sigma-rules/hunting/linux/queries/persistence_via_rc_local.toml
Terrance DeJesus f0b2cb7c87 [New Hunt] Add Initial Linux Hunting Files (#3847)
* added 'Uncommon Process Execution from Suspicious Directory' hunt

* adds all linux hunting files

* moves linux hunting files to queries folder

* adds generated docs

* fixing windows hunts

* fixing windows hunts

* updated README

* Removed 2, updated a few, changed some names/descriptions and added list of str

* updated windows for language schema changes, regenerated docs; updated README and index

* changed UUIDs to hex only with standard hyphen format

* removing unnecessary docs

* Fixed queries based on Samir feedback

* ++

* regenerating linux docs

* Update hunting/linux/queries/command_and_control_via_network_connections_with_low_occurrence_frequency_for_unique_agents.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update hunting/linux/queries/defense_evasion_via_hidden_process_execution.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update hunting/linux/queries/command_and_control_via_unusual_file_downloads_from_source_addresses.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update hunting/linux/queries/defense_evasion_via_capitalized_process_execution.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update hunting/linux/queries/defense_evasion_via_hidden_process_execution.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Updates

* Update

* Update hunting/linux/queries/command_and_control_via_network_connections_with_low_occurrence_frequency_for_unique_agents.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Updates

* regenerating linux docs

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2024-07-05 20:01:12 +02:00


[hunt]
author = "Elastic"
description = """
This hunt identifies potential persistence mechanisms via rc.local and rc.common on Linux systems. RC scripts are used to start custom applications, services, scripts or commands during start-up. RC scripts have mostly been replaced by Systemd. However, through the "systemd-rc-local-generator", these files can be converted to services that run at boot. The queries monitor file creation or modification events on the /etc/rc.local and /etc/rc.common files, as well as processes started by these scripts. These activities can indicate attempts to establish persistence through rc.local modifications.
"""
integration = ["endpoint", "system"]
uuid = "a95f778f-2193-4a3d-bbbe-7b02d5740638"
name = "Persistence via rc.local/rc.common"
language = ["ES|QL", "SQL"]
license = "Elastic License v2"
notes = [
"This hunt includes multiple ES|QL and OSQuery queries to detect potential persistence mechanisms via rc.local on Linux systems.",
"Detects file creation or modification events in the /etc/rc.local and /etc/rc.common files, which are used for system initialization scripts.",
"Uses EVAL to tag potential persistence events and counts occurrences to identify unusual activity.",
"Monitors processes started by rc.local and rc.common scripts to detect potential persistence mechanisms.",
"Syslog hunting query is provided to complement the detection by analyzing syslog entries related to rc.local and rc.common processes.",
"OSQuery queries are provided to retrieve systemd unit states, startup items, and detailed file information related to rc.local and rc.common."
]
mitre = ["T1037.004", "T1546.003"]
# Five queries: 1-2 are ES|QL against Elastic data streams, 3-5 are osquery
# SQL (SQLite dialect). Each runs on its own; results are meant for triage,
# not alerting, so the thresholds below favour rarity over completeness.
query = [
# Query 1 (ES|QL): file creation/change events on /etc/rc.local or
# /etc/rc.common over the last 30 days, grouped by the writing executable.
# The case() always yields process.name here, because the preceding where
# already restricts file.path to the same two values; pers_count is thus the
# number of such events with a non-null process.name per executable.
# Only executables seen 1-3 times across at most 3 agents are kept (rare writers).
# NOTE(review): file.path is matched by exact equality; an rc.local kept at
# another location, or reached through a symlink, is not counted — confirm
# against the fleet's distribution layout.
'''
from logs-endpoint.events.file-*
| where @timestamp > now() - 30 day
| where host.os.type == "linux" and event.type in ("creation", "change") and (file.path == "/etc/rc.local" or file.path == "/etc/rc.common")
| eval persistence = case(file.path == "/etc/rc.local" or file.path == "/etc/rc.common", process.name, null)
| stats pers_count = count(persistence), agent_count = count_distinct(agent.id) by process.executable
| where pers_count > 0 and pers_count <= 3 and agent_count <= 3
| sort pers_count asc
| limit 100
''',
# Query 2 (ES|QL): syslog lines whose process.name is rc.local or rc.common,
# aggregated by message text; rare messages (fewer than 10 occurrences on at
# most 3 hosts) are listed first.
'''
from logs-system.syslog-*
| where @timestamp > now() - 30 day
| where host.os.type == "linux" and process.name in ("rc.local", "rc.common")
| stats cc = count(), host_count = count_distinct(host.name) by message
| where host_count <= 3 and cc < 10
| sort cc asc
| limit 100
''',
# Query 3 (osquery): state of rc-local.service, the unit that
# systemd-rc-local-generator produces for /etc/rc.local (see description).
# NOTE(review): SQLite accepts "rc-local.service" as a string only because no
# identifier of that name resolves; single quotes, as used in query 5, are the
# unambiguous literal form.
'''
SELECT * FROM systemd_units WHERE id = "rc-local.service"
''',
# Query 4 (osquery): the same unit as reported by the startup_items table.
# Same double-quote caveat as query 3.
'''
SELECT * FROM startup_items WHERE name = "rc-local.service"
''',
# Query 5 (osquery): owner, group, timestamps and size of the two rc files.
# datetime(..., 'unixepoch') renders the epoch-second fields as readable times.
# LEFT JOINs keep the file row even when its uid/gid has no matching
# users/groups entry (owner columns come back NULL in that case). The IN list
# supplies the path constraint the osquery file table needs to be queried.
'''
SELECT
f.filename,
f.path,
u.username AS file_owner,
g.groupname AS group_owner,
datetime(f.atime, 'unixepoch') AS file_last_access_time,
datetime(f.mtime, 'unixepoch') AS file_last_modified_time,
datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,
datetime(f.btime, 'unixepoch') AS file_created_time,
f.size AS size_bytes
FROM
file f
LEFT JOIN
users u ON f.uid = u.uid
LEFT JOIN
groups g ON f.gid = g.gid
WHERE
f.path in ('/etc/rc.local', '/etc/rc.common')
'''
]