Potential Persistence via File Modification

This rule leverages the File Integrity Monitoring (FIM) integration to detect modifications to files that are commonly used for persistence on Linux systems. The rule detects modifications to files that are commonly used for cron jobs, systemd services, message-of-the-day (MOTD), SSH configurations, shell configurations, runtime control, init daemon, passwd/sudoers/shadow files, Systemd udevd, and XDG/KDE autostart entries. To leverage this rule, the paths specified in the query need to be added to the FIM policy in the Elastic Security app.

Elastic rule (View on GitHub)

  1[metadata]
  2creation_date = "2024/06/03"
  3integration = ["fim"]
  4maturity = "production"
  5updated_date = "2024/12/17"
  6
# Elastic prebuilt detection rule: alerts on FIM "updated" events for Linux
# paths that are commonly abused for persistence, privilege escalation,
# credential access and defense evasion. The rule can only see paths that are
# also listed in the FIM integration policy (see the setup text below), so the
# path list in `query` and the policy have to be kept in sync.
  7[rule]
  8author = ["Elastic"]
  9description = """
 10This rule leverages the File Integrity Monitoring (FIM) integration to detect file modifications of files that are
 11commonly used for persistence on Linux systems. The rule detects modifications to files that are commonly used for cron
 12jobs, systemd services, message-of-the-day (MOTD), SSH configurations, shell configurations, runtime control, init
 13daemon, passwd/sudoers/shadow files, Systemd udevd, and XDG/KDE autostart entries. To leverage this rule, the paths
 14specified in the query need to be added to the FIM policy in the Elastic Security app.
 15"""
# Lookback window for each run. The schedule interval is not set in this file,
# so the stack default applies — confirm it leaves an overlap with the 9m window
# so that late-ingested events are not skipped.
 16from = "now-9m"
# NOTE(review): the query below also requires event.dataset == "fim.event";
# confirm that documents in auditbeat-* carry that dataset value, otherwise
# the second index pattern contributes no matches.
 17index = ["logs-fim.event-*", "auditbeat-*"]
 18language = "eql"
 19license = "Elastic License v2"
 20name = "Potential Persistence via File Modification"
 21references = [
 22    "https://www.elastic.co/security-labs/primer-on-persistence-mechanisms",
 23    "https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms",
 24]
# Low score/severity: the path list is broad and routine administration and
# package upgrades touch many of these files, so presumably this rule is meant
# to be tuned per environment and correlated with other signals rather than
# paged on directly — confirm with the rule owner.
 25risk_score = 21
 26rule_id = "192657ba-ab0e-4901-89a2-911d611eee98"
# FIM policy paths cannot contain wildcards (setup step 7 below): the policy
# lists the parent directories, and the globs in `query` are then evaluated on
# the events those directories produce.
 27setup = """## Setup
 28
 29This rule requires data coming in from the Elastic File Integrity Monitoring (FIM) integration.
 30
 31### Elastic FIM Integration Setup
 32To configure the Elastic FIM integration, follow these steps:
 33
 341. Install and configure the Elastic Agent on your Linux system. You can refer to the [Elastic Agent documentation](https://www.elastic.co/guide/en/fleet/current/elastic-agent-installation.html) for detailed instructions.
 352. Once the Elastic Agent is installed, navigate to the Elastic Security app in Kibana.
 363. In the Kibana home page, click on "Integrations" in the left sidebar.
 374. Search for "File Integrity Monitoring" in the search bar and select the integration.
 385. Provide a name and optional description for the integration.
 396. Select the appropriate agent policy for your Linux system or create a new one.
 407. Configure the FIM policy by specifying the paths that you want to monitor for file modifications. You can use the same paths mentioned in the `query` field of the rule. Note that FIM does not accept wildcards in the paths, so you need to specify the exact paths you want to monitor.
 418. Save the configuration and the Elastic Agent will start monitoring the specified paths for file modifications.
 42
 43For more details on configuring the Elastic FIM integration, you can refer to the [Elastic FIM documentation](https://docs.elastic.co/integrations/fim).
 44"""
 45severity = "low"
 46tags = [
 47    "Domain: Endpoint",
 48    "OS: Linux",
 49    "Use Case: Threat Detection",
 50    "Tactic: Persistence",
 51    "Tactic: Credential Access",
 52    "Tactic: Privilege Escalation",
 53    "Tactic: Defense Evasion",
 54    "Data Source: File Integrity Monitoring",
 55]
# Use ingest time rather than @timestamp so events that arrive late (agent
# offline, backlog) still fall inside the lookback window.
 56timestamp_override = "event.ingested"
 57type = "eql"
 58
# Only event.action == "updated" is matched. FIM reports other actions as
# separate events (for example "created"), so a file newly dropped into a
# monitored directory may not be caught here if it only yields a creation
# event — confirm against the data source and widen the action filter if that
# coverage is wanted.
# The exclusions cover dpkg temporary names, udev/cron scratch files and
# known_hosts rewrites. Hosts using rpm produce different temporary suffixes
# (e.g. .rpmnew/.rpmsave) that are not excluded, so expect additional noise
# there during package upgrades — TODO confirm and tune.
 59query = '''
 60file where host.os.type == "linux" and event.dataset == "fim.event" and event.action == "updated" and
 61file.path : (
 62  // cron, anacron & at
 63  "/etc/cron.d/*", "/etc/cron.daily/*", "/etc/cron.hourly/*", "/etc/cron.monthly/*",
 64  "/etc/cron.weekly/*", "/etc/crontab", "/var/spool/cron/crontabs/*", "/etc/cron.allow",
 65  "/etc/cron.deny",  "/var/spool/anacron/*", "/var/spool/cron/atjobs/*",
 66
 67  // systemd services & timers
 68  "/etc/systemd/system/*", "/usr/local/lib/systemd/system/*", "/lib/systemd/system/*",
 69  "/usr/lib/systemd/system/*", "/home/*/.config/systemd/user/*", "/home/*/.local/share/systemd/user/*",
 70  "/root/.config/systemd/user/*", "/root/.local/share/systemd/user/*",
 71
 72  // LD_PRELOAD
 73  "/etc/ld.so.preload", "/etc/ld.so.conf.d/*", "/etc/ld.so.conf",
 74
 75  // Dynamic linker
 76  "/lib/ld-linux*.so*", "/lib64/ld-linux*.so*", "/usr/lib/ld-linux*.so*", "/usr/lib64/ld-linux*.so*",
 77
 78  // message-of-the-day (MOTD)
 79  "/etc/update-motd.d/*",
 80
 81  // SSH
 82  "/home/*/.ssh/*", "/root/.ssh/*", "/etc/ssh/*",
 83
 84  // system-wide shell configurations
 85  "/etc/profile", "/etc/profile.d/*", "/etc/bash.bashrc", "/etc/zsh/*", "/etc/csh.cshrc",
 86  "/etc/csh.login", "/etc/fish/config.fish", "/etc/ksh.kshrc",
 87
 88  // root and user shell configurations
 89  "/home/*/.profile", "/home/*/.bashrc", "/home/*/.bash_login", "/home/*/.bash_logout",
 90  "/root/.profile", "/root/.bashrc", "/root/.bash_login", "/root/.bash_logout",
 91  "/home/*/.zprofile", "/home/*/.zshrc", "/root/.zprofile", "/root/.zshrc",
 92  "/home/*/.cshrc", "/home/*/.login", "/home/*/.logout", "/root/.cshrc", "/root/.login", "/root/.logout",
 93  "/home/*/.config/fish/config.fish", "/root/.config/fish/config.fish",
 94  "/home/*/.kshrc", "/root/.kshrc",
 95
 96  // runtime control
 97  "/etc/rc.common", "/etc/rc.local",
 98
 99  // System V init/Upstart
100  "/etc/init.d/*", "/etc/init/*",
101
102  // passwd/sudoers/shadow
103  "/etc/passwd", "/etc/shadow", "/etc/sudoers", "/etc/sudoers.d/*",
104
105  // Systemd udevd
106  "/lib/udev/*", "/etc/udev/rules.d/*", "/usr/lib/udev/rules.d/*", "/run/udev/rules.d/*", "/usr/local/lib/udev/rules.d/*",
107
108  // XDG/KDE autostart entries
109  "/home/*/.config/autostart/*", "/root/.config/autostart/*", "/etc/xdg/autostart/*", "/usr/share/autostart/*",
110  "/home/*/.kde/Autostart/*", "/root/.kde/Autostart/*",
111  "/home/*/.kde4/Autostart/*", "/root/.kde4/Autostart/*",
112  "/home/*/.kde/share/autostart/*", "/root/.kde/share/autostart/*",
113  "/home/*/.kde4/share/autostart/*", "/root/.kde4/share/autostart/*",
114  "/home/*/.local/share/autostart/*", "/root/.local/share/autostart/*",
115  "/home/*/.config/autostart-scripts/*", "/root/.config/autostart-scripts/*",
116
117  // LKM configuration files
118  "/etc/modules", "/etc/modprobe.d/*", "/usr/lib/modprobe.d/*", "/etc/modules-load.d/*",
119  "/run/modules-load.d/*", "/usr/local/lib/modules-load.d/*", "/usr/lib/modules-load.d/*",
120
121  // PAM modules & configuration files
122  "/lib/security/*", "/lib64/security/*", "/usr/lib/security/*", "/usr/lib64/security/*",
123  "/lib/x86_64-linux-gnu/security/*", "/usr/lib/x86_64-linux-gnu/security/*",
124  "/etc/pam.d/*", "/etc/security/pam_*", "/etc/pam.conf",
125
126  // Misc.
127  "/etc/shells"
128
129) and not (
130  file.path : (
131    "/var/spool/cron/crontabs/tmp.*", "/run/udev/rules.d/*rules.*", "/home/*/.ssh/known_hosts.*", "/root/.ssh/known_hosts.*"
132  ) or
133  file.extension in ("dpkg-new", "dpkg-remove", "SEQ")
134)
135'''
136
# ATT&CK mapping: one [[rule.threat]] block per tactic (Persistence, Privilege
# Escalation, Credential Access, Defense Evasion). T1556 is listed under both
# Persistence and Credential Access because PAM/sudoers edits serve both.
137[[rule.threat]]
138framework = "MITRE ATT&CK"
139
140[[rule.threat.technique]]
141id = "T1037"
142name = "Boot or Logon Initialization Scripts"
143reference = "https://attack.mitre.org/techniques/T1037/"
144
145[[rule.threat.technique.subtechnique]]
146id = "T1037.004"
147name = "RC Scripts"
148reference = "https://attack.mitre.org/techniques/T1037/004/"
149
150[[rule.threat.technique]]
151id = "T1547"
152name = "Boot or Logon Autostart Execution"
153reference = "https://attack.mitre.org/techniques/T1547/"
154
155[[rule.threat.technique.subtechnique]]
156id = "T1547.006"
157name = "Kernel Modules and Extensions"
158reference = "https://attack.mitre.org/techniques/T1547/006/"
159
160[[rule.threat.technique]]
161id = "T1136"
162name = "Create Account"
163reference = "https://attack.mitre.org/techniques/T1136/"
164
165[[rule.threat.technique.subtechnique]]
166id = "T1136.001"
167name = "Local Account"
168reference = "https://attack.mitre.org/techniques/T1136/001/"
169
170[[rule.threat.technique]]
171id = "T1543"
172name = "Create or Modify System Process"
173reference = "https://attack.mitre.org/techniques/T1543/"
174
175[[rule.threat.technique.subtechnique]]
176id = "T1543.002"
177name = "Systemd Service"
178reference = "https://attack.mitre.org/techniques/T1543/002/"
179
180[[rule.threat.technique]]
181id = "T1556"
182name = "Modify Authentication Process"
183reference = "https://attack.mitre.org/techniques/T1556/"
184
185[[rule.threat.technique]]
186id = "T1574"
187name = "Hijack Execution Flow"
188reference = "https://attack.mitre.org/techniques/T1574/"
189
190[[rule.threat.technique.subtechnique]]
191id = "T1574.006"
192name = "Dynamic Linker Hijacking"
193reference = "https://attack.mitre.org/techniques/T1574/006/"
194
195[rule.threat.tactic]
196id = "TA0003"
197name = "Persistence"
198reference = "https://attack.mitre.org/tactics/TA0003/"
199
200[[rule.threat]]
201framework = "MITRE ATT&CK"
202
203[[rule.threat.technique]]
204id = "T1053"
205name = "Scheduled Task/Job"
206reference = "https://attack.mitre.org/techniques/T1053/"
207
208[[rule.threat.technique.subtechnique]]
209id = "T1053.003"
210name = "Cron"
211reference = "https://attack.mitre.org/techniques/T1053/003/"
212
213[[rule.threat.technique]]
214id = "T1548"
215name = "Abuse Elevation Control Mechanism"
216reference = "https://attack.mitre.org/techniques/T1548/"
217
218[[rule.threat.technique.subtechnique]]
219id = "T1548.003"
220name = "Sudo and Sudo Caching"
221reference = "https://attack.mitre.org/techniques/T1548/003/"
222
223[rule.threat.tactic]
224id = "TA0004"
225name = "Privilege Escalation"
226reference = "https://attack.mitre.org/tactics/TA0004/"
227
228[[rule.threat]]
229framework = "MITRE ATT&CK"
230
231[[rule.threat.technique]]
232id = "T1556"
233name = "Modify Authentication Process"
234reference = "https://attack.mitre.org/techniques/T1556/"
235
236[rule.threat.tactic]
237id = "TA0006"
238name = "Credential Access"
239reference = "https://attack.mitre.org/tactics/TA0006/"
240
241[[rule.threat]]
242framework = "MITRE ATT&CK"
243
244[[rule.threat.technique]]
245id = "T1014"
246name = "Rootkit"
247reference = "https://attack.mitre.org/techniques/T1014/"
248
249[rule.threat.tactic]
250id = "TA0005"
251name = "Defense Evasion"
252reference = "https://attack.mitre.org/tactics/TA0005/"
