Potential Persistence via File Modification

This rule leverages the File Integrity Monitoring (FIM) integration to detect file modifications of files that are commonly used for persistence on Linux systems. The rule detects modifications to files that are commonly used for cron jobs, systemd services, message-of-the-day (MOTD), SSH configurations, shell configurations, runtime control, init daemon, passwd/sudoers/shadow files, Systemd udevd, and XDG/KDE autostart entries. To leverage this rule, the paths specified in the query need to be added to the FIM policy in the Elastic Security app.

Elastic rule

[metadata]
creation_date = "2024/06/03"
integration = ["fim"]
maturity = "production"
updated_date = "2025/12/04"

[rule]
author = ["Elastic"]
description = """
This rule leverages the File Integrity Monitoring (FIM) integration to detect file modifications of files that are
commonly used for persistence on Linux systems. The rule detects modifications to files that are commonly used for cron
jobs, systemd services, message-of-the-day (MOTD), SSH configurations, shell configurations, runtime control, init
daemon, passwd/sudoers/shadow files, Systemd udevd, and XDG/KDE autostart entries. To leverage this rule, the paths
specified in the query need to be added to the FIM policy in the Elastic Security app.
"""
from = "now-9m"
index = ["logs-fim.event-*", "auditbeat-*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Persistence via File Modification"
references = [
    "https://www.elastic.co/security-labs/primer-on-persistence-mechanisms",
    "https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms",
    "https://www.elastic.co/security-labs/continuation-on-persistence-mechanisms",
    "https://www.elastic.co/security-labs/approaching-the-summit-on-persistence",
    "https://www.elastic.co/security-labs/the-grand-finale-on-linux-persistence",
    "https://slayer0x.github.io/awscli/",
]
risk_score = 21
rule_id = "192657ba-ab0e-4901-89a2-911d611eee98"
setup = """## Setup

This rule requires data coming in from the Elastic File Integrity Monitoring (FIM) integration.

### Elastic FIM Integration Setup
To configure the Elastic FIM integration, follow these steps:

1. Install and configure the Elastic Agent on your Linux system. You can refer to the [Elastic Agent documentation](https://www.elastic.co/guide/en/fleet/current/elastic-agent-installation.html) for detailed instructions.
2. Once the Elastic Agent is installed, navigate to the Elastic Security app in Kibana.
3. In the Kibana home page, click on "Integrations" in the left sidebar.
4. Search for "File Integrity Monitoring" in the search bar and select the integration.
5. Provide a name and optional description for the integration.
6. Select the appropriate agent policy for your Linux system or create a new one.
7. Configure the FIM policy by specifying the paths that you want to monitor for file modifications. You can use the same paths mentioned in the `query` field of the rule. Note that FIM does not accept wildcards in the paths, so you need to specify the exact paths you want to monitor.
8. Save the configuration and the Elastic Agent will start monitoring the specified paths for file modifications.

For more details on configuring the Elastic FIM integration, you can refer to the [Elastic FIM documentation](https://docs.elastic.co/integrations/fim).
"""
severity = "low"
tags = [
    "Domain: Endpoint",
    "OS: Linux",
    "Use Case: Threat Detection",
    "Tactic: Persistence",
    "Tactic: Credential Access",
    "Tactic: Privilege Escalation",
    "Tactic: Defense Evasion",
    "Data Source: File Integrity Monitoring",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
file where host.os.type == "linux" and event.dataset == "fim.event" and event.action == "updated" and
file.path : (
  // cron, anacron & at
  "/etc/cron.d/*", "/etc/cron.daily/*", "/etc/cron.hourly/*", "/etc/cron.monthly/*",
  "/etc/cron.weekly/*", "/etc/crontab", "/var/spool/cron/crontabs/*", "/etc/cron.allow",
  "/etc/cron.deny",  "/var/spool/anacron/*", "/var/spool/cron/atjobs/*",

  // systemd services & timers
  "/etc/systemd/system/*", "/usr/local/lib/systemd/system/*", "/lib/systemd/system/*",
  "/usr/lib/systemd/system/*", "/home/*/.config/systemd/user/*", "/home/*/.local/share/systemd/user/*",
  "/root/.config/systemd/user/*", "/root/.local/share/systemd/user/*",

  // LD_PRELOAD
  "/etc/ld.so.preload", "/etc/ld.so.conf.d/*", "/etc/ld.so.conf",

  // Dynamic linker
  "/lib/ld-linux*.so*", "/lib64/ld-linux*.so*", "/usr/lib/ld-linux*.so*", "/usr/lib64/ld-linux*.so*",

  // message-of-the-day (MOTD)
  "/etc/update-motd.d/*",

  // SSH
  "/home/*/.ssh/*", "/root/.ssh/*", "/etc/ssh/*",

  // system-wide shell configurations
  "/etc/profile", "/etc/profile.d/*", "/etc/bash.bashrc", "/etc/zsh/*", "/etc/csh.cshrc",
  "/etc/csh.login", "/etc/fish/config.fish", "/etc/ksh.kshrc",

  // root and user shell configurations
  "/home/*/.profile", "/home/*/.bashrc", "/home/*/.bash_login", "/home/*/.bash_logout",
  "/root/.profile", "/root/.bashrc", "/root/.bash_login", "/root/.bash_logout",
  "/home/*/.zprofile", "/home/*/.zshrc", "/root/.zprofile", "/root/.zshrc",
  "/home/*/.cshrc", "/home/*/.login", "/home/*/.logout", "/root/.cshrc", "/root/.login", "/root/.logout",
  "/home/*/.config/fish/config.fish", "/root/.config/fish/config.fish",
  "/home/*/.kshrc", "/root/.kshrc",

  // Alias files
  "/home/*/.bash_aliases", "/root/.bash_aliases", "/home/*/.zsh_aliases", "/root/.zsh_aliases",
  "/home/*/.aws/cli/alias", "/root/.aws/cli/alias",

  // runtime control
  "/etc/rc.common", "/etc/rc.local",

  // System V init/Upstart
  "/etc/init.d/*", "/etc/init/*",

  // passwd/sudoers/shadow
  "/etc/passwd", "/etc/shadow", "/etc/sudoers", "/etc/sudoers.d/*",

  // Systemd udevd
  "/lib/udev/*", "/etc/udev/rules.d/*", "/usr/lib/udev/rules.d/*", "/run/udev/rules.d/*", "/usr/local/lib/udev/rules.d/*",

  // XDG/KDE autostart entries
  "/home/*/.config/autostart/*", "/root/.config/autostart/*", "/etc/xdg/autostart/*", "/usr/share/autostart/*",
  "/home/*/.kde/Autostart/*", "/root/.kde/Autostart/*",
  "/home/*/.kde4/Autostart/*", "/root/.kde4/Autostart/*",
  "/home/*/.kde/share/autostart/*", "/root/.kde/share/autostart/*",
  "/home/*/.kde4/share/autostart/*", "/root/.kde4/share/autostart/*",
  "/home/*/.local/share/autostart/*", "/root/.local/share/autostart/*",
  "/home/*/.config/autostart-scripts/*", "/root/.config/autostart-scripts/*",

  // LKM configuration files
  "/etc/modules", "/etc/modprobe.d/*", "/usr/lib/modprobe.d/*", "/etc/modules-load.d/*",
  "/run/modules-load.d/*", "/usr/local/lib/modules-load.d/*", "/usr/lib/modules-load.d/*",

  // PAM modules & configuration files
  "/lib/security/*", "/lib64/security/*", "/usr/lib/security/*", "/usr/lib64/security/*",
  "/lib/x86_64-linux-gnu/security/*", "/usr/lib/x86_64-linux-gnu/security/*",
  "/etc/pam.d/*", "/etc/security/pam_*", "/etc/pam.conf",

  // Polkit Rule files
  "/etc/polkit-1/rules.d/*", "/usr/share/polkit-1/rules.d/*",

  // Polkit pkla files
  "/etc/polkit-1/localauthority/*", "/var/lib/polkit-1/localauthority/*",

  // Polkit Action files
  "/usr/share/polkit-1/actions/*",

  // Polkit Legacy paths
  "/lib/polkit-1/rules.d/*", "/lib64/polkit-1/rules.d/*", "/var/lib/polkit-1/rules.d/*",

  // NetworkManager
  "/etc/NetworkManager/dispatcher.d/*",

  // D-bus Service files
  "/usr/share/dbus-1/system-services/*", "/etc/dbus-1/system.d/*",
  "/lib/dbus-1/system-services/*", "/run/dbus/system.d/*",
  "/home/*/.local/share/dbus-1/services/*", "/home/*/.dbus/session-bus/*",
  "/usr/share/dbus-1/services/*", "/etc/dbus-1/session.d/*",

  // GRUB
  "/etc/default/grub.d/*", "/etc/default/grub", "/etc/grub.d/*", "/boot/grub2/grub.cfg",
  "/boot/grub/grub.cfg", "/boot/efi/EFI/*/grub.cfg", "/etc/sysconfig/grub",

  // Dracut
  "/lib/dracut/modules.d/*", "/usr/lib/dracut/modules.d/*",

  // Misc.
  "/etc/shells"

) and not (
  file.path : (
    "/var/spool/cron/crontabs/tmp.*", "/run/udev/rules.d/*rules.*", "/home/*/.ssh/known_hosts.*", "/root/.ssh/known_hosts.*"
  ) or
  file.extension in ("dpkg-new", "dpkg-remove", "SEQ")
)
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Potential Persistence via File Modification

File Integrity Monitoring (FIM) is crucial for detecting unauthorized changes to critical files, often targeted by adversaries for persistence. Attackers may modify cron jobs, systemd services, or shell configurations to maintain access or escalate privileges. The detection rule monitors these files for updates, flagging potential persistence attempts by identifying suspicious modifications outside normal operations.

### Possible investigation steps

- Review the file path from the alert to determine which specific file was modified and assess its role in the system, focusing on paths commonly used for persistence such as cron jobs, systemd services, or shell configurations.
- Check the timestamp of the modification event to correlate it with any known legitimate changes or scheduled maintenance activities, ensuring the modification was not part of normal operations.
- Investigate the user or process responsible for the modification by examining the associated user ID or process ID, and verify if the user or process has legitimate reasons to alter the file.
- Analyze recent login and session activity for the user or process involved in the modification to identify any unusual patterns or unauthorized access attempts.
- Cross-reference the modification event with other security logs or alerts to identify any related suspicious activities, such as privilege escalation attempts or unauthorized access to sensitive files.
- If the modified file is a configuration file, review its contents for any unauthorized or suspicious entries that could indicate persistence mechanisms, such as new cron jobs or altered systemd service configurations.

### False positive analysis

- Routine system updates or package installations may modify files monitored by the rule, such as those in /etc/cron.d or /etc/systemd/system. To manage these, consider excluding specific file paths or extensions like dpkg-new and dpkg-remove during known maintenance windows.
- User-specific configuration changes, such as updates to shell profiles in /home/*/.bashrc, can trigger alerts. Implement exceptions for user directories where frequent legitimate changes occur, ensuring these are well-documented and reviewed regularly.
- Automated scripts or management tools that update system configurations, like /etc/ssh/sshd_config, can cause false positives. Identify these tools and create exceptions for their expected file modification patterns.
- Temporary files created during system operations, such as /var/spool/cron/crontabs/tmp.*, may be flagged. Exclude these temporary paths to reduce noise while maintaining security oversight.
- Regular updates to known_hosts files in /home/*/.ssh/known_hosts can be mistaken for suspicious activity. Exclude these files from monitoring to prevent unnecessary alerts while ensuring SSH configurations are still monitored.

### Response and remediation

- Immediately isolate the affected system from the network to prevent further unauthorized access or lateral movement by the attacker.
- Review the specific file modifications flagged by the alert to determine if they are unauthorized or malicious. Restore any altered files to their last known good state using backups or system snapshots.
- Change all passwords and SSH keys associated with the affected system to prevent unauthorized access using compromised credentials.
- Conduct a thorough scan of the system for additional indicators of compromise, such as unauthorized user accounts or unexpected running processes, and remove any malicious artifacts found.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if other systems may be affected.
- Implement additional monitoring on the affected system and similar systems to detect any further unauthorized file modifications or suspicious activities.
- Review and update access controls and permissions on critical files and directories to minimize the risk of unauthorized modifications in the future."""

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1037"
name = "Boot or Logon Initialization Scripts"
reference = "https://attack.mitre.org/techniques/T1037/"

[[rule.threat.technique.subtechnique]]
id = "T1037.004"
name = "RC Scripts"
reference = "https://attack.mitre.org/techniques/T1037/004/"

[[rule.threat.technique]]
id = "T1547"
name = "Boot or Logon Autostart Execution"
reference = "https://attack.mitre.org/techniques/T1547/"

[[rule.threat.technique.subtechnique]]
id = "T1547.006"
name = "Kernel Modules and Extensions"
reference = "https://attack.mitre.org/techniques/T1547/006/"

[[rule.threat.technique]]
id = "T1136"
name = "Create Account"
reference = "https://attack.mitre.org/techniques/T1136/"

[[rule.threat.technique.subtechnique]]
id = "T1136.001"
name = "Local Account"
reference = "https://attack.mitre.org/techniques/T1136/001/"

[[rule.threat.technique]]
id = "T1543"
name = "Create or Modify System Process"
reference = "https://attack.mitre.org/techniques/T1543/"

[[rule.threat.technique.subtechnique]]
id = "T1543.002"
name = "Systemd Service"
reference = "https://attack.mitre.org/techniques/T1543/002/"

[[rule.threat.technique]]
id = "T1556"
name = "Modify Authentication Process"
reference = "https://attack.mitre.org/techniques/T1556/"

[[rule.threat.technique]]
id = "T1574"
name = "Hijack Execution Flow"
reference = "https://attack.mitre.org/techniques/T1574/"

[[rule.threat.technique.subtechnique]]
id = "T1574.006"
name = "Dynamic Linker Hijacking"
reference = "https://attack.mitre.org/techniques/T1574/006/"

[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1053"
name = "Scheduled Task/Job"
reference = "https://attack.mitre.org/techniques/T1053/"

[[rule.threat.technique.subtechnique]]
id = "T1053.003"
name = "Cron"
reference = "https://attack.mitre.org/techniques/T1053/003/"

[[rule.threat.technique]]
id = "T1548"
name = "Abuse Elevation Control Mechanism"
reference = "https://attack.mitre.org/techniques/T1548/"

[[rule.threat.technique.subtechnique]]
id = "T1548.003"
name = "Sudo and Sudo Caching"
reference = "https://attack.mitre.org/techniques/T1548/003/"

[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1556"
name = "Modify Authentication Process"
reference = "https://attack.mitre.org/techniques/T1556/"

[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1014"
name = "Rootkit"
reference = "https://attack.mitre.org/techniques/T1014/"

[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
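As an added example (not Elastic's code and not part of the rule), the Python below reproduces the query's matching logic over constructed FIM events, including the `and not (...)` exclusions, and derives the wildcard-free watch paths that setup step 7 says the FIM policy needs. The pattern subset is copied from the query; the events and home directories are constructed, and the path derivation assumes the FIM policy watches the files inside a listed directory.

```python
import re

# Subset of the rule's file.path wildcard list (copied from the query).
INCLUDE_PATTERNS = [
    "/etc/cron.d/*", "/etc/crontab", "/var/spool/cron/crontabs/*", "/etc/systemd/system/*",
    "/home/*/.config/systemd/user/*", "/home/*/.ssh/*", "/root/.ssh/*", "/etc/ssh/*",
    "/home/*/.bashrc", "/etc/passwd", "/run/udev/rules.d/*", "/boot/efi/EFI/*/grub.cfg",
]
# The rule's "and not (...)" exclusions for noisy scratch and backup files.
EXCLUDE_PATTERNS = [
    "/var/spool/cron/crontabs/tmp.*", "/run/udev/rules.d/*rules.*",
    "/home/*/.ssh/known_hosts.*", "/root/.ssh/known_hosts.*",
]
EXCLUDE_EXTENSIONS = {"dpkg-new", "dpkg-remove", "SEQ"}  # EQL `in` is case-sensitive

def eql_wildcard(pattern):
    """EQL ':' semantics: '*' spans any characters, '/' included, and the match is case-insensitive."""
    body = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.compile(f"^{body}$", re.IGNORECASE)

def matches_rule(event):
    """True when a FIM event satisfies every clause of the rule's query."""
    if (event.get("host.os.type") != "linux" or event.get("event.dataset") != "fim.event"
            or event.get("event.action") != "updated"):
        return False
    path = event.get("file.path", "")
    if not any(eql_wildcard(p).match(path) for p in INCLUDE_PATTERNS):
        return False
    if any(eql_wildcard(p).match(path) for p in EXCLUDE_PATTERNS):
        return False
    return event.get("file.extension") not in EXCLUDE_EXTENSIONS

def fim_policy_paths(patterns, home_dirs):
    """FIM takes exact paths, not wildcards: a trailing '/*' becomes its directory
    (assumption: the policy watches the files inside a listed directory) and '/home/*'
    is expanded over known home directories; patterns still holding '*' are returned
    separately so they can be handled by hand."""
    exact, unresolved = set(), []
    for pat in patterns:
        variants = [pat.replace("/home/*", h, 1) for h in home_dirs] if pat.startswith("/home/*") else [pat]
        for p in variants:
            p = p[:-2] if p.endswith("/*") else p
            if "*" in p:
                unresolved.append(p)
            else:
                exact.add(p)
    return sorted(exact), unresolved

def fim_event(path, action="updated", ext=None):
    """Constructed minimal FIM event carrying the field names the query checks."""
    return {"host.os.type": "linux", "event.dataset": "fim.event",
            "event.action": action, "file.path": path, "file.extension": ext}

SAMPLE_EVENTS = [  # constructed; only the first two should alert
    fim_event("/etc/cron.d/backup"),
    fim_event("/home/bob/.ssh/authorized_keys"),
    fim_event("/var/spool/cron/crontabs/tmp.XXXXabcd"),          # scratch file of the crontab command
    fim_event("/home/bob/.ssh/known_hosts.old"),                 # known_hosts rotation
    fim_event("/etc/ssh/sshd_config.dpkg-new", ext="dpkg-new"),  # package upgrade artefact
    fim_event("/home/bob/.bashrc", action="created"),            # not an "updated" event
]

def alerting_paths(events=SAMPLE_EVENTS):
    """Paths from the events that would raise the rule's alert."""
    return [e["file.path"] for e in events if matches_rule(e)]
```

The exclusion list is what keeps routine package upgrades and `crontab -e` sessions out of the alert stream; any extra exception you add for a config-management tool belongs alongside it rather than in the include list.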
