[New Rule] Shell Profile Modification (#878)

* [New Rule] Shell Profile Modification * added auditbeat index * Update persistence_shell_profile_modification.toml * excluding noisy processes * Update rules/cross-platform/persistence_shell_profile_modification.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/cross-platform/persistence_shell_profile_modification.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/cross-platform/persistence_shell_profile_modification.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * relinted * Update rules/cross-platform/persistence_shell_profile_modification.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * added note short desc * Update persistence_shell_profile_modification.toml * added FPs note Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2021-02-10 17:44:15 +01:00
parent 9421ccfad7
commit f13e9ce0d0
1 changed files with 71 additions and 0 deletions
@@ -0,0 +1,71 @@
+[metadata]
+creation_date = "2021/01/19"
+maturity = "production"
+updated_date = "2021/01/19"
+
+[rule]
+author = ["Elastic"]
+description = """
+Both ~/.bash_profile and ~/.bashrc are files containing shell commands that are run when Bash is invoked. These files
+are executed in a user's context, either interactively or non-interactively, when a user logs in so that their
+environment is set correctly. Adversaries may abuse this to establish persistence by executing malicious content
+triggered by a user’s shell.
+"""
+false_positives = ["Changes to the Shell Profile tend to be noisy, a tuning per your environment will be required."]
+from = "now-9m"
+index = ["logs-endpoint.events.*", "auditbeat-*"]
+language = "kuery"
+license = "Elastic License"
+name = "Bash Shell Profile Modification"
+references = ["https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat"]
+risk_score = 47
+rule_id = "e6c1a552-7776-44ad-ae0f-8746cc07773c"
+severity = "medium"
+tags = ["Elastic", "Host", "macOS", "Linux", "Threat Detection", "Execution", "Persistence"]
+type = "query"
+
+query = '''
+event.category:file and event.type:change and
+  process.name:(* and not (sudo or
+                           vim or
+                           zsh or
+                           env or
+                           nano or
+                           bash or
+                           Terminal or
+                           xpcproxy or
+                           login or
+                           cat or
+                           cp or
+                           launchctl or
+                           java)) and
+  not process.executable:(/Applications/* or /private/var/folders/* or /usr/local/*) and
+  file.path:(/private/etc/rc.local or
+             /etc/rc.local or
+             /home/*/.profile or
+             /home/*/.profile1 or
+             /home/*/.bash_profile or
+             /home/*/.bash_profile1 or
+             /home/*/.bashrc or
+             /Users/*/.bash_profile or
+             /Users/*/.zshenv)
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1546"
+name = "Event Triggered Execution"
+reference = "https://attack.mitre.org/techniques/T1546/"
+[[rule.threat.technique.subtechnique]]
+id = "T1546.004"
+name = ".bash_profile and .bashrc"
+reference = "https://attack.mitre.org/techniques/T1546/004/"
+
+
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"