Ruben Groenewoud
26258f806a
* [New Rules] Persistence through MOTD * fixed unit error test by adding timestamp_override * Update rules/linux/persistence_message_of_the_day_execution.toml Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> * Update rules/linux/persistence_message_of_the_day_creation.toml Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> * added host.os.type == "linux" * removed ability to bypass chmod by using e.g. 700 * Added endgame support, changed query * Changed query * updated risk_score * added OSQuery to investigation guides * Update rules/linux/persistence_message_of_the_day_creation.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/linux/persistence_message_of_the_day_creation.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/linux/persistence_message_of_the_day_creation.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/linux/persistence_message_of_the_day_creation.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/linux/persistence_message_of_the_day_creation.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/linux/persistence_message_of_the_day_creation.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * removed investigation guides to add in future PR * removed investigation guide tag * Changed rule to new terms rule for FP reduction * Update rules/linux/persistence_message_of_the_day_creation.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> --------- Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
61 lines
2.2 KiB
TOML
61 lines
2.2 KiB
TOML
[metadata]
|
|
creation_date = "2023/02/28"
|
|
integration = ["endpoint"]
|
|
maturity = "production"
|
|
min_stack_comments = "New fields added: required_fields, related_integrations, setup, New Term"
|
|
min_stack_version = "8.6.0"
|
|
updated_date = "2023/04/05"
|
|
|
|
[rule]
|
|
author = ["Elastic"]
|
|
description = """
|
|
Message of the day (MOTD) is the message that is presented to the user when a user connects to a Linux server via SSH or
|
|
a serial connection. Linux systems contain several default MOTD files located in the "/etc/update-motd.d/" and
|
|
"/usr/lib/update-notifier/" directories. These scripts run as the root user every time a user connects over SSH or a
|
|
serial connection. Adversaries may create malicious MOTD files that grant them persistence onto the target every time a
|
|
user connects to the system by executing a backdoor script or command. This rule detects the creation of potentially
|
|
malicious files within the default MOTD file directories.
|
|
"""
|
|
from = "now-9m"
|
|
index = ["logs-endpoint.events.*", "endgame-*"]
|
|
language = "kuery"
|
|
license = "Elastic License v2"
|
|
name = "Potential Persistence Through MOTD File Creation Detected"
|
|
references = [
|
|
"https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#10-boot-or-logon-initialization-scripts-motd"
|
|
]
|
|
risk_score = 47
|
|
rule_id = "96d11d31-9a79-480f-8401-da28b194608f"
|
|
severity = "medium"
|
|
tags = ["Elastic", "Host", "Linux", "Threat Detection", "Persistence", "Elastic Endgame"]
|
|
type = "new_terms"
|
|
|
|
query = '''
|
|
host.os.type :"linux" and event.action:("creation" or "file_create_event" or "rename" or "file_rename_event") and
|
|
file.path : (/etc/update-motd.d/* or /usr/lib/update-notifier/*) and not
|
|
process.executable : ("/usr/bin/dpkg" or "/usr/bin/dockerd" or "/bin/rpm") and not
|
|
file.extension : "swp"
|
|
'''
|
|
|
|
|
|
[[rule.threat]]
|
|
framework = "MITRE ATT&CK"
|
|
[[rule.threat.technique]]
|
|
id = "T1037"
|
|
name = "Boot or Logon Initialization Scripts"
|
|
reference = "https://attack.mitre.org/techniques/T1037/"
|
|
|
|
|
|
|
|
[rule.threat.tactic]
|
|
id = "TA0003"
|
|
name = "Persistence"
|
|
reference = "https://attack.mitre.org/tactics/TA0003/"
|
|
|
|
|
|
[rule.new_terms]
|
|
field = "new_terms_fields"
|
|
value = ["file.path", "process.name"]
|
|
[[rule.new_terms.history_window_start]]
|
|
field = "history_window_start"
|
|
value = "now-7d" |