Potential Persistence via File Modification

This rule leverages the File Integrity Monitoring (FIM) integration to detect file modifications of files that are commonly used for persistence on Linux systems. The rule detects modifications to files that are commonly used for cron jobs, systemd services, message-of-the-day (MOTD), SSH configurations, shell configurations, runtime control, init daemon, passwd/sudoers/shadow files, Systemd udevd, and XDG/KDE autostart entries. To leverage this rule, the paths specified in the query need to be added to the FIM policy in the Elastic Security app.

Elastic rule (View on GitHub)

  1[metadata]
  2creation_date = "2024/06/03"
  3maturity = "production"
  4integration = ["fim"]
  5updated_date = "2024/06/12"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10This rule leverages the File Integrity Monitoring (FIM) integration to detect file modifications of files that are
 11commonly used for persistence on Linux systems. The rule detects modifications to files that are commonly used for
 12cron jobs, systemd services, message-of-the-day (MOTD), SSH configurations, shell configurations, runtime control,
 13init daemon, passwd/sudoers/shadow files, Systemd udevd, and XDG/KDE autostart entries. To leverage this rule, the
 14paths specified in the query need to be added to the FIM policy in the Elastic Security app.
 15"""
 16from = "now-9m"
 17index = ["logs-fim.event-*", "auditbeat-*"]
 18language = "eql"
 19license = "Elastic License v2"
 20name = "Potential Persistence via File Modification"
 21risk_score = 21
 22rule_id = "192657ba-ab0e-4901-89a2-911d611eee98"
 23setup = """
 24## Setup
 25
 26This rule requires data coming in from the Elastic File Integrity Monitoring (FIM) integration.
 27
 28### Elastic FIM Integration Setup
 29To configure the Elastic FIM integration, follow these steps:
 30
 311. Install and configure the Elastic Agent on your Linux system. You can refer to the [Elastic Agent documentation](https://www.elastic.co/guide/en/fleet/current/elastic-agent-installation.html) for detailed instructions.
 322. Once the Elastic Agent is installed, navigate to the Elastic Security app in Kibana.
 333. In the Kibana home page, click on "Integrations" in the left sidebar.
 344. Search for "File Integrity Monitoring" in the search bar and select the integration.
 355. Provide a name and optional description for the integration.
 366. Select the appropriate agent policy for your Linux system or create a new one.
 377. Configure the FIM policy by specifying the paths that you want to monitor for file modifications. You can use the same paths mentioned in the `query` field of the rule. Note that FIM does not accept wildcards in the paths, so you need to specify the exact paths you want to monitor.
 388. Save the configuration and the Elastic Agent will start monitoring the specified paths for file modifications.
 39
 40For more details on configuring the Elastic FIM integration, you can refer to the [Elastic FIM documentation](https://docs.elastic.co/integrations/fim).
 41"""
 42severity = "low"
 43tags = [
 44    "Domain: Endpoint",
 45    "OS: Linux",
 46    "Use Case: Threat Detection",
 47    "Tactic: Persistence",
 48    "Tactic: Privilege Escalation",
 49    "Data Source: File Integrity Monitoring"
 50]
 51timestamp_override = "event.ingested"
 52type = "eql"
 53query = '''
 54file where host.os.type == "linux" and event.dataset == "fim.event" and event.action == "updated" and
 55file.path : (
 56  // cron, anacron & at
 57  "/etc/cron.d/*", "/etc/cron.daily/*", "/etc/cron.hourly/*", "/etc/cron.monthly/*",
 58  "/etc/cron.weekly/*", "/etc/crontab", "/var/spool/cron/crontabs/*", "/etc/cron.allow",
 59  "/etc/cron.deny",  "/var/spool/anacron/*", "/var/spool/cron/atjobs/*",
 60
 61  // systemd services & timers
 62  "/etc/systemd/system/*", "/usr/local/lib/systemd/system/*", "/lib/systemd/system/*",
 63  "/usr/lib/systemd/system/*", "/home/*/.config/systemd/user/*", "/home/*/.local/share/systemd/user/*",
 64  "/root/.config/systemd/user/*", "/root/.local/share/systemd/user/*",
 65
 66  // LD_PRELOAD
 67  "/etc/ld.so.preload", "/etc/ld.so.conf.d/*", "/etc/ld.so.conf",
 68
 69  // message-of-the-day (MOTD)
 70  "/etc/update-motd.d/*",
 71
 72  // SSH
 73  "/home/*/.ssh/*", "/root/.ssh/*", "/etc/ssh/*",
 74
 75  // system-wide shell configurations
 76  "/etc/profile", "/etc/profile.d/*", "/etc/bash.bashrc", "/etc/zsh/*", "/etc/csh.cshrc",
 77  "/etc/csh.login", "/etc/fish/config.fish", "/etc/ksh.kshrc",
 78
 79  // root and user shell configurations
 80  "/home/*/.profile", "/home/*/.bashrc", "/home/*/.bash_login", "/home/*/.bash_logout",
 81  "/root/.profile", "/root/.bashrc", "/root/.bash_login", "/root/.bash_logout",
 82  "/home/*/.zprofile", "/home/*/.zshrc", "/root/.zprofile", "/root/.zshrc",
 83  "/home/*/.cshrc", "/home/*/.login", "/home/*/.logout", "/root/.cshrc", "/root/.login", "/root/.logout",
 84  "/home/*/.config/fish/config.fish", "/root/.config/fish/config.fish",
 85  "/home/*/.kshrc", "/root/.kshrc",
 86
 87  // runtime control
 88  "/etc/rc.common", "/etc/rc.local",
 89
 90  // init daemon
 91  "/etc/init.d/*",
 92
 93  // passwd/sudoers/shadow
 94  "/etc/passwd", "/etc/shadow", "/etc/sudoers", "/etc/sudoers.d/*",
 95
 96  // Systemd udevd
 97  "/lib/udev/*", "/etc/udev/rules.d/*", "/usr/lib/udev/rules.d/*", "/run/udev/rules.d/*",
 98
 99  // XDG/KDE autostart entries
100  "/home/*/.config/autostart/*", "/root/.config/autostart/*", "/etc/xdg/autostart/*", "/usr/share/autostart/*",
101  "/home/*/.kde/Autostart/*", "/root/.kde/Autostart/*",
102  "/home/*/.kde4/Autostart/*", "/root/.kde4/Autostart/*",
103  "/home/*/.kde/share/autostart/*", "/root/.kde/share/autostart/*",
104  "/home/*/.kde4/share/autostart/*", "/root/.kde4/share/autostart/*",
105  "/home/*/.local/share/autostart/*", "/root/.local/share/autostart/*",
106  "/home/*/.config/autostart-scripts/*", "/root/.config/autostart-scripts/*"
107) and not (
108  file.path : (
109    "/var/spool/cron/crontabs/tmp.*", "/run/udev/rules.d/*rules.*", "/home/*/.ssh/known_hosts.*", "/root/.ssh/known_hosts.*"
110  ) or
111  file.extension in ("dpkg-new", "dpkg-remove", "SEQ")
112)
113'''
114
115[[rule.threat]]
116framework = "MITRE ATT&CK"
117
118[[rule.threat.technique]]
119id = "T1037"
120name = "Boot or Logon Initialization Scripts"
121reference = "https://attack.mitre.org/techniques/T1037/"
122
123[[rule.threat.technique.subtechnique]]
124id = "T1037.004"
125name = "RC Scripts"
126reference = "https://attack.mitre.org/techniques/T1037/004/"
127
128[[rule.threat.technique]]
129id = "T1543"
130name = "Create or Modify System Process"
131reference = "https://attack.mitre.org/techniques/T1543/"
132
133[[rule.threat.technique.subtechnique]]
134id = "T1543.002"
135name = "Systemd Service"
136reference = "https://attack.mitre.org/techniques/T1543/002/"
137
138[[rule.threat.technique]]
139id = "T1556"
140name = "Modify Authentication Process"
141reference = "https://attack.mitre.org/techniques/T1556/"
142
143[[rule.threat.technique]]
144id = "T1574"
145name = "Hijack Execution Flow"
146reference = "https://attack.mitre.org/techniques/T1574/"
147
148[[rule.threat.technique.subtechnique]]
149id = "T1574.006"
150name = "Dynamic Linker Hijacking"
151reference = "https://attack.mitre.org/techniques/T1574/006/"
152
153[[rule.threat.technique]]
154id = "T1136"
155name = "Create Account"
156reference = "https://attack.mitre.org/techniques/T1136/"
157
158[[rule.threat.technique.subtechnique]]
159id = "T1136.001"
160name = "Local Account"
161reference = "https://attack.mitre.org/techniques/T1136/001/"
162
163[rule.threat.tactic]
164id = "TA0003"
165name = "Persistence"
166reference = "https://attack.mitre.org/tactics/TA0003/"
167
168[[rule.threat]]
169framework = "MITRE ATT&CK"
170
171[[rule.threat.technique]]
172id = "T1053"
173name = "Scheduled Task/Job"
174reference = "https://attack.mitre.org/techniques/T1053/"
175
176[[rule.threat.technique.subtechnique]]
177id = "T1053.003"
178name = "Cron"
179reference = "https://attack.mitre.org/techniques/T1053/003/"
180
181[[rule.threat.technique]]
182id = "T1548"
183name = "Abuse Elevation Control Mechanism"
184reference = "https://attack.mitre.org/techniques/T1548/"
185
186[[rule.threat.technique.subtechnique]]
187id = "T1548.003"
188name = "Sudo and Sudo Caching"
189reference = "https://attack.mitre.org/techniques/T1548/003/"
190
191[rule.threat.tactic]
192id = "TA0004"
193name = "Privilege Escalation"
194reference = "https://attack.mitre.org/tactics/TA0004/"

Related rules

to-top