From bbcf0c7c347b1347b76f234da761f76ac9fd7f75 Mon Sep 17 00:00:00 2001
From: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Date: Mon, 27 Jan 2025 10:19:44 +0100
Subject: [PATCH] [New Hunt] Persistence via Initramfs (#4402)

* [New Hunt] Persistence via Initramfs

* Update index.yml
---
 hunting/index.md                              |  1 +
 hunting/index.yml                             |  5 ++
 .../linux/docs/persistence_via_initramfs.md   | 83 +++++++++++++++++++
 .../queries/persistence_via_initramfs.toml    | 66 +++++++++++++++
 4 files changed, 155 insertions(+)
 create mode 100644 hunting/linux/docs/persistence_via_initramfs.md
 create mode 100644 hunting/linux/queries/persistence_via_initramfs.toml

diff --git a/hunting/index.md b/hunting/index.md
index 170547c3a..d282cc4c8 100644
--- a/hunting/index.md
+++ b/hunting/index.md
@@ -43,6 +43,7 @@ Here are the queries currently available:
 - [Persistence via DPKG/RPM Package](./linux/docs/persistence_via_rpm_dpkg_installer_packages.md) (ES|QL)
 - [Persistence via Docker Container](./linux/docs/persistence_via_malicious_docker_container.md) (ES|QL)
 - [Persistence via Dynamic Linker Hijacking](./linux/docs/persistence_via_dynamic_linker_hijacking.md) (ES|QL)
+- [Persistence via Initramfs](./linux/docs/persistence_via_initramfs.md) (ES|QL)
 - [Persistence via GRUB Bootloader](./linux/docs/persistence_via_grub_bootloader.md) (ES|QL)
 - [Persistence via Loadable Kernel Modules](./linux/docs/persistence_via_loadable_kernel_modules.md) (ES|QL)
 - [Persistence via Message-of-the-Day](./linux/docs/persistence_via_message_of_the_day.md) (ES|QL)
diff --git a/hunting/index.yml b/hunting/index.yml
index 78aae1df3..3eed8c5f4 100644
--- a/hunting/index.yml
+++ b/hunting/index.yml
@@ -250,6 +250,11 @@ linux:
     path: ./linux/queries/persistence_via_malicious_docker_container.toml
     mitre:
     - T1610
+  1206f5e2-aee6-4e5c-bda0-718fe440b1cf:
+    name: Persistence via Initramfs
+    path: ./linux/queries/persistence_via_initramfs.toml
+    mitre:
+    - T1542
   7adc1a69-3962-4f84-a46d-0b68f69e45a8:
     name: Persistence via GRUB Bootloader
     path: ./linux/queries/persistence_via_grub_bootloader.toml
diff --git a/hunting/linux/docs/persistence_via_initramfs.md b/hunting/linux/docs/persistence_via_initramfs.md
new file mode 100644
index 000000000..203afe880
--- /dev/null
+++ b/hunting/linux/docs/persistence_via_initramfs.md
@@ -0,0 +1,83 @@
+# Persistence via Initramfs
+
+---
+
+## Metadata
+
+- **Author:** Elastic
+- **Description:** This hunt identifies potential persistence mechanisms leveraging modifications to Initramfs (initial RAM filesystem) on Linux systems. Initramfs is a key component in the boot process, providing early user-space initialization before the main filesystem is mounted. Attackers can abuse Initramfs by injecting malicious scripts, modules, or files into its configuration, allowing them to gain persistence or execute malicious code during system boot. This hunt monitors file creations and modifications within Initramfs-related directories, tracks executions of Initramfs manipulation tools, and retrieves metadata for critical Initramfs-related files for forensic analysis.
+
+- **UUID:** `1206f5e2-aee6-4e5c-bda0-718fe440b1cf`
+- **Integration:** [endpoint](https://docs.elastic.co/integrations/endpoint)
+- **Language:** `[ES|QL, SQL]`
+- **Source File:** [Persistence via Initramfs](../queries/persistence_via_initramfs.toml)
+
+## Query
+
+```sql
+sql
+from logs-endpoint.events.file-*
+| keep @timestamp, host.os.type, event.type, event.action, file.path, file.extension, process.executable, agent.id
+| where @timestamp > now() - 30 day
+| where host.os.type == "linux" and event.type == "creation" and (
+  file.path like "/lib/dracut/modules.d/*" or
+  file.path like "/usr/lib/dracut/modules.d/*"
+) and not file.extension in ("swp", "dpkg-new")
+| stats cc = count(), agent_count = count_distinct(agent.id) by file.path, process.executable
+| where agent_count <= 3
+| sort cc asc
+| limit 100
+```
+
+```sql
+sql
+from logs-endpoint.events.process-*
+| keep @timestamp, host.os.type, event.type, event.action, process.name, process.executable, process.parent.executable, agent.id
+| where @timestamp > now() - 30 day
+| where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.name in ("unmkinitramfs", "dracut", "binwalk")
+| stats cc = count(), agent_count = count_distinct(agent.id) by process.executable, process.parent.executable
+| where agent_count <= 3 and cc < 10
+| sort cc asc
+| limit 100
+```
+
+```sql
+sql
+SELECT
+    f.filename,
+    f.path,
+    u.username AS file_owner,
+    g.groupname AS group_owner,
+    datetime(f.atime, 'unixepoch') AS file_last_access_time,
+    datetime(f.mtime, 'unixepoch') AS file_last_modified_time,
+    datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,
+    datetime(f.btime, 'unixepoch') AS file_created_time,
+    f.size AS size_bytes
+FROM
+    file f
+LEFT JOIN
+    users u ON f.uid = u.uid
+LEFT JOIN
+    groups g ON f.gid = g.gid
+WHERE (
+        f.path = '/lib/dracut/modules.d/%'
+        OR f.path LIKE '/usr/lib/dracut/modules.d/%'
+        OR f.path LIKE '/boot/initrd.img%'
+      )
+AND (mtime > strftime('%s', 'now') - (7 * 86400)); -- Modified in the last 7 days
+```
+
+## Notes
+
+- Tracks file creations within directories used by Dracut to manage Initramfs such as /lib/dracut/modules.d/ and /usr/lib/dracut/modules.d/, focusing on unusual additions or unauthorized changes.
+- Monitors the execution of processes used to manipulate Initramfs, including tools like dracut, unmkinitramfs, and binwalk, which could indicate attempts to extract, analyze, or modify the Initramfs.
+- Queries metadata for Initramfs-related files, such as those in /boot/initrd.img, to identify recent modifications or anomalous attributes like ownership changes or unexpected access times.
+- Helps detect unauthorized persistence mechanisms that leverage modifications to Initramfs, improving detection coverage for threats targeting the early stages of the Linux boot process.
+
+## MITRE ATT&CK Techniques
+
+- [T1542](https://attack.mitre.org/techniques/T1542)
+
+## License
+
+- `Elastic License v2`
diff --git a/hunting/linux/queries/persistence_via_initramfs.toml b/hunting/linux/queries/persistence_via_initramfs.toml
new file mode 100644
index 000000000..64e6d06b5
--- /dev/null
+++ b/hunting/linux/queries/persistence_via_initramfs.toml
@@ -0,0 +1,66 @@
+[hunt]
+author = "Elastic"
+description = """
+This hunt identifies potential persistence mechanisms leveraging modifications to Initramfs (initial RAM filesystem) on Linux systems. Initramfs is a key component in the boot process, providing early user-space initialization before the main filesystem is mounted. Attackers can abuse Initramfs by injecting malicious scripts, modules, or files into its configuration, allowing them to gain persistence or execute malicious code during system boot. This hunt monitors file creations and modifications within Initramfs-related directories, tracks executions of Initramfs manipulation tools, and retrieves metadata for critical Initramfs-related files for forensic analysis.
+"""
+integration = ["endpoint"]
+uuid = "1206f5e2-aee6-4e5c-bda0-718fe440b1cf"
+name = "Persistence via Initramfs"
+language = ["ES|QL", "SQL"]
+license = "Elastic License v2"
+notes = [
+    "Tracks file creations within directories used by Dracut to manage Initramfs such as /lib/dracut/modules.d/ and /usr/lib/dracut/modules.d/, focusing on unusual additions or unauthorized changes.",
+    "Monitors the execution of processes used to manipulate Initramfs, including tools like dracut, unmkinitramfs, and binwalk, which could indicate attempts to extract, analyze, or modify the Initramfs.",
+    "Queries metadata for Initramfs-related files, such as those in /boot/initrd.img, to identify recent modifications or anomalous attributes like ownership changes or unexpected access times.",
+    "Helps detect unauthorized persistence mechanisms that leverage modifications to Initramfs, improving detection coverage for threats targeting the early stages of the Linux boot process."
+]
+mitre = ["T1542"]
+query = [
+'''sql
+from logs-endpoint.events.file-*
+| keep @timestamp, host.os.type, event.type, event.action, file.path, file.extension, process.executable, agent.id
+| where @timestamp > now() - 30 day
+| where host.os.type == "linux" and event.type == "creation" and (
+  file.path like "/lib/dracut/modules.d/*" or
+  file.path like "/usr/lib/dracut/modules.d/*"
+) and not file.extension in ("swp", "dpkg-new")
+| stats cc = count(), agent_count = count_distinct(agent.id) by file.path, process.executable
+| where agent_count <= 3
+| sort cc asc
+| limit 100
+''',
+'''sql
+from logs-endpoint.events.process-*
+| keep @timestamp, host.os.type, event.type, event.action, process.name, process.executable, process.parent.executable, agent.id
+| where @timestamp > now() - 30 day
+| where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.name in ("unmkinitramfs", "dracut", "binwalk")
+| stats cc = count(), agent_count = count_distinct(agent.id) by process.executable, process.parent.executable
+| where agent_count <= 3 and cc < 10
+| sort cc asc
+| limit 100
+''',
+'''sql
+SELECT
+    f.filename,
+    f.path,
+    u.username AS file_owner,
+    g.groupname AS group_owner,
+    datetime(f.atime, 'unixepoch') AS file_last_access_time,
+    datetime(f.mtime, 'unixepoch') AS file_last_modified_time,
+    datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,
+    datetime(f.btime, 'unixepoch') AS file_created_time,
+    f.size AS size_bytes
+FROM
+    file f
+LEFT JOIN
+    users u ON f.uid = u.uid
+LEFT JOIN
+    groups g ON f.gid = g.gid
+WHERE (
+        f.path = '/lib/dracut/modules.d/%'
+        OR f.path LIKE '/usr/lib/dracut/modules.d/%'
+        OR f.path LIKE '/boot/initrd.img%'
+      )
+AND (mtime > strftime('%s', 'now') - (7 * 86400)); -- Modified in the last 7 days
+''',
+]