Ruben Groenewoud
26258f806a
* [New Rules] Persistence through MOTD * fixed unit error test by adding timestamp_override * Update rules/linux/persistence_message_of_the_day_execution.toml Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> * Update rules/linux/persistence_message_of_the_day_creation.toml Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> * added host.os.type == "linux" * removed ability to bypass chmod by using e.g. 700 * Added endgame support, changed query * Changed query * updated risk_score * added OSQuery to investigation guides * Update rules/linux/persistence_message_of_the_day_creation.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/linux/persistence_message_of_the_day_creation.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/linux/persistence_message_of_the_day_creation.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/linux/persistence_message_of_the_day_creation.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/linux/persistence_message_of_the_day_creation.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/linux/persistence_message_of_the_day_creation.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * removed investigation guides to add in future PR * removed investigation guide tag * Changed rule to new terms rule for FP reduction * Update rules/linux/persistence_message_of_the_day_creation.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> --------- Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
55 lines
2.0 KiB
TOML
55 lines
2.0 KiB
TOML
[metadata]
|
|
creation_date = "2023/02/28"
|
|
integration = ["endpoint"]
|
|
maturity = "production"
|
|
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
|
min_stack_version = "8.3.0"
|
|
updated_date = "2023/04/03"
|
|
|
|
[rule]
|
|
author = ["Elastic"]
|
|
description = """
|
|
Message of the day (MOTD) is the message that is presented to the user when a user connects to a Linux server via SSH
|
|
or a serial connection. Linux systems contain several default MOTD files located in the "/etc/update-motd.d/" and
|
|
"/usr/lib/update-notifier/" directories. These scripts run as the root user every time a user connects over SSH or a
|
|
serial connection. Adversaries may create malicious MOTD files that grant them persistence onto the target every time a
|
|
user connects to the system by executing a backdoor script or command. This rule detects the execution of potentially
|
|
malicious processes through the MOTD utility.
|
|
"""
|
|
from = "now-9m"
|
|
index = ["logs-endpoint.events.*", "endgame-*"]
|
|
language = "eql"
|
|
license = "Elastic License v2"
|
|
name = "Suspicious Process Spawned from MOTD Detected"
|
|
references = [
|
|
"https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#10-boot-or-logon-initialization-scripts-motd"
|
|
]
|
|
risk_score = 73
|
|
rule_id = "4ec47004-b34a-42e6-8003-376a123ea447"
|
|
severity = "high"
|
|
tags = ["Elastic", "Host", "Linux", "Threat Detection", "Persistence", "Elastic Endgame"]
|
|
timestamp_override = "event.ingested"
|
|
type = "eql"
|
|
|
|
query = '''
|
|
process where host.os.type == "linux" and
|
|
event.type == "start" and event.action : ("exec", "exec_event") and
|
|
process.parent.executable : ("/etc/update-motd.d/*", "/usr/lib/update-notifier/*") and
|
|
process.executable : ("*sh", "python*", "perl", "php*")
|
|
'''
|
|
|
|
|
|
[[rule.threat]]
|
|
framework = "MITRE ATT&CK"
|
|
[[rule.threat.technique]]
|
|
id = "T1037"
|
|
name = "Boot or Logon Initialization Scripts"
|
|
reference = "https://attack.mitre.org/techniques/T1037/"
|
|
|
|
|
|
|
|
[rule.threat.tactic]
|
|
id = "TA0003"
|
|
name = "Persistence"
|
|
reference = "https://attack.mitre.org/tactics/TA0003/"
|