From f13e9ce0d0cff2ea9b2b16769fdfff2af1f72c72 Mon Sep 17 00:00:00 2001 From: Samirbous <64742097+Samirbous@users.noreply.github.com> Date: Wed, 10 Feb 2021 17:44:15 +0100 Subject: [PATCH] [New Rule] Shell Profile Modification (#878) * [New Rule] Shell Profile Modification * added auditbeat index * Update persistence_shell_profile_modification.toml * excluding noisy processes * Update rules/cross-platform/persistence_shell_profile_modification.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/cross-platform/persistence_shell_profile_modification.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/cross-platform/persistence_shell_profile_modification.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * relinted * Update rules/cross-platform/persistence_shell_profile_modification.toml Co-authored-by: Justin Ibarra * added note short desc * Update persistence_shell_profile_modification.toml * added FPs note Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: Justin Ibarra --- ...ersistence_shell_profile_modification.toml | 71 +++++++++++++++++++ 1 file changed, 71 insertions(+) create mode 100644 rules/cross-platform/persistence_shell_profile_modification.toml diff --git a/rules/cross-platform/persistence_shell_profile_modification.toml b/rules/cross-platform/persistence_shell_profile_modification.toml new file mode 100644 index 000000000..9057a5262 --- /dev/null +++ b/rules/cross-platform/persistence_shell_profile_modification.toml @@ -0,0 +1,71 @@ +[metadata] +creation_date = "2021/01/19" +maturity = "production" +updated_date = "2021/01/19" + +[rule] +author = ["Elastic"] +description = """ +Both ~/.bash_profile and ~/.bashrc are files containing shell commands that are run when Bash is invoked. These files +are executed in a user's context, either interactively or non-interactively, when a user logs in so that their +environment is set correctly. Adversaries may abuse this to establish persistence by executing malicious content +triggered by a user’s shell. +""" +false_positives = ["Changes to the Shell Profile tend to be noisy, a tuning per your environment will be required."] +from = "now-9m" +index = ["logs-endpoint.events.*", "auditbeat-*"] +language = "kuery" +license = "Elastic License" +name = "Bash Shell Profile Modification" +references = ["https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat"] +risk_score = 47 +rule_id = "e6c1a552-7776-44ad-ae0f-8746cc07773c" +severity = "medium" +tags = ["Elastic", "Host", "macOS", "Linux", "Threat Detection", "Execution", "Persistence"] +type = "query" + +query = ''' +event.category:file and event.type:change and + process.name:(* and not (sudo or + vim or + zsh or + env or + nano or + bash or + Terminal or + xpcproxy or + login or + cat or + cp or + launchctl or + java)) and + not process.executable:(/Applications/* or /private/var/folders/* or /usr/local/*) and + file.path:(/private/etc/rc.local or + /etc/rc.local or + /home/*/.profile or + /home/*/.profile1 or + /home/*/.bash_profile or + /home/*/.bash_profile1 or + /home/*/.bashrc or + /Users/*/.bash_profile or + /Users/*/.zshenv) +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1546" +name = "Event Triggered Execution" +reference = "https://attack.mitre.org/techniques/T1546/" +[[rule.threat.technique.subtechnique]] +id = "T1546.004" +name = ".bash_profile and .bashrc" +reference = "https://attack.mitre.org/techniques/T1546/004/" + + + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/"