Access Control List Modification via setfacl

This rule detects Linux Access Control List (ACL) modification via the setfacl command.


# Elastic prebuilt detection rule: Access Control List Modification via setfacl.
# The integrations listed here are the ones expected to supply the
# process-start events the query reads; the index patterns under [rule]
# additionally cover Endgame and Auditbeat data.
[metadata]
creation_date = "2024/08/23"
integration = ["endpoint", "auditd_manager"]
maturity = "production"
updated_date = "2024/10/18"

[rule]
author = ["Elastic"]
description = """
This rule detects Linux Access Control List (ACL) modification via the setfacl command.
"""
# Look-back window for each rule execution. Presumably a few minutes wider
# than the schedule interval so late-arriving events are not missed - confirm
# against the rule's configured interval.
from = "now-9m"
index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"]
language = "eql"
license = "Elastic License v2"
name = "Access Control List Modification via setfacl"
references = ["https://www.uptycs.com/blog/threat-research-report-team/evasive-techniques-used-by-malicious-linux-shell-scripts"]
# Low-confidence signal: setfacl is a legitimate administration tool, so the
# rule also fires on routine use. A score of 21 sits in the "low" severity band.
risk_score = 21
rule_id = "999565a2-fc52-4d72-91e4-ba6712c0377e"
severity = "low"
tags = [
    "Domain: Endpoint",
    "OS: Linux",
    "Use Case: Threat Detection",
    "Tactic: Defense Evasion",
    "Data Source: Elastic Defend",
    "Data Source: Elastic Endgame",
    "Data Source: Auditd Manager",
]
# Evaluate the look-back window against ingestion time rather than @timestamp
# so events shipped late (e.g. from a host that was offline) still fall inside it.
timestamp_override = "event.ingested"
type = "eql"
# Matches any Linux process-start event whose process name is setfacl. The four
# event.action values presumably correspond to the different data sources in
# `index` - verify when adding a new source.
# Two exclusions cover known benign invocations:
#   - the exact command line "/bin/setfacl --restore=-" (ACLs restored from stdin);
#   - any invocation that has an argument equal to "/var/log/journal/".
# NOTE(review): process.args is an array field, so the second exclusion drops
# the event whenever any single argument matches that path, not only when the
# journal directory is the sole target - confirm this is the intended width of
# the exclusion.
query = '''
process where host.os.type == "linux" and event.type == "start" and
event.action in ("exec", "exec_event", "executed", "process_started") and
process.name == "setfacl" and not (
  process.command_line == "/bin/setfacl --restore=-" or
  process.args == "/var/log/journal/"
)
'''

# MITRE ATT&CK mapping: T1222.002 (Linux and Mac File and Directory
# Permissions Modification) under the Defense Evasion tactic.
[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1222"
name = "File and Directory Permissions Modification"
reference = "https://attack.mitre.org/techniques/T1222/"

[[rule.threat.technique.subtechnique]]
id = "T1222.002"
name = "Linux and Mac File and Directory Permissions Modification"
reference = "https://attack.mitre.org/techniques/T1222/002/"

[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
