Potential Persistence via File Modification
This rule leverages the File Integrity Monitoring (FIM) integration to detect file modifications of files that are commonly used for persistence on Linux systems. The rule detects modifications to files that are commonly used for cron jobs, systemd services, message-of-the-day (MOTD), SSH configurations, shell configurations, runtime control, init daemon, passwd/sudoers/shadow files, Systemd udevd, and XDG/KDE autostart entries. To leverage this rule, the paths specified in the query need to be added to the FIM policy in the Elastic Security app.
# Prebuilt Elastic detection rule (detection-rules repository format):
# [metadata] is repository bookkeeping, [rule] is the object shipped to Kibana.
[metadata]
creation_date = "2024/06/03"
integration = ["fim"]
maturity = "production"
updated_date = "2024/09/23"

[rule]
author = ["Elastic"]
description = """
This rule leverages the File Integrity Monitoring (FIM) integration to detect file modifications of files that are
commonly used for persistence on Linux systems. The rule detects modifications to files that are commonly used for cron
jobs, systemd services, message-of-the-day (MOTD), SSH configurations, shell configurations, runtime control, init
daemon, passwd/sudoers/shadow files, Systemd udevd, and XDG/KDE autostart entries. To leverage this rule, the paths
specified in the query need to be added to the FIM policy in the Elastic Security app.
"""
# Lookback window; paired with the event.ingested override further down, presumably so that
# events that arrive late are still evaluated instead of falling outside the window.
from = "now-9m"
# NOTE(review): the query pins event.dataset to "fim.event", which is what the Elastic Agent FIM
# integration writes to logs-fim.event-*. Auditbeat's file_integrity module is believed to label its
# events with a different event.dataset, so the auditbeat-* pattern may never yield a match —
# confirm against a real auditbeat document before relying on that index for coverage.
index = ["logs-fim.event-*", "auditbeat-*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Persistence via File Modification"
references = [
 "https://www.elastic.co/security-labs/primer-on-persistence-mechanisms",
 "https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms",
]
# Low by design: package upgrades and routine administration touch the same paths, so expect this
# to be a triage signal to correlate with process and user context rather than a standalone alert.
risk_score = 21
rule_id = "192657ba-ab0e-4901-89a2-911d611eee98"
setup = """## Setup

This rule requires data coming in from the Elastic File Integrity Monitoring (FIM) integration.

### Elastic FIM Integration Setup
To configure the Elastic FIM integration, follow these steps:

1. Install and configure the Elastic Agent on your Linux system. You can refer to the [Elastic Agent documentation](https://www.elastic.co/guide/en/fleet/current/elastic-agent-installation.html) for detailed instructions.
2. Once the Elastic Agent is installed, navigate to the Elastic Security app in Kibana.
3. In the Kibana home page, click on "Integrations" in the left sidebar.
4. Search for "File Integrity Monitoring" in the search bar and select the integration.
5. Provide a name and optional description for the integration.
6. Select the appropriate agent policy for your Linux system or create a new one.
7. Configure the FIM policy by specifying the paths that you want to monitor for file modifications. You can use the same paths mentioned in the `query` field of the rule. Note that FIM does not accept wildcards in the paths, so you need to specify the exact paths you want to monitor.
8. Save the configuration and the Elastic Agent will start monitoring the specified paths for file modifications.

For more details on configuring the Elastic FIM integration, you can refer to the [Elastic FIM documentation](https://docs.elastic.co/integrations/fim).
"""
severity = "low"
tags = [
 "Domain: Endpoint",
 "OS: Linux",
 "Use Case: Threat Detection",
 "Tactic: Persistence",
 "Tactic: Privilege Escalation",
 "Data Source: File Integrity Monitoring",
]
timestamp_override = "event.ingested"
type = "eql"

# Scope notes on the EQL below (the query text itself is unchanged):
# - Only event.action "updated" is matched. FIM can also report other actions (for example
#   created and attributes_modified); whether those are handled by a companion rule should be
#   confirmed before treating this rule as complete persistence coverage.
# - FIM does not expand wildcards (see setup), so each "/dir/*" pattern here only ever matches if
#   the corresponding directory has been added to the FIM policy.
# - The exclusions drop what look like package-manager staging files (dpkg-new, dpkg-remove), the
#   crontab editor's tmp.* scratch file and ssh's known_hosts.* rewrite files. Review any local
#   additions to this list carefully: an over-broad exclusion silently removes coverage.
query = '''
file where host.os.type == "linux" and event.dataset == "fim.event" and event.action == "updated" and
file.path : (
 // cron, anacron & at
 "/etc/cron.d/*", "/etc/cron.daily/*", "/etc/cron.hourly/*", "/etc/cron.monthly/*",
 "/etc/cron.weekly/*", "/etc/crontab", "/var/spool/cron/crontabs/*", "/etc/cron.allow",
 "/etc/cron.deny", "/var/spool/anacron/*", "/var/spool/cron/atjobs/*",

 // systemd services & timers
 "/etc/systemd/system/*", "/usr/local/lib/systemd/system/*", "/lib/systemd/system/*",
 "/usr/lib/systemd/system/*", "/home/*/.config/systemd/user/*", "/home/*/.local/share/systemd/user/*",
 "/root/.config/systemd/user/*", "/root/.local/share/systemd/user/*",

 // LD_PRELOAD
 "/etc/ld.so.preload", "/etc/ld.so.conf.d/*", "/etc/ld.so.conf",

 // message-of-the-day (MOTD)
 "/etc/update-motd.d/*",

 // SSH
 "/home/*/.ssh/*", "/root/.ssh/*", "/etc/ssh/*",

 // system-wide shell configurations
 "/etc/profile", "/etc/profile.d/*", "/etc/bash.bashrc", "/etc/zsh/*", "/etc/csh.cshrc",
 "/etc/csh.login", "/etc/fish/config.fish", "/etc/ksh.kshrc",

 // root and user shell configurations
 "/home/*/.profile", "/home/*/.bashrc", "/home/*/.bash_login", "/home/*/.bash_logout",
 "/root/.profile", "/root/.bashrc", "/root/.bash_login", "/root/.bash_logout",
 "/home/*/.zprofile", "/home/*/.zshrc", "/root/.zprofile", "/root/.zshrc",
 "/home/*/.cshrc", "/home/*/.login", "/home/*/.logout", "/root/.cshrc", "/root/.login", "/root/.logout",
 "/home/*/.config/fish/config.fish", "/root/.config/fish/config.fish",
 "/home/*/.kshrc", "/root/.kshrc",

 // runtime control
 "/etc/rc.common", "/etc/rc.local",

 // System V init/Upstart
 "/etc/init.d/*", "/etc/init/*",

 // passwd/sudoers/shadow
 "/etc/passwd", "/etc/shadow", "/etc/sudoers", "/etc/sudoers.d/*",

 // Systemd udevd
 "/lib/udev/*", "/etc/udev/rules.d/*", "/usr/lib/udev/rules.d/*", "/run/udev/rules.d/*", "/usr/local/lib/udev/rules.d/*",

 // XDG/KDE autostart entries
 "/home/*/.config/autostart/*", "/root/.config/autostart/*", "/etc/xdg/autostart/*", "/usr/share/autostart/*",
 "/home/*/.kde/Autostart/*", "/root/.kde/Autostart/*",
 "/home/*/.kde4/Autostart/*", "/root/.kde4/Autostart/*",
 "/home/*/.kde/share/autostart/*", "/root/.kde/share/autostart/*",
 "/home/*/.kde4/share/autostart/*", "/root/.kde4/share/autostart/*",
 "/home/*/.local/share/autostart/*", "/root/.local/share/autostart/*",
 "/home/*/.config/autostart-scripts/*", "/root/.config/autostart-scripts/*"
) and not (
 file.path : (
 "/var/spool/cron/crontabs/tmp.*", "/run/udev/rules.d/*rules.*", "/home/*/.ssh/known_hosts.*", "/root/.ssh/known_hosts.*"
 ) or
 file.extension in ("dpkg-new", "dpkg-remove", "SEQ")
)
'''

# MITRE ATT&CK mapping. One [[rule.threat]] entry per tactic; the technique list under an entry
# belongs to that tactic. The tactic and each sub-technique list are written as inline tables,
# which parses to the same structure as the equivalent [rule.threat.tactic] and
# [[rule.threat.technique.subtechnique]] headers.
[[rule.threat]]
framework = "MITRE ATT&CK"
tactic = { id = "TA0003", name = "Persistence", reference = "https://attack.mitre.org/tactics/TA0003/" }

[[rule.threat.technique]]
id = "T1037"
name = "Boot or Logon Initialization Scripts"
reference = "https://attack.mitre.org/techniques/T1037/"
subtechnique = [{ id = "T1037.004", name = "RC Scripts", reference = "https://attack.mitre.org/techniques/T1037/004/" }]

[[rule.threat.technique]]
id = "T1136"
name = "Create Account"
reference = "https://attack.mitre.org/techniques/T1136/"
subtechnique = [{ id = "T1136.001", name = "Local Account", reference = "https://attack.mitre.org/techniques/T1136/001/" }]

[[rule.threat.technique]]
id = "T1543"
name = "Create or Modify System Process"
reference = "https://attack.mitre.org/techniques/T1543/"
subtechnique = [{ id = "T1543.002", name = "Systemd Service", reference = "https://attack.mitre.org/techniques/T1543/002/" }]

# No sub-technique is mapped here; the passwd/shadow/sudoers paths are the relevant part of the query.
[[rule.threat.technique]]
id = "T1556"
name = "Modify Authentication Process"
reference = "https://attack.mitre.org/techniques/T1556/"

[[rule.threat.technique]]
id = "T1574"
name = "Hijack Execution Flow"
reference = "https://attack.mitre.org/techniques/T1574/"
subtechnique = [{ id = "T1574.006", name = "Dynamic Linker Hijacking", reference = "https://attack.mitre.org/techniques/T1574/006/" }]

[[rule.threat]]
framework = "MITRE ATT&CK"
tactic = { id = "TA0004", name = "Privilege Escalation", reference = "https://attack.mitre.org/tactics/TA0004/" }

[[rule.threat.technique]]
id = "T1053"
name = "Scheduled Task/Job"
reference = "https://attack.mitre.org/techniques/T1053/"
subtechnique = [{ id = "T1053.003", name = "Cron", reference = "https://attack.mitre.org/techniques/T1053/003/" }]

[[rule.threat.technique]]
id = "T1548"
name = "Abuse Elevation Control Mechanism"
reference = "https://attack.mitre.org/techniques/T1548/"
subtechnique = [{ id = "T1548.003", name = "Sudo and Sudo Caching", reference = "https://attack.mitre.org/techniques/T1548/003/" }]
References
Related rules
- At Job Created or Modified
- Potential Sudo Hijacking
- Systemd Service Started by Unusual Parent Process
- Process Capability Set via setcap Utility
- Potential Suspicious File Edit