum", "dpkg", "install", "dnf", "teams", "yum-cron", "dnf-automatic", "docker", "dockerd", "rpm", "pacman", + "podman", "nautilus", "remmina", "cinnamon-settings.py", "executor", "xfce4-clipman", "jetbrains-toolbox", + "ansible-admin", "apk" + ) or + 
process.executable in ( + "/usr/bin/dnf5", "/usr/libexec/xdg-desktop-portal", "/usr/sbin/mkhomedir_helper", "/sbin/mkhomedir_helper", + "/usr/bin/crio", "/usr/sbin/useradd", "/usr/bin/nextcloud", "/usr/bin/sealert", "/opt/google/chrome/chrome", + "/usr/bin/pamac-daemon", "/usr/sbin/sshd", "/usr/sbin/gdm", "/usr/libexec/platform-python" + ) or + process.executable like "/home/*/.MathWorks/*/glnxa64/mlcpostinstall" +) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1547" name = "Boot or Logon Autostart Execution" reference = "https://attack.mitre.org/techniques/T1547/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - diff --git a/rules/linux/persistence_kernel_driver_load_by_non_root.toml b/rules/linux/persistence_kernel_driver_load_by_non_root.toml index ebfdbbbb8..9f4a83039 100644 --- a/rules/linux/persistence_kernel_driver_load_by_non_root.toml +++ b/rules/linux/persistence_kernel_driver_load_by_non_root.toml @@ -2,7 +2,7 @@ creation_date = "2024/01/10" integration = ["auditd_manager"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/12/22" [rule] author = ["Elastic"] 
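Review bot: The new exclusion `process.executable like "/home/*/.MathWorks/*/glnxa64/mlcpostinstall"` is keyed on a path under the user's own home directory, so any unprivileged process can satisfy it (`mkdir -p ~/.MathWorks/x/glnxa64 && cp payload ~/.MathWorks/x/glnxa64/mlcpostinstall`) and then write autostart entries without triggering the rule, whereas the other executable exclusions at least sit on root-owned system paths. Either anchor it on something the same user cannot forge or drop it and let affected deployments add a local exception. The switch from `event.type != "deletion"` to `event.type == "creation"` also means edits to an existing `.desktop` file are no longer caught; if that is intentional it belongs in the note. Finally, `process.executable != null` will silently discard events from any source in the index list that does not populate that field — presumably some `auditbeat-*`/`endgame-*` data — which is worth confirming before shipping.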
@@ -14,10 +14,45 @@ rule covers the gap that evasive rootkits leverage by monitoring for kernel modu auditd_manager. """ from = "now-9m" -index = ["logs-auditd_manager.auditd-*"] +index = ["logs-auditd_manager.auditd-*", "auditbeat-*"] language = "eql" license = "Elastic License v2" name = "Kernel Driver Load by non-root User" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Kernel Driver Load by non-root User + +Kernel modules extend the functionality of the Linux kernel, allowing dynamic loading of drivers or features. Typically, only root users can load these modules due to their potential to alter system behavior. Adversaries may exploit this by loading malicious modules, such as rootkits, to gain control and evade detection. The detection rule identifies non-root users attempting to load modules, signaling potential unauthorized activity. + +### Possible investigation steps + +- Review the alert details to identify the non-root user (user.id) involved in the kernel module loading attempt. +- Check the system logs and audit logs for any additional context around the time of the event, focusing on the specific system calls (init_module, finit_module) used. +- Investigate the source and legitimacy of the kernel module being loaded by examining the module's file path and associated metadata. +- Assess the user's recent activity and permissions to determine if there are any signs of privilege escalation or unauthorized access. +- Correlate this event with other security alerts or anomalies on the same host to identify potential patterns of malicious behavior. 
+- Verify the integrity and security posture of the affected system by running a comprehensive malware and rootkit scan. + +### False positive analysis + +- Legitimate software or system utilities may occasionally load kernel modules as part of their normal operation. Identify these applications and verify their behavior to ensure they are not malicious. +- Development environments or testing scenarios might involve non-root users loading kernel modules for legitimate purposes. Consider creating exceptions for these specific users or processes after thorough validation. +- Some system management tools or scripts executed by non-root users might trigger this rule. Review these tools and, if deemed safe, add them to an exception list to prevent unnecessary alerts. +- In environments where non-root users are granted specific permissions to load kernel modules, ensure these permissions are documented and monitored. Adjust the rule to exclude these known and authorized activities. +- Regularly review and update the list of exceptions to ensure that only verified and non-threatening behaviors are excluded, maintaining the integrity of the detection rule. + +### Response and remediation + +- Immediately isolate the affected system from the network to prevent further unauthorized access or potential lateral movement by the adversary. +- Terminate any suspicious processes associated with the non-root user attempting to load the kernel module to halt any ongoing malicious activity. +- Conduct a thorough review of the loaded kernel modules on the affected system to identify and remove any unauthorized or malicious modules. +- Reset credentials and review permissions for the non-root user involved in the alert to prevent further unauthorized actions. +- Escalate the incident to the security operations team for a deeper forensic analysis to determine the scope of the compromise and identify any additional affected systems. 
+- Implement enhanced monitoring and logging for kernel module loading activities across all systems to detect similar threats in the future. +- Review and update security policies to ensure that only authorized users have the necessary permissions to load kernel modules, reducing the risk of unauthorized access.""" risk_score = 47 rule_id = "ba81c182-4287-489d-af4d-8ae834b06040" setup = """## Setup 
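Review bot: The investigation steps never ask the analyst to check whether the load actually succeeded, yet the query further down (`auditd.data.syscall in ("init_module", "finit_module") and user.id != "0"`) does not filter on outcome, so a non-root `insmod` denied with EPERM and a genuine load by a non-root process holding CAP_SYS_MODULE produce the same alert. I would add a bullet such as `- Check the audit result of the syscall (e.g. event.outcome) to separate a denied attempt from a module that actually loaded; a successful load by a non-root user implies CAP_SYS_MODULE and should be escalated.` Also, `auditbeat-*` is now in `index` while `integration` — and, as far as is visible, the setup text — only cover `auditd_manager`; confirm auditbeat emits `event.action == "loaded-kernel-module"` and `auditd.data.syscall` in the same shape and mention it in the setup section.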
@@ -58,75 +93,38 @@ tags = [ ] timestamp_override = "event.ingested" type = "eql" - query = ''' driver where host.os.type == "linux" and event.action == "loaded-kernel-module" and auditd.data.syscall in ("init_module", "finit_module") and user.id != "0" ''' -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Kernel Driver Load by non-root User - -Kernel modules extend the functionality of the Linux kernel, allowing dynamic loading of drivers or features. Typically, only root users can load these modules due to their potential to alter system behavior. Adversaries may exploit this by loading malicious modules, such as rootkits, to gain control and evade detection. The detection rule identifies non-root users attempting to load modules, signaling potential unauthorized activity. - -### Possible investigation steps - -- Review the alert details to identify the non-root user (user.id) involved in the kernel module loading attempt. -- Check the system logs and audit logs for any additional context around the time of the event, focusing on the specific system calls (init_module, finit_module) used. -- Investigate the source and legitimacy of the kernel module being loaded by examining the module's file path and associated metadata. -- Assess the user's recent activity and permissions to determine if there are any signs of privilege escalation or unauthorized access. -- Correlate this event with other security alerts or anomalies on the same host to identify potential patterns of malicious behavior. -- Verify the integrity and security posture of the affected system by running a comprehensive malware and rootkit scan. 
- -### False positive analysis - -- Legitimate software or system utilities may occasionally load kernel modules as part of their normal operation. Identify these applications and verify their behavior to ensure they are not malicious. -- Development environments or testing scenarios might involve non-root users loading kernel modules for legitimate purposes. Consider creating exceptions for these specific users or processes after thorough validation. -- Some system management tools or scripts executed by non-root users might trigger this rule. Review these tools and, if deemed safe, add them to an exception list to prevent unnecessary alerts. -- In environments where non-root users are granted specific permissions to load kernel modules, ensure these permissions are documented and monitored. Adjust the rule to exclude these known and authorized activities. -- Regularly review and update the list of exceptions to ensure that only verified and non-threatening behaviors are excluded, maintaining the integrity of the detection rule. - -### Response and remediation - -- Immediately isolate the affected system from the network to prevent further unauthorized access or potential lateral movement by the adversary. -- Terminate any suspicious processes associated with the non-root user attempting to load the kernel module to halt any ongoing malicious activity. -- Conduct a thorough review of the loaded kernel modules on the affected system to identify and remove any unauthorized or malicious modules. -- Reset credentials and review permissions for the non-root user involved in the alert to prevent further unauthorized actions. -- Escalate the incident to the security operations team for a deeper forensic analysis to determine the scope of the compromise and identify any additional affected systems. -- Implement enhanced monitoring and logging for kernel module loading activities across all systems to detect similar threats in the future. 
-- Review and update security policies to ensure that only authorized users have the necessary permissions to load kernel modules, reducing the risk of unauthorized access.""" - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1547" name = "Boot or Logon Autostart Execution" reference = "https://attack.mitre.org/techniques/T1547/" + [[rule.threat.technique.subtechnique]] id = "T1547.006" name = "Kernel Modules and Extensions" reference = "https://attack.mitre.org/techniques/T1547/006/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1014" name = "Rootkit" reference = "https://attack.mitre.org/techniques/T1014/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/linux/persistence_kernel_object_file_creation.toml b/rules/linux/persistence_kernel_object_file_creation.toml index 05f9db09c..e5b8aede5 100644 --- a/rules/linux/persistence_kernel_object_file_creation.toml +++ b/rules/linux/persistence_kernel_object_file_creation.toml @@ -2,7 +2,7 @@ creation_date = "2024/12/19" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/24" +updated_date = "2025/12/22" [rule] author = ["Elastic"] 
@@ -16,6 +16,41 @@ index = ["logs-endpoint.events.file-*"] language = "kuery" license = "Elastic License v2" name = "Kernel Object File Creation" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Kernel Object File Creation + +Kernel object files (.ko) are loadable modules that extend the functionality of the Linux kernel, often used for adding drivers or system features. Adversaries exploit this by loading malicious modules, such as rootkits, to gain control and evade detection. The detection rule identifies suspicious .ko file creation, excluding benign paths, to flag potential threats while minimizing false positives. + +### Possible investigation steps + +- Review the file path of the created .ko file to determine if it is located in a suspicious or unusual directory that is not excluded by the rule, such as /var/tmp or /usr/local. +- Examine the process that created the .ko file by checking the process.executable and process.name fields to identify if it is a known legitimate process or potentially malicious. +- Investigate the parent process of the process that created the .ko file to understand the context of how the file was created and if it was initiated by a legitimate user action or a script. +- Check for any recent system changes or anomalies around the time of the .ko file creation, such as new user accounts, changes in system configurations, or other suspicious file activities. +- Look for any associated network activity from the host around the time of the .ko file creation to identify potential command and control communications or data exfiltration attempts. 
+- Correlate the alert with other security events or logs from the same host to identify any patterns or additional indicators of compromise that may suggest a broader attack campaign. + +### False positive analysis + +- Kernel updates and system maintenance activities can generate .ko files in legitimate scenarios. Users should monitor for these activities and consider excluding paths related to official update processes. +- Custom kernel module development by developers or system administrators may trigger this rule. Establish a process to whitelist known development environments or specific user accounts involved in module creation. +- Automated system recovery tools, such as those using mkinitramfs, may create .ko files. Ensure these paths are excluded as indicated in the rule to prevent unnecessary alerts. +- Snap package installations might involve .ko file creation. Exclude the /snap/ directory to avoid false positives from legitimate package installations. +- Backup and restoration processes using tools like cpio can lead to .ko file creation. Verify these processes and exclude them if they are part of routine system operations. + +### Response and remediation + +- Isolate the affected system from the network to prevent further spread or communication with potential command and control servers. +- Terminate any suspicious processes associated with the creation of the .ko file, especially those not originating from known benign paths. +- Remove the suspicious .ko file from the system to prevent it from being loaded into the kernel. +- Conduct a thorough scan of the system using updated antivirus or endpoint detection and response (EDR) tools to identify and remove any additional malicious components. +- Review system logs and audit trails to identify any unauthorized access or changes made around the time of the .ko file creation. 
+- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if the threat is part of a larger attack campaign. +- Implement additional monitoring and alerting for similar activities, ensuring that any future attempts to create or load unauthorized .ko files are promptly detected and addressed.""" risk_score = 21 rule_id = "1965eab8-d17f-4b21-8c48-ad5ff133695d" setup = """## Setup 
@@ -56,45 +91,21 @@ tags = [ timestamp_override = "event.ingested" type = "new_terms" query = ''' -event.category:file and host.os.type:linux and event.type:creation and file.extension:ko and not ( - file.path:/var/tmp/mkinitramfs_* or process.executable:/snap/* or process.name:cpio -) and not file.path:/tmp/mkinitramfs* +event.category:file and host.os.type:linux and event.type:creation and file.extension:ko and +not ( + file.path:( + /tmp/mkinitramfs* or /var/cache/uptrack/* or /var/tmp/dracut.* or /build/* or /var/lib/dkms/* or + /mnt/Samsung/* or /var/tmp/portage/* or /tmp/user/0/mkinitramfs* or /var/tmp/supermin* or + /mnt/img/storage/squashfs-root/* or /var/opt/eset/* or /var/tmp/mkinitramfs_* + ) or + process.executable:( + "/usr/local/v3net/suarez/bin/suarez" or "/sbin/dracut" or "/opt/traps/bin/pmd" or "/usr/bin/pacman" or + "/usr/bin/containerd" or "/usr/sbin/dockerd" or "/usr/bin/dockerd" or /snap/* or + "/usr/lib/dracut/dracut-initramfs-restore" or "/sbin/unsquashfs" + ) or + process.name:"cpio" +) ''' -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Kernel Object File Creation - -Kernel object files (.ko) are loadable modules that extend the functionality of the Linux kernel, often used for adding drivers or system features. Adversaries exploit this by loading malicious modules, such as rootkits, to gain control and evade detection. The detection rule identifies suspicious .ko file creation, excluding benign paths, to flag potential threats while minimizing false positives. 
- -### Possible investigation steps - -- Review the file path of the created .ko file to determine if it is located in a suspicious or unusual directory that is not excluded by the rule, such as /var/tmp or /usr/local. -- Examine the process that created the .ko file by checking the process.executable and process.name fields to identify if it is a known legitimate process or potentially malicious. -- Investigate the parent process of the process that created the .ko file to understand the context of how the file was created and if it was initiated by a legitimate user action or a script. -- Check for any recent system changes or anomalies around the time of the .ko file creation, such as new user accounts, changes in system configurations, or other suspicious file activities. -- Look for any associated network activity from the host around the time of the .ko file creation to identify potential command and control communications or data exfiltration attempts. -- Correlate the alert with other security events or logs from the same host to identify any patterns or additional indicators of compromise that may suggest a broader attack campaign. - -### False positive analysis - -- Kernel updates and system maintenance activities can generate .ko files in legitimate scenarios. Users should monitor for these activities and consider excluding paths related to official update processes. -- Custom kernel module development by developers or system administrators may trigger this rule. Establish a process to whitelist known development environments or specific user accounts involved in module creation. -- Automated system recovery tools, such as those using mkinitramfs, may create .ko files. Ensure these paths are excluded as indicated in the rule to prevent unnecessary alerts. -- Snap package installations might involve .ko file creation. Exclude the /snap/ directory to avoid false positives from legitimate package installations. 
-- Backup and restoration processes using tools like cpio can lead to .ko file creation. Verify these processes and exclude them if they are part of routine system operations. - -### Response and remediation - -- Isolate the affected system from the network to prevent further spread or communication with potential command and control servers. -- Terminate any suspicious processes associated with the creation of the .ko file, especially those not originating from known benign paths. -- Remove the suspicious .ko file from the system to prevent it from being loaded into the kernel. -- Conduct a thorough scan of the system using updated antivirus or endpoint detection and response (EDR) tools to identify and remove any additional malicious components. -- Review system logs and audit trails to identify any unauthorized access or changes made around the time of the .ko file creation. -- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if the threat is part of a larger attack campaign. -- Implement additional monitoring and alerting for similar activities, ensuring that any future attempts to create or load unauthorized .ko files are promptly detected and addressed.""" [[rule.threat]] framework = "MITRE ATT&CK" @@ -133,4 +144,4 @@ value = ["process.name", "file.name"] [[rule.new_terms.history_window_start]] field = "history_window_start" -value = "now-10d" +value = "now-5d" diff --git a/rules/linux/persistence_kubernetes_sensitive_file_activity.toml b/rules/linux/persistence_kubernetes_sensitive_file_activity.toml index 9e87a71e8..f9c982461 100644 --- a/rules/linux/persistence_kubernetes_sensitive_file_activity.toml +++ b/rules/linux/persistence_kubernetes_sensitive_file_activity.toml @@ -2,7 +2,7 @@ creation_date = "2025/06/26" integration = ["endpoint"] maturity = "production" -updated_date = "2025/07/07" +updated_date = "2025/12/22" [rule] author = ["Elastic"] 
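Review bot: Several of the new path exclusions are writable by unprivileged users — `/build/*`, `/tmp/mkinitramfs*`, `/tmp/user/0/mkinitramfs*`, `/var/tmp/dracut.*`, `/var/tmp/supermin*` — so an attacker who reads this rule can build or copy a rootkit into `/build/` (or name a scratch directory `mkinitramfs-x`) and the `.ko` creation is never considered by the new_terms logic. The narrower fix is to pair each prefix with the process that legitimately writes there, e.g. `(file.path:/build/* and process.name:(ld or ld.bfd or ld.lld))` for kernel builds and `process.name:(mkinitramfs or dracut or supermin)` for the temp entries, instead of excluding the directory for every process. The `/mnt/Samsung/*`, `/mnt/img/storage/squashfs-root/*` and `/usr/local/v3net/suarez/bin/suarez` entries look like single-environment noise and would be better left to per-deployment exceptions than shipped in the rule. The `history_window_start` shift from `now-10d` to `now-5d` in the following hunk will re-alert on process/file pairs last seen a week ago; fine as a trade-off, but it deserves a line in the PR description.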
@@ -99,7 +99,10 @@ file where host.os.type == "linux" and event.type != "deletion" and file.path li
 "/etc/kubernetes/manifests/*",
 "/etc/kubernetes/pki/*",
 "/etc/kubernetes/*.conf"
-) and not process.name in ("kubeadm", "kubelet", "dpkg", "sed")
+) and not (
+ process.name in ("kubeadm", "kubelet", "dpkg", "sed") or
+ (process.name in ("vi", "vim", "vim.basic") and file.extension in ("swx", "swp"))
+)
 '''
 
 [[rule.threat]]
diff --git a/rules/linux/persistence_kworker_file_creation.toml b/rules/linux/persistence_kworker_file_creation.toml
index d5e19a633..428a388aa 100644
--- a/rules/linux/persistence_kworker_file_creation.toml
+++ b/rules/linux/persistence_kworker_file_creation.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/10/26"
 integration = ["endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/12/22"
 
 [transform]
 [[transform.osquery]]
@@ -165,44 +165,41 @@ tags = [ ] timestamp_override = "event.ingested" type = "eql" - query = ''' file where host.os.type == "linux" and event.action in ("creation", "file_create_event") and - process.name : "kworker*" and not ( - (process.name : "kworker*kcryptd*") or - (file.path : ( - "/var/log/*", "/var/crash/*", "/var/run/*", "/var/lib/systemd/coredump/*", "/var/spool/*", - "/var/lib/nfs/nfsdcltrack/main.sqlite-journal", "/proc/*/cwd/core.*", "/var/run/apport.lock", - "/var/spool/abrt/ccpp-*", "/var/lib/dynatrace/oneagent/*", "/var/lib/nfs*", "/run/user/*/.bubblewrap/*", - "/etc/localtime/*", "/proc/*/cwd/core.*" - ) - ) +process.name : "kworker*" and not ( + process.name : "kworker*kcryptd*" or + file.path like ( + "/var/log/*", "/var/crash/*", "/var/run/*", "/var/lib/systemd/coredump/*", "/var/spool/*", + "/var/lib/nfs/nfsdcltrack/main.sqlite-journal", "/proc/*/cwd/core.*", "/var/run/apport.lock", + "/var/spool/abrt/ccpp-*", "/var/lib/dynatrace/oneagent/*", "/var/lib/nfs*", "/run/user/*/.bubblewrap/*", + "/etc/localtime/*", "/proc/*/cwd/core.*", "/tmp/sh-thd.*", "/var/lib/apport/coredump/*", "/var/tmp/abrt/ccpp*" ) +) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1547" name = "Boot or Logon Autostart Execution" reference = "https://attack.mitre.org/techniques/T1547/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1014" name = "Rootkit" reference = "https://attack.mitre.org/techniques/T1014/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/linux/persistence_linux_backdoor_user_creation.toml b/rules/linux/persistence_linux_backdoor_user_creation.toml index 40dd37a98..fde1a2aa6 100644 --- a/rules/linux/persistence_linux_backdoor_user_creation.toml 
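Review bot: The new `"/tmp/sh-thd.*"` entry excludes a world-writable path from a rule whose whole premise is that a real kworker thread never creates files, so a process that has renamed itself `kworker/0:1` can write its payload to `/tmp/sh-thd.anything` and stay silent. If the noise comes from a specific tool, exclude it by that tool's executable path instead; if the source is unknown, leave the entry out and let deployments add an exception. The list also still carries `"/proc/*/cwd/core.*"` twice, which is harmless but should be de-duplicated while the block is being reformatted anyway.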
+++ b/rules/linux/persistence_linux_backdoor_user_creation.toml @@ -2,7 +2,7 @@ creation_date = "2023/03/07" integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2025/12/22" [transform] [[transform.osquery]] @@ -28,7 +28,6 @@ query = "SELECT * FROM logged_in_users WHERE user = {{user.name}}" label = "Osquery - Retrieve Information for a Specific Group" query = "SELECT * FROM groups WHERE groupname = {{group.name}}" - [rule] author = ["Elastic"] description = """ @@ -95,7 +94,7 @@ This rule identifies the usage of the `usermod` command to set a user's UID to 0 - Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). """ references = ["https://www.elastic.co/security-labs/primer-on-persistence-mechanisms"] -risk_score = 47 +risk_score = 73 rule_id = "494ebba4-ecb7-4be4-8c6f-654c686549ad" setup = """## Setup @@ -122,7 +121,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ -severity = "medium" +severity = "high" tags = [ "Domain: Endpoint", "OS: Linux", 
@@ -137,29 +136,27 @@ tags = [ ] timestamp_override = "event.ingested" type = "eql" - query = ''' process where host.os.type == "linux" and event.type == "start" and - event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started") - and process.name == "usermod" and process.args : "-u" and process.args : "0" and process.args : "-o" +event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started") and +process.name == "usermod" and process.args in ("-u", "--uid") and process.args == "0" and +process.args in ("-o", "--non-unique") ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1136" name = "Create Account" reference = "https://attack.mitre.org/techniques/T1136/" + [[rule.threat.technique.subtechnique]] id = "T1136.001" name = "Local Account" reference = "https://attack.mitre.org/techniques/T1136/001/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - diff --git a/rules/linux/persistence_linux_group_creation.toml b/rules/linux/persistence_linux_group_creation.toml index f2f16eec4..1a5ec5236 100644 --- a/rules/linux/persistence_linux_group_creation.toml +++ b/rules/linux/persistence_linux_group_creation.toml @@ -2,7 +2,7 @@ creation_date = "2023/02/13" integration = ["system"] maturity = "production" -updated_date = "2025/02/03" +updated_date = "2025/12/22" [transform] [[transform.osquery]] @@ -24,7 +24,9 @@ query = "SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.u [rule] author = ["Elastic"] -description = "Identifies attempts to create a new group. Attackers may create new groups to establish persistence on a system.\n" +description = """ +Identifies attempts to create a new group. Attackers may create new groups to establish persistence on a system. +""" from = "now-9m" index = ["filebeat-*", "logs-system.auth-*"] language = "eql" 
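Review bot: The new matching `process.args in ("-u", "--uid") and process.args == "0" and process.args in ("-o", "--non-unique")` only fires when every token is its own argv element, so `usermod --uid=0 -o user`, `usermod -u0 -o user` and the combined short form `usermod -ou 0 user` all set UID 0 without alerting — and this commit raises the rule to high severity while leaving those gaps. A cheap widening is to add `process.args like~ ("-u0", "--uid=0", "-*u0", "-*o*")` as alternatives to the exact tokens, or to match on `process.command_line` with `like~ ("* -u 0 *", "* -u0 *", "*--uid=0*", "*--uid 0 *")`. As far as I recall, `usermod -u 0` without `-o` is rejected because UID 0 is already taken, so requiring the non-unique flag is sound, but its short form can be glued to other flags, which is why the `-*o*` pattern is needed.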
@@ -110,28 +112,24 @@ tags = [ ] timestamp_override = "event.ingested" type = "eql" - query = ''' -iam where host.os.type == "linux" and (event.type == "group" and event.type == "creation") and -process.name in ("groupadd", "addgroup") and group.name != null +iam where host.os.type == "linux" and event.type == "group" and event.type == "creation" and event.outcome == "success" ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1136" name = "Create Account" reference = "https://attack.mitre.org/techniques/T1136/" + [[rule.threat.technique.subtechnique]] id = "T1136.001" name = "Local Account" reference = "https://attack.mitre.org/techniques/T1136/001/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - diff --git a/rules/linux/persistence_linux_shell_activity_via_web_server.toml b/rules/linux/persistence_linux_shell_activity_via_web_server.toml index 3ad4f9a15..e3267bc31 100644 --- a/rules/linux/persistence_linux_shell_activity_via_web_server.toml +++ b/rules/linux/persistence_linux_shell_activity_via_web_server.toml @@ -2,7 +2,7 @@ creation_date = "2023/03/04" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2025/12/22" [transform] [[transform.osquery]] 
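Review bot: The query now requires `event.outcome == "success"`, but the description rewritten in the earlier hunk of this file still reads `Identifies attempts to create a new group.` — a failed `groupadd` no longer alerts, so the text overstates what fires. Change it to `Identifies the successful creation of a new group. Attackers may create new groups to establish persistence on a system.`, or drop the outcome filter if attempts are meant to be covered. Removing `process.name in ("groupadd", "addgroup") and group.name != null` usefully widens coverage to other sources, but if the osquery transform above interpolates `{{group.name}}` (not fully visible here) it will now render with an empty value on events that lack the field.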
@@ -25,11 +25,10 @@ query = "SELECT name, cmdline, parent, path, uid FROM processes WHERE uid = {{pr label = "Osquery - Retrieve Crontab Information" query = "SELECT * FROM crontab" - [rule] author = ["Elastic"] description = """ -Identifies suspicious commands executed via a web server, which may suggest a vulnerability and remote shell access. +Identifies suspicious child processes executed via a web server, which may suggest a vulnerability and remote shell access. Attackers may exploit a vulnerability in a web application to execute commands via a web server, or place a backdoor file that can be abused to gain code execution as a mechanism for persistence. """ @@ -43,10 +42,10 @@ from = "now-9m" index = ["endgame-*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" -name = "Potential Remote Code Execution via Web Server" +name = "Suspicious Child Execution via Web Server" note = """## Triage and analysis -### Investigating Potential Remote Code Execution via Web Server +### Investigating Suspicious Child Execution via Web Server Adversaries may backdoor web servers with web shells to establish persistent access to systems. A web shell is a malicious script, often embedded into a compromised web server, that grants an attacker remote access and control over the server. This enables the execution of arbitrary commands, data exfiltration, and further exploitation of the target network. @@ -101,7 +100,7 @@ references = [ "https://pentestlab.blog/tag/web-shell/", "https://www.elastic.co/security-labs/elastic-response-to-the-the-spring4shell-vulnerability-cve-2022-22965", ] -risk_score = 73 +risk_score = 47 rule_id = "f16fca20-4d6c-43f9-aec1-20b6de3b0aeb" setup = """## Setup 
@@ -128,7 +127,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ -severity = "high" +severity = "medium" tags = [ "Domain: Endpoint", "OS: Linux", 
@@ -143,57 +142,67 @@ tags = [ ] timestamp_override = "event.ingested" type = "eql" - query = ''' -process where host.os.type == "linux" and event.type == "start" and -event.action in ("exec", "exec_event", "start") and process.parent.executable : ( - "/usr/sbin/nginx", "/usr/local/sbin/nginx", - "/usr/sbin/apache", "/usr/local/sbin/apache", - "/usr/sbin/apache2", "/usr/local/sbin/apache2", - "/usr/sbin/php*", "/usr/local/sbin/php*", - "/usr/sbin/lighttpd", "/usr/local/sbin/lighttpd", - "/usr/sbin/hiawatha", "/usr/local/sbin/hiawatha", - "/usr/local/bin/caddy", - "/usr/local/lsws/bin/lswsctrl", - "*/bin/catalina.sh" -) and -process.name : ( - "bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "python*", "php*", "perl", "ruby", "lua*", "openssl", "nc", - "netcat", "ncat", "telnet", "awk", "socat" - ) and process.args : ( - "whoami", "id", "uname", "cat", "hostname", "ip", "curl", "wget", "pwd", "ls", "cd", "python*", "php*", "perl", - "ruby", "lua*", "openssl", "nc", "netcat", "ncat", "telnet", "awk", "socat" - ) and not process.name == "phpquery" +process where host.os.type == "linux" and event.type == "start" and process.parent.executable != null and ( + process.parent.name like ( + "apache", "nginx", "apache2", "httpd", "lighttpd", "caddy", "php-fpm*", "mongrel_rails", "haproxy", + "gunicorn", "uwsgi", "openresty", "cherokee", "h2o", "resin", "puma", "unicorn", "traefik", "uvicorn", + "tornado", "hypercorn", "daphne", "twistd", "yaws", "webfsd", "httpd.worker", "flask", "rails", "mongrel", + "php-cgi", "php-fcgi", "php-cgi.cagefs", "catalina.sh", "hiawatha", "lswsctrl" + ) or + user.name in ("apache", "www-data", "httpd", "nginx", "lighttpd", "tomcat", "tomcat8", "tomcat9") or + user.id in ("33", "498", "48") or + (process.name == "java" and ?process.working_directory like "/u0?/*") +) and ( + process.executable like ( + "/tmp/*", "/var/tmp/*", "/dev/shm/*", "./*", "/run/*", "/var/run/*", "/boot/*", "/sys/*", "/lost+found/*", + "/proc/*", "/var/mail/*", 
"/var/www/*", "/home/*", "/root/*" + ) or + process.name like~ ( + // Hidden processes + ".*", + // Suspicious file formats + "*.elf", "*.sh", "*.py", "*.rb", "*.pl", "*.lua*", "*.php*", ".js", + // Scheduled tasks + "systemd", "cron", "crond", + // Network utilities often used for reverse shells + "nc", "netcat", "ncat", "telnet", "socat", "openssl", "nc.openbsd", "ngrok", "nc.traditional", + // Cloud CLI + "az", "gcloud", "aws", + // Misc. tools + "whoami", "ifconfig", "ip", "ss", "top", "htop", "df", "du", "lsblk", "lsof", "tcpdump", + "strace", "ltrace", "curl", "wget", "dig", "nslookup", "host", "nmap", "arp", "traceroute" + ) +) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1505" name = "Server Software Component" reference = "https://attack.mitre.org/techniques/T1505/" + [[rule.threat.technique.subtechnique]] id = "T1505.003" name = "Web Shell" reference = "https://attack.mitre.org/techniques/T1505/003/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1190" name = "Exploit Public-Facing Application" reference = "https://attack.mitre.org/techniques/T1190/" - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" - diff --git a/rules/linux/persistence_linux_user_account_creation.toml b/rules/linux/persistence_linux_user_account_creation.toml index 4079c03fa..0a006d4f1 100644 --- a/rules/linux/persistence_linux_user_account_creation.toml +++ b/rules/linux/persistence_linux_user_account_creation.toml @@ -2,7 +2,7 @@ creation_date = "2023/02/13" integration = ["system"] maturity = "production" -updated_date = "2025/02/03" +updated_date = "2025/12/22" [transform] [[transform.osquery]] 
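Review bot: In the new `process.name like~ (` list, `".js"` is the only file-format entry without a leading `*`, so it matches only a process literally named `.js` instead of any `*.js` script like its neighbours; change that line to `"*.elf", "*.sh", "*.py", "*.rb", "*.pl", "*.lua*", "*.php*", "*.js",`. As a point of style, `process.parent.name like (...)` carries a wildcard only in `"php-fpm*"`, so `in` for the fixed names plus one `like` for that entry would make the intent plainer. The `process.executable like ("/var/www/*", "/home/*", ...)` branch will presumably also match a web application legitimately running its own scripts under /var/www as www-data; the lowered risk score suggests that is accepted, but it is worth stating in `false_positives`.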
@@ -21,10 +21,11 @@ query = "SELECT * FROM groups WHERE groupname = {{group.name}}" label = "Osquery - Retrieve Running Processes by User" query = "SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username" - [rule] author = ["Elastic"] -description = "Identifies attempts to create new users. Attackers may add new users to establish persistence on a system.\n" +description = """ +Identifies attempts to create new users. Attackers may add new users to establish persistence on a system. +""" from = "now-9m" index = ["filebeat-*", "logs-system.auth-*"] language = "eql" @@ -109,28 +110,24 @@ tags = [ ] timestamp_override = "event.ingested" type = "eql" - query = ''' -iam where host.os.type == "linux" and (event.type == "user" and event.type == "creation") and -process.name in ("useradd", "adduser") and user.name != null +iam where host.os.type == "linux" and event.type == "user" and event.type == "creation" and event.outcome == "success" ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1136" name = "Create Account" reference = "https://attack.mitre.org/techniques/T1136/" + [[rule.threat.technique.subtechnique]] id = "T1136.001" name = "Local Account" reference = "https://attack.mitre.org/techniques/T1136/001/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - diff --git a/rules/linux/persistence_linux_user_added_to_privileged_group.toml b/rules/linux/persistence_linux_user_added_to_privileged_group.toml index da38cb65f..10ff2785c 100644 --- a/rules/linux/persistence_linux_user_added_to_privileged_group.toml +++ b/rules/linux/persistence_linux_user_added_to_privileged_group.toml @@ -2,7 +2,7 @@ creation_date = "2023/02/13" integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2025/12/22" [transform] [[transform.osquery]] 
@@ -21,7 +21,6 @@ query = "SELECT * FROM groups WHERE groupname = {{group.name}}" label = "Osquery - Retrieve Running Processes by User" query = "SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username" - [rule] author = ["Elastic"] description = """ @@ -129,35 +128,32 @@ tags = [ ] timestamp_override = "event.ingested" type = "eql" - query = ''' process where host.os.type == "linux" and event.type == "start" and - event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started") and - process.args in ( - "root", "admin", "wheel", "staff", "sudo","disk", "video", "shadow", "lxc", "lxd" - ) and - ( - process.name in ("usermod", "adduser") or - (process.name == "gpasswd" and process.args in ("-a", "--add", "-M", "--members")) - ) +event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started") and +process.executable != null and process.args in ( + "root", "admin", "wheel", "staff", "sudo","disk", "video", "shadow", "lxc", "lxd" +) and +( + process.name in ("usermod", "adduser") or + (process.name == "gpasswd" and process.args in ("-a", "--add", "-M", "--members")) +) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1136" name = "Create Account" reference = "https://attack.mitre.org/techniques/T1136/" + [[rule.threat.technique.subtechnique]] id = "T1136.001" name = "Local Account" reference = "https://attack.mitre.org/techniques/T1136/001/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - diff --git a/rules/linux/persistence_lkm_configuration_file_creation.toml b/rules/linux/persistence_lkm_configuration_file_creation.toml index 1cf77cf7c..4bf0c7baf 100644 --- a/rules/linux/persistence_lkm_configuration_file_creation.toml +++ b/rules/linux/persistence_lkm_configuration_file_creation.toml 
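Review bot: The re-indented `process.args in (` line keeps the pre-existing missing space in `"sudo","disk"`; since the line is being rewritten anyway, make it `"root", "admin", "wheel", "staff", "sudo", "disk", "video", "shadow", "lxc", "lxd"` so it matches the formatting of every other list touched by this commit. The added `process.executable != null` is the only semantic change in the hunk and is consistent with the other rules here.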
@@ -2,7 +2,7 @@
 creation_date = "2024/12/17"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/06/03"
+updated_date = "2025/12/22"
 
 [rule]
 author = ["Elastic"]
@@ -15,54 +15,6 @@ index = ["logs-endpoint.events.file*"] language = "eql" license = "Elastic License v2" name = "Loadable Kernel Module Configuration File Creation" -risk_score = 21 -rule_id = "6e2355cc-c60a-4d92-a80c-e54a45ad2400" -severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend", - "Resources: Investigation Guide", -] -timestamp_override = "event.ingested" -type = "eql" -query = ''' -file where host.os.type == "linux" and event.action in ("rename", "creation") and process.executable != null and -file.path like ( - "/etc/modules", "/etc/modprobe.d/*", "/run/modprobe.d/*", "/usr/local/lib/modprobe.d/*", "/usr/lib/modprobe.d/*", - "/lib/modprobe.d/*", "/etc/modules-load.d/*", "/run/modules-load.d/*", "/usr/local/lib/modules-load.d/*", - "/usr/lib/modules-load.d/*" -) and not ( - process.executable in ( - "/bin/dpkg", "/usr/bin/dpkg", "/bin/dockerd", "/usr/bin/dockerd", "/usr/sbin/dockerd", "/bin/microdnf", - "/usr/bin/microdnf", "/bin/rpm", "/usr/bin/rpm", "/bin/snapd", "/usr/bin/snapd", "/bin/yum", "/usr/bin/yum", - "/bin/dnf", "/usr/bin/dnf", "/bin/podman", "/usr/bin/podman", "/bin/dnf-automatic", "/usr/bin/dnf-automatic", - "/bin/pacman", "/usr/bin/pacman", "/usr/bin/dpkg-divert", "/bin/dpkg-divert", "/sbin/apk", "/usr/sbin/apk", - "/usr/local/sbin/apk", "/usr/bin/apt", "/usr/sbin/pacman", "/bin/podman", "/usr/bin/podman", "/usr/bin/puppet", - "/bin/puppet", "/opt/puppetlabs/puppet/bin/puppet", "/usr/bin/chef-client", "/bin/chef-client", - "/bin/autossl_check", "/usr/bin/autossl_check", "/proc/self/exe", "/dev/fd/*", "/usr/bin/pamac-daemon", - "/bin/pamac-daemon", "/usr/local/bin/dockerd", "/opt/elasticbeanstalk/bin/platform-engine", - "/opt/puppetlabs/puppet/bin/ruby", "/usr/libexec/platform-python", "/opt/imunify360/venv/bin/python3", - "/opt/eset/efs/lib/utild", "/usr/sbin/anacron", "/usr/bin/podman", "/kaniko/kaniko-executor", 
"/usr/bin/prime-select" - ) or - file.extension in ("swp", "swpx", "swx", "dpkg-remove") or - file.Ext.original.extension == "dpkg-new" or - process.executable like ( - "/nix/store/*", "/var/lib/dpkg/info/kmod.postinst", "/tmp/vmis.*", "/snap/*", "/dev/fd/*", - "/usr/libexec/platform-python*" - ) or - process.executable == null or - process.name in ( - "crond", "executor", "puppet", "droplet-agent.postinst", "cf-agent", "schedd", "imunify-notifier", "perl", - "jumpcloud-agent", "crio", "dnf_install", "utild" - ) or - (process.name == "sed" and file.name : "sed*") or - (process.name == "perl" and file.name : "e2scrub_all.tmp*") -) -''' note = """## Triage and analysis > **Disclaimer**: 
@@ -99,6 +51,58 @@ Loadable Kernel Modules (LKMs) are components that can be dynamically loaded int - Review system logs and the history of executed commands to identify the initial vector of compromise and any other affected systems. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are compromised. - Implement additional monitoring and alerting for similar suspicious activities to enhance detection and response capabilities for future incidents.""" +risk_score = 47 +rule_id = "6e2355cc-c60a-4d92-a80c-e54a45ad2400" +severity = "medium" +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "eql" +query = ''' +file where host.os.type == "linux" and event.action == "creation" and process.executable != null and +file.path like ( + "/etc/modules", "/etc/modprobe.d/*", "/run/modprobe.d/*", "/usr/local/lib/modprobe.d/*", "/usr/lib/modprobe.d/*", + "/lib/modprobe.d/*", "/etc/modules-load.d/*", "/run/modules-load.d/*", "/usr/local/lib/modules-load.d/*", + "/usr/lib/modules-load.d/*" +) and not ( + process.executable in ( + "/bin/dpkg", "/usr/bin/dpkg", "/bin/dockerd", "/usr/bin/dockerd", "/usr/sbin/dockerd", "/bin/microdnf", + "/usr/bin/microdnf", "/bin/rpm", "/usr/bin/rpm", "/bin/snapd", "/usr/bin/snapd", "/bin/yum", "/usr/bin/yum", + "/bin/dnf", "/usr/bin/dnf", "/bin/podman", "/usr/bin/podman", "/bin/dnf-automatic", "/usr/bin/dnf-automatic", + "/bin/pacman", "/usr/bin/pacman", "/usr/bin/dpkg-divert", "/bin/dpkg-divert", "/sbin/apk", "/usr/sbin/apk", + "/usr/local/sbin/apk", "/usr/bin/apt", "/usr/sbin/pacman", "/bin/podman", "/usr/bin/podman", "/usr/bin/puppet", + "/bin/puppet", "/opt/puppetlabs/puppet/bin/puppet", "/usr/bin/chef-client", "/bin/chef-client", + 
"/bin/autossl_check", "/usr/bin/autossl_check", "/proc/self/exe", "/dev/fd/*", "/usr/bin/pamac-daemon", + "/bin/pamac-daemon", "/usr/local/bin/dockerd", "/opt/elasticbeanstalk/bin/platform-engine", + "/opt/puppetlabs/puppet/bin/ruby", "/usr/libexec/platform-python", "/opt/imunify360/venv/bin/python3", + "/opt/eset/efs/lib/utild", "/usr/sbin/anacron", "/usr/bin/podman", "/kaniko/kaniko-executor", "/usr/bin/prime-select", + "/usr/lib/dracut/dracut-install", "/usr/bin/dnf5", "./usr/bin/podman", "/usr/libexec/packagekitd", "/usr/bin/buildah", + "./usr/lib/snapd/snap-update-ns", "/usr/lib/snapd/snapd", "/usr/local/bin/podman", "/usr/sbin/yum-cron", + "./usr/bin/qemu-aarch64-static", "/.envbuilder/bin/envbuilder" + ) or + file.extension in ("swp", "swpx", "swx", "dpkg-remove") or + file.Ext.original.extension == "dpkg-new" or + process.executable like ( + "/nix/store/*", "/var/lib/dpkg/info/kmod.postinst", "/tmp/vmis.*", "/snap/*", "/dev/fd/*", + "/usr/libexec/platform-python*", "./snap/snapd/*/snap-update-ns" + ) or + process.executable == null or + process.name in ( + "crond", "executor", "puppet", "droplet-agent.postinst", "cf-agent", "schedd", "imunify-notifier", "perl", + "jumpcloud-agent", "crio", "dnf_install", "utild", "dockerd" + ) or + process.name like "python*" or + (process.name == "sed" and file.name : "sed*") or + (process.name == "perl" and file.name : "e2scrub_all.tmp*") +) +''' [[rule.threat]] framework = "MITRE ATT&CK" diff --git a/rules/linux/persistence_manual_dracut_execution.toml b/rules/linux/persistence_manual_dracut_execution.toml index afc047027..0afee6bda 100644 --- a/rules/linux/persistence_manual_dracut_execution.toml +++ b/rules/linux/persistence_manual_dracut_execution.toml 
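Review bot: The new `process.name like "python*"` line inside the `not (` block excludes every Python interpreter from the rule, so a file dropped into /etc/modprobe.d/ or /etc/modules-load.d/ by a Python script is no longer detected; narrow it to the interpreter paths the list already names (`"/usr/libexec/platform-python*"`, `"/opt/imunify360/venv/bin/python3"`) or pair it with a `file.name` or parent constraint for whatever was noisy. Two smaller items in the same block: `"/dev/fd/*"` sits inside `process.executable in (...)`, where `in` is an exact match, so it does nothing there (the `like` list below already has it, and the motd and NetworkManager hunks in this commit remove it from their `in` lists), and `process.executable == null` is unreachable given `process.executable != null` on the first line of the query. Note also that `event.action` narrowed from `in ("rename", "creation")` to `== "creation"`, so a file staged under a temporary name and renamed into place is no longer seen; the motd-creation hunk does the same, and if that is deliberate a `//` comment in the query saying why would help the next tuning pass.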
@@ -2,13 +2,13 @@ creation_date = "2025/01/16" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2025/12/22" [rule] author = ["Elastic"] description = """ -This rule detects manual execution of the `dracut` command on Linux systems. Dracut is a tool used to generate an -initramfs image that is used to boot the system. Attackers may use `dracut` to create a custom initramfs image that +This rule detects manual execution of the "dracut" command on Linux systems. Dracut is a tool used to generate an +initramfs image that is used to boot the system. Attackers may use "dracut" to create a custom initramfs image that includes malicious code or backdoors, allowing them to maintain persistence on the system. """ from = "now-9m" @@ -96,14 +96,14 @@ tags = [ ] timestamp_override = "event.ingested" type = "eql" - query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "start", "ProcessRollup2") and process.name == "dracut" and process.parent.executable != null and not ( - process.parent.executable like~ ( + process.parent.executable like ( "/usr/lib/kernel/*", "/etc/kernel/install.d/*", "/var/lib/dpkg/info/dracut.postinst", - "/tmp/newroot/*", "/usr/lib/module-init-tools/*" + "/tmp/newroot/*", "/usr/lib/module-init-tools/*", "/usr/bin/xargs", "/sbin/dkms", + "/sbin/mkinitrd", "/usr/bin/timeout", "/usr/sbin/dkms", "/usr/bin/systemd-inhibit" ) or process.parent.name in ( "dracut-install", "dracut", "run-parts", "weak-modules", "mkdumprd", "new-kernel-pkg", "sudo" 
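Review bot: Adding `"/usr/bin/xargs"` and `"/usr/bin/timeout"` to the excluded `process.parent.executable like (` list carves out two generic wrappers, so any `dracut` launched through them is invisible to the rule regardless of what ran the wrapper; if a specific caller was noisy, prefer an exclusion keyed to that caller rather than to the wrapper binary. The `like~` to `like` switch makes the path match case-sensitive, which is correct for Linux paths. The `not (` block continues past the end of this hunk.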
@@ -113,34 +113,33 @@ process.name == "dracut" and process.parent.executable != null and not ( ) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1542" name = "Pre-OS Boot" reference = "https://attack.mitre.org/techniques/T1542/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules/linux/persistence_message_of_the_day_creation.toml b/rules/linux/persistence_message_of_the_day_creation.toml index 1013acfe8..32d08cc31 100644 --- a/rules/linux/persistence_message_of_the_day_creation.toml +++ b/rules/linux/persistence_message_of_the_day_creation.toml @@ -2,7 +2,7 @@ creation_date = "2023/02/28" integration = ["endpoint"] maturity = "production" -updated_date = "2025/02/03" +updated_date = "2025/12/22" [transform] [[transform.osquery]] @@ -30,7 +30,6 @@ query = "SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.u label = "Osquery - Retrieve Crontab Information" query = "SELECT * FROM crontab" - [rule] author = ["Elastic"] description = """ 
@@ -146,19 +145,19 @@ tags = [ ] timestamp_override = "event.ingested" type = "eql" - query = ''' -file where host.os.type == "linux" and event.action in ("rename", "creation") and -file.path : "/etc/update-motd.d/*" and not ( +file where host.os.type == "linux" and event.action == "creation" and file.path like "/etc/update-motd.d/*" and +not ( process.executable in ( "/bin/dpkg", "/usr/bin/dpkg", "/bin/dockerd", "/usr/bin/dockerd", "/usr/sbin/dockerd", "/bin/microdnf", "/usr/bin/microdnf", "/bin/rpm", "/usr/bin/rpm", "/bin/snapd", "/usr/bin/snapd", "/bin/yum", "/usr/bin/yum", "/bin/dnf", "/usr/bin/dnf", "/bin/podman", "/usr/bin/podman", "/bin/dnf-automatic", "/usr/bin/dnf-automatic", "/bin/pacman", "/usr/bin/pacman", "/usr/bin/dpkg-divert", "/bin/dpkg-divert", "/sbin/apk", "/usr/sbin/apk", "/usr/local/sbin/apk", "/usr/bin/apt", "/usr/sbin/pacman", "/bin/podman", "/usr/bin/podman", "/usr/bin/puppet", - "/bin/puppet", "/opt/puppetlabs/puppet/bin/puppet", "/usr/bin/chef-client", "/bin/chef-client", - "/bin/autossl_check", "/usr/bin/autossl_check", "/proc/self/exe", "/dev/fd/*", "/usr/bin/pamac-daemon", - "/bin/pamac-daemon", "/usr/lib/snapd/snapd", "/usr/local/bin/dockerd" + "/bin/puppet", "/opt/puppetlabs/puppet/bin/puppet", "/usr/bin/chef-client", "/bin/chef-client", "/usr/bin/buildah", + "/bin/autossl_check", "/usr/bin/autossl_check", "/proc/self/exe", "/usr/bin/pamac-daemon", "/.envbuilder/bin/envbuilder", + "/bin/pamac-daemon", "/usr/lib/snapd/snapd", "/usr/local/bin/dockerd", "./usr/bin/podman", "/opt/saltstack/salt/bin/python3.10", + "/opt/puppetlabs/puppet/bin/ruby", "/usr/bin/crio" ) or file.extension in ("swp", "swpx", "swx", "dpkg-remove") or file.Ext.original.extension == "dpkg-new" or 
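Review bot: The new exclusion `"/opt/saltstack/salt/bin/python3.10"` in the `process.executable in (` list is pinned to a minor interpreter version, so it silently stops applying after the next Salt upgrade; moving it to the `process.executable like (` list further down as `"/opt/saltstack/salt/bin/python3*"` keeps the intent stable. Dropping `"/dev/fd/*"` from the `in` list here is correct, since `in` cannot match a wildcard and the `like` list covers it.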
@@ -168,21 +167,19 @@ file.path : "/etc/update-motd.d/*" and not ( process.executable == null or process.name in ("executor", "dockerd", "crio") or (process.name == "sed" and file.name : "sed*") or - (process.name == "perl" and file.name : "e2scrub_all.tmp*") + (process.name == "perl" and file.name : "e2scrub_all.tmp*") ) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1037" name = "Boot or Logon Initialization Scripts" reference = "https://attack.mitre.org/techniques/T1037/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - diff --git a/rules/linux/persistence_message_of_the_day_execution.toml b/rules/linux/persistence_message_of_the_day_execution.toml index bd5ad825a..4e5c181f2 100644 --- a/rules/linux/persistence_message_of_the_day_execution.toml +++ b/rules/linux/persistence_message_of_the_day_execution.toml @@ -2,7 +2,7 @@ creation_date = "2023/02/28" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2025/12/22" [transform] [[transform.osquery]] @@ -30,7 +30,6 @@ query = "SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.u label = "Osquery - Retrieve Crontab Information" query = "SELECT * FROM crontab" - [rule] author = ["Elastic"] description = """ 
@@ -146,70 +145,67 @@ tags = [ ] timestamp_override = "event.ingested" type = "eql" - query = ''' -process where event.type == "start" and host.os.type == "linux" and event.action : ("exec", "exec_event", "start") and - process.parent.executable : "/etc/update-motd.d/*" and +process where event.type == "start" and host.os.type == "linux" and event.action in ("exec", "exec_event", "start") and +process.parent.executable like "/etc/update-motd.d/*" and +( ( + process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and ( - process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and - ( - process.args : ("-i", "-l") or - (process.parent.name == "socat" and process.parent.args : "*exec*") - ) - ) or - ( - process.name : ("nc", "ncat", "netcat", "nc.openbsd") and process.args_count >= 3 and - not process.args : ("-*z*", "-*l*") - ) or - ( - process.name : "python*" and process.args : "-c" and process.args : ( - "*import*pty*spawn*", "*import*subprocess*call*" - ) - ) or - ( - process.name : "perl*" and process.args : "-e" and process.args : "*socket*" and process.args : ( - "*exec*", "*system*" - ) - ) or - ( - process.name : "ruby*" and process.args : ("-e", "-rsocket") and process.args : ( - "*TCPSocket.new*", "*TCPSocket.open*" - ) - ) or - ( - process.name : "lua*" and process.args : "-e" and process.args : "*socket.tcp*" and process.args : ( - "*io.popen*", "*os.execute*" - ) - ) or - (process.name : "php*" and process.args : "-r" and process.args : "*fsockopen*" and process.args : "*/bin/*sh*") or - (process.name : ("awk", "gawk", "mawk", "nawk") and process.args : "*/inet/tcp/*") or - (process.name in ("openssl", "telnet")) or - ( - process.args : ( - "./*", "/boot/*", "/dev/shm/*", "/etc/cron.*/*", "/etc/init.d/*", "/etc/update-motd.d/*", "/run/*", "/srv/*", - "/tmp/*", "/var/tmp/*", "/var/log/*", "/opt/*" - ) and process.args_count == 1 + process.args : ("-i", "-l") or + (process.parent.name == "socat" and 
process.parent.args : "*exec*") ) - ) and - not ( - process.parent.args == "--force" or - process.args in ("/usr/games/lolcat", "/usr/bin/screenfetch") or - process.parent.name == "system-crash-notification" + ) or + ( + process.name : ("nc", "ncat", "netcat", "nc.openbsd") and process.args_count >= 3 and + not process.args : ("-*z*", "-*l*") + ) or + ( + process.name : "python*" and process.args : "-c" and process.args : ( + "*import*pty*spawn*", "*import*subprocess*call*" + ) + ) or + ( + process.name : "perl*" and process.args : "-e" and process.args : "*socket*" and process.args : ( + "*exec*", "*system*" + ) + ) or + ( + process.name : "ruby*" and process.args : ("-e", "-rsocket") and process.args : ( + "*TCPSocket.new*", "*TCPSocket.open*" + ) + ) or + ( + process.name : "lua*" and process.args : "-e" and process.args : "*socket.tcp*" and process.args : ( + "*io.popen*", "*os.execute*" + ) + ) or + (process.name : "php*" and process.args : "-r" and process.args : "*fsockopen*" and process.args : "*/bin/*sh*") or + (process.name : ("awk", "gawk", "mawk", "nawk") and process.args : "*/inet/tcp/*") or + (process.name in ("openssl", "telnet")) or + ( + process.args : ( + "./*", "/boot/*", "/dev/shm/*", "/etc/cron.*/*", "/etc/init.d/*", "/etc/update-motd.d/*", "/run/*", "/srv/*", + "/tmp/*", "/var/tmp/*", "/var/log/*", "/opt/*" + ) and process.args_count == 1 ) +) and +not ( + process.parent.args == "--force" or + process.args in ("/usr/games/lolcat", "/usr/bin/screenfetch") or + process.parent.name == "system-crash-notification" +) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1037" name = "Boot or Logon Initialization Scripts" reference = "https://attack.mitre.org/techniques/T1037/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - 
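Review bot: The reformatted query mixes operators: the commit converts `event.action :` to `in` and `process.parent.executable :` to `like` on the first two `+` lines, but every remaining `process.name :` and `process.args :` test in the block keeps the case-insensitive `:` form. If case-insensitive matching of names and arguments is intended, a `//` comment at the top of the block such as `// ':' kept for case-insensitive matching of names/args` would stop a later pass from "fixing" them; otherwise converting them to `like` in the same hunk keeps one convention per query.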
diff --git a/rules/linux/persistence_network_manager_dispatcher_persistence.toml b/rules/linux/persistence_network_manager_dispatcher_persistence.toml index ff3fc273f..b70754ae4 100644 --- a/rules/linux/persistence_network_manager_dispatcher_persistence.toml +++ b/rules/linux/persistence_network_manager_dispatcher_persistence.toml @@ -2,7 +2,7 @@ creation_date = "2025/01/16" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2025/12/22" [rule] author = ["Elastic"] @@ -93,9 +93,9 @@ tags = [ ] timestamp_override = "event.ingested" type = "eql" - query = ''' -file where host.os.type == "linux" and event.type == "creation" and file.path like~ "/etc/NetworkManager/dispatcher.d/*" and not ( +file where host.os.type == "linux" and event.type == "creation" and file.path like "/etc/NetworkManager/dispatcher.d/*" and +not ( process.executable in ( "/bin/dpkg", "/usr/bin/dpkg", "/bin/dockerd", "/usr/bin/dockerd", "/usr/sbin/dockerd", "/bin/microdnf", "/usr/bin/microdnf", "/bin/rpm", "/usr/bin/rpm", "/bin/snapd", "/usr/bin/snapd", "/bin/yum", "/usr/bin/yum", 
@@ -103,24 +103,28 @@ file where host.os.type == "linux" and event.type == "creation" and file.path li "/bin/pacman", "/usr/bin/pacman", "/usr/bin/dpkg-divert", "/bin/dpkg-divert", "/sbin/apk", "/usr/sbin/apk", "/usr/local/sbin/apk", "/usr/bin/apt", "/usr/sbin/pacman", "/bin/podman", "/usr/bin/podman", "/usr/bin/puppet", "/bin/puppet", "/opt/puppetlabs/puppet/bin/puppet", "/usr/bin/chef-client", "/bin/chef-client", - "/bin/autossl_check", "/usr/bin/autossl_check", "/proc/self/exe", "/dev/fd/*", "/usr/bin/pamac-daemon", + "/bin/autossl_check", "/usr/bin/autossl_check", "/proc/self/exe", "/usr/bin/pamac-daemon", "./usr/bin/podman", "/bin/pamac-daemon", "/usr/lib/snapd/snapd", "/usr/local/bin/dockerd", "/usr/bin/crio", "/usr/sbin/crond", "/opt/puppetlabs/puppet/bin/ruby", "/usr/libexec/platform-python", "/kaniko/kaniko-executor", "/usr/local/bin/dockerd", "/usr/bin/podman", "/bin/install", "/proc/self/exe", "/usr/lib/systemd/systemd", "/usr/sbin/sshd", "/usr/bin/gitlab-runner", "/opt/gitlab/embedded/bin/ruby", "/usr/sbin/gdm", "/usr/bin/install", - "/usr/local/manageengine/uems_agent/bin/dcregister", "/usr/local/bin/pacman" + "/usr/local/manageengine/uems_agent/bin/dcregister", "/usr/local/bin/pacman", "./usr/bin/qemu-aarch64-static", ) or process.executable like~ ( "/nix/store/*", "/var/lib/dpkg/*", "/tmp/vmis.*", "/snap/*", "/dev/fd/*", "/usr/lib/virtualbox/*" ) or file.extension in ("swp", "swpx", "swx", "dpkg-remove") or - (process.name == "sed" and file.name : "sed*") + (process.name == "sed" and file.name : "sed*") or + ( + process.executable like ("/kaniko/executor", "/usr/libexec/platform-python*") and + file.path like "/etc/NetworkManager/dispatcher.d/11-dhclient*" + ) ) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" 
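Review bot: The added `"./usr/bin/qemu-aarch64-static",` on the `+` line leaves a trailing comma immediately before `) or`, which I believe the EQL parser rejects inside an `in (...)` list; drop it so the line reads `"/usr/local/manageengine/uems_agent/bin/dcregister", "/usr/local/bin/pacman", "./usr/bin/qemu-aarch64-static"`. The context lines of the same list show `"/proc/self/exe"`, `"/usr/bin/podman"` and `"/usr/local/bin/dockerd"` each appearing twice, which is harmless but worth deduplicating while the list is being edited. The new kaniko/platform-python exclusion is tied to `11-dhclient*`, which is appropriately narrow.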
@@ -131,28 +135,29 @@ id = "T1574" name = "Hijack Execution Flow" reference = "https://attack.mitre.org/techniques/T1574/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat]] framework = "MITRE ATT&CK" @@ -160,4 +165,3 @@ framework = "MITRE ATT&CK" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/linux/persistence_openssl_passwd_hash_generation.toml b/rules/linux/persistence_openssl_passwd_hash_generation.toml index 4b121002a..dc7660861 100644 --- a/rules/linux/persistence_openssl_passwd_hash_generation.toml +++ b/rules/linux/persistence_openssl_passwd_hash_generation.toml 
@@ -2,13 +2,13 @@ creation_date = "2025/01/16" integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2025/12/22" [rule] author = ["Elastic"] description = """ -This rule detects the usage of the `openssl` binary to generate password hashes on Linux systems. The `openssl` command -is a cryptographic utility that can be used to generate password hashes. Attackers may use `openssl` to generate +This rule detects the usage of the "openssl" binary to generate password hashes on Linux systems. The "openssl" command +is a cryptographic utility that can be used to generate password hashes. Attackers may use "openssl" to generate password hashes for new user accounts or to change the password of existing accounts, which can be leveraged to maintain persistence on a Linux system. """ @@ -59,7 +59,7 @@ OpenSSL is a robust cryptographic toolkit used for secure communications and dat - Implement additional monitoring on the affected system to detect any further unauthorized use of OpenSSL or similar tools, focusing on process execution and command-line arguments. - Escalate the incident to the security operations team for a comprehensive investigation to determine the root cause and scope of the breach, and to assess potential impacts on other systems. - Review and update access controls and authentication mechanisms to enhance security and prevent similar incidents in the future, ensuring that only authorized users can perform sensitive operations.""" -risk_score = 21 +risk_score = 47 rule_id = "f4b857b3-faef-430d-b420-90be48647f00" setup = """## Setup 
@@ -86,7 +86,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ -severity = "low" +severity = "medium" tags = [ "Domain: Endpoint", "OS: Linux", @@ -101,29 +101,27 @@ tags = [ ] timestamp_override = "event.ingested" type = "eql" - query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed") and process.name == "openssl" -and process.args == "passwd" +and process.args == "passwd" and ?process.args_count >= 4 and +not process.args in ("-help", "--help", "-h") ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1136" name = "Create Account" reference = "https://attack.mitre.org/techniques/T1136/" + [[rule.threat.technique.subtechnique]] id = "T1136.001" name = "Local Account" reference = "https://attack.mitre.org/techniques/T1136/001/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - diff --git a/rules/linux/persistence_pluggable_authentication_module_creation.toml b/rules/linux/persistence_pluggable_authentication_module_creation.toml index 62988877d..a5bebae77 100644 --- a/rules/linux/persistence_pluggable_authentication_module_creation.toml +++ b/rules/linux/persistence_pluggable_authentication_module_creation.toml 
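Review bot: The new `?process.args_count >= 4` clause makes the rule depend on `process.args_count` being populated, and a comparison against a missing field does not evaluate to true, so on any of the listed integrations (auditd_manager, crowdstrike, sentinel_one_cloud_funnel) that do not set that field the rule would silently never match; confirm each source fills it, or guard with `(?process.args_count == null or ?process.args_count >= 4)` if one does not. The threshold is also unexplained; if it is meant to skip the form that prompts for the password and the help forms excluded on the next line, a comment like `// openssl passwd <flags> <secret>: fewer than 4 args is the prompting/help form` states the intent.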
@@ -2,14 +2,13 @@ creation_date = "2024/03/06" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/08" +updated_date = "2025/12/22" [rule] author = ["Elastic"] description = """ -This rule monitors for the creation or modification of Pluggable Authentication Module (PAM) shared object files or -configuration files. Attackers may create or modify these files to maintain persistence on a compromised system, or -harvest account credentials. +This rule monitors for the creation of Pluggable Authentication Module (PAM) shared object files or configuration +files. Attackers may create these files to maintain persistence on a compromised system, or harvest account credentials. """ false_positives = [ "Trusted system module updates or allowed Pluggable Authentication Module (PAM) daemon configuration changes.", 
@@ -18,71 +17,13 @@ from = "now-9m" index = ["logs-endpoint.events.file*"] language = "eql" license = "Elastic License v2" -name = "Creation or Modification of Pluggable Authentication Module or Configuration" -references = [ - "https://github.com/zephrax/linux-pam-backdoor", - "https://github.com/eurialo/pambd", - "http://0x90909090.blogspot.com/2016/06/creating-backdoor-in-pam-in-5-line-of.html", - "https://www.trendmicro.com/en_us/research/19/i/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload.html", -] -risk_score = 47 -rule_id = "f48ecc44-7d02-437d-9562-b838d2c41987" -severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Credential Access", - "Tactic: Persistence", - "Data Source: Elastic Defend", - "Resources: Investigation Guide", -] -timestamp_override = "event.ingested" -type = "eql" -query = ''' -file where host.os.type == "linux" and event.action in ("rename", "creation") and -process.executable != null and ( - (file.path like ( - "/lib/security/*", "/lib64/security/*", "/usr/lib/security/*", "/usr/lib64/security/*", - "/lib/x86_64-linux-gnu/security/*", "/usr/lib/x86_64-linux-gnu/security/*" - ) and file.extension == "so") or - (file.path like "/etc/pam.d/*" and file.extension == null) or - (file.path like "/etc/security/pam_*" or file.path == "/etc/pam.conf") -) and not ( - process.executable in ( - "/bin/dpkg", "/usr/bin/dpkg", "/bin/dockerd", "/usr/bin/dockerd", "/usr/sbin/dockerd", "/bin/microdnf", - "/usr/bin/microdnf", "/bin/rpm", "/usr/bin/rpm", "/bin/snapd", "/usr/bin/snapd", "/bin/yum", "/usr/bin/yum", - "/bin/dnf", "/usr/bin/dnf", "/bin/podman", "/usr/bin/podman", "/bin/dnf-automatic", "/usr/bin/dnf-automatic", - "/bin/pacman", "/usr/bin/pacman", "/usr/bin/dpkg-divert", "/bin/dpkg-divert", "/sbin/apk", "/usr/sbin/apk", - "/usr/local/sbin/apk", "/usr/bin/apt", "/usr/sbin/pacman", "/bin/podman", "/usr/bin/podman", "/usr/bin/puppet", - "/bin/puppet", 
"/opt/puppetlabs/puppet/bin/puppet", "/usr/bin/chef-client", "/bin/chef-client", - "/bin/autossl_check", "/usr/bin/autossl_check", "/proc/self/exe", "/dev/fd/*", "/usr/bin/pamac-daemon", - "/bin/pamac-daemon", "/usr/lib/snapd/snapd", "/usr/local/bin/dockerd", "/usr/sbin/pam-auth-update", - "/usr/lib/systemd/systemd", "/usr/libexec/packagekitd", "/usr/bin/bsdtar", "/sbin/pam-auth-update", "./user/bin/podman", - "/usr/bin/dnf5", "/opt/puppetlabs/puppet/bin/ruby", "/usr/bin/crio", "/sbin/authconfig", "/usr/sbin/yum-cron", - "/sbin/yum-cron", "/usr/local/psa/bin/dnf_install", "/opt/jc/bin/jumpcloud-agent" - - ) or - file.path like ( - "/tmp/snap.rootfs_*/pam_*.so", "/tmp/newroot/lib/*/pam_*.so", "/tmp/newroot/usr/lib64/security/pam_*.so" - ) or - file.extension in ("swp", "swpx", "swx", "dpkg-remove") or - file.Ext.original.extension == "dpkg-new" or - process.executable like ( - "/nix/store/*", "/var/lib/dpkg/*", "/snap/*", "/dev/fd/*", "/usr/lib/virtualbox/*", "/usr/bin/python*", - "/opt/alt/python*/bin/python*", "/usr/libexec/platform-python*", "./snap/snapd/*/usr/lib/snapd/snap-update-ns" - ) or - (process.name == "sed" and file.name like~ "sed*") or - (process.name == "perl" and file.name like~ "e2scrub_all.tmp*") or - (process.name == "perl" and event.action == "rename" and file.Ext.original.name like "*.pam-new") -) -''' +name = "Pluggable Authentication Module or Configuration Creation" note = """## Triage and analysis > **Disclaimer**: > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. 
-### Investigating Creation or Modification of Pluggable Authentication Module or Configuration +### Investigating Pluggable Authentication Module or Configuration Creation Pluggable Authentication Modules (PAM) are integral to Linux systems, managing authentication tasks. Adversaries may exploit PAM by creating or altering its modules or configurations to gain persistence or capture credentials. The detection rule identifies suspicious activities by monitoring file operations in PAM directories, excluding legitimate processes, thus highlighting potential unauthorized modifications. 
@@ -112,6 +53,67 @@ Pluggable Authentication Modules (PAM) are integral to Linux systems, managing a - Monitor the system and network for any signs of continued unauthorized access or suspicious activity, focusing on the indicators of compromise related to PAM manipulation. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if other systems may be affected. - Implement additional monitoring and alerting for PAM-related activities to enhance detection capabilities and prevent similar threats in the future.""" +references = [ + "https://github.com/zephrax/linux-pam-backdoor", + "https://github.com/eurialo/pambd", + "http://0x90909090.blogspot.com/2016/06/creating-backdoor-in-pam-in-5-line-of.html", + "https://www.trendmicro.com/en_us/research/19/i/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload.html", +] +risk_score = 47 +rule_id = "f48ecc44-7d02-437d-9562-b838d2c41987" +severity = "medium" +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Tactic: Persistence", + "Data Source: Elastic Defend", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "eql" +query = ''' +file where host.os.type == "linux" and event.action == "creation" and process.executable != null and ( + (file.path like ( + "/lib/security/*", "/lib64/security/*", "/usr/lib/security/*", "/usr/lib64/security/*", + "/lib/x86_64-linux-gnu/security/*", "/usr/lib/x86_64-linux-gnu/security/*" + ) and file.extension == "so") or + (file.path like "/etc/pam.d/*" and file.extension == null) or + (file.path like "/etc/security/pam_*" or file.path == "/etc/pam.conf") +) and not ( + process.executable in ( + "/bin/dpkg", "/usr/bin/dpkg", "/bin/dockerd", "/usr/bin/dockerd", "/usr/sbin/dockerd", "/bin/microdnf", + "/usr/bin/microdnf", "/bin/rpm", "/usr/bin/rpm", "/bin/snapd", "/usr/bin/snapd", "/bin/yum", 
"/usr/bin/yum", + "/bin/dnf", "/usr/bin/dnf", "/bin/podman", "/usr/bin/podman", "/bin/dnf-automatic", "/usr/bin/dnf-automatic", + "/bin/pacman", "/usr/bin/pacman", "/usr/bin/dpkg-divert", "/bin/dpkg-divert", "/sbin/apk", "/usr/sbin/apk", + "/usr/local/sbin/apk", "/usr/bin/apt", "/usr/sbin/pacman", "/bin/podman", "/usr/bin/podman", "/usr/bin/puppet", + "/bin/puppet", "/opt/puppetlabs/puppet/bin/puppet", "/usr/bin/chef-client", "/bin/chef-client", + "/bin/autossl_check", "/usr/bin/autossl_check", "/proc/self/exe", "/usr/bin/pamac-daemon", + "/bin/pamac-daemon", "/usr/lib/snapd/snapd", "/usr/local/bin/dockerd", "/usr/sbin/pam-auth-update", + "/usr/lib/systemd/systemd", "/usr/libexec/packagekitd", "/usr/bin/bsdtar", "/sbin/pam-auth-update", "./user/bin/podman", + "/usr/bin/dnf5", "/opt/puppetlabs/puppet/bin/ruby", "/usr/bin/crio", "/sbin/authconfig", "/usr/sbin/yum-cron", + "/sbin/yum-cron", "/usr/local/psa/bin/dnf_install", "/opt/jc/bin/jumpcloud-agent", "./usr/bin/podman", + "/kaniko/executor", "/opt/kaniko/executor", "/usr/bin/buildah", "/usr/sbin/pam-config", + "./usr/lib/snapd/snap-update-ns", "/usr/bin/install", "/usr/bin/env" + ) or + file.path like ( + "/tmp/snap.rootfs_*/pam_*.so", "/tmp/newroot/lib/*/pam_*.so", "/tmp/newroot/usr/lib64/security/pam_*.so" + ) or + file.extension in ("swp", "swpx", "swx", "dpkg-remove") or + file.Ext.original.extension == "dpkg-new" or + file.Ext.original.name like "*.pam-new" or + process.executable like ( + "/nix/store/*", "/var/lib/dpkg/*", "/snap/*", "/dev/fd/*", "/usr/lib/virtualbox/*", "/usr/bin/python*", + "/opt/alt/python*/bin/python*", "/usr/libexec/platform-python*", "./snap/snapd/*/usr/lib/snapd/snap-update-ns" + ) or + (process.name == "sed" and file.name like~ "sed*") or + (process.name == "perl" and file.name like~ "e2scrub_all.tmp*") or + (process.name == "perl" and event.action == "rename" and file.Ext.original.name like "*.pam-new") or + process.name like ("python*", "platform-python*", "dockerd") or + 
(process.name == "vim.basic" and file.name like "*~") +) +''' [[rule.threat]] framework = "MITRE ATT&CK" diff --git a/rules/linux/persistence_pluggable_authentication_module_creation_in_unusual_dir.toml b/rules/linux/persistence_pluggable_authentication_module_creation_in_unusual_dir.toml index 230bfedb1..2505889dd 100644 --- a/rules/linux/persistence_pluggable_authentication_module_creation_in_unusual_dir.toml +++ b/rules/linux/persistence_pluggable_authentication_module_creation_in_unusual_dir.toml @@ -2,7 +2,7 @@ creation_date = "2024/12/16" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2025/12/22" [rule] author = ["Elastic"] @@ -76,7 +76,6 @@ tags = [ ] timestamp_override = "event.ingested" type = "eql" - query = ''' file where host.os.type == "linux" and event.type == "creation" and file.name like "pam_*.so" and not file.path like ( "/lib/security/*", 
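Review bot: The clause `(process.name == "perl" and event.action == "rename" and file.Ext.original.name like "*.pam-new")` is now unreachable, because the query's first condition was narrowed to `event.action == "creation"`, and the new standalone `file.Ext.original.name like "*.pam-new"` exclusion a few lines above already covers the perl case; the rename clause should be dropped. Separately, `process.name like ("python*", "platform-python*", "dockerd")` together with the `/usr/bin/install` and `/usr/bin/env` executable entries exempt a PAM shared object or pam.d entry written by any Python interpreter or by install(1) regardless of what invoked it, which is a wide carve-out for a medium-severity credential-access rule. If these target specific noise sources, scoping them with the parent or the file name, as the sed, perl and vim.basic entries do, keeps the detection intact. The investigation note (context above this hunk) still says adversaries may be "creating or altering" modules, while the query now only sees creation events; that wording should match the new scope.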
@@ -86,37 +85,40 @@ file where host.os.type == "linux" and event.type == "creation" and file.name li "/usr/lib64/security/*", "/usr/lib/x86_64-linux-gnu/security/*" ) and not ( - process.name in ("dockerd", "containerd", "steam", "buildkitd", "unsquashfs", "pacman") or + process.name in ("dockerd", "containerd", "steam", "buildkitd", "unsquashfs", "pacman", "executor") or file.path like ( "/build/rootImage/nix/store/*", "/home/*/.local/share/containers/*", "/nix/store/*", "/var/lib/containerd/*", - "/var/snap/*", "/usr/share/nix/nix/store/*", "/tmp/cura/squashfs-root/*", "/home/*/docker/*", "/tmp/containerd*" + "/var/snap/*", "/usr/share/nix/nix/store/*", "/tmp/cura/squashfs-root/*", "/home/*/docker/*", "/tmp/containerd*", + "/var/lib/rancher/*/agent/containerd/*", "/var/lib/lxc/*", "/var/lib/containers/storage/*", "/var/lib/checkpoint*", + "/var/lib/docker/overlay2/*", "/srv/docker/*", "/podman/storage/*", "/opt/jail/driver-jail*", "/build/tmp/work/iot*", + "/tmp/containers-root/*", "/cce-14/*", "/cce-usr/*", "/var/tmp/portage/*", "/media/*", "/data/var/lib/docker/overlay2/*", + "/home/*/.cache/bazel/*", "/home/*/.cache/umu/*/SteamLinuxRuntime*" ) ) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1556" name = "Modify Authentication Process" reference = "https://attack.mitre.org/techniques/T1556/" - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" - diff --git a/rules/linux/persistence_pluggable_authentication_module_pam_exec_backdoor_exec.toml b/rules/linux/persistence_pluggable_authentication_module_pam_exec_backdoor_exec.toml index 5bd02b3aa..57331335b 100644 
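Review bot: `"executor"` added to the `process.name in (...)` exclusion matches on the bare process name only, so it exempts any binary called executor, not just the Kaniko builder; the sibling rules in this change exclude it by path, and `process.executable in ("/kaniko/executor", "/opt/kaniko/executor")` would be the consistent and narrower form here. The added `"/media/*"` path exclusion is also wide, covering any pam_*.so created anywhere under removable or externally mounted media, and it would help to record the noise source that motivated it in false_positives or a comment so a later tuner does not remove it blindly.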
--- a/rules/linux/persistence_pluggable_authentication_module_pam_exec_backdoor_exec.toml +++ b/rules/linux/persistence_pluggable_authentication_module_pam_exec_backdoor_exec.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/29" integration = ["endpoint"] maturity = "production" -updated_date = "2025/07/07" +updated_date = "2025/12/22" [rule] author = ["Elastic"] 
@@ -79,13 +79,27 @@ query = ''' sequence by process.entity_id with maxspan=3s [process where host.os.type == "linux" and event.type == "change" and event.action == "session_id_change" and process.name in ("ssh", "sshd")] [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.parent.name in ("ssh", "sshd") and - process.args_count == 2 and ( - process.name like ("perl*", "python*", "php*", "ruby*", "lua*") or + process.args_count == 2 and process.args like ( + "sh", "dash", "bash", "zsh", + "perl*", "python*", "php*", "ruby*", "lua*", + + "/bin/sh", "/bin/dash", "/bin/bash", "/bin/zsh", + "/bin/perl*", "/bin/python*", "/bin/php*", "/bin/ruby*", "/bin/lua*", + + "/usr/bin/sh", "/usr/bin/dash", "/usr/bin/bash", "/usr/bin/zsh", + "/usr/bin/perl*", "/usr/bin/python*", "/usr/bin/php*", "/usr/bin/ruby*", "/usr/bin/lua*", + + "/usr/local/bin/sh", "/usr/local/bin/dash", "/usr/local/bin/bash", "/usr/local/bin/zsh", + "/usr/local/bin/perl*", "/usr/local/bin/python*", "/usr/local/bin/php*", "/usr/local/bin/ruby*", "/usr/local/bin/lua*" + ) and ( + process.name like ".*" or process.executable like ( - "/tmp/*", "/var/tmp/*", "/dev/shm/*", "./*", "/boot/*", "/sys/*", "/lost+found/*", "/media/*", "/proc/*", - "/var/backups/*", "/var/log/*", "/var/mail/*", "/var/spool/*") or - process.name like ".*" - )] + "/tmp/*", "/var/tmp/*", "/dev/shm/*", "./*", "/boot/*", "/sys/*", "/lost+found/*", "/media/*", "/proc/*", "/bin/*", "/usr/bin/*", + "/sbin/*", "/usr/sbin/*", "/lib/*", "/lib64/*", "/usr/lib/*", "/usr/lib64/*", "/opt/*", "/var/lib/*", "/run/*", "/var/backups/*", + "/var/log/*", "/var/mail/*", "/var/spool/*" + ) + ) + ] ''' [[rule.threat]] diff --git a/rules/linux/persistence_pluggable_authentication_module_source_download.toml b/rules/linux/persistence_pluggable_authentication_module_source_download.toml index e41295538..458326e40 100644 --- a/rules/linux/persistence_pluggable_authentication_module_source_download.toml 
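Review bot: After this change the `process.executable like (...)` list covers `/bin/*`, `/usr/bin/*`, `/sbin/*`, `/usr/sbin/*`, `/lib/*`, `/usr/lib/*`, `/opt/*`, `/var/lib/*` and `/run/*` in addition to the temp and pseudo-filesystem paths, so the `(process.name like ".*" or process.executable like (...))` group is satisfied by nearly every executable on a standard install and the detection now rests almost entirely on the `process.args like (...)` list. If that is intended, the group can be simplified away and the rule documented as "interpreter or shell spawned by ssh/sshd with exactly two arguments"; if not, the previous shorter executable list should be restored. `/usr/local/bin/*` is absent from the executable list even though the args list was extended with `/usr/local/bin/...` entries, which looks like an oversight. The `process.args like (...)` check also matches the shell or interpreter name in any argument position rather than only as the program name, which `args_count == 2` keeps narrow but is worth a comment.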
+++ b/rules/linux/persistence_pluggable_authentication_module_source_download.toml @@ -2,12 +2,12 @@ creation_date = "2024/12/16" integration = ["endpoint", "crowdstrike"] maturity = "production" -updated_date = "2025/10/17" +updated_date = "2025/12/22" [rule] author = ["Elastic"] description = """ -This rule detects the usage of `curl` or `wget` to download the source code of a Pluggable Authentication Module (PAM) +This rule detects the usage of "curl" or "wget" to download the source code of a Pluggable Authentication Module (PAM) shared object file. Attackers may download the source code of a PAM shared object file to create a backdoor in the authentication process. """ @@ -19,33 +19,6 @@ index = ["logs-endpoint.events.process*", "endgame-*", "logs-crowdstrike.fdr*"] language = "eql" license = "Elastic License v2" name = "Pluggable Authentication Module (PAM) Source Download" -references = [ - "https://github.com/zephrax/linux-pam-backdoor", - "https://github.com/eurialo/pambd", - "http://0x90909090.blogspot.com/2016/06/creating-backdoor-in-pam-in-5-line-of.html", - "https://www.trendmicro.com/en_us/research/19/i/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload.html", -] -risk_score = 21 -rule_id = "53ef31ea-1f8a-493b-9614-df23d8277232" -severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Credential Access", - "Tactic: Persistence", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", - "Resources: Investigation Guide", - "Data Source: Crowdstrike", -] -timestamp_override = "event.ingested" -type = "eql" -query = ''' -process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "ProcessRollup2") and -process.name in ("curl", "wget") and -process.args like~ "https://github.com/linux-pam/linux-pam/releases/download/v*/Linux-PAM-*.tar.xz" -''' note = """## Triage and analysis > **Disclaimer**: 
@@ -80,6 +53,33 @@ Pluggable Authentication Modules (PAM) are integral to Linux systems, managing a - Implement stricter access controls and monitoring on systems handling PAM configurations to prevent unauthorized downloads or modifications in the future. - Escalate the incident to the security operations team for further investigation and to assess the potential impact on other systems within the network. - Update detection mechanisms to monitor for similar download attempts and unauthorized modifications to critical authentication components.""" +references = [ + "https://github.com/zephrax/linux-pam-backdoor", + "https://github.com/eurialo/pambd", + "http://0x90909090.blogspot.com/2016/06/creating-backdoor-in-pam-in-5-line-of.html", + "https://www.trendmicro.com/en_us/research/19/i/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload.html", +] +risk_score = 47 +rule_id = "53ef31ea-1f8a-493b-9614-df23d8277232" +severity = "medium" +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Tactic: Persistence", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Resources: Investigation Guide", + "Data Source: Crowdstrike", +] +timestamp_override = "event.ingested" +type = "eql" +query = ''' +process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "ProcessRollup2") and +process.name in ("curl", "wget") and +process.args like~ "https://github.com/linux-pam/linux-pam/releases/download/v*/Linux-PAM-*.tar.xz" +''' [[rule.threat]] framework = "MITRE ATT&CK" diff --git a/rules/linux/persistence_polkit_policy_creation.toml b/rules/linux/persistence_polkit_policy_creation.toml index 3c93c2291..0735fde6c 100644 --- a/rules/linux/persistence_polkit_policy_creation.toml +++ b/rules/linux/persistence_polkit_policy_creation.toml 
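Review bot: The re-added query still keys on a single `like~` pattern for the GitHub release-asset URL, so with the severity raised to medium it is worth stating in false_positives or a comment that other URL forms for the same tarball (for example the `archive/refs/tags/v*.tar.gz` form or a distribution mirror) are presumably out of scope by design. Style-wise, `"Data Source: Crowdstrike"` sits after `"Resources: Investigation Guide"` in tags while the other rules in this change keep the data-source tags together ahead of it; moving it up keeps the list consistent.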
@@ -2,7 +2,7 @@ creation_date = "2025/01/16" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2025/12/22" [rule] author = ["Elastic"] @@ -67,7 +67,6 @@ tags = [ ] timestamp_override = "event.ingested" type = "eql" - query = ''' file where host.os.type == "linux" and event.type == "creation" and process.executable != null and file.extension in ("rules", "pkla", "policy") and file.path like~ ( 
@@ -91,42 +90,44 @@ file.extension in ("rules", "pkla", "policy") and file.path like~ ( "/bin/pacman", "/usr/bin/pacman", "/usr/bin/dpkg-divert", "/bin/dpkg-divert", "/sbin/apk", "/usr/sbin/apk", "/usr/local/sbin/apk", "/usr/bin/apt", "/usr/sbin/pacman", "/bin/podman", "/usr/bin/podman", "/usr/bin/puppet", "/bin/puppet", "/opt/puppetlabs/puppet/bin/puppet", "/usr/bin/chef-client", "/bin/chef-client", - "/bin/autossl_check", "/usr/bin/autossl_check", "/proc/self/exe", "/dev/fd/*", "/usr/bin/pamac-daemon", + "/bin/autossl_check", "/usr/bin/autossl_check", "/proc/self/exe", "/usr/bin/pamac-daemon", "/bin/pamac-daemon", "/usr/lib/snapd/snapd", "/usr/local/bin/dockerd", "/usr/bin/crio", "/usr/sbin/crond", "/opt/puppetlabs/puppet/bin/ruby", "/usr/libexec/platform-python", "/kaniko/kaniko-executor", "/usr/local/bin/dockerd", "/usr/bin/podman", "/bin/install", "/proc/self/exe", "/usr/lib/systemd/systemd", "/usr/sbin/sshd", "/usr/bin/gitlab-runner", "/opt/gitlab/embedded/bin/ruby", "/usr/sbin/gdm", "/usr/bin/install", - "/usr/local/manageengine/uems_agent/bin/dcregister", "/usr/local/bin/pacman" + "/usr/local/manageengine/uems_agent/bin/dcregister", "/usr/local/bin/pacman", "./usr/bin/podman", + "/kaniko/executor", "/opt/kaniko/executor", "/usr/bin/buildah", "/usr/lib/cargo/bin/coreutils/install" ) or -process.executable like~ ( - "/nix/store/*", "/var/lib/dpkg/*", "/tmp/vmis.*", "/snap/*", "/dev/fd/*", "/usr/lib/virtualbox/*" - ) + process.executable like ( + "/nix/store/*", "/var/lib/dpkg/*", "/tmp/vmis.*", "/snap/*", "/dev/fd/*", "/usr/lib/virtualbox/*", + "/var/lib/containers/storage/overlay/*/dockerd", "/var/lib/docker/overlay2/*/dockerd" + ) or + (process.name like "python*" and file.name like ".ansible_tmp*.rules") ) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" 
reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1556" name = "Modify Authentication Process" reference = "https://attack.mitre.org/techniques/T1556/" - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" - diff --git a/rules/linux/persistence_potential_persistence_script_executable_bit_set.toml b/rules/linux/persistence_potential_persistence_script_executable_bit_set.toml index d403890c0..ada832ab5 100644 --- a/rules/linux/persistence_potential_persistence_script_executable_bit_set.toml +++ b/rules/linux/persistence_potential_persistence_script_executable_bit_set.toml @@ -2,7 +2,7 @@ creation_date = "2024/06/03" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2025/12/22" [rule] author = ["Elastic"] @@ -57,7 +57,7 @@ references = [ "https://www.cyberciti.biz/faq/how-to-enable-rc-local-shell-script-on-systemd-while-booting-linux-system/", "https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms", ] -risk_score = 21 +risk_score = 47 rule_id = "94418745-529f-4259-8d25-a713a6feb6ae" setup = """## Setup @@ -84,7 +84,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ -severity = "low" +severity = "medium" tags = [ "Domain: Endpoint", "OS: Linux", @@ -97,7 +97,6 @@ tags = [ ] timestamp_override = "event.ingested" type = "eql" - query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "start") and process.args : ( 
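Review bot: The `process.executable in (...)` exclusion list now carries duplicates: `"/proc/self/exe"` appears on the changed line and again next to `"/bin/install"`, and `"/usr/local/bin/dockerd"` appears twice, which makes the list harder to audit; de-duplicating it while the line is being touched would help. The switch from `like~` to `like` on process.executable makes the glob exclusions case-sensitive, which is correct for Linux paths but is a behavior change worth a line in the PR description. `/usr/lib/cargo/bin/coreutils/install` joins the existing `/usr/bin/install` and `/bin/install` entries in exempting any polkit rule written with install(1) regardless of parent, so consider scoping those entries to the package-manager parents they are meant to cover, as the `python*` + `.ansible_tmp*.rules` entry does.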
@@ -123,42 +122,40 @@ process.args : ( ) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1037" name = "Boot or Logon Initialization Scripts" reference = "https://attack.mitre.org/techniques/T1037/" + [[rule.threat.technique.subtechnique]] id = "T1037.004" name = "RC Scripts" reference = "https://attack.mitre.org/techniques/T1037/004/" - [[rule.threat.technique]] id = "T1053" name = "Scheduled Task/Job" reference = "https://attack.mitre.org/techniques/T1053/" + [[rule.threat.technique.subtechnique]] id = "T1053.003" name = "Cron" reference = "https://attack.mitre.org/techniques/T1053/003/" - [[rule.threat.technique]] id = "T1547" name = "Boot or Logon Autostart Execution" reference = "https://attack.mitre.org/techniques/T1547/" + [[rule.threat.technique.subtechnique]] id = "T1547.013" name = "XDG Autostart Entries" reference = "https://attack.mitre.org/techniques/T1547/013/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - diff --git a/rules/linux/persistence_process_capability_set_via_setcap.toml b/rules/linux/persistence_process_capability_set_via_setcap.toml index c1efe8be0..412be5983 100644 --- a/rules/linux/persistence_process_capability_set_via_setcap.toml +++ b/rules/linux/persistence_process_capability_set_via_setcap.toml @@ -2,7 +2,7 @@ creation_date = "2024/06/03" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2025/12/22" [rule] author = ["Elastic"] 
@@ -92,17 +92,21 @@ tags = [ ] timestamp_override = "event.ingested" type = "eql" - query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "start") and process.name == "setcap" and not ( process.parent.executable == null or - process.parent.executable : ("/var/lib/dpkg/*", "/var/lib/docker/*", "/tmp/newroot/*", "/var/tmp/newroot/*") or - process.parent.name in ("jem", "vzctl") + process.parent.executable like ( + "/var/lib/dpkg/*", "/var/lib/docker/*", "/tmp/newroot/*", "/var/tmp/newroot/*", "/usr/bin/cmake", + "/opt/zscaler/bin/zpa-connector" + ) or + process.parent.name in ("jem", "vzctl") or + process.parent.args like "/var/lib/dpkg/info/*" or + ?process.working_directory in ("/opt/dynatrace/oneagent", "/opt/sophos-spl/plugins/av/sbin") or + process.parent.command_line in ("/bin/bash /entrypoint.sh telegraf", "/bin/sh /usr/local/bin/docker-entrypoint.sh server") ) ''' - [[rule.threat]] framework = "MITRE ATT&CK" @@ -110,6 +114,7 @@ framework = "MITRE ATT&CK" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" @@ -117,4 +122,3 @@ framework = "MITRE ATT&CK" id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - diff --git a/rules/linux/persistence_pth_file_creation.toml b/rules/linux/persistence_pth_file_creation.toml index 497aee449..8492cf019 100644 --- a/rules/linux/persistence_pth_file_creation.toml +++ b/rules/linux/persistence_pth_file_creation.toml @@ -2,7 +2,7 @@ creation_date = "2025/02/26" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/03" +updated_date = "2025/12/22" [rule] author = ["Elastic"] 
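Review bot: `process.parent.command_line in ("/bin/bash /entrypoint.sh telegraf", "/bin/sh /usr/local/bin/docker-entrypoint.sh server")` is an exact-string match on a whole command line, so a different shell path, an extra argument or a trailing space breaks the exclusion, and the entrypoint script name alone is a weak identifier; matching on `process.parent.args` together with the parent executable would be more robust. The `?process.working_directory in (...)` exclusion keys on a value the invoking user controls, so it is best paired with the parent executable for the Dynatrace and Sophos agents it is meant to cover. The move from `:` to `like` on process.parent.executable also changes the comparison from case-insensitive to case-sensitive, which is fine for Linux paths but should be mentioned in the description.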
@@ -98,8 +98,8 @@ tags = [ timestamp_override = "event.ingested" type = "eql" query = ''' -file where host.os.type == "linux" and event.action in ("creation", "rename") and file.extension == "pth" and -file.path like~ ( +file where host.os.type == "linux" and event.action == "creation" and file.extension == "pth" and +file.path like ( "/usr/local/lib/python*/dist-packages/*", "/usr/lib/python*/dist-packages/*", "/usr/local/lib/python*/site-packages/*", @@ -111,11 +111,17 @@ file.path like~ ( "/usr/local/bin/pip2", "/usr/bin/restic", "/usr/bin/pacman", "/usr/bin/dockerd", "/usr/local/bin/pip3", "/usr/bin/pip3", "/usr/local/bin/pip", "/usr/bin/pip", "/usr/bin/podman", "/usr/local/bin/poetry", "/usr/bin/poetry", "/usr/bin/pamac-daemon", "/opt/venv/bin/pip", "/usr/bin/dnf", "./venv/bin/pip", - "/usr/bin/dnf5", "/bin/dnf5", "/bin/pip", "/bin/podman" + "/usr/bin/dnf5", "/bin/dnf5", "/bin/pip", "/bin/podman", "./usr/bin/podman", "/kaniko/executor", "/dev/fd/3", + "/opt/SolarWinds/Agent/bin/Plugins/Discovery/SolarWinds.Agent.Discovery.Plugin", "/usr/bin/crio", + "/opt/splunk/bin/splunkd", "/opt/Tanium/TaniumClient/TaniumCX" ) or - process.executable like~ ( + process.executable like ( "/usr/bin/python*", "/usr/local/bin/python*", "/opt/venv/bin/python*", "/nix/store/*libexec/docker/dockerd", "/snap/docker/*dockerd" + ) or + ( + process.name like ("python*", "platform-python*", "conda", "virtualenv", "cp", "pip*", "uv") and + file.name in ("distutils-precedence.pth", "_virtualenv.pth") ) ) ''' diff --git a/rules/linux/persistence_rc_local_error_via_syslog.toml b/rules/linux/persistence_rc_local_error_via_syslog.toml index 893cbeabf..22cdd76e5 100644 --- a/rules/linux/persistence_rc_local_error_via_syslog.toml +++ b/rules/linux/persistence_rc_local_error_via_syslog.toml @@ -2,7 +2,7 @@ creation_date = "2024/06/21" integration = ["system"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/12/22" [rule] author = ["Elastic"] 
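Review bot: `"/dev/fd/3"` is added as an exact entry in the `process.executable in (...)` exclusion, which exempts anything executed through a file descriptor, a pattern with no stable binary identity; if this covers a specific pipeline, scoping it with process.name or process.parent.executable keeps the exclusion narrow. Dropping `"rename"` from event.action also means a .pth file staged under a temporary name and renamed into site-packages is no longer seen by this rule, and the rule description (outside this hunk) should state that creation-only scope. The `like~` to `like` change on file.path and process.executable makes the globs case-sensitive, which is expected on Linux.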
@@ -18,44 +18,6 @@ index = ["logs-system.syslog-*"] language = "kuery" license = "Elastic License v2" name = "Suspicious rc.local Error Message" -references = [ - "https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/", - "https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#8-boot-or-logon-initialization-scripts-rc-scripts", - "https://www.cyberciti.biz/faq/how-to-enable-rc-local-shell-script-on-systemd-while-booting-linux-system/", - "https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms", -] -risk_score = 21 -rule_id = "69c116bb-d86f-48b0-857d-3648511a6cac" -setup = """## Setup - -This rule requires data coming in from one of the following integrations: -- Filebeat - -### Filebeat Setup -Filebeat is a lightweight shipper for forwarding and centralizing log data. Installed as an agent on your servers, Filebeat monitors the log files or locations that you specify, collects log events, and forwards them either to Elasticsearch or Logstash for indexing. - -#### The following steps should be executed in order to add the Filebeat for the Linux System: -- Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages. -- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setup-repositories.html). -- To run Filebeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-docker.html). -- To run Filebeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-kubernetes.html). 
-- For quick start information for Filebeat refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/8.11/filebeat-installation-configuration.html). -- For complete Setup and Run Filebeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setting-up-and-running.html). - -#### Rule Specific Setup Note -- This rule requires the Filebeat System Module to be enabled. -- The system module collects and parses logs created by the system logging service of common Unix/Linux based distributions. -- To run the system module of Filebeat on Linux follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-system.html). -""" -severity = "low" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide"] -timestamp_override = "event.ingested" -type = "query" - -query = ''' -host.os.type:linux and event.dataset:system.syslog and process.name:rc.local and -message:("Connection refused" or "No such file or directory" or "command not found") -''' note = """## Triage and analysis > **Disclaimer**: 
@@ -89,23 +51,64 @@ The rc.local script is crucial in Linux systems, executing commands at boot. Adv - Escalate the incident to the security operations team for further investigation and to determine if other systems are affected. - Implement enhanced monitoring on the affected system and similar systems to detect any future unauthorized changes to boot scripts. - Review and update access controls and permissions to ensure that only authorized personnel can modify critical system files like rc.local.""" +references = [ + "https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/", + "https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#8-boot-or-logon-initialization-scripts-rc-scripts", + "https://www.cyberciti.biz/faq/how-to-enable-rc-local-shell-script-on-systemd-while-booting-linux-system/", + "https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms", +] +risk_score = 47 +rule_id = "69c116bb-d86f-48b0-857d-3648511a6cac" +setup = """## Setup +This rule requires data coming in from one of the following integrations: +- Filebeat + +### Filebeat Setup +Filebeat is a lightweight shipper for forwarding and centralizing log data. Installed as an agent on your servers, Filebeat monitors the log files or locations that you specify, collects log events, and forwards them either to Elasticsearch or Logstash for indexing. + +#### The following steps should be executed in order to add the Filebeat for the Linux System: +- Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages. +- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setup-repositories.html). 
+- To run Filebeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-docker.html).
+- To run Filebeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-kubernetes.html).
+- For quick start information for Filebeat refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/8.11/filebeat-installation-configuration.html).
+- For complete Setup and Run Filebeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setting-up-and-running.html).
+
+#### Rule Specific Setup Note
+- This rule requires the Filebeat System Module to be enabled.
+- The system module collects and parses logs created by the system logging service of common Unix/Linux based distributions.
+- To run the system module of Filebeat on Linux follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-system.html).
+"""
+severity = "medium"
+tags = [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Resources: Investigation Guide"
+]
+timestamp_override = "event.ingested"
+type = "query"
+query = '''
+host.os.type:linux and event.dataset:system.syslog and process.name:rc.local and
+message:("Connection refused" or "No such file or directory" or "command not found")
+'''
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1037"
 name = "Boot or Logon Initialization Scripts"
 reference = "https://attack.mitre.org/techniques/T1037/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1037.004"
 name = "RC Scripts"
 reference = "https://attack.mitre.org/techniques/T1037/004/"
-
-
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
-
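Review bot: The relocated setup text still pins the quick-start link to a fixed release, `https://www.elastic.co/guide/en/beats/filebeat/8.11/filebeat-installation-configuration.html`, while every neighbouring link in the same block uses `current`; since this hunk rewrites the whole block it is the natural place to align it, e.g. `.../filebeat/current/filebeat-installation-configuration.html`. The move from `severity = "low"` to `"medium"` is consistent with `risk_score = 47`, but neither the description nor the triage guide changed, so an analyst has no stated reason for the higher rating; a one-line rationale in the commit message or the guide would help. The query itself is untouched and still keys only on three syslog error strings under `process.name:rc.local`, so the medium rating will inherit whatever noise merely broken rc.local scripts produce.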
diff --git a/rules/linux/persistence_rc_local_service_already_running.toml b/rules/linux/persistence_rc_local_service_already_running.toml index a8e0c2205..c1a07ece7 100644 --- a/rules/linux/persistence_rc_local_service_already_running.toml +++ b/rules/linux/persistence_rc_local_service_already_running.toml 
@@ -2,24 +2,57 @@ creation_date = "2024/06/21" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/12/22" [rule] author = ["Elastic"] description = """ -This rule detects the potential execution of the `/etc/rc.local` script through the `already_running` event action -created by the `rc-local.service` systemd service. The `/etc/rc.local` script is a legacy initialization script that is -executed at the end of the boot process. The `/etc/rc.local` script is not enabled by default on most Linux -distributions. The `/etc/rc.local` script can be used by attackers to persistently execute malicious commands or scripts +This rule detects the potential execution of the "/etc/rc.local" script through the "already_running" event action +created by the "rc-local.service" systemd service. The "/etc/rc.local" script is a legacy initialization script that is +executed at the end of the boot process. The "/etc/rc.local" script is not enabled by default on most Linux +distributions. The "/etc/rc.local" script can be used by attackers to persistently execute malicious commands or scripts on a compromised system at reboot. As the rc.local file is executed prior to the initialization of Elastic Defend, the -execution event is not ingested, and therefore the `already_running` event is leveraged to provide insight into the -potential execution of `rc.local`. +execution event is not ingested, and therefore the "already_running" event is leveraged to provide insight into the +potential execution of "rc.local". """ from = "now-9m" index = ["logs-endpoint.events.process*"] language = "eql" license = "Elastic License v2" name = "Potential Execution of rc.local Script" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. 
While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Potential Execution of rc.local Script + +The `/etc/rc.local` script is a legacy Linux initialization script executed at the end of the boot process. While not enabled by default, attackers can exploit it to persistently run malicious commands upon system reboot. The detection rule identifies potential misuse by monitoring for the `already_running` event action linked to `rc-local.service`, indicating the script's execution, thus alerting to possible persistence tactics. + +### Possible investigation steps + +- Review the system logs to identify any recent changes or modifications to the /etc/rc.local file, focusing on timestamps and user accounts involved in the changes. +- Examine the contents of the /etc/rc.local file to identify any suspicious or unauthorized commands or scripts that may have been added. +- Investigate the process tree and parent processes associated with the rc-local.service to determine if there are any unusual or unexpected parent processes that could indicate compromise. +- Check for any other persistence mechanisms or indicators of compromise on the system, such as unauthorized user accounts or scheduled tasks, to assess the broader impact of the potential threat. +- Correlate the event with other security alerts or logs from the same host to identify any patterns or related activities that could provide additional context or evidence of malicious behavior. + +### False positive analysis + +- System maintenance scripts: Some Linux distributions or administrators may use the rc.local script for legitimate system maintenance tasks. Review the script's content to verify its purpose and consider excluding these known benign scripts from triggering alerts. 
+- Custom startup configurations: Organizations might have custom startup configurations that utilize rc.local for non-malicious purposes. Document these configurations and create exceptions in the detection rule to prevent unnecessary alerts. +- Legacy applications: Certain legacy applications might rely on rc.local for initialization. Identify these applications and assess their necessity. If deemed safe, exclude their execution from the rule to reduce false positives. +- Testing environments: In testing or development environments, rc.local might be used for various non-threatening experiments. Clearly label these environments and adjust the rule to ignore alerts originating from them. + +### Response and remediation + +- Immediately isolate the affected system from the network to prevent further execution of potentially malicious scripts and limit the attacker's access. +- Review the contents of the `/etc/rc.local` file on the affected system to identify any unauthorized or suspicious commands or scripts. Remove any malicious entries found. +- Conduct a thorough scan of the system using updated antivirus or endpoint detection tools to identify and remove any additional malware or persistence mechanisms. +- Restore the system from a known good backup if the integrity of the system is in question and if malicious activity is confirmed. +- Implement monitoring for changes to the `/etc/rc.local` file and other critical system files to detect unauthorized modifications in the future. +- Escalate the incident to the security operations team for further investigation and to determine if other systems may be affected. 
+- Review and update security policies and configurations to disable the execution of the `/etc/rc.local` script by default on all systems, unless explicitly required for legitimate purposes.""" references = [ "https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/", "https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#8-boot-or-logon-initialization-scripts-rc-scripts", 
@@ -64,61 +97,25 @@ tags = [
 ]
 timestamp_override = "event.ingested"
 type = "eql"
-
 query = '''
 process where host.os.type == "linux" and event.type == "info" and event.action == "already_running" and process.parent.args == "/etc/rc.local" and process.parent.args == "start"
 '''
-note = """## Triage and analysis
-
-> **Disclaimer**:
-> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
-
-### Investigating Potential Execution of rc.local Script
-
-The `/etc/rc.local` script is a legacy Linux initialization script executed at the end of the boot process. While not enabled by default, attackers can exploit it to persistently run malicious commands upon system reboot. The detection rule identifies potential misuse by monitoring for the `already_running` event action linked to `rc-local.service`, indicating the script's execution, thus alerting to possible persistence tactics.
-
-### Possible investigation steps
-
-- Review the system logs to identify any recent changes or modifications to the /etc/rc.local file, focusing on timestamps and user accounts involved in the changes.
-- Examine the contents of the /etc/rc.local file to identify any suspicious or unauthorized commands or scripts that may have been added.
-- Investigate the process tree and parent processes associated with the rc-local.service to determine if there are any unusual or unexpected parent processes that could indicate compromise.
-- Check for any other persistence mechanisms or indicators of compromise on the system, such as unauthorized user accounts or scheduled tasks, to assess the broader impact of the potential threat.
-- Correlate the event with other security alerts or logs from the same host to identify any patterns or related activities that could provide additional context or evidence of malicious behavior. - -### False positive analysis - -- System maintenance scripts: Some Linux distributions or administrators may use the rc.local script for legitimate system maintenance tasks. Review the script's content to verify its purpose and consider excluding these known benign scripts from triggering alerts. -- Custom startup configurations: Organizations might have custom startup configurations that utilize rc.local for non-malicious purposes. Document these configurations and create exceptions in the detection rule to prevent unnecessary alerts. -- Legacy applications: Certain legacy applications might rely on rc.local for initialization. Identify these applications and assess their necessity. If deemed safe, exclude their execution from the rule to reduce false positives. -- Testing environments: In testing or development environments, rc.local might be used for various non-threatening experiments. Clearly label these environments and adjust the rule to ignore alerts originating from them. - -### Response and remediation - -- Immediately isolate the affected system from the network to prevent further execution of potentially malicious scripts and limit the attacker's access. -- Review the contents of the `/etc/rc.local` file on the affected system to identify any unauthorized or suspicious commands or scripts. Remove any malicious entries found. -- Conduct a thorough scan of the system using updated antivirus or endpoint detection tools to identify and remove any additional malware or persistence mechanisms. -- Restore the system from a known good backup if the integrity of the system is in question and if malicious activity is confirmed. 
-- Implement monitoring for changes to the `/etc/rc.local` file and other critical system files to detect unauthorized modifications in the future. -- Escalate the incident to the security operations team for further investigation and to determine if other systems may be affected. -- Review and update security policies and configurations to disable the execution of the `/etc/rc.local` script by default on all systems, unless explicitly required for legitimate purposes.""" - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1037" name = "Boot or Logon Initialization Scripts" reference = "https://attack.mitre.org/techniques/T1037/" + [[rule.threat.technique.subtechnique]] id = "T1037.004" name = "RC Scripts" reference = "https://attack.mitre.org/techniques/T1037/004/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - diff --git a/rules/linux/persistence_rc_script_creation.toml b/rules/linux/persistence_rc_script_creation.toml index 29091adcc..1ae06027c 100644 --- a/rules/linux/persistence_rc_script_creation.toml +++ b/rules/linux/persistence_rc_script_creation.toml @@ -2,7 +2,7 @@ creation_date = "2023/02/28" integration = ["endpoint"] maturity = "production" -updated_date = "2025/02/04" +updated_date = "2025/12/22" [transform] [[transform.osquery]] 
@@ -24,11 +24,10 @@ SELECT * FROM file WHERE (path = '/run/systemd/generator/multi-user.target.wants label = "Osquery - Retrieve Crontab Information" query = "SELECT * FROM crontab" - [rule] author = ["Elastic"] description = """ -This rule monitors the creation/alteration of the rc.local/rc.common file. The /etc/rc.local file is used to start +This rule monitors the creation of the rc.local/rc.common files. The "/etc/rc.local" file is used to start custom applications, services, scripts or commands during start-up. The rc.local file has mostly been replaced by Systemd. However, through the "systemd-rc-local-generator", rc.local files can be converted to services that run at boot. Adversaries may alter rc.local/rc.common to execute malicious code at start-up, and gain persistence onto the @@ -104,7 +103,7 @@ references = [ "https://www.cyberciti.biz/faq/how-to-enable-rc-local-shell-script-on-systemd-while-booting-linux-system/", "https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms", ] -risk_score = 47 +risk_score = 73 rule_id = "0f4d35e4-925e-4959-ab24-911be207ee6f" setup = """## Setup @@ -131,7 +130,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ -severity = "medium" +severity = "high" tags = [ "Domain: Endpoint", "OS: Linux", 
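Review bot: The reworded description still carries the unchanged sentence `Adversaries may alter rc.local/rc.common to execute malicious code at start-up`, yet with the query now limited to `event.action == "creation"` (next hunk) an in-place edit of an existing rc.local is not something this rule fires on, so the text overstates coverage. Suggest `Adversaries may create rc.local/rc.common to execute malicious code at start-up; edits to an existing file are not covered by this rule.` so the alert text and the logic agree. The severity and risk_score bumps in the adjacent hunks are fine on their own, but they raise the cost of that mismatch for an analyst reading the alert. The `description = """` block starts in this hunk but ends outside it.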
@@ -142,9 +141,8 @@ tags = [
 ]
 timestamp_override = "event.ingested"
 type = "eql"
-
 query = '''
-file where host.os.type == "linux" and event.action in ("rename", "creation") and
+file where host.os.type == "linux" and event.action == "creation" and
 file.path in ("/etc/rc.local", "/etc/rc.common") and not (
 process.executable in (
 "/bin/dpkg", "/usr/bin/dpkg", "/bin/dockerd", "/usr/bin/dockerd", "/usr/sbin/dockerd", "/bin/microdnf",
@@ -168,22 +166,20 @@ file.path in ("/etc/rc.local", "/etc/rc.common") and not (
 )
 '''
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1037"
 name = "Boot or Logon Initialization Scripts"
 reference = "https://attack.mitre.org/techniques/T1037/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1037.004"
 name = "RC Scripts"
 reference = "https://attack.mitre.org/techniques/T1037/004/"
-
-
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
-
diff --git a/rules/linux/persistence_rpm_package_installation_from_unusual_parent.toml b/rules/linux/persistence_rpm_package_installation_from_unusual_parent.toml
index 02a4eb51f..378adc56f 100644
--- a/rules/linux/persistence_rpm_package_installation_from_unusual_parent.toml
+++ b/rules/linux/persistence_rpm_package_installation_from_unusual_parent.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/07/10"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/12/22"
 [rule]
 author = ["Elastic"]
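Review bot: Dropping `rename` from `event.action` means a file staged elsewhere and moved onto `/etc/rc.local` — the atomic-write pattern used by `sed -i`, many editors, and a plain `mv` — no longer matches; only a direct create at that path does. If that trade-off is deliberate to cut noise, it is worth stating in the description or the false-positive section rather than only in the commit, e.g. `Rename-based writes to /etc/rc.local (sed -i, mv of a staged file) are intentionally excluded to reduce noise.`, since I cannot tell from this diff whether another rule covers that path. The `process.executable` exclusion list that follows continues outside this hunk, so its full contents are not reviewed here.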
@@ -16,45 +16,6 @@ index = ["logs-endpoint.events.*"] language = "kuery" license = "Elastic License v2" name = "RPM Package Installed by Unusual Parent Process" -risk_score = 21 -rule_id = "8cc72fa3-70ae-4ea1-bee2-8e6aaf3c1fcf" -setup = """## Setup -This rule requires data coming in from Elastic Defend. -### Elastic Defend Integration Setup -Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. -#### Prerequisite Requirements: -- Fleet is required for Elastic Defend. -- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). -#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: -- Go to the Kibana home page and click "Add integrations". -- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. -- Click "Add Elastic Defend". -- Configure the integration name and optionally add a description. -- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". -- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). -- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" -- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. 
-For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). -- Click "Save and Continue". -- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. -For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). -""" -severity = "low" -tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Data Source: Elastic Defend", - "Resources: Investigation Guide", -] -timestamp_override = "event.ingested" -type = "new_terms" - -query = ''' -host.os.type:linux and event.category:process and event.type:start and event.action:exec and process.name:rpm and -process.args:("-i" or "--install") -''' note = """## Triage and analysis > **Disclaimer**: 
@@ -89,10 +50,48 @@ RPM is a package management system crucial for managing software on Linux distri - Update and patch the system to ensure all software is up-to-date, reducing the risk of exploitation through known vulnerabilities. - Implement stricter access controls and monitoring on systems to prevent unauthorized RPM installations, focusing on unusual parent processes. - Escalate the incident to the security operations team for further investigation and to determine if additional systems are affected.""" - +risk_score = 21 +rule_id = "8cc72fa3-70ae-4ea1-bee2-8e6aaf3c1fcf" +setup = """## Setup +This rule requires data coming in from Elastic Defend. +### Elastic Defend Integration Setup +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. +#### Prerequisite Requirements: +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). +#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). 
+- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +""" +severity = "low" +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Defend", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "new_terms" +query = ''' +host.os.type:linux and event.category:process and event.type:start and event.action:exec and process.name:rpm and +process.args:("-i" or "--install") +''' [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" @@ -102,6 +101,7 @@ reference = "https://attack.mitre.org/techniques/T1543/" id = "T1546" name = "Event Triggered Execution" reference = "https://attack.mitre.org/techniques/T1546/" + [[rule.threat.technique.subtechnique]] id = "T1546.016" name = "Installer Packages" 
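Review bot: `process.args:("-i" or "--install")` is an exact term match, so the very common combined short forms `rpm -ivh pkg.rpm` and `rpm -Uvh pkg.rpm` (a single argv token `-ivh`/`-Uvh`) never match, and neither does `--upgrade`, which also installs a package that is not yet present. If wildcard terms are acceptable in this KQL query, something like `process.args:(-i* or -U* or --install or --upgrade or --reinstall)` would close the gap; I have not verified how the KQL parser treats a leading `-` in an unquoted wildcard term, so it may need quoting and a test event. Because the new_terms field is `process.parent.executable`, an install missed by the query is missed no matter how unusual the parent is.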
@@ -113,24 +113,24 @@ id = "T1574"
 name = "Hijack Execution Flow"
 reference = "https://attack.mitre.org/techniques/T1574/"
-
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1195"
 name = "Supply Chain Compromise"
 reference = "https://attack.mitre.org/techniques/T1195/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1195.002"
 name = "Compromise Software Supply Chain"
 reference = "https://attack.mitre.org/techniques/T1195/002/"
-
-
 [rule.threat.tactic]
 id = "TA0001"
 name = "Initial Access"
@@ -139,8 +139,7 @@ reference = "https://attack.mitre.org/tactics/TA0001/"
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["process.parent.executable"]
+
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
-value = "now-7d"
-
-
+value = "now-5d"
diff --git a/rules/linux/persistence_setuid_setgid_capability_set.toml b/rules/linux/persistence_setuid_setgid_capability_set.toml
index 64bcaa630..7dccbc4c3 100644
--- a/rules/linux/persistence_setuid_setgid_capability_set.toml
+++ b/rules/linux/persistence_setuid_setgid_capability_set.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/09/05"
 integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/12/22"
 [transform]
 [[transform.osquery]]
@@ -29,7 +29,6 @@ query = "SELECT * FROM users WHERE username = {{user.name}}"
 label = "Osquery - Investigate the Account Authentication Status"
 query = "SELECT * FROM logged_in_users WHERE user = {{user.name}}"
-
 [rule]
 author = ["Elastic"]
 description = """
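Review bot: Tightening `history_window_start` from `now-7d` to `now-5d` means a parent executable last seen six or seven days ago will alert again as "new", and nothing in the commit message, the description, or the triage guide says why the baseline was shortened. A brief justification in the commit or a sentence in the false-positive section would save the next tuner from guessing whether this was noise-driven or a data-retention constraint. The edit is otherwise mechanically consistent with the `new_terms_fields` block above it.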
@@ -108,7 +107,7 @@ This rule monitors for the addition of the cap_setuid+ep or cap_setgid+ep capabi
 - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
 - Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
 """
-risk_score = 47
+risk_score = 73
 rule_id = "f5c005d3-4e17-48b0-9cd7-444d48857f97"
 setup = """## Setup
@@ -135,7 +134,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
-severity = "medium"
+severity = "high"
 tags = [
 "Domain: Endpoint",
 "OS: Linux",
@@ -149,17 +148,15 @@ tags = [
 ]
 timestamp_override = "event.ingested"
 type = "eql"
-
 query = '''
 process where host.os.type == "linux" and event.type == "start" and
- event.action in ("exec", "exec_event", "start", "ProcessRollup2") and
- process.name == "setcap" and process.args : "cap_set?id+ep" and not (
- process.parent.name in ("jem", "vzctl") or
- process.args like "/usr/bin/new?idmap"
- )
+event.action in ("exec", "exec_event", "start", "ProcessRollup2") and
+process.name == "setcap" and process.args : "cap_set?id+ep" and not (
+ process.parent.name in ("jem", "vzctl") or
+ process.args like "/usr/bin/new?idmap"
+)
 '''
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
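Review bot: `process.args : "cap_set?id+ep"` only matches when the whole argv token is exactly `cap_setuid+ep` or `cap_setgid+ep`, so the equally valid `setcap cap_setuid=ep`, `cap_setuid+eip`, or a comma-joined set such as `cap_setuid,cap_setgid+ep` pass straight through, and this hunk raises the rule to high on that narrow pattern. A wildcard form such as `process.args : ("*cap_set?id*+*e*", "*cap_set?id*=*e*")` would cover the `=` operator and multi-capability variants; it would also match `setcap -v` verifications, so `not process.args == "-v"` may be needed if those prove noisy in telemetry — I have not checked. The re-indentation of the exclusion block and the `new?idmap` carve-out are unchanged in effect.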
@@ -167,21 +164,21 @@ framework = "MITRE ATT&CK" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1548" name = "Abuse Elevation Control Mechanism" reference = "https://attack.mitre.org/techniques/T1548/" + [[rule.threat.technique.subtechnique]] id = "T1548.001" name = "Setuid and Setgid" reference = "https://attack.mitre.org/techniques/T1548/001/" - - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - diff --git a/rules/linux/persistence_shadow_file_modification.toml b/rules/linux/persistence_shadow_file_modification.toml index b58e64049..61af8e00f 100644 --- a/rules/linux/persistence_shadow_file_modification.toml +++ b/rules/linux/persistence_shadow_file_modification.toml @@ -2,7 +2,7 @@ creation_date = "2024/07/05" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/24" +updated_date = "2025/12/22" [rule] author = ["Elastic"] 
@@ -16,6 +16,40 @@ index = ["logs-endpoint.events.file*"] language = "eql" license = "Elastic License v2" name = "Shadow File Modification by Unusual Process" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Shadow File Modification by Unusual Process + +The Linux shadow file is crucial for storing hashed user passwords, ensuring system security. Adversaries may exploit this by altering the file to add users or change passwords, thus gaining unauthorized access or maintaining persistence. The detection rule identifies suspicious modifications by monitoring changes and renames of the shadow file, flagging potential unauthorized access attempts for further investigation. + +### Possible investigation steps + +- Review the alert details to confirm the event type is "change" and the action is "rename" for the file path "/etc/shadow". +- Check the file.Ext.original.path to identify the original location of the shadow file before the rename event. +- Investigate recent user account changes or additions by examining system logs and user management commands executed around the time of the alert. +- Analyze the history of commands executed by users with elevated privileges to identify any unauthorized or suspicious activities. +- Correlate the event with other security alerts or logs to determine if there are additional indicators of compromise or persistence tactics being employed. +- Verify the integrity of the shadow file by comparing its current state with a known good backup to detect unauthorized modifications. + +### False positive analysis + +- System updates or package installations may trigger legitimate changes to the shadow file. 
Users can create exceptions for known update processes or package managers to prevent these from being flagged. +- Administrative tasks performed by authorized personnel, such as password changes or user management, can also result in shadow file modifications. Implementing a whitelist for specific user accounts or processes that are known to perform these tasks can reduce false positives. +- Backup or restoration processes that involve the shadow file might cause rename events. Users should identify and exclude these processes if they are part of regular system maintenance. +- Automated scripts or configuration management tools that manage user accounts could lead to expected changes in the shadow file. Users should ensure these tools are recognized and excluded from triggering alerts. + +### Response and remediation + +- Immediately isolate the affected system from the network to prevent further unauthorized access or lateral movement by the adversary. +- Verify the integrity of the /etc/shadow file by comparing it with a known good backup to identify unauthorized changes or additions. +- Reset passwords for all user accounts on the affected system, ensuring the use of strong, unique passwords to mitigate the risk of compromised credentials. +- Review and remove any unauthorized user accounts that may have been added to the system, ensuring that only legitimate users have access. +- Conduct a thorough audit of system logs and user activity to identify any additional signs of compromise or persistence mechanisms employed by the threat actor. +- Escalate the incident to the security operations team for further investigation and to determine if additional systems may be affected. 
+- Implement enhanced monitoring and alerting for future modifications to the /etc/shadow file to quickly detect and respond to similar threats.""" references = ["https://www.elastic.co/security-labs/primer-on-persistence-mechanisms"] risk_score = 21 rule_id = "cdf1a39b-1ca5-4e2a-9739-17fc4d026029" 
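Review bot: The guide's first investigation step tells the analyst to confirm `event.action` is `rename` for `/etc/shadow` but never mentions what the query (visible further down in this diff) already filters out before alerting: renames whose `file.Ext.original.name` is `shadow+` or `nshadow`, plus a fixed list of package-manager and cPanel executables. Those names are chosen by whoever performs the rename, so an actor who stages `/etc/shadow+` and moves it into place produces no alert; an analyst working a related alert should know to hunt that pattern by hand. A line under "Possible investigation steps" such as `- Renames whose original name is "shadow+" or "nshadow" (presumably the staging names used by the shadow-utils tools) are excluded by this rule; review file events on those paths separately.` would make the coverage boundary explicit. The query hunk itself runs past the end of this excerpt and is not reviewed here.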
@@ -60,44 +94,19 @@ type = "eql" query = ''' file where host.os.type == "linux" and event.type == "change" and event.action == "rename" and file.path == "/etc/shadow" and file.Ext.original.path != null and -not process.name in ( - "usermod", "useradd", "passwd", "chage", "systemd-sysusers", "chpasswd", "userdel", "adduser", "update-passwd", "perl" +not ( + file.Ext.original.name in ("shadow+", "nshadow") or + process.name in ( + "usermod", "useradd", "passwd", "chage", "systemd-sysusers", "chpasswd", "userdel", "adduser", "update-passwd", "perl" + ) or + process.executable like "/usr/libexec/platform-python*" or + process.executable in ( + "/usr/bin/containerd", "/usr/bin/dnf", "/usr/bin/yum", "/bin/dnf", "./usr/bin/qemu-aarch64-static", + "/usr/local/cpanel/whostmgr/bin/xml-api", "/usr/local/cpanel/whostmgr/bin/whostmgr5", + "/usr/local/cpanel/bin/admin/Cpanel/security" + ) ) ''' -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Shadow File Modification by Unusual Process - -The Linux shadow file is crucial for storing hashed user passwords, ensuring system security. Adversaries may exploit this by altering the file to add users or change passwords, thus gaining unauthorized access or maintaining persistence. The detection rule identifies suspicious modifications by monitoring changes and renames of the shadow file, flagging potential unauthorized access attempts for further investigation. - -### Possible investigation steps - -- Review the alert details to confirm the event type is "change" and the action is "rename" for the file path "/etc/shadow". 
-- Check the file.Ext.original.path to identify the original location of the shadow file before the rename event. -- Investigate recent user account changes or additions by examining system logs and user management commands executed around the time of the alert. -- Analyze the history of commands executed by users with elevated privileges to identify any unauthorized or suspicious activities. -- Correlate the event with other security alerts or logs to determine if there are additional indicators of compromise or persistence tactics being employed. -- Verify the integrity of the shadow file by comparing its current state with a known good backup to detect unauthorized modifications. - -### False positive analysis - -- System updates or package installations may trigger legitimate changes to the shadow file. Users can create exceptions for known update processes or package managers to prevent these from being flagged. -- Administrative tasks performed by authorized personnel, such as password changes or user management, can also result in shadow file modifications. Implementing a whitelist for specific user accounts or processes that are known to perform these tasks can reduce false positives. -- Backup or restoration processes that involve the shadow file might cause rename events. Users should identify and exclude these processes if they are part of regular system maintenance. -- Automated scripts or configuration management tools that manage user accounts could lead to expected changes in the shadow file. Users should ensure these tools are recognized and excluded from triggering alerts. - -### Response and remediation - -- Immediately isolate the affected system from the network to prevent further unauthorized access or lateral movement by the adversary. -- Verify the integrity of the /etc/shadow file by comparing it with a known good backup to identify unauthorized changes or additions. 
-- Reset passwords for all user accounts on the affected system, ensuring the use of strong, unique passwords to mitigate the risk of compromised credentials. -- Review and remove any unauthorized user accounts that may have been added to the system, ensuring that only legitimate users have access. -- Conduct a thorough audit of system logs and user activity to identify any additional signs of compromise or persistence mechanisms employed by the threat actor. -- Escalate the incident to the security operations team for further investigation and to determine if additional systems may be affected. -- Implement enhanced monitoring and alerting for future modifications to the /etc/shadow file to quickly detect and respond to similar threats.""" [[rule.threat]] framework = "MITRE ATT&CK" diff --git a/rules/linux/persistence_shared_object_creation.toml b/rules/linux/persistence_shared_object_creation.toml index da62371ab..da1bfc939 100644 --- a/rules/linux/persistence_shared_object_creation.toml +++ b/rules/linux/persistence_shared_object_creation.toml @@ -2,7 +2,7 @@ creation_date = "2023/06/09" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/16" +updated_date = "2025/12/22" [transform] [[transform.osquery]] 
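Review bot: The rebuilt exclusion block carries no comments, and the relative entry `"./usr/bin/qemu-aarch64-static"` in the new `process.executable in (...)` list will read as a typo to anyone who does not know that the endpoint reports executables this way when a process runs from a relative root (a chroot or image-build tree, presumably). This is an EQL query, so a `//` line above the list, e.g. `// './usr/bin/...' entries are executables observed under a chroot or image build root`, would stop the next maintainer from "fixing" it; the same relative forms appear later in this patch in the shared-object rule (`"./usr/bin/qemu-aarch64-static"`, `"./nvidia-installer"`, where the KQL query cannot hold a comment and the rationale belongs in the note instead), the shell-configuration rule (`"./usr/bin/podman"`) and the sitecustomize rule (`"./usr/bin/podman"`). The new `file.Ext.original.name in ("shadow+", "nshadow")` branch would likewise benefit from a one-liner such as `// temporary names legitimate password tooling renames onto /etc/shadow` — that reading follows from the rename condition above it, but confirm it against the observed events before committing the wording.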
@@ -57,10 +57,10 @@ from = "now-9m" index = ["logs-endpoint.events.file*", "endgame-*"] language = "kuery" license = "Elastic License v2" -name = "Shared Object Created or Changed by Previously Unknown Process" +name = "Shared Object Created by Previously Unknown Process" note = """## Triage and analysis -### Investigating Shared Object Created or Changed by Previously Unknown Process +### Investigating Shared Object Created by Previously Unknown Process A shared object file is a compiled library file (typically with a .so extension) that can be dynamically linked to executable programs at runtime, allowing for code reuse and efficient memory usage. The creation of a shared object file involves compiling code into a dynamically linked library that can be loaded by other programs at runtime. @@ -161,7 +161,7 @@ tags = [ timestamp_override = "event.ingested" type = "new_terms" query = ''' -event.category:file and host.os.type:"linux" and event.action:("creation" or "file_create_event" or "file_rename_event" or "rename") and +event.category:file and host.os.type:"linux" and event.action:("creation" or "file_create_event") and (file.extension:"so" or file.name:*.so.*) and file.path:( /dev/shm/* or /usr/lib/* or /usr/lib64/* or /usr/local/lib/* or /usr/local/lib64/* or /lib/x86_64-linux-gnu/* or 
@@ -174,7 +174,16 @@ file.path:( ) or (process.name:"vmware-install.pl" and file.path:/usr/lib/vmware-tools/*) or (process.name:"ssm-agent-worker" and file.path:/usr/lib/jvm/java*) or - process.executable : (/dev/fd/* or "/" or "/kaniko/executor" or "/usr/bin/buildah") + process.executable : ( + /dev/fd/* or "/" or "/kaniko/executor" or "/usr/bin/buildah" or "/usr/bin/microdnf" or "/usr/sbin/yum-cron" or + "/usr/lib/check_mk_agent/plugins/3600/cmk-update-agent" or "/usr/bin/pamac-daemon" or "/usr/bin/dnf5" or + "3600/cmk-update-agent" or "/usr/lib/dracut/dracut-install" or "/usr/bin/dockerd" or "/usr/sbin/crond" or + "./usr/bin/qemu-aarch64-static" or "/usr/bin/nvidia-installer" or "./nvidia-installer" or "/usr/bin/cmake" or + /var/lib/docker/overlay2/* or "/usr/sbin/gdm" or "/opt/ITSPlatform/plugin/scap/fortify-scap-plugin" or + /tmp/makeself* or /tmp/selfgz* or "./usr/bin/qemu-aarch64" or "/usr/local/bin/cmake" or /opt/lpruitt/tmp/selfgz* or + "/usr/lib/snapd/snap-update-ns" or "/sbin/yum-cron" or "/usr/local/psa/bin/dnf_install" or /opt/lmanteuffel/useful/tmp/makeself* + ) or + file.name:libnvidia* ) ''' @@ -198,7 +207,7 @@ reference = "https://attack.mitre.org/tactics/TA0003/" [rule.new_terms] field = "new_terms_fields" -value = ["file.path", "process.executable"] +value = ["file.name", "process.name"] [[rule.new_terms.history_window_start]] field = "history_window_start" diff --git a/rules/linux/persistence_shell_configuration_modification.toml b/rules/linux/persistence_shell_configuration_modification.toml index cef3c5390..4fe836551 100644 --- a/rules/linux/persistence_shell_configuration_modification.toml +++ b/rules/linux/persistence_shell_configuration_modification.toml 
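Review bot: `/opt/lpruitt/tmp/selfgz*` and `/opt/lmanteuffel/useful/tmp/makeself*` in the extended `process.executable` list look like per-user directories from one specific environment rather than a general pattern, and shipping what appear to be account names in a public rule is questionable; the neighbouring `/tmp/makeself*` and `/tmp/selfgz*` entries already cover the makeself self-extractor case, so the two environment-specific entries could be dropped, or replaced by a broader pattern if that is what was intended. Keying exclusions on `/tmp/*` and `/var/lib/docker/overlay2/*` also tolerates executables in locations any local user or container can write to, which is a real gap for a persistence rule; since this query is KQL and cannot carry inline comments, the false-positive section of the note should state why those paths are accepted. `"3600/cmk-update-agent"`, with neither a leading slash nor `./`, looks truncated next to the full `/usr/lib/check_mk_agent/plugins/3600/cmk-update-agent` entry — presumably the path as reported relative to the plugin directory, but verify it against the telemetry.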
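Review bot: Switching the new-terms key from `process.executable` to `process.name` in `value = ["file.name", "process.name"]` means that once any process named, say, `cmake` has been seen creating a shared object, a same-named binary from any other path is no longer "new", while the query's exclusions just above still reason about full executable paths; the rationale — presumably to stop path variance such as the `./usr/bin/...` forms from producing repeat alerts — is recorded nowhere in the hunk. A sentence in the rule description or in the note's false-positive section stating that the term key is intentionally the bare name, and what coverage that trades away, would let a reviewer judge the change. Moving from `file.path` to `file.name` has the same effect for libraries that exist as copies in several directories.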
@@ -2,22 +2,56 @@ creation_date = "2024/04/30" integration = ["endpoint"] maturity = "production" -updated_date = "2025/06/03" +updated_date = "2025/12/22" [rule] author = ["Elastic"] description = """ -This rule monitors the creation/alteration of a shell configuration file. Unix systems use shell configuration files to +This rule monitors the creation of a shell configuration file. Unix systems use shell configuration files to set environment variables, create aliases, and customize the user's environment. Adversaries may modify or add a shell -configuration file to execute malicious code and gain persistence in the system. This behavior is consistent with the -Kaiji malware family. +configuration file to execute malicious code and gain persistence in the system. """ false_positives = ["Legitimate user shell modification activity."] from = "now-9m" index = ["logs-endpoint.events.file*"] language = "eql" license = "Elastic License v2" -name = "Shell Configuration Creation or Modification" +name = "Shell Configuration Creation" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Shell Configuration Creation + +Shell configuration files in Unix-like systems are crucial for setting up user environments by defining variables, aliases, and startup scripts. Adversaries exploit these files to execute malicious code persistently. The detection rule identifies suspicious creation or modification of these files, excluding benign processes, to flag potential threats, aligning with tactics like persistence and event-triggered execution. 
+ +### Possible investigation steps + +- Review the specific file path involved in the alert to determine if it is a system-wide or user-specific shell configuration file, as listed in the query. +- Identify the process executable that triggered the alert and verify if it is part of the excluded benign processes. If not, investigate the process's origin and purpose. +- Check the creation timestamp of the file to correlate with any known user activities or scheduled tasks that might explain the change. +- Examine the contents of the newly created shell configuration file for any suspicious or unauthorized entries, such as unexpected scripts or commands. +- Investigate the user account associated with the file creation to determine if the activity aligns with their typical behavior or if the account may have been compromised. +- Cross-reference the alert with other security logs or alerts to identify any related suspicious activities or patterns that could indicate a broader attack campaign. + +### False positive analysis + +- System package managers like dpkg, rpm, and yum often modify shell configuration files during software installations or updates. To handle these, exclude processes with executables such as /bin/dpkg or /usr/bin/rpm from triggering alerts. +- Automated system management tools like Puppet and Chef may alter shell configuration files as part of their routine operations. Exclude these processes by adding exceptions for executables like /opt/puppetlabs/puppet/bin/puppet or /usr/bin/chef-client. +- User account management activities, such as adding new users, can lead to shell configuration file modifications. Exclude processes like /usr/sbin/adduser or /sbin/useradd to prevent false positives in these scenarios. +- Temporary files created by text editors (e.g., .swp files) during editing sessions can trigger alerts. Exclude file extensions such as swp, swpx, and swx to avoid these false positives. 
+- Virtualization and containerization tools like Docker and Podman may modify shell configuration files as part of their operations. Exclude executables like /usr/bin/dockerd or /usr/bin/podman to manage these cases. + +### Response and remediation + +- Immediately isolate the affected system from the network to prevent further malicious activity and lateral movement. +- Review the modified or newly created shell configuration files to identify and remove any unauthorized or malicious code. +- Restore the affected shell configuration files from a known good backup to ensure the system's environment is clean and secure. +- Conduct a thorough scan of the system using updated antivirus or endpoint detection and response (EDR) tools to identify and remove any additional malware or persistence mechanisms. +- Monitor the system and network for any signs of re-infection or related suspicious activity, focusing on the indicators of compromise (IOCs) associated with the Kaiji malware family. +- Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are affected. +- Implement additional monitoring and alerting for changes to shell configuration files to enhance detection of similar threats in the future.""" references = [ "https://intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/", "https://www.elastic.co/security-labs/primer-on-persistence-mechanisms", @@ -61,7 +95,7 @@ tags = [ timestamp_override = "event.ingested" type = "eql" query = ''' -file where host.os.type == "linux" and event.action in ("rename", "creation") and file.path : ( +file where host.os.type == "linux" and event.action == "creation" and file.path : ( // system-wide configurations "/etc/profile", "/etc/profile.d/*", "/etc/bash.bashrc", "/etc/bash.bash_logout", "/etc/zsh/*", "/etc/csh.cshrc", "/etc/csh.login", "/etc/fish/config.fish", "/etc/ksh.kshrc", 
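Review bot: The relocated investigation guide still describes the rule as covering modification although this hunk narrows the description and name to creation only: "The detection rule identifies suspicious creation or modification of these files" in the Investigating paragraph, "Review the modified or newly created shell configuration files" under Response and remediation, and the untouched `false_positives = ["Legitimate user shell modification activity."]`. Since rename events are deliberately dropped (`event.action == "creation"` in the next hunk), these should say creation so analysts do not expect alerts on edits, e.g. `The detection rule identifies suspicious creation of these files, excluding benign processes, to flag potential threats, ...`. The description also lost the Kaiji sentence while the remediation bullet still refers to "IOCs associated with the Kaiji malware family"; either keep the attribution in the description or generalise that bullet.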
@@ -80,60 +114,26 @@ file where host.os.type == "linux" and event.action in ("rename", "creation") an "/bin/pacman", "/usr/bin/pacman", "/usr/bin/dpkg-divert", "/bin/dpkg-divert", "/sbin/apk", "/usr/sbin/apk", "/usr/local/sbin/apk", "/usr/bin/apt", "/usr/sbin/pacman", "/bin/podman", "/usr/bin/podman", "/usr/bin/puppet", "/bin/puppet", "/opt/puppetlabs/puppet/bin/puppet", "/usr/bin/chef-client", "/bin/chef-client", - "/bin/autossl_check", "/usr/bin/autossl_check", "/proc/self/exe", "/dev/fd/*", "/usr/bin/pamac-daemon", + "/bin/autossl_check", "/usr/bin/autossl_check", "/proc/self/exe", "/usr/bin/pamac-daemon", "/bin/pamac-daemon", "/usr/lib/snapd/snapd", "/usr/sbin/adduser", "/usr/sbin/useradd", "/usr/local/bin/dockerd", "/usr/sbin/gdm", "/usr/bin/unzip", "/usr/bin/gnome-shell", "/sbin/mkhomedir_helper", "/usr/sbin/sshd", "/opt/puppetlabs/puppet/bin/ruby", "/usr/bin/xfce4-session", "/usr/libexec/oddjob/mkhomedir", "/sbin/useradd", "/usr/lib/systemd/systemd", "/usr/sbin/crond", "/usr/bin/pamac-daemon", "/usr/sbin/mkhomedir_helper", - "/opt/pbis/sbin/lwsmd", "/usr/sbin/oddjobd" + "/opt/pbis/sbin/lwsmd", "/usr/sbin/oddjobd", "./usr/bin/podman", "/usr/bin/dnf5", "/bin/dnf5", + "/usr/libexec/gnome-terminal-server", "/usr/bin/buildah", "/usr/lib/venv-salt-minion/bin/python.original" ) or file.extension in ("swp", "swpx", "swx", "dpkg-remove") or file.Ext.original.extension == "dpkg-new" or - process.executable : ( + process.executable like ( "/nix/store/*", "/var/lib/dpkg/*", "/tmp/vmis.*", "/snap/*", "/dev/fd/*", "/usr/lib/virtualbox/*", - "/usr/libexec/platform-python*" + "/usr/libexec/platform-python*", "./snap/snapd/*/usr/lib/snapd/snap-update-ns", "/opt/alt/python*/bin/python*" ) or process.executable == null or process.name in ("adclient", "mkhomedir_helper", "teleport", "mkhomedir", "adduser", "desktopDaemon", "executor", "crio") or - (process.name == "sed" and file.name : "sed*") or - (process.name == "perl" and file.name : "e2scrub_all.tmp*") + (process.name == 
"sed" and file.name like "sed*") or + (process.name == "perl" and file.name like "e2scrub_all.tmp*") ) ''' -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Shell Configuration Creation or Modification - -Shell configuration files in Unix-like systems are crucial for setting up user environments by defining variables, aliases, and startup scripts. Adversaries exploit these files to execute malicious code persistently. The detection rule identifies suspicious creation or modification of these files, excluding benign processes, to flag potential threats, aligning with tactics like persistence and event-triggered execution. - -### Possible investigation steps - -- Review the specific file path involved in the alert to determine if it is a system-wide or user-specific shell configuration file, as listed in the query. -- Identify the process executable that triggered the alert and verify if it is part of the excluded benign processes. If not, investigate the process's origin and purpose. -- Check the modification or creation timestamp of the file to correlate with any known user activities or scheduled tasks that might explain the change. -- Examine the contents of the modified or newly created shell configuration file for any suspicious or unauthorized entries, such as unexpected scripts or commands. -- Investigate the user account associated with the file modification to determine if the activity aligns with their typical behavior or if the account may have been compromised. -- Cross-reference the alert with other security logs or alerts to identify any related suspicious activities or patterns that could indicate a broader attack campaign. 
- -### False positive analysis - -- System package managers like dpkg, rpm, and yum often modify shell configuration files during software installations or updates. To handle these, exclude processes with executables such as /bin/dpkg or /usr/bin/rpm from triggering alerts. -- Automated system management tools like Puppet and Chef may alter shell configuration files as part of their routine operations. Exclude these processes by adding exceptions for executables like /opt/puppetlabs/puppet/bin/puppet or /usr/bin/chef-client. -- User account management activities, such as adding new users, can lead to shell configuration file modifications. Exclude processes like /usr/sbin/adduser or /sbin/useradd to prevent false positives in these scenarios. -- Temporary files created by text editors (e.g., .swp files) during editing sessions can trigger alerts. Exclude file extensions such as swp, swpx, and swx to avoid these false positives. -- Virtualization and containerization tools like Docker and Podman may modify shell configuration files as part of their operations. Exclude executables like /usr/bin/dockerd or /usr/bin/podman to manage these cases. - -### Response and remediation - -- Immediately isolate the affected system from the network to prevent further malicious activity and lateral movement. -- Review the modified or newly created shell configuration files to identify and remove any unauthorized or malicious code. -- Restore the affected shell configuration files from a known good backup to ensure the system's environment is clean and secure. -- Conduct a thorough scan of the system using updated antivirus or endpoint detection and response (EDR) tools to identify and remove any additional malware or persistence mechanisms. -- Monitor the system and network for any signs of re-infection or related suspicious activity, focusing on the indicators of compromise (IOCs) associated with the Kaiji malware family. 
-- Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are affected. -- Implement additional monitoring and alerting for changes to shell configuration files to enhance detection of similar threats in the future.""" [[rule.threat]] framework = "MITRE ATT&CK" diff --git a/rules/linux/persistence_simple_web_server_connection_accepted.toml b/rules/linux/persistence_simple_web_server_connection_accepted.toml index e3b78f7fc..11e4f177d 100644 --- a/rules/linux/persistence_simple_web_server_connection_accepted.toml +++ b/rules/linux/persistence_simple_web_server_connection_accepted.toml @@ -2,7 +2,7 @@ creation_date = "2024/12/17" integration = ["endpoint"] maturity = "production" -updated_date = "2025/10/13" +updated_date = "2025/12/22" [rule] author = ["Elastic"] 
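Review bot: `"/usr/bin/pamac-daemon"` appears twice in the `process.executable in (...)` list on the new side — once on the changed line next to `"/proc/self/exe"` and again further down next to `"/usr/sbin/crond"` — which is harmless to EQL but suggests the list is not de-duplicated when telemetry is merged, so one copy should go. The new `"/usr/lib/venv-salt-minion/bin/python.original"` and `"/opt/alt/python*/bin/python*"` entries exclude whole interpreter paths rather than a specific tool, a wider carve-out than the package-manager entries around them; a `//` comment naming the management agent they belong to (Salt and CloudLinux alt-python, presumably) would make that trade-off visible, just as `// system-wide configurations` does for the path list earlier in the query.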
@@ -17,6 +17,41 @@ index = ["logs-endpoint.events.process*", "logs-endpoint.events.network*"] language = "eql" license = "Elastic License v2" name = "Simple HTTP Web Server Connection" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Simple HTTP Web Server Connection + +Simple HTTP servers in Python and PHP are often used for development and testing, providing a quick way to serve web content. However, attackers can exploit these servers to maintain access on compromised Linux systems by deploying backdoors or executing commands remotely. The detection rule identifies suspicious server activity by monitoring for specific process patterns and command-line arguments indicative of these lightweight servers, flagging potential misuse for further investigation. + +### Possible investigation steps + +- Review the process details, including the process name and command line arguments, to confirm if the server was started using Python or PHP, as indicated by the query fields. +- Check the network connection details associated with the event, such as the source and destination IP addresses and ports, to identify any suspicious or unexpected connections. +- Investigate the user account under which the process was initiated to determine if it aligns with expected behavior or if it indicates potential unauthorized access. +- Examine the system logs and any related events around the time of the alert to identify any additional suspicious activities or anomalies. +- Assess the server's web root directory for any unauthorized files or scripts that could indicate a backdoor or malicious payload. 
+- Correlate this event with other alerts or indicators of compromise on the system to evaluate if this is part of a larger attack campaign. + +### False positive analysis + +- Development and testing environments may frequently trigger this rule when developers use Python or PHP's built-in HTTP servers for legitimate purposes. To manage this, consider excluding specific user accounts or IP addresses associated with development activities from the rule. +- Automated scripts or cron jobs that start simple HTTP servers for routine tasks can also generate false positives. Identify these scripts and add their process names or command-line patterns to an exception list. +- Educational or training environments where students are learning web development might cause alerts. In such cases, exclude the network segments or user groups associated with these activities. +- Internal tools or services that rely on lightweight HTTP servers for functionality might be flagged. Review these tools and whitelist their specific process names or command-line arguments to prevent unnecessary alerts. +- Temporary testing servers spun up for short-term projects can be mistaken for malicious activity. Document these instances and apply temporary exceptions during the project duration. + +### Response and remediation + +- Immediately isolate the affected system from the network to prevent further unauthorized access or data exfiltration. +- Terminate any suspicious Python or PHP processes identified by the detection rule to stop the potential backdoor or unauthorized server activity. +- Conduct a thorough review of the system's file system, focusing on the web root directory, to identify and remove any unauthorized scripts or payloads that may have been uploaded. +- Change all credentials associated with the compromised system, including SSH keys and passwords, to prevent attackers from regaining access. 
+- Restore the system from a known good backup if any unauthorized changes or persistent threats are detected that cannot be easily remediated. +- Implement network monitoring to detect any future unauthorized HTTP server activity, focusing on unusual process patterns and command-line arguments. +- Escalate the incident to the security operations team for further investigation and to assess the potential impact on other systems within the network.""" risk_score = 21 rule_id = "183f3cd2-4cc6-44c0-917c-c5d29ecdcf74" setup = """## Setup 
@@ -63,44 +98,10 @@ sequence by process.entity_id with maxspan=1m ( (process.name regex~ """php?[0-9]?\.?[0-9]{0,2}""" and process.command_line like "*-S*") or (process.name like "python*" and process.command_line like ("*--cgi*", "*CGIHTTPServer*")) - )] + ) and not process.parent.command_line == "runc init" +] [network where host.os.type == "linux" and event.type == "start" and event.action == "connection_accepted"] ''' -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Simple HTTP Web Server Connection - -Simple HTTP servers in Python and PHP are often used for development and testing, providing a quick way to serve web content. However, attackers can exploit these servers to maintain access on compromised Linux systems by deploying backdoors or executing commands remotely. The detection rule identifies suspicious server activity by monitoring for specific process patterns and command-line arguments indicative of these lightweight servers, flagging potential misuse for further investigation. - -### Possible investigation steps - -- Review the process details, including the process name and command line arguments, to confirm if the server was started using Python or PHP, as indicated by the query fields. -- Check the network connection details associated with the event, such as the source and destination IP addresses and ports, to identify any suspicious or unexpected connections. -- Investigate the user account under which the process was initiated to determine if it aligns with expected behavior or if it indicates potential unauthorized access. 
-- Examine the system logs and any related events around the time of the alert to identify any additional suspicious activities or anomalies. -- Assess the server's web root directory for any unauthorized files or scripts that could indicate a backdoor or malicious payload. -- Correlate this event with other alerts or indicators of compromise on the system to evaluate if this is part of a larger attack campaign. - -### False positive analysis - -- Development and testing environments may frequently trigger this rule when developers use Python or PHP's built-in HTTP servers for legitimate purposes. To manage this, consider excluding specific user accounts or IP addresses associated with development activities from the rule. -- Automated scripts or cron jobs that start simple HTTP servers for routine tasks can also generate false positives. Identify these scripts and add their process names or command-line patterns to an exception list. -- Educational or training environments where students are learning web development might cause alerts. In such cases, exclude the network segments or user groups associated with these activities. -- Internal tools or services that rely on lightweight HTTP servers for functionality might be flagged. Review these tools and whitelist their specific process names or command-line arguments to prevent unnecessary alerts. -- Temporary testing servers spun up for short-term projects can be mistaken for malicious activity. Document these instances and apply temporary exceptions during the project duration. - -### Response and remediation - -- Immediately isolate the affected system from the network to prevent further unauthorized access or data exfiltration. -- Terminate any suspicious Python or PHP processes identified by the detection rule to stop the potential backdoor or unauthorized server activity. 
-- Conduct a thorough review of the system's file system, focusing on the web root directory, to identify and remove any unauthorized scripts or payloads that may have been uploaded. -- Change all credentials associated with the compromised system, including SSH keys and passwords, to prevent attackers from regaining access. -- Restore the system from a known good backup if any unauthorized changes or persistent threats are detected that cannot be easily remediated. -- Implement network monitoring to detect any future unauthorized HTTP server activity, focusing on unusual process patterns and command-line arguments. -- Escalate the incident to the security operations team for further investigation and to assess the potential impact on other systems within the network.""" [[rule.threat]] framework = "MITRE ATT&CK" diff --git a/rules/linux/persistence_simple_web_server_creation.toml b/rules/linux/persistence_simple_web_server_creation.toml index 7f31d6c92..a36dadf7d 100644 --- a/rules/linux/persistence_simple_web_server_creation.toml +++ b/rules/linux/persistence_simple_web_server_creation.toml @@ -2,7 +2,7 @@ creation_date = "2024/12/17" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2025/12/22" [rule] author = ["Elastic"] 
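Review bot: The new exclusion `) and not process.parent.command_line == "runc init"` is an exact match on the parent command line, whereas the sibling creation rule in the next file of this patch (`persistence_simple_web_server_creation.toml`, hunk `@@ -102,59 +102,59 @@`) expresses the same container-init carve-out as `not process.parent.name in (..., "runc")`, so the two rules will disagree on any runc invocation whose command line is not exactly `runc init`. Align them — e.g. `) and not process.parent.name == "runc"` here, or the command-line form in both — and add a `//` comment in the query saying that servers started as a container entrypoint are intentionally out of scope, since that is a coverage decision an analyst tuning the rule should see. The `[process where ...]` block this condition belongs to begins before the hunk.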
@@ -102,59 +102,59 @@ type = "eql"
 query = '''
 process where host.os.type == "linux" and event.type == "start" and
- event.action in ("exec", "exec_event", "start", "ProcessRollup2") and
- (
- (process.name regex~ """php?[0-9]?\.?[0-9]{0,2}""" and process.args == "-S") or
- (process.name like "python*" and process.args in ("--cgi", "CGIHTTPServer"))
- ) and
-not process.parent.name in ("check_kmp_wrapper", "naemon")
+event.action in ("exec", "exec_event", "start", "ProcessRollup2") and
+(
+ (process.name regex~ """php?[0-9]?\.?[0-9]{0,2}""" and process.args == "-S") or
+ (process.name like "python*" and process.args in ("--cgi", "CGIHTTPServer"))
+) and
+not process.parent.name in ("check_kmp_wrapper", "naemon", "runc")
 '''
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1505"
 name = "Server Software Component"
 reference = "https://attack.mitre.org/techniques/T1505/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1505.003"
 name = "Web Shell"
 reference = "https://attack.mitre.org/techniques/T1505/003/"
-
-
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1059"
 name = "Command and Scripting Interpreter"
 reference = "https://attack.mitre.org/techniques/T1059/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1059.004"
 name = "Unix Shell"
 reference = "https://attack.mitre.org/techniques/T1059/004/"
-
-
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1071"
 name = "Application Layer Protocol"
 reference = "https://attack.mitre.org/techniques/T1071/"
-
 [rule.threat.tactic]
 id = "TA0011"
 name = "Command and Control"
 reference = "https://attack.mitre.org/tactics/TA0011/"
-
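Review bot: Adding `"runc"` to the `process.parent.name` exclusion on the last query line silences every containerized `php -S` or `python --cgi` server whose entrypoint is exec'd directly by the container runtime, which is exactly where an attacker-controlled image would put one; a carve-out keyed on `process.args` or on the specific noisy image would keep the FP reduction without blinding the rule to container entrypoints. On the re-added `regex~` line, `php?[0-9]?\.?[0-9]{0,2}` makes the trailing `p` optional, so the full-match regex also accepts a process named `ph`; `php[0-9]?\.?[0-9]{0,2}` is presumably what was intended. I would record the trade-off next to the exclusion with a comment such as `// runc: container entrypoints excluded for noise; revisit if image scoping becomes available`.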
diff --git a/rules/linux/persistence_site_and_user_customize_file_creation.toml b/rules/linux/persistence_site_and_user_customize_file_creation.toml
index e85311968..d0ae0b7eb 100644
--- a/rules/linux/persistence_site_and_user_customize_file_creation.toml
+++ b/rules/linux/persistence_site_and_user_customize_file_creation.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/02/26"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/12/03"
+updated_date = "2025/12/22"
 [rule]
 author = ["Elastic"]
@@ -93,8 +93,8 @@ tags = [
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-file where host.os.type == "linux" and event.type in ("creation", "rename") and process.executable != null and
-file.path like~ (
+file where host.os.type == "linux" and event.type == "creation" and process.executable != null and
+file.path like (
 "/usr/lib/python*/sitecustomize.py",
 "/usr/local/lib/python*/sitecustomize.py",
 "/usr/lib/python*/dist-packages/sitecustomize.py",
@@ -106,7 +106,9 @@ file.path like~ (
 process.executable in (
 "/usr/local/bin/pip2", "/usr/bin/restic", "/usr/bin/pacman", "/usr/bin/dockerd", "/usr/local/bin/pip3", "/usr/bin/pip3", "/usr/local/bin/pip", "/usr/bin/pip", "/usr/bin/podman", "/usr/local/bin/poetry",
- "/usr/bin/poetry", "/usr/bin/pamac-daemon", "./venv/bin/pip"
+ "/usr/bin/poetry", "/usr/bin/pamac-daemon", "./venv/bin/pip", "./usr/bin/podman",
+ "/opt/miniforge3/bin/mamba", "/usr/sbin/dockerd", "/opt/conda/_conda", "/kaniko/executor",
+ "/usr/local/bin/dockerd", "/usr/bin/crio", "/usr/lib/systemd/systemd-executor"
 ) or
 process.executable like~ (
 "/usr/bin/python*", "/usr/local/bin/python*", "/opt/venv/bin/python*",
diff --git a/rules/linux/persistence_ssh_netcon.toml b/rules/linux/persistence_ssh_netcon.toml
index 88130c4d2..bde9a2bb7 100644
--- a/rules/linux/persistence_ssh_netcon.toml
+++ b/rules/linux/persistence_ssh_netcon.toml
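Review bot: Narrowing `event.type` from `in ("creation", "rename")` to `== "creation"` on the new `file where` line drops the rename path, so a `sitecustomize.py` that is staged elsewhere and then moved into `/usr/lib/python*/` with `mv` on the same filesystem only emits a rename event and is no longer seen by this rule. If rename noise from package managers motivated the change, keeping `event.type in ("creation", "rename")` and excluding the specific noisy `process.executable` values is the safer tuning. The switch from `like~` to `like` is fine because every listed path is lowercase, but a `// paths are case-sensitive by design` note above the list would stop the next tuner from reverting it.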
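Review bot: The new exclusion `"/usr/lib/systemd/systemd-executor"` exempts every systemd-spawned service from this rule, so a malicious unit file, itself a common Linux persistence mechanism, that writes `sitecustomize.py` is never alerted on; `"/kaniko/executor"` appears to be a build tool that runs arbitrary image build steps and has a similar effect. `"./usr/bin/podman"` is a relative path; if it is a typo for the `/usr/bin/podman` already on the list it will never match, and if it is an observed value that should be noted. For the systemd case, scoping on the specific service that produced the noise rather than the executor is narrower, and the breadth deserves a comment such as `// systemd-executor exclusion is broad: any service can write here unseen`.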
@@ -2,7 +2,7 @@
 creation_date = "2024/06/06"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/02/04"
+updated_date = "2025/12/22"
 [rule]
 author = ["Elastic"]
@@ -16,44 +16,13 @@ from = "now-9m"
 index = ["logs-endpoint.events.network*", "logs-endpoint.events.process*"]
 language = "eql"
 license = "Elastic License v2"
-name = "Network Connection Initiated by SSHD Child Process"
-references = ["https://hadess.io/the-art-of-linux-persistence/"]
-risk_score = 47
-rule_id = "63431796-f813-43af-820b-492ee2efec8e"
-severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Persistence",
- "Data Source: Elastic Defend",
- "Resources: Investigation Guide"
-]
-type = "eql"
-query = '''
-sequence by host.id with maxspan=1s
- [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
- process.parent.executable == "/usr/sbin/sshd"] by process.entity_id
- [network where host.os.type == "linux" and event.type == "start" and event.action == "connection_attempted" and not (
- destination.ip == null or destination.ip == "0.0.0.0" or cidrmatch(
- destination.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.0.0/29",
- "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24",
- "192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4", "100.64.0.0/10",
- "192.175.48.0/24","198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1", "FE80::/10",
- "FF00::/8", "172.31.0.0/16"
- )
- ) and not (
- process.executable in ("/bin/yum", "/usr/bin/yum") or
- process.name in ("login_duo", "ssh", "sshd", "sshd-session")
- )
- ] by process.parent.entity_id
-'''
+name = "Network Connection Initiated by Suspicious SSHD Child Process"
 note = """## Triage and analysis
 > **Disclaimer**:
 > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
-### Investigating Network Connection Initiated by SSHD Child Process
+### Investigating Network Connection Initiated by Suspicious SSHD Child Process
 The SSH Daemon (SSHD) facilitates secure remote logins and command execution on Linux systems. Adversaries may exploit SSHD by modifying shell configurations or backdooring the daemon to establish unauthorized connections, often for persistence or data exfiltration. The detection rule identifies suspicious outbound connections initiated by SSHD child processes, excluding benign processes and internal IP ranges, to flag potential malicious activity.
@@ -81,6 +50,52 @@ The SSH Daemon (SSHD) facilitates secure remote logins and command execution on
 - Apply security patches and updates to the SSH daemon and related software to mitigate known vulnerabilities that could be exploited for persistence or unauthorized access.
 - Monitor network traffic for any further suspicious outbound connections from other systems, indicating potential lateral movement or additional compromised hosts.
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine the scope of the compromise."""
+references = ["https://hadess.io/the-art-of-linux-persistence/"]
+risk_score = 47
+rule_id = "63431796-f813-43af-820b-492ee2efec8e"
+severity = "medium"
+tags = [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Data Source: Elastic Defend",
+ "Resources: Investigation Guide"
+]
+type = "eql"
+query = '''
+sequence by host.id with maxspan=1s
+ [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
+ process.parent.executable == "/usr/sbin/sshd" and not process.command_line like ("*ansible*", "*BECOME-SUCCESS*")] by process.entity_id
+ [network where host.os.type == "linux" and event.type == "start" and event.action == "connection_attempted" and (
+ process.executable like (
+ "/tmp/*", "/var/tmp/*", "/dev/shm/*", "./*", "/run/*", "/var/run/*", "/boot/*", "/sys/*", "/lost+found/*",
+ "/proc/*", "/var/mail/*", "/var/www/*", "/home/*", "/root/*"
+ ) or
+ process.name like~ (
+ // Hidden processes
+ ".*",
+ // Suspicious file formats
+ "*.elf", "*.sh", "*.py", "*.rb", "*.pl", "*.lua*", "*.php*", ".js",
+ // Scheduled tasks
+ "systemd", "cron", "crond",
+ // Network utilities often used for reverse shells
+ "nc", "netcat", "ncat", "telnet", "socat", "openssl", "nc.openbsd", "ngrok", "nc.traditional"
+ )
+ ) and
+ not (
+ destination.ip == null or destination.ip == "0.0.0.0" or cidrmatch(
+ destination.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.0.0/29",
+ "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24",
+ "192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4", "100.64.0.0/10",
+ "192.175.48.0/24","198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1", "FE80::/10",
+ "FF00::/8", "172.31.0.0/16"
+ ) or
+ process.executable in ("/bin/yum", "/usr/bin/yum") or
+ process.name in ("login_duo", "ssh", "sshd", "sshd-session", "sqlplus")
+ )
+ ] by process.parent.entity_id
+'''
 [[rule.threat]]
 framework = "MITRE ATT&CK"
diff --git a/rules/linux/persistence_ssh_via_backdoored_system_user.toml b/rules/linux/persistence_ssh_via_backdoored_system_user.toml
index 71f626986..b41404c8b 100644
--- a/rules/linux/persistence_ssh_via_backdoored_system_user.toml
+++ b/rules/linux/persistence_ssh_via_backdoored_system_user.toml
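Review bot: `".js"` in the new `process.name like~` list is missing the leading wildcard every neighbouring pattern has, so it only matches a process literally named `.js` (already covered by `".*"`); it should read `"*.js"`. The added `not process.command_line like ("*ansible*", "*BECOME-SUCCESS*")` on the first sequence stage is a substring test on attacker-controlled data, so any sshd child that carries an `ansible` token in its arguments steps out of the rule entirely; constraining on `process.executable` or the Ansible temp-directory layout would be harder to forge than a command-line substring. The first stage also still pins `process.parent.executable == "/usr/sbin/sshd"`, while the second stage's exclusion of `sshd-session` suggests the tuner has seen OpenSSH builds that hand the session off to a separate binary; if the user's shell has that binary as its parent on such hosts, this sequence never starts there, which is worth confirming against a 9.8+ process tree.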
@@ -2,20 +2,55 @@
 creation_date = "2025/01/07"
 integration = ["system"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/12/22"
 [rule]
 author = ["Elastic"]
 description = """
 This rule identifies successful logins by system users that are uncommon to authenticate. These users
-have `nologin` set by default, and must be modified to allow SSH access. Adversaries may backdoor these users to
+have "nologin" set by default, and must be modified to allow SSH access. Adversaries may backdoor these users to
 gain unauthorized access to the system.
 """
 from = "now-9m"
 index = ["filebeat-*", "logs-system.auth-*"]
-language = "eql"
+language = "kuery"
 license = "Elastic License v2"
-name = "Login via Unusual System User"
+name = "Unusual Login via System User"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Unusual Login via System User
+
+In Linux environments, system users typically have restricted login capabilities to prevent unauthorized access. These accounts, often set with `nologin`, are not meant for interactive sessions. Adversaries may exploit these accounts by altering their configurations to enable SSH access, thus bypassing standard security measures. The detection rule identifies successful logins by these uncommon system users, flagging potential unauthorized access attempts for further investigation.
+
+### Possible investigation steps
+
+- Review the login event details to identify the specific system user account involved in the successful login, focusing on the user.name field.
+- Check the system logs for any recent changes to the user account's configuration, particularly modifications that might have enabled SSH access for accounts typically set with nologin.
+- Investigate the source IP address associated with the login event to determine if it is known or suspicious, and assess whether it aligns with expected access patterns.
+- Examine the timeline of events leading up to and following the login to identify any unusual activities or patterns that could indicate malicious behavior.
+- Verify if there are any other successful login attempts from the same source IP or involving other system user accounts, which could suggest a broader compromise.
+- Consult with system administrators to confirm whether any legitimate changes were made to the system user account's login capabilities and document any authorized modifications.
+
+### False positive analysis
+
+- System maintenance tasks may require temporary login access for system users. Verify if the login corresponds with scheduled maintenance and consider excluding these events during known maintenance windows.
+- Automated scripts or services might use system accounts for legitimate purposes. Identify these scripts and whitelist their associated activities to prevent false alerts.
+- Some system users might be configured for specific applications that require login capabilities. Review application requirements and exclude these users if their access is deemed necessary and secure.
+- In environments with custom configurations, certain system users might be intentionally modified for operational needs. Document these changes and adjust the detection rule to exclude these known modifications.
+- Regularly review and update the list of system users in the detection rule to ensure it reflects the current environment and operational requirements, minimizing unnecessary alerts.
+
+### Response and remediation
+
+- Immediately isolate the affected system from the network to prevent further unauthorized access or lateral movement by the adversary.
+- Terminate any active sessions associated with the unusual system user accounts identified in the alert to disrupt ongoing unauthorized access.
+- Review and revert any unauthorized changes to the system user accounts, such as modifications to the shell configuration that enabled login capabilities.
+- Conduct a thorough audit of the system for any additional unauthorized changes or backdoors, focusing on SSH configurations and user account settings.
+- Reset passwords and update authentication mechanisms for all system user accounts to prevent further exploitation.
+- Implement additional monitoring and alerting for any future login attempts by system users, ensuring rapid detection and response to similar threats.
+- Escalate the incident to the security operations team for further investigation and to assess the potential impact on other systems within the network."""
 references = [
 "https://blog.exatrack.com/Perfctl-using-portainer-and-new-persistences/",
 "https://x.com/RFGroenewoud/status/1875112050218922010",
@@ -53,50 +88,15 @@ tags = [
 "Resources: Investigation Guide"
 ]
 timestamp_override = "event.ingested"
-type = "eql"
+type = "new_terms"
 query = '''
-authentication where host.os.type == "linux" and event.action in ("ssh_login", "user_login") and
-user.name in (
- "deamon", "bin", "sys", "games", "man", "lp", "mail", "news", "uucp", "proxy", "www-data", "backup",
- "list", "irc", "gnats", "nobody", "systemd-timesync", "systemd-network", "systemd-resolve", "messagebus",
- "avahi", "sshd", "dnsmasq"
-) and event.outcome == "success"
+event.category:authentication and host.os.type:linux and event.action:("ssh_login" or "user_login") and
+user.name:(
+ "deamon" or "bin" or "sys" or "games" or "man" or "lp" or "mail" or "news" or "uucp" or "proxy" or "www-data" or "backup" or
+ "list" or "irc" or "gnats" or "nobody" or "systemd-timesync" or "systemd-network" or "systemd-resolve" or "messagebus" or
+ "avahi" or "sshd" or "dnsmasq"
+) and event.outcome:success
 '''
-note = """## Triage and analysis
-
-> **Disclaimer**:
-> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
-
-### Investigating Login via Unusual System User
-
-In Linux environments, system users typically have restricted login capabilities to prevent unauthorized access. These accounts, often set with `nologin`, are not meant for interactive sessions. Adversaries may exploit these accounts by altering their configurations to enable SSH access, thus bypassing standard security measures. The detection rule identifies successful logins by these uncommon system users, flagging potential unauthorized access attempts for further investigation.
-
-### Possible investigation steps
-
-- Review the login event details to identify the specific system user account involved in the successful login, focusing on the user.name field.
-- Check the system logs for any recent changes to the user account's configuration, particularly modifications that might have enabled SSH access for accounts typically set with nologin.
-- Investigate the source IP address associated with the login event to determine if it is known or suspicious, and assess whether it aligns with expected access patterns.
-- Examine the timeline of events leading up to and following the login to identify any unusual activities or patterns that could indicate malicious behavior.
-- Verify if there are any other successful login attempts from the same source IP or involving other system user accounts, which could suggest a broader compromise.
-- Consult with system administrators to confirm whether any legitimate changes were made to the system user account's login capabilities and document any authorized modifications.
-
-### False positive analysis
-
-- System maintenance tasks may require temporary login access for system users. Verify if the login corresponds with scheduled maintenance and consider excluding these events during known maintenance windows.
-- Automated scripts or services might use system accounts for legitimate purposes. Identify these scripts and whitelist their associated activities to prevent false alerts.
-- Some system users might be configured for specific applications that require login capabilities. Review application requirements and exclude these users if their access is deemed necessary and secure.
-- In environments with custom configurations, certain system users might be intentionally modified for operational needs. Document these changes and adjust the detection rule to exclude these known modifications.
-- Regularly review and update the list of system users in the detection rule to ensure it reflects the current environment and operational requirements, minimizing unnecessary alerts.
-
-### Response and remediation
-
-- Immediately isolate the affected system from the network to prevent further unauthorized access or lateral movement by the adversary.
-- Terminate any active sessions associated with the unusual system user accounts identified in the alert to disrupt ongoing unauthorized access.
-- Review and revert any unauthorized changes to the system user accounts, such as modifications to the shell configuration that enabled login capabilities.
-- Conduct a thorough audit of the system for any additional unauthorized changes or backdoors, focusing on SSH configurations and user account settings.
-- Reset passwords and update authentication mechanisms for all system user accounts to prevent further exploitation.
-- Implement additional monitoring and alerting for any future login attempts by system users, ensuring rapid detection and response to similar threats.
-- Escalate the incident to the security operations team for further investigation and to assess the potential impact on other systems within the network."""
 [[rule.threat]]
 framework = "MITRE ATT&CK"
@@ -133,3 +133,11 @@ reference = "https://attack.mitre.org/techniques/T1564/"
 id = "T1564.002"
 name = "Hidden Users"
 reference = "https://attack.mitre.org/techniques/T1564/002/"
+
+[rule.new_terms]
+field = "new_terms_fields"
+value = ["user.name", "agent.id"]
+
+[[rule.new_terms.history_window_start]]
+field = "history_window_start"
+value = "now-5d"
diff --git a/rules/linux/persistence_web_server_unusual_command_execution.toml b/rules/linux/persistence_web_server_unusual_command_execution.toml
index 9b74c3297..c0c8e722a 100644
--- a/rules/linux/persistence_web_server_unusual_command_execution.toml
+++ b/rules/linux/persistence_web_server_unusual_command_execution.toml
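Review bot: `"deamon"` in the rebuilt `user.name:(...)` list is a typo for the standard `daemon` account, carried over from the removed EQL version, so a login by the real `daemon` user never matches; it should be `"daemon"`. Converting the rule to `type = "new_terms"` keyed on `user.name`/`agent.id` also changes what an alert means: a backdoored system user that already logged in on that host inside the history window is treated as known, so repeated use of the backdoor goes quiet after the first hit, and the description's "identifies successful logins by system users" wording no longer reflects that. I would state this above the type line with a TOML comment such as `# new_terms: fires on the first login per user.name and agent.id in the look-back window, not on every login`, and mirror it in the description.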
@@ -2,7 +2,7 @@
 creation_date = "2025/12/02"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/12/11"
+updated_date = "2025/12/23"
 [rule]
 author = ["Elastic"]
@@ -68,7 +68,7 @@ event.category:process and host.os.type:linux and event.type:start and event.act
 "apache" or "nginx" or "apache2" or "httpd" or "lighttpd" or "caddy" or "mongrel_rails" or "haproxy" or "gunicorn" or "uwsgi" or "openresty" or "cherokee" or "h2o" or "resin" or "puma" or "unicorn" or "traefik" or "uvicorn" or "tornado" or "hypercorn" or "daphne" or "twistd" or "yaws" or "webfsd" or "httpd.worker" or "flask" or "rails" or "mongrel" or
- php-fpm* or "php-cgi" or "php-fcgi" or "php-cgi.cagefs" or "java" or "node"
+ php-fpm* or "php-cgi" or "php-fcgi" or "php-cgi.cagefs" or "java" or "node" or "catalina.sh" or "hiawatha" or "lswsctrl"
 ) or
 user.name:("apache" or "www-data" or "httpd" or "nginx" or "lighttpd" or "tomcat" or "tomcat8" or "tomcat9") or
 user.id:("33" or "498" or "48" or "54321")
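Review bot: `"catalina.sh"` and `"lswsctrl"` added to the `process.parent.name` list are shell-script basenames, and whether the sensor reports the script name or the interpreter (`bash`, `sh`) in `process.parent.name` depends on how the script was launched; if the parent surfaces as `bash`, neither new entry ever matches and Tomcat or LiteSpeed children are only caught through the `user.name`/`user.id` branches below. This is worth validating against a real `catalina.sh start` process tree before the entries are relied on, since the rest of the list consists of actual server binaries. I would record the assumption in a TOML comment above the query, for example `# catalina.sh / lswsctrl are script names: only match when the parent keeps the script basename`, so a later tuner knows why they are there.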