Potential Persistence via File Modification

This rule leverages the File Integrity Monitoring (FIM) integration to detect file modifications of files that are commonly used for persistence on Linux systems. The rule detects modifications to files that are commonly used for cron jobs, systemd services, message-of-the-day (MOTD), SSH configurations, shell configurations, runtime control, init daemon, passwd/sudoers/shadow files, Systemd udevd, and XDG/KDE autostart entries. To leverage this rule, the paths specified in the query need to be added to the FIM policy in the Elastic Security app.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2024/06/03"
integration = ["fim"]
maturity = "production"
updated_date = "2025/01/22"

[rule]
author = ["Elastic"]
description = """
This rule leverages the File Integrity Monitoring (FIM) integration to detect file modifications of files that are
commonly used for persistence on Linux systems. The rule detects modifications to files that are commonly used for cron
jobs, systemd services, message-of-the-day (MOTD), SSH configurations, shell configurations, runtime control, init
daemon, passwd/sudoers/shadow files, Systemd udevd, and XDG/KDE autostart entries. To leverage this rule, the paths
specified in the query need to be added to the FIM policy in the Elastic Security app.
"""
from = "now-9m"
index = ["logs-fim.event-*", "auditbeat-*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Persistence via File Modification"
references = [
    "https://www.elastic.co/security-labs/primer-on-persistence-mechanisms",
    "https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms",
]
risk_score = 21
rule_id = "192657ba-ab0e-4901-89a2-911d611eee98"
setup = """## Setup

This rule requires data coming in from the Elastic File Integrity Monitoring (FIM) integration.

### Elastic FIM Integration Setup
To configure the Elastic FIM integration, follow these steps:

1. Install and configure the Elastic Agent on your Linux system. You can refer to the [Elastic Agent documentation](https://www.elastic.co/guide/en/fleet/current/elastic-agent-installation.html) for detailed instructions.
2. Once the Elastic Agent is installed, navigate to the Elastic Security app in Kibana.
3. In the Kibana home page, click on "Integrations" in the left sidebar.
4. Search for "File Integrity Monitoring" in the search bar and select the integration.
5. Provide a name and optional description for the integration.
6. Select the appropriate agent policy for your Linux system or create a new one.
7. Configure the FIM policy by specifying the paths that you want to monitor for file modifications. You can use the same paths mentioned in the `query` field of the rule. Note that FIM does not accept wildcards in the paths, so you need to specify the exact paths you want to monitor.
8. Save the configuration and the Elastic Agent will start monitoring the specified paths for file modifications.

For more details on configuring the Elastic FIM integration, you can refer to the [Elastic FIM documentation](https://docs.elastic.co/integrations/fim).
"""
severity = "low"
tags = [
    "Domain: Endpoint",
    "OS: Linux",
    "Use Case: Threat Detection",
    "Tactic: Persistence",
    "Tactic: Credential Access",
    "Tactic: Privilege Escalation",
    "Tactic: Defense Evasion",
    "Data Source: File Integrity Monitoring",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
file where host.os.type == "linux" and event.dataset == "fim.event" and event.action == "updated" and
file.path : (
  // cron, anacron & at
  "/etc/cron.d/*", "/etc/cron.daily/*", "/etc/cron.hourly/*", "/etc/cron.monthly/*",
  "/etc/cron.weekly/*", "/etc/crontab", "/var/spool/cron/crontabs/*", "/etc/cron.allow",
  "/etc/cron.deny",  "/var/spool/anacron/*", "/var/spool/cron/atjobs/*",

  // systemd services & timers
  "/etc/systemd/system/*", "/usr/local/lib/systemd/system/*", "/lib/systemd/system/*",
  "/usr/lib/systemd/system/*", "/home/*/.config/systemd/user/*", "/home/*/.local/share/systemd/user/*",
  "/root/.config/systemd/user/*", "/root/.local/share/systemd/user/*",

  // LD_PRELOAD
  "/etc/ld.so.preload", "/etc/ld.so.conf.d/*", "/etc/ld.so.conf",

  // Dynamic linker
  "/lib/ld-linux*.so*", "/lib64/ld-linux*.so*", "/usr/lib/ld-linux*.so*", "/usr/lib64/ld-linux*.so*",

  // message-of-the-day (MOTD)
  "/etc/update-motd.d/*",

  // SSH
  "/home/*/.ssh/*", "/root/.ssh/*", "/etc/ssh/*",

  // system-wide shell configurations
  "/etc/profile", "/etc/profile.d/*", "/etc/bash.bashrc", "/etc/zsh/*", "/etc/csh.cshrc",
  "/etc/csh.login", "/etc/fish/config.fish", "/etc/ksh.kshrc",

  // root and user shell configurations
  "/home/*/.profile", "/home/*/.bashrc", "/home/*/.bash_login", "/home/*/.bash_logout",
  "/root/.profile", "/root/.bashrc", "/root/.bash_login", "/root/.bash_logout",
  "/home/*/.zprofile", "/home/*/.zshrc", "/root/.zprofile", "/root/.zshrc",
  "/home/*/.cshrc", "/home/*/.login", "/home/*/.logout", "/root/.cshrc", "/root/.login", "/root/.logout",
  "/home/*/.config/fish/config.fish", "/root/.config/fish/config.fish",
  "/home/*/.kshrc", "/root/.kshrc",

  // runtime control
  "/etc/rc.common", "/etc/rc.local",

  // System V init/Upstart
  "/etc/init.d/*", "/etc/init/*",

  // passwd/sudoers/shadow
  "/etc/passwd", "/etc/shadow", "/etc/sudoers", "/etc/sudoers.d/*",

  // Systemd udevd
  "/lib/udev/*", "/etc/udev/rules.d/*", "/usr/lib/udev/rules.d/*", "/run/udev/rules.d/*", "/usr/local/lib/udev/rules.d/*",

  // XDG/KDE autostart entries
  "/home/*/.config/autostart/*", "/root/.config/autostart/*", "/etc/xdg/autostart/*", "/usr/share/autostart/*",
  "/home/*/.kde/Autostart/*", "/root/.kde/Autostart/*",
  "/home/*/.kde4/Autostart/*", "/root/.kde4/Autostart/*",
  "/home/*/.kde/share/autostart/*", "/root/.kde/share/autostart/*",
  "/home/*/.kde4/share/autostart/*", "/root/.kde4/share/autostart/*",
  "/home/*/.local/share/autostart/*", "/root/.local/share/autostart/*",
  "/home/*/.config/autostart-scripts/*", "/root/.config/autostart-scripts/*",

  // LKM configuration files
  "/etc/modules", "/etc/modprobe.d/*", "/usr/lib/modprobe.d/*", "/etc/modules-load.d/*",
  "/run/modules-load.d/*", "/usr/local/lib/modules-load.d/*", "/usr/lib/modules-load.d/*",

  // PAM modules & configuration files
  "/lib/security/*", "/lib64/security/*", "/usr/lib/security/*", "/usr/lib64/security/*",
  "/lib/x86_64-linux-gnu/security/*", "/usr/lib/x86_64-linux-gnu/security/*",
  "/etc/pam.d/*", "/etc/security/pam_*", "/etc/pam.conf",

  // Polkit Rule files
  "/etc/polkit-1/rules.d/*", "/usr/share/polkit-1/rules.d/*",

  // Polkit pkla files
  "/etc/polkit-1/localauthority/*", "/var/lib/polkit-1/localauthority/*",

  // Polkit Action files
  "/usr/share/polkit-1/actions/*",

  // Polkit Legacy paths
  "/lib/polkit-1/rules.d/*", "/lib64/polkit-1/rules.d/*", "/var/lib/polkit-1/rules.d/*",

  // NetworkManager
  "/etc/NetworkManager/dispatcher.d/*",

  // D-bus Service files
  "/usr/share/dbus-1/system-services/*", "/etc/dbus-1/system.d/*",
  "/lib/dbus-1/system-services/*", "/run/dbus/system.d/*",
  "/home/*/.local/share/dbus-1/services/*", "/home/*/.dbus/session-bus/*",
  "/usr/share/dbus-1/services/*", "/etc/dbus-1/session.d/*",

  // GRUB
  "/etc/default/grub.d/*", "/etc/default/grub", "/etc/grub.d/*", "/boot/grub2/grub.cfg",
  "/boot/grub/grub.cfg", "/boot/efi/EFI/*/grub.cfg", "/etc/sysconfig/grub",

  // Dracut
  "/lib/dracut/modules.d/*", "/usr/lib/dracut/modules.d/*",

  // Misc.
  "/etc/shells"

) and not (
  file.path : (
    "/var/spool/cron/crontabs/tmp.*", "/run/udev/rules.d/*rules.*", "/home/*/.ssh/known_hosts.*", "/root/.ssh/known_hosts.*"
  ) or
  file.extension in ("dpkg-new", "dpkg-remove", "SEQ")
)
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Potential Persistence via File Modification

File Integrity Monitoring (FIM) is crucial for detecting unauthorized changes to critical files, often targeted by adversaries for persistence. Attackers may modify cron jobs, systemd services, or shell configurations to maintain access or escalate privileges. The detection rule monitors these files for updates, flagging potential persistence attempts by identifying suspicious modifications outside normal operations.

### Possible investigation steps

- Review the file path from the alert to determine which specific file was modified and assess its role in the system, focusing on paths commonly used for persistence such as cron jobs, systemd services, or shell configurations.
- Check the timestamp of the modification event to correlate it with any known legitimate changes or scheduled maintenance activities, ensuring the modification was not part of normal operations.
- Investigate the user or process responsible for the modification by examining the associated user ID or process ID, and verify if the user or process has legitimate reasons to alter the file.
- Analyze recent login and session activity for the user or process involved in the modification to identify any unusual patterns or unauthorized access attempts.
- Cross-reference the modification event with other security logs or alerts to identify any related suspicious activities, such as privilege escalation attempts or unauthorized access to sensitive files.
- If the modified file is a configuration file, review its contents for any unauthorized or suspicious entries that could indicate persistence mechanisms, such as new cron jobs or altered systemd service configurations.

### False positive analysis

- Routine system updates or package installations may modify files monitored by the rule, such as those in /etc/cron.d or /etc/systemd/system. To manage these, consider excluding specific file paths or extensions like dpkg-new and dpkg-remove during known maintenance windows.
- User-specific configuration changes, such as updates to shell profiles in /home/*/.bashrc, can trigger alerts. Implement exceptions for user directories where frequent legitimate changes occur, ensuring these are well-documented and reviewed regularly.
- Automated scripts or management tools that update system configurations, like /etc/ssh/sshd_config, can cause false positives. Identify these tools and create exceptions for their expected file modification patterns.
- Temporary files created during system operations, such as /var/spool/cron/crontabs/tmp.*, may be flagged. Exclude these temporary paths to reduce noise while maintaining security oversight.
- Regular updates to known_hosts files in /home/*/.ssh/known_hosts can be mistaken for suspicious activity. Exclude these files from monitoring to prevent unnecessary alerts while ensuring SSH configurations are still monitored.

### Response and remediation

- Immediately isolate the affected system from the network to prevent further unauthorized access or lateral movement by the attacker.
- Review the specific file modifications flagged by the alert to determine if they are unauthorized or malicious. Restore any altered files to their last known good state using backups or system snapshots.
- Change all passwords and SSH keys associated with the affected system to prevent unauthorized access using compromised credentials.
- Conduct a thorough scan of the system for additional indicators of compromise, such as unauthorized user accounts or unexpected running processes, and remove any malicious artifacts found.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if other systems may be affected.
- Implement additional monitoring on the affected system and similar systems to detect any further unauthorized file modifications or suspicious activities.
- Review and update access controls and permissions on critical files and directories to minimize the risk of unauthorized modifications in the future."""

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1037"
name = "Boot or Logon Initialization Scripts"
reference = "https://attack.mitre.org/techniques/T1037/"

[[rule.threat.technique.subtechnique]]
id = "T1037.004"
name = "RC Scripts"
reference = "https://attack.mitre.org/techniques/T1037/004/"

[[rule.threat.technique]]
id = "T1547"
name = "Boot or Logon Autostart Execution"
reference = "https://attack.mitre.org/techniques/T1547/"

[[rule.threat.technique.subtechnique]]
id = "T1547.006"
name = "Kernel Modules and Extensions"
reference = "https://attack.mitre.org/techniques/T1547/006/"

[[rule.threat.technique]]
id = "T1136"
name = "Create Account"
reference = "https://attack.mitre.org/techniques/T1136/"

[[rule.threat.technique.subtechnique]]
id = "T1136.001"
name = "Local Account"
reference = "https://attack.mitre.org/techniques/T1136/001/"

[[rule.threat.technique]]
id = "T1543"
name = "Create or Modify System Process"
reference = "https://attack.mitre.org/techniques/T1543/"

[[rule.threat.technique.subtechnique]]
id = "T1543.002"
name = "Systemd Service"
reference = "https://attack.mitre.org/techniques/T1543/002/"

[[rule.threat.technique]]
id = "T1556"
name = "Modify Authentication Process"
reference = "https://attack.mitre.org/techniques/T1556/"

[[rule.threat.technique]]
id = "T1574"
name = "Hijack Execution Flow"
reference = "https://attack.mitre.org/techniques/T1574/"

[[rule.threat.technique.subtechnique]]
id = "T1574.006"
name = "Dynamic Linker Hijacking"
reference = "https://attack.mitre.org/techniques/T1574/006/"

[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1053"
name = "Scheduled Task/Job"
reference = "https://attack.mitre.org/techniques/T1053/"

[[rule.threat.technique.subtechnique]]
id = "T1053.003"
name = "Cron"
reference = "https://attack.mitre.org/techniques/T1053/003/"

[[rule.threat.technique]]
id = "T1548"
name = "Abuse Elevation Control Mechanism"
reference = "https://attack.mitre.org/techniques/T1548/"

[[rule.threat.technique.subtechnique]]
id = "T1548.003"
name = "Sudo and Sudo Caching"
reference = "https://attack.mitre.org/techniques/T1548/003/"

[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1556"
name = "Modify Authentication Process"
reference = "https://attack.mitre.org/techniques/T1556/"

[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1014"
name = "Rootkit"
reference = "https://attack.mitre.org/techniques/T1014/"

[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
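Two things in the rule are easy to get wrong when adopting it: the exact semantics of the `file.path :` / `and not (...)` clause (case-insensitive wildcards, the `tmp.*` and `known_hosts.*` carve-outs, the package-manager extensions, and the fact that only `event.action == "updated"` is matched), and the setup note that the FIM policy takes no wildcards. The Python below is an added example, not Elastic's code or part of the rule: it re-implements the where-clause over a handful of constructed FIM events using a subset of the rule's path patterns, and derives wildcard-free paths for the FIM policy from those patterns. The home-directory list passed to `fim_policy_paths` is a constructed assumption, since FIM cannot enumerate `/home/*` for you.

```python
"""Added example (not Elastic's code): evaluates the rule's where-clause over
constructed FIM events and derives wildcard-free FIM policy paths."""
from fnmatch import fnmatchcase

# A subset of the rule's file.path patterns; the real query lists far more.
INCLUDE_PATTERNS = [
    "/etc/cron.d/*", "/etc/crontab", "/var/spool/cron/crontabs/*",
    "/etc/systemd/system/*", "/home/*/.config/systemd/user/*",
    "/etc/ld.so.preload", "/lib/ld-linux*.so*",
    "/home/*/.ssh/*", "/root/.ssh/*", "/etc/ssh/*",
    "/home/*/.bashrc", "/etc/passwd", "/etc/sudoers.d/*",
    "/run/udev/rules.d/*", "/etc/security/pam_*", "/boot/efi/EFI/*/grub.cfg",
]
# The rule's own exclusions, copied from its `and not (...)` clause.
EXCLUDE_PATTERNS = [
    "/var/spool/cron/crontabs/tmp.*", "/run/udev/rules.d/*rules.*",
    "/home/*/.ssh/known_hosts.*", "/root/.ssh/known_hosts.*",
]
EXCLUDED_EXTENSIONS = {"dpkg-new", "dpkg-remove", "SEQ"}


def eql_wildcard_match(value: str, pattern: str) -> bool:
    """Model EQL's ':' operator: case-insensitive, '*' matches any run of
    characters including '/'. fnmatchcase has the same '*' semantics, and the
    rule's patterns contain no '?' or '[' that would need escaping."""
    return fnmatchcase(value.lower(), pattern.lower())


def matches_rule(event: dict) -> bool:
    """Apply the rule's where-clause to one flattened FIM event."""
    if event.get("host.os.type") != "linux":
        return False
    if event.get("event.dataset") != "fim.event":
        return False
    if event.get("event.action") != "updated":   # created/deleted never match
        return False
    path = event.get("file.path", "")
    if not any(eql_wildcard_match(path, p) for p in INCLUDE_PATTERNS):
        return False
    if any(eql_wildcard_match(path, p) for p in EXCLUDE_PATTERNS):
        return False
    # A missing file.extension does not trigger the extension exclusion.
    return event.get("file.extension") not in EXCLUDED_EXTENSIONS


def fim_policy_paths(patterns, home_dirs):
    """Turn wildcard patterns into paths FIM will accept: expand '/home/*'
    with a caller-supplied list of home directories (FIM cannot glob them),
    then cut each pattern at its first path component that contains '*'."""
    out = set()
    for pat in patterns:
        candidates = [pat]
        if pat.startswith("/home/*/"):
            candidates = [home + pat[len("/home/*"):] for home in home_dirs]
        for cand in candidates:
            kept = []
            for part in cand.split("/")[1:]:
                if "*" in part:
                    break
                kept.append(part)
            out.add("/" + "/".join(kept))
    return sorted(out)


def _ev(path, action="updated", ext=None):
    """Build one constructed FIM event in the flattened shape the rule reads."""
    return {"host.os.type": "linux", "event.dataset": "fim.event",
            "event.action": action, "file.path": path, "file.extension": ext}


SAMPLE_EVENTS = [  # constructed, not real telemetry
    _ev("/etc/cron.d/backup"),                                   # alert
    _ev("/var/spool/cron/crontabs/tmp.XXXXab12"),                # crontab -e scratch file
    _ev("/etc/systemd/system/backup.service.dpkg-new", ext="dpkg-new"),  # package upgrade
    _ev("/home/alice/.ssh/known_hosts.old"),                      # excluded by the rule
    _ev("/home/alice/.ssh/authorized_keys"),                      # alert
    _ev("/etc/SSH/sshd_config"),                                  # ':' is case-insensitive
    _ev("/lib/ld-linux-x86-64.so.2"),                             # alert (dynamic linker)
    _ev("/etc/sudoers.d/ops", action="created"),                  # wrong event.action
    _ev("/etc/hosts"),                                            # not a monitored path
]


def evaluate(events):
    """Return {file.path: would_alert} for a list of events."""
    return {e["file.path"]: matches_rule(e) for e in events}


if __name__ == "__main__":
    for path, hit in evaluate(SAMPLE_EVENTS).items():
        print(f"{'ALERT ' if hit else 'ignore'} {path}")
    print(fim_policy_paths(INCLUDE_PATTERNS, ["/home/alice", "/home/bob"]))
```

Cutting each pattern at its first wildcard component reproduces `/etc/cron.d/*` exactly, but it is broader than `/etc/security/pam_*` (the whole of `/etc/security` is monitored) and shallower than `/boot/efi/EFI/*/grub.cfg` (only `/boot/efi/EFI` itself), so check the generated list against how deep the FIM policy actually watches before relying on it. The `created` case is worth a test in your own environment: the query as written only matches `updated`, so a file that is dropped in place and never rewritten depends on how the FIM integration reports the initial write.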
