diff --git a/rules/linux/persistence_kde_autostart_modification.toml b/rules/linux/persistence_kde_autostart_modification.toml
new file mode 100644
index 000000000..8018c4e2f
--- /dev/null
+++ b/rules/linux/persistence_kde_autostart_modification.toml
@@ -0,0 +1,56 @@
+[metadata]
+creation_date = "2021/01/06"
+maturity = "production"
+updated_date = "2021/01/06"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies the creation or modification of a K Desktop Environment (KDE) AutoStart script or desktop file that will
+execute upon each user logon. Adversaries may abuse this method for persistence.
+"""
+from = "now-9m"
+index = ["auditbeat-*", "logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License"
+name = "Persistence via KDE AutoStart Script or Desktop File Modification"
+references = [
+ "https://userbase.kde.org/System_Settings/Autostart",
+ "https://www.amnesty.org/en/latest/research/2020/09/german-made-finspy-spyware-found-in-egypt-and-mac-and-linux-versions-revealed/",
+ "https://www.intezer.com/blog/research/operation-electrorat-attacker-creates-fake-companies-to-drain-your-crypto-wallets/",
+]
+risk_score = 47
+rule_id = "e3e904b3-0a8e-4e68-86a8-977a163e21d3"
+severity = "medium"
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "Persistence"]
+type = "eql"
+
+query = '''
+file where event.type != "deletion" and
+ file.extension in ("sh", "desktop") and
+ file.path :
+ (
+ "/home/*/.config/autostart/*", "/root/.config/autostart/*",
+ "/home/*/.kde/Autostart/*", "/root/.kde/Autostart/*",
+ "/home/*/.kde4/Autostart/*", "/root/.kde4/Autostart/*",
+ "/home/*/.kde/share/autostart/*", "/root/.kde/share/autostart/*",
+ "/home/*/.kde4/share/autostart/*", "/root/.kde4/share/autostart/*",
+ "/home/*/.local/share/autostart/*", "/root/.local/share/autostart/*",
+ "/home/*/.config/autostart-scripts/*", "/root/.config/autostart-scripts/*",
+ "/etc/xdg/autostart/*", "/usr/share/autostart/*"
+ )
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1547"
+name = "Boot or Logon Autostart Execution"
+reference = "https://attack.mitre.org/techniques/T1547/"
+
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
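Review bot: The `file.extension in ("sh", "desktop")` clause on the second line of the query silently excludes autostart entries with no extension, which matters most for the `.config/autostart-scripts/*` paths the rule itself lists — as I understand the cited KDE reference, anything executable in that directory runs at login, so a dropper written as `~/.config/autostart-scripts/update` would never alert. Consider restricting the extension check to the `.desktop`-style directories only, e.g. `(file.extension in ("sh", "desktop") or file.path : ("/home/*/.config/autostart-scripts/*", "/root/.config/autostart-scripts/*")) and`. Separately, `/etc/xdg/autostart/*` and `/usr/share/autostart/*` are written by package managers on routine desktop-package installs and upgrades, so at `risk_score = 47` this will page on every update unless a tuning clause such as `and not process.name in ("dpkg", "rpm", "dnf", "yum", "pacman")` is added — hedged, because auditbeat FIM events may not carry `process.name` at all, in which case the exclusion is inert there. The description's "KDE" wording is also narrower than the query, which covers the freedesktop XDG autostart directories used by other desktops; a sentence noting that would stop analysts from dismissing hits on GNOME hosts.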