Samirbous
f13e9ce0d0
* [New Rule] Shell Profile Modification * added auditbeat index * Update persistence_shell_profile_modification.toml * excluding noisy processes * Update rules/cross-platform/persistence_shell_profile_modification.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/cross-platform/persistence_shell_profile_modification.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/cross-platform/persistence_shell_profile_modification.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * relinted * Update rules/cross-platform/persistence_shell_profile_modification.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * added note short desc * Update persistence_shell_profile_modification.toml * added FPs note Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
72 lines
2.4 KiB
TOML
72 lines
2.4 KiB
TOML
[metadata]
|
||
creation_date = "2021/01/19"
|
||
maturity = "production"
|
||
updated_date = "2021/01/19"
|
||
|
||
[rule]
|
||
author = ["Elastic"]
|
||
description = """
|
||
Both ~/.bash_profile and ~/.bashrc are files containing shell commands that are run when Bash is invoked. These files
|
||
are executed in a user's context, either interactively or non-interactively, when a user logs in so that their
|
||
environment is set correctly. Adversaries may abuse this to establish persistence by executing malicious content
|
||
triggered by a user’s shell.
|
||
"""
|
||
false_positives = ["Changes to the Shell Profile tend to be noisy, a tuning per your environment will be required."]
|
||
from = "now-9m"
|
||
index = ["logs-endpoint.events.*", "auditbeat-*"]
|
||
language = "kuery"
|
||
license = "Elastic License"
|
||
name = "Bash Shell Profile Modification"
|
||
references = ["https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat"]
|
||
risk_score = 47
|
||
rule_id = "e6c1a552-7776-44ad-ae0f-8746cc07773c"
|
||
severity = "medium"
|
||
tags = ["Elastic", "Host", "macOS", "Linux", "Threat Detection", "Execution", "Persistence"]
|
||
type = "query"
|
||
|
||
query = '''
|
||
event.category:file and event.type:change and
|
||
process.name:(* and not (sudo or
|
||
vim or
|
||
zsh or
|
||
env or
|
||
nano or
|
||
bash or
|
||
Terminal or
|
||
xpcproxy or
|
||
login or
|
||
cat or
|
||
cp or
|
||
launchctl or
|
||
java)) and
|
||
not process.executable:(/Applications/* or /private/var/folders/* or /usr/local/*) and
|
||
file.path:(/private/etc/rc.local or
|
||
/etc/rc.local or
|
||
/home/*/.profile or
|
||
/home/*/.profile1 or
|
||
/home/*/.bash_profile or
|
||
/home/*/.bash_profile1 or
|
||
/home/*/.bashrc or
|
||
/Users/*/.bash_profile or
|
||
/Users/*/.zshenv)
|
||
'''
|
||
|
||
|
||
[[rule.threat]]
|
||
framework = "MITRE ATT&CK"
|
||
[[rule.threat.technique]]
|
||
id = "T1546"
|
||
name = "Event Triggered Execution"
|
||
reference = "https://attack.mitre.org/techniques/T1546/"
|
||
[[rule.threat.technique.subtechnique]]
|
||
id = "T1546.004"
|
||
name = ".bash_profile and .bashrc"
|
||
reference = "https://attack.mitre.org/techniques/T1546/004/"
|
||
|
||
|
||
|
||
[rule.threat.tactic]
|
||
id = "TA0003"
|
||
name = "Persistence"
|
||
reference = "https://attack.mitre.org/tactics/TA0003/"
|