From ffaf689778f1cf267a10d7cf1fae274f0c9e90ad Mon Sep 17 00:00:00 2001
From: Samirbous <64742097+Samirbous@users.noreply.github.com>
Date: Tue, 9 Feb 2021 10:47:05 +0100
Subject: [PATCH] =?UTF-8?q?[New=20Rule]=20Persistence=20via=20KDE=20AutoSt?=
 =?UTF-8?q?art=20Script=20or=20Desktop=20File=20Modif=E2=80=A6=20(#809)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* [New Rule] Persistence via KDE AutoStart Script or Desktop File Modification
* Update persistence_kde_autostart_modification.toml
* Update rules/linux/persistence_kde_autostart_modification.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* Update rules/linux/persistence_kde_autostart_modification.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* relinted
* Update rules/linux/persistence_kde_autostart_modification.toml
Co-authored-by: Justin Ibarra
* format
* date
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra
---
 ...ersistence_kde_autostart_modification.toml | 56 +++++++++++++++++++
 1 file changed, 56 insertions(+)
 create mode 100644 rules/linux/persistence_kde_autostart_modification.toml

diff --git a/rules/linux/persistence_kde_autostart_modification.toml b/rules/linux/persistence_kde_autostart_modification.toml
new file mode 100644
index 000000000..8018c4e2f
--- /dev/null
+++ b/rules/linux/persistence_kde_autostart_modification.toml
@@ -0,0 +1,56 @@
+[metadata]
+creation_date = "2021/01/06"
+maturity = "production"
+updated_date = "2021/01/06"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies the creation or modification of a K Desktop Environment (KDE) AutoStart script or desktop file that will
+execute upon each user logon. Adversaries may abuse this method for persistence.
+"""
+from = "now-9m"
+index = ["auditbeat-*", "logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License"
+name = "Persistence via KDE AutoStart Script or Desktop File Modification"
+references = [
+ "https://userbase.kde.org/System_Settings/Autostart",
+ "https://www.amnesty.org/en/latest/research/2020/09/german-made-finspy-spyware-found-in-egypt-and-mac-and-linux-versions-revealed/",
+ "https://www.intezer.com/blog/research/operation-electrorat-attacker-creates-fake-companies-to-drain-your-crypto-wallets/",
+]
+risk_score = 47
+rule_id = "e3e904b3-0a8e-4e68-86a8-977a163e21d3"
+severity = "medium"
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "Persistence"]
+type = "eql"
+
+query = '''
+file where event.type != "deletion" and
+ file.extension in ("sh", "desktop") and
+ file.path :
+ (
+ "/home/*/.config/autostart/*", "/root/.config/autostart/*",
+ "/home/*/.kde/Autostart/*", "/root/.kde/Autostart/*",
+ "/home/*/.kde4/Autostart/*", "/root/.kde4/Autostart/*",
+ "/home/*/.kde/share/autostart/*", "/root/.kde/share/autostart/*",
+ "/home/*/.kde4/share/autostart/*", "/root/.kde4/share/autostart/*",
+ "/home/*/.local/share/autostart/*", "/root/.local/share/autostart/*",
+ "/home/*/.config/autostart-scripts/*", "/root/.config/autostart-scripts/*",
+ "/etc/xdg/autostart/*", "/usr/share/autostart/*"
+ )
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1547"
+name = "Boot or Logon Autostart Execution"
+reference = "https://attack.mitre.org/techniques/T1547/"
+
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
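Review bot: The `file.extension in ("sh", "desktop")` clause in the query narrows coverage more than the description ("AutoStart script or desktop file") suggests: if KDE runs any executable placed under `autostart-scripts` regardless of its name, a script written there without an `.sh` suffix produces no alert, so the extension filter is a visible detection gap rather than a precision gain for those two paths. Consider relaxing the constraint for the `.config/autostart-scripts/*` paths, or at least recording the trade-off in the rule so the next maintainer does not read the filter as intentional coverage. The `/etc/xdg/autostart/*` and `/usr/share/autostart/*` paths are routinely written by package installs and upgrades, so an entry such as `false_positives = ["Package installation or upgrade that adds or updates .desktop entries under /etc/xdg/autostart or /usr/share/autostart."]` under `[rule]` would help triage. The `index` list also includes `auditbeat-*`; whether those file events populate `file.extension` is worth confirming, since the query silently matches nothing when the field is absent.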