[New Rule] Suspicious File Modification (#3746)

* [New Rule] Suspicious File Modification

* Update persistence_suspicious_file_modifications.toml

* Update rules/linux/persistence_suspicious_file_modifications.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/linux/persistence_suspicious_file_modifications.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Updates

* Update rules/integrations/fim/persistence_suspicious_file_modifications.toml

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

rules/integrations/fim/persistence_suspicious_file_modifications.toml

@@ -0,0 +1,194 @@
+[metadata]
+creation_date = "2024/06/03"
+maturity = "production"
+integration = ["fim"]
+updated_date = "2024/06/03"
+
+[rule]
+author = ["Elastic"]
+description = """
+This rule leverages the File Integrity Monitoring (FIM) integration to detect file modifications of files that are
+commonly used for persistence on Linux systems. The rule detects modifications to files that are commonly used for
+cron jobs, systemd services, message-of-the-day (MOTD), SSH configurations, shell configurations, runtime control,
+init daemon, passwd/sudoers/shadow files, Systemd udevd, and XDG/KDE autostart entries. To leverage this rule, the
+paths specified in the query need to be added to the FIM policy in the Elastic Security app.
+"""
+from = "now-9m"
+index = ["logs-fim.event-*", "auditbeat-*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Potential Persistence via File Modification"
+risk_score = 21
+rule_id = "192657ba-ab0e-4901-89a2-911d611eee98"
+setup = """
+## Setup
+
+This rule requires data coming in from the Elastic File Integrity Monitoring (FIM) integration.
+
+### Elastic FIM Integration Setup
+To configure the Elastic FIM integration, follow these steps:
+
+1. Install and configure the Elastic Agent on your Linux system. You can refer to the [Elastic Agent documentation](https://www.elastic.co/guide/en/ingest-management/current/agent-configuration.html) for detailed instructions.
+2. Once the Elastic Agent is installed, navigate to the Elastic Security app in Kibana.
+3. In the Kibana home page, click on "Integrations" in the left sidebar.
+4. Search for "File Integrity Monitoring" in the search bar and select the integration.
+6. Provide a name and optional description for the integration.
+7. Select the appropriate agent policy for your Linux system or create a new one.
+8. Configure the FIM policy by specifying the paths that you want to monitor for file modifications. You can use the same paths mentioned in the `query` field of the rule. Note that FIM does not accept wildcards in the paths, so you need to specify the exact paths you want to monitor.
+9. Save the configuration and the Elastic Agent will start monitoring the specified paths for file modifications.
+
+For more details on configuring the Elastic FIM integration, you can refer to the [Elastic FIM documentation](https://docs.elastic.co/integrations/fim).
+"""
+severity = "low"
+tags = [
+    "Domain: Endpoint",
+    "OS: Linux",
+    "Use Case: Threat Detection",
+    "Tactic: Persistence",
+    "Tactic: Privilege Escalation",
+    "Data Source: File Integrity Monitoring"
+]
+timestamp_override = "event.ingested"
+type = "eql"
+query = '''
+file where host.os.type == "linux" and event.dataset == "fim.event" and event.action == "updated" and
+file.path : (
+  // cron, anacron & at
+  "/etc/cron.d/*", "/etc/cron.daily/*", "/etc/cron.hourly/*", "/etc/cron.monthly/*",
+  "/etc/cron.weekly/*", "/etc/crontab", "/var/spool/cron/crontabs/*", "/etc/cron.allow",
+  "/etc/cron.deny",  "/var/spool/anacron/*", "/var/spool/cron/atjobs/*",
+
+  // systemd services & timers
+  "/etc/systemd/system/*", "/usr/local/lib/systemd/system/*", "/lib/systemd/system/*",
+  "/usr/lib/systemd/system/*", "/home/*/.config/systemd/user/*", "/home/*/.local/share/systemd/user/*",
+  "/root/.config/systemd/user/*", "/root/.local/share/systemd/user/*",
+
+  // LD_PRELOAD
+  "/etc/ld.so.preload", "/etc/ld.so.conf.d/*", "/etc/ld.so.conf",
+
+  // message-of-the-day (MOTD)
+  "/etc/update-motd.d/*",
+
+  // SSH
+  "/home/*/.ssh/*", "/root/.ssh/*", "/etc/ssh/*",
+
+  // system-wide shell configurations
+  "/etc/profile", "/etc/profile.d/*", "/etc/bash.bashrc", "/etc/zsh/*", "/etc/csh.cshrc",
+  "/etc/csh.login", "/etc/fish/config.fish", "/etc/ksh.kshrc",
+
+  // root and user shell configurations
+  "/home/*/.profile", "/home/*/.bashrc", "/home/*/.bash_login", "/home/*/.bash_logout",
+  "/root/.profile", "/root/.bashrc", "/root/.bash_login", "/root/.bash_logout",
+  "/home/*/.zprofile", "/home/*/.zshrc", "/root/.zprofile", "/root/.zshrc",
+  "/home/*/.cshrc", "/home/*/.login", "/home/*/.logout", "/root/.cshrc", "/root/.login", "/root/.logout",
+  "/home/*/.config/fish/config.fish", "/root/.config/fish/config.fish",
+  "/home/*/.kshrc", "/root/.kshrc",
+
+  // runtime control
+  "/etc/rc.common", "/etc/rc.local",
+
+  // init daemon
+  "/etc/init.d/*",
+
+  // passwd/sudoers/shadow
+  "/etc/passwd", "/etc/shadow", "/etc/sudoers", "/etc/sudoers.d/*",
+
+  // Systemd udevd
+  "/lib/udev/*", "/etc/udev/rules.d/*", "/usr/lib/udev/rules.d/*", "/run/udev/rules.d/*",
+
+  // XDG/KDE autostart entries
+  "/home/*/.config/autostart/*", "/root/.config/autostart/*", "/etc/xdg/autostart/*", "/usr/share/autostart/*",
+  "/home/*/.kde/Autostart/*", "/root/.kde/Autostart/*",
+  "/home/*/.kde4/Autostart/*", "/root/.kde4/Autostart/*",
+  "/home/*/.kde/share/autostart/*", "/root/.kde/share/autostart/*",
+  "/home/*/.kde4/share/autostart/*", "/root/.kde4/share/autostart/*",
+  "/home/*/.local/share/autostart/*", "/root/.local/share/autostart/*",
+  "/home/*/.config/autostart-scripts/*", "/root/.config/autostart-scripts/*"
+) and not (
+  file.path : (
+    "/var/spool/cron/crontabs/tmp.*", "/run/udev/rules.d/*rules.*", "/home/*/.ssh/known_hosts.*", "/root/.ssh/known_hosts.*"
+  ) or
+  file.extension in ("dpkg-new", "dpkg-remove", "SEQ")
+)
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1037"
+name = "Boot or Logon Initialization Scripts"
+reference = "https://attack.mitre.org/techniques/T1037/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1037.004"
+name = "RC Scripts"
+reference = "https://attack.mitre.org/techniques/T1037/004/"
+
+[[rule.threat.technique]]
+id = "T1543"
+name = "Create or Modify System Process"
+reference = "https://attack.mitre.org/techniques/T1543/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1543.002"
+name = "Systemd Service"
+reference = "https://attack.mitre.org/techniques/T1543/002/"
+
+[[rule.threat.technique]]
+id = "T1556"
+name = "Modify Authentication Process"
+reference = "https://attack.mitre.org/techniques/T1556/"
+
+[[rule.threat.technique]]
+id = "T1574"
+name = "Hijack Execution Flow"
+reference = "https://attack.mitre.org/techniques/T1574/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1574.006"
+name = "Dynamic Linker Hijacking"
+reference = "https://attack.mitre.org/techniques/T1574/006/"
+
+[[rule.threat.technique]]
+id = "T1136"
+name = "Create Account"
+reference = "https://attack.mitre.org/techniques/T1136/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1136.001"
+name = "Local Account"
+reference = "https://attack.mitre.org/techniques/T1136/001/"
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1053"
+name = "Scheduled Task/Job"
+reference = "https://attack.mitre.org/techniques/T1053/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1053.003"
+name = "Cron"
+reference = "https://attack.mitre.org/techniques/T1053/003/"
+
+[[rule.threat.technique]]
+id = "T1548"
+name = "Abuse Elevation Control Mechanism"
+reference = "https://attack.mitre.org/techniques/T1548/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1548.003"
+name = "Sudo and Sudo Caching"
+reference = "https://attack.mitre.org/techniques/T1548/003/"
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"

tests/test_all_rules.py

@@ -311,6 +311,7 @@ class TestRuleTags(BaseRuleTest):
             'logs-windows.sysmon_operational-*': {'all': ['Data Source: Sysmon']},
             'logs-windows.powershell*': {'all': ['Data Source: PowerShell Logs']},
             'logs-sentinel_one_cloud_funnel.*': {'all': ['Data Source: SentinelOne']},
+            'logs-fim.event-*': {'all': ['Data Source: File Integrity Monitoring']}
         }
 
         for rule in self.all_rules: