From b6ed215958c7685ca3d53cb969f7fa599d08e3f4 Mon Sep 17 00:00:00 2001
From: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Date: Thu, 31 Aug 2023 17:32:17 +0200
Subject: [PATCH] [New Rule] File Creation, Exec and Self-Deletion (#3045)
* [New Rule] File Creation, Exec and Self-Deletion
* Update execution_file_execution_followed_by_deletion.toml
* Update execution_file_execution_followed_by_deletion.toml
* Update execution_file_execution_followed_by_deletion.toml
* Update execution_file_execution_followed_by_deletion.toml
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
---
...n_file_execution_followed_by_deletion.toml | 55 +++++++++++++++++++
1 file changed, 55 insertions(+)
create mode 100644 rules/linux/execution_file_execution_followed_by_deletion.toml
diff --git a/rules/linux/execution_file_execution_followed_by_deletion.toml b/rules/linux/execution_file_execution_followed_by_deletion.toml
new file mode 100644
index 000000000..64b8c70bb
--- /dev/null
+++ b/rules/linux/execution_file_execution_followed_by_deletion.toml
@@ -0,0 +1,55 @@
+[metadata]
+creation_date = "2023/08/28"
+integration = ["endpoint"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/08/28"
+
+[rule]
+author = ["Elastic"]
+description = """
+This rule monitors for the creation of a file, followed by its execution and self-deletion in a short timespan within a
+directory often used for malicious purposes by threat actors. This behavior is often used by malware to execute
+malicious code and delete itself to hide its tracks.
+"""
+from = "now-9m"
+index = ["logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "File Creation, Execution and Self-Deletion in Suspicious Directory"
+risk_score = 47
+rule_id = "09bc6c90-7501-494d-b015-5d988dc3f233"
+severity = "medium"
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"]
+type = "eql"
+query = '''
+sequence by host.id, user.id with maxspan=1m
+  [file where host.os.type == "linux" and event.action == "creation" and
+  process.name in ("curl", "wget", "fetch", "ftp", "sftp", "scp", "rsync", "ld") and
+  file.path : ("/dev/shm/*", "/run/shm/*", "/tmp/*", "/var/tmp/*",
+  "/run/*", "/var/run/*", "/var/www/*", "/proc/*/fd/*")] by file.name
+  [process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and
+  process.parent.name in ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish")] by process.name
+  [file where host.os.type == "linux" and event.action == "deletion" and not process.name in ("rm", "ld") and
+  file.path : ("/dev/shm/*", "/run/shm/*", "/tmp/*", "/var/tmp/*",
+  "/run/*", "/var/run/*", "/var/www/*", "/proc/*/fd/*")] by file.name
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.004"
+name = "Unix Shell"
+reference = "https://attack.mitre.org/techniques/T1059/004/"
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
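Review bot: The second stage of the `query` sequence joins on `process.name` alone and places no path constraint on the executed binary, so a process with the same basename as the file created in stage one satisfies it even when it runs from a trusted location such as `/usr/bin`; a download saved under a common utility name would then correlate with an unrelated, benign execution and the rule would fire on the wrong process. Adding `process.executable : ("/dev/shm/*", "/run/shm/*", "/tmp/*", "/var/tmp/*", "/run/*", "/var/run/*", "/var/www/*", "/proc/*/fd/*")` to that stage pins the execution to the same directory set used by stages one and three, which is what the description's "self-deletion" claim rests on. The `[rule]` table also carries no `false_positives` entry, although `/var/www/*` and `/tmp/*` are routinely written by `curl`/`wget` in deployment scripts that then run and clean up their own artifacts; a one-line entry describing that case would speed triage. The `min_stack_comments` value names a `setup` field that does not appear in the hunk, which is worth confirming against the repository's rule schema.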