[metadata] creation_date = "2022/07/22" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" updated_date = "2023/08/24" integration = ["endpoint"] [rule] author = ["Elastic"] description = """ Detects the manual creation of files in specific etc directories, via user root, used by Linux malware to persist and elevate privileges on compromised systems. File creation in these directories should not be entirely common and could indicate a malicious binary or script installing persistence mechanisms for long term access. """ from = "now-9m" index = ["logs-endpoint.events.*", "endgame-*"] language = "eql" license = "Elastic License v2" name = "Suspicious File Creation in /etc for Persistence" references = [ "https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/", "https://www.intezer.com/blog/research/lightning-framework-new-linux-threat/" ] risk_score = 47 rule_id = "1c84dd64-7e6c-4bad-ac73-a5014ee37042" severity = "medium" tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Threat: Orbit", "Threat: Lightning Framework", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] timestamp_override = "event.ingested" type = "eql" query = ''' file where host.os.type == "linux" and event.type in ("creation", "file_create_event") and user.name == "root" and file.path : ("/etc/ld.so.conf.d/*", "/etc/cron.d/*", "/etc/sudoers.d/*", "/etc/rc.d/init.d/*", "/etc/systemd/system/*", "/usr/lib/systemd/system/*") and not process.executable : ("*/dpkg", "*/yum", "*/apt", "*/dnf", "*/rpm", "*/systemd", "*/snapd", "*/dnf-automatic","*/yum-cron", "*/elastic-agent", "*/dnfdaemon-system", "*/bin/dockerd", "*/sbin/dockerd", "/kaniko/executor", "/usr/sbin/rhn_check") and not file.extension in ("swp", "swpx", "tmp") ''' [[rule.threat]] framework = "MITRE ATT&CK" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" [[rule.threat.technique]] id = "T1037" name = "Boot or Logon Initialization Scripts" reference = "https://attack.mitre.org/techniques/T1037/" [[rule.threat.technique.subtechnique]] id = "T1037.004" name = "RC Scripts" reference = "https://attack.mitre.org/techniques/T1037/004/" [[rule.threat.technique]] id = "T1574" name = "Hijack Execution Flow" reference = "https://attack.mitre.org/techniques/T1574/" [[rule.threat.technique.subtechnique]] id = "T1574.006" name = "Dynamic Linker Hijacking" reference = "https://attack.mitre.org/techniques/T1574/006/" [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" [[rule.threat.technique.subtechnique]] id = "T1543.002" name = "Systemd Service" reference = "https://attack.mitre.org/techniques/T1543/002/" [[rule.threat]] framework = "MITRE ATT&CK" [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" [[rule.threat.technique]] id = "T1053" name = "Scheduled Task/Job" reference = "https://attack.mitre.org/techniques/T1053/" [[rule.threat.technique.subtechnique]] id = "T1053.003" name = "Cron" reference = "https://attack.mitre.org/techniques/T1053/003/" [[rule.threat]] framework = "MITRE ATT&CK" [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" [[rule.threat.technique]] id = "T1548" name = "Abuse Elevation Control Mechanism" reference = "https://attack.mitre.org/techniques/T1548/" [[rule.threat.technique.subtechnique]] id = "T1548.003" name = "Sudo and Sudo Caching" reference = "https://attack.mitre.org/techniques/T1548/003/"