diff --git a/hunting/index.md b/hunting/index.md index e2037d6f9..c2aa2d58c 100644 --- a/hunting/index.md +++ b/hunting/index.md @@ -25,6 +25,7 @@ Here are the queries currently available: - [Shell Modification Persistence](./linux/docs/persistence_via_shell_modification_persistence.md) (ES|QL, SQL) - [Persistence via SSH Configurations and/or Keys](./linux/docs/persistence_via_ssh_configurations_and_keys.md) (SQL) - [Persistence via Systemd (Timers)](./linux/docs/persistence_via_systemd_timers.md) (ES|QL, SQL) +- [Persistence via System V Init](./linux/docs/persistence_via_sysv_init.md) (ES|QL, SQL) - [Persistence via Udev](./linux/docs/persistence_via_udev.md) (ES|QL, SQL) - [Unusual System Binary Parent (Potential System Binary Hijacking Attempt)](./linux/docs/persistence_via_unusual_system_binary_parent.md) (ES|QL) - [Privilege Escalation/Persistence via User/Group Creation and/or Modification](./linux/docs/persistence_via_user_group_creation_modification.md) (SQL) diff --git a/hunting/linux/docs/persistence_via_sysv_init.md b/hunting/linux/docs/persistence_via_sysv_init.md new file mode 100644 index 000000000..95874d24c --- /dev/null +++ b/hunting/linux/docs/persistence_via_sysv_init.md @@ -0,0 +1,84 @@ +# Persistence via System V Init + +--- + +## Metadata + +- **Author:** Elastic +- **Description:** This hunt identifies potential persistence mechanisms via System V Init on Linux systems. System V Init is a legacy init system used in many Linux distributions. System V Init uses scripts in /etc/init.d/ to start and stop services. These queries monitor for file creation/modification and process execution events in directories and files associated with System V Init services. These activities can indicate attempts to establish persistence through System V Init configurations. The hunt lists detailed information for further analysis and investigation. + +- **UUID:** `27d76f07-7dc4-49bc-b4a7-6d9a01de171f` +- **Integration:** [endpoint](https://docs.elastic.co/integrations/endpoint) +- **Language:** `[ES|QL, SQL]` + +## Query + +```sql +from logs-endpoint.events.file-* +| where @timestamp > NOW() - 30 day +| where host.os.type == "linux" and event.type in ("creation", "change") and file.path like "/etc/init.d/*" and +not process.name in ("dpkg", "dockerd", "yum", "dnf", "snapd", "pacman") +| eval persistence = case(file.path like "/etc/init.d/*", process.name, null) +| stats pers_count = count(persistence), agent_count = count_distinct(agent.id) by process.executable, file.path +| where pers_count > 0 and pers_count <= 20 and agent_count <= 3 +| sort pers_count asc +| limit 100 +``` + +```sql +from logs-endpoint.events.process-* +| where @timestamp > now() - 30 day +| where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.parent.executable like "/etc/init.d/*" +| stats cc = count(), host_count = count_distinct(host.name) by process.executable, process.parent.executable +| where cc > 0 and cc <= 20 and host_count <= 3 +| sort cc asc +| limit 100 +``` + +```sql +SELECT name, path, source, status, type FROM startup_items +WHERE type == "systemd unit" AND status == "active" AND +source LIKE "/etc/init.d/%" +``` + +```sql +SELECT + f.filename, + f.path, + u.username AS file_owner, + g.groupname AS group_owner, + datetime(f.atime, 'unixepoch') AS file_last_access_time, + datetime(f.mtime, 'unixepoch') AS file_last_modified_time, + datetime(f.ctime, 'unixepoch') AS file_last_status_change_time, + datetime(f.btime, 'unixepoch') AS file_created_time, + f.size AS size_bytes, + h.md5 +FROM + file f +LEFT JOIN + users u ON f.uid = u.uid +LEFT JOIN + groups g ON f.gid = g.gid +LEFT JOIN + hash h ON f.path = h.path +WHERE + f.directory IN ('/etc/init.d/') +ORDER BY + f.mtime DESC; +``` + +## Notes + +- This hunt includes multiple ES|QL and OSQuery queries to identify potential persistence mechanisms via System V Init on Linux systems. +- Detects file creation or modification events in directories and files associated with System V Init services, such as /etc/init.d/. +- Detects processes started by System V Init scripts in /etc/init.d/. +- Uses OSQuery to detect active System V Init services and retrieve detailed file information related to System V Init services. +- Uses OSQuery to retrieve file information for files in /etc/init.d/. +- Excludes common legitimate processes and file types to minimize false positives. +## MITRE ATT&CK Techniques + +- [T1037](https://attack.mitre.org/techniques/T1037) + +## License + +- `Elastic License v2` diff --git a/hunting/linux/queries/persistence_via_sysv_init.toml b/hunting/linux/queries/persistence_via_sysv_init.toml new file mode 100644 index 000000000..3580f9ee4 --- /dev/null +++ b/hunting/linux/queries/persistence_via_sysv_init.toml @@ -0,0 +1,71 @@ +[hunt] +author = "Elastic" +description = """ +This hunt identifies potential persistence mechanisms via System V Init on Linux systems. System V Init is a legacy init system used in many Linux distributions. System V Init uses scripts in /etc/init.d/ to start and stop services. These queries monitor for file creation/modification and process execution events in directories and files associated with System V Init services. These activities can indicate attempts to establish persistence through System V Init configurations. The hunt lists detailed information for further analysis and investigation. +""" +integration = ["endpoint"] +uuid = "27d76f07-7dc4-49bc-b4a7-6d9a01de171f" +name = "Persistence via System V Init" +language = ["ES|QL", "SQL"] +license = "Elastic License v2" +notes = [ + "This hunt includes multiple ES|QL and OSQuery queries to identify potential persistence mechanisms via System V Init on Linux systems.", + "Detects file creation or modification events in directories and files associated with System V Init services, such as /etc/init.d/.", + "Detects processes started by System V Init scripts in /etc/init.d/.", + "Uses OSQuery to detect active System V Init services and retrieve detailed file information related to System V Init services.", + "Uses OSQuery to retrieve file information for files in /etc/init.d/.", + "Excludes common legitimate processes and file types to minimize false positives.", +] +mitre = ["T1037"] +query = [ +''' +from logs-endpoint.events.file-* +| where @timestamp > NOW() - 30 day +| where host.os.type == "linux" and event.type in ("creation", "change") and file.path like "/etc/init.d/*" and +not process.name in ("dpkg", "dockerd", "yum", "dnf", "snapd", "pacman") +| eval persistence = case(file.path like "/etc/init.d/*", process.name, null) +| stats pers_count = count(persistence), agent_count = count_distinct(agent.id) by process.executable, file.path +| where pers_count > 0 and pers_count <= 20 and agent_count <= 3 +| sort pers_count asc +| limit 100 +''', +''' +from logs-endpoint.events.process-* +| where @timestamp > now() - 30 day +| where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.parent.executable like "/etc/init.d/*" +| stats cc = count(), host_count = count_distinct(host.name) by process.executable, process.parent.executable +| where cc > 0 and cc <= 20 and host_count <= 3 +| sort cc asc +| limit 100 +''', +''' +SELECT name, path, source, status, type FROM startup_items +WHERE type == "systemd unit" AND status == "active" AND +source LIKE "/etc/init.d/%" +''', +''' +SELECT + f.filename, + f.path, + u.username AS file_owner, + g.groupname AS group_owner, + datetime(f.atime, 'unixepoch') AS file_last_access_time, + datetime(f.mtime, 'unixepoch') AS file_last_modified_time, + datetime(f.ctime, 'unixepoch') AS file_last_status_change_time, + datetime(f.btime, 'unixepoch') AS file_created_time, + f.size AS size_bytes, + h.md5 +FROM + file f +LEFT JOIN + users u ON f.uid = u.uid +LEFT JOIN + groups g ON f.gid = g.gid +LEFT JOIN + hash h ON f.path = h.path +WHERE + f.directory IN ('/etc/init.d/') +ORDER BY + f.mtime DESC; +''' +]