Unusual DPKG Execution
This rule detects the execution of a dpkg package maintainer script (a file under /var/lib/dpkg/info/, such as a package's preinst, postinst, prerm, postrm or config script) by a process chain that is not dpkg itself, dpkg-reconfigure, the debconf frontend or unattended-upgrade. dpkg is the low-level tool that installs, removes and configures Debian packages, and it runs these maintainer scripts as root during every package transaction. A backdoored .deb can carry a malicious maintainer script, and a maintainer script invoked directly, outside a dpkg transaction, suggests that someone is running or re-running such a script by hand, which attackers can use to install malicious packages, gain persistence or execute unauthorized code on the system.
Elastic rule (View on GitHub)
[metadata]
creation_date = "2024/07/09"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/01/15"

[rule]
author = ["Elastic"]
description = """
This rule detects the execution of the DPKG command by processes not associated with the DPKG package manager. The DPKG
command is used to install, remove, and manage Debian packages on a Linux system. Attackers can abuse the DPKG command
to install malicious packages on a system.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
name = "Unusual DPKG Execution"
references = ["https://www.makeuseof.com/how-deb-packages-are-backdoored-how-to-detect-it/"]
risk_score = 21
rule_id = "d6241c90-99f2-44db-b50f-299b6ebd7ee9"
setup = """## Setup

This rule requires data coming in from Elastic Defend.

### Elastic Defend Integration Setup
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.

#### Prerequisite Requirements:
- Fleet is required for Elastic Defend.
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).

#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
- Go to the Kibana home page and click "Add integrations".
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
- Click "Add Elastic Defend".
- Configure the integration name and optionally add a description.
- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
- Click "Save and Continue".
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "low"
tags = [
  "Domain: Endpoint",
  "OS: Linux",
  "Use Case: Threat Detection",
  "Tactic: Persistence",
  "Data Source: Elastic Defend",
  "Resources: Investigation Guide"
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
process.executable : "/var/lib/dpkg/info/*" and process.session_leader.name != null and
process.group_leader.name != null and not (
  process.parent.name in ("dpkg", "dpkg-reconfigure") or
  process.session_leader.name == "dpkg" or
  process.group_leader.name == "dpkg" or
  process.parent.executable in ("/usr/share/debconf/frontend", "/usr/bin/unattended-upgrade")
)
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Unusual DPKG Execution

DPKG is a core utility in Debian-based Linux systems for managing software packages. While essential for legitimate software management, adversaries can exploit DPKG to install or manipulate packages for malicious purposes, potentially gaining persistence or executing unauthorized code. The detection rule identifies anomalies by flagging DPKG executions initiated by unexpected processes, which may indicate unauthorized package management activities.

### Possible investigation steps

- Review the process details to identify the unexpected process that initiated the DPKG execution. Pay attention to the process.executable field to understand which script or binary was executed.
- Examine the process.parent.name and process.parent.executable fields to determine the parent process that launched the DPKG command. This can provide insights into whether the execution was part of a legitimate process chain or potentially malicious.
- Investigate the process.session_leader.name and process.group_leader.name fields to understand the broader context of the session and group leaders involved in the execution. This can help identify if the execution was part of a larger, coordinated activity.
- Check the system logs and any available audit logs around the time of the alert to gather additional context on the activities occurring on the system. Look for any other suspicious or related events.
- Assess the system for any unauthorized or unexpected package installations or modifications that may have occurred as a result of the DPKG execution. This can help determine if the system has been compromised.

### False positive analysis

- System maintenance scripts may trigger the rule if they execute DPKG commands outside of typical package management processes. To handle this, identify and whitelist these scripts by adding their parent process names or executables to the exception list.
- Automated software update tools, other than the ones specified in the rule, might cause false positives. Review the tools used in your environment and consider adding their executables to the exclusion criteria if they are verified as safe.
- Custom administrative scripts that manage packages could be flagged. Ensure these scripts are reviewed for legitimacy and then exclude their process names or paths from the rule to prevent unnecessary alerts.
- Development or testing environments where package manipulation is frequent might generate alerts. In such cases, consider creating environment-specific exceptions to reduce noise while maintaining security in production systems.

### Response and remediation

- Immediately isolate the affected system from the network to prevent further unauthorized package installations or potential lateral movement by the adversary.
- Terminate any suspicious processes identified as executing the DPKG command from unexpected sources to halt any ongoing malicious activities.
- Conduct a thorough review of recently installed or modified packages on the affected system to identify and remove any unauthorized or malicious software.
- Restore the system from a known good backup if malicious packages have been installed and cannot be safely removed without compromising system integrity.
- Update and patch the affected system to ensure all software is up-to-date, reducing the risk of exploitation through known vulnerabilities.
- Implement stricter access controls and monitoring on package management utilities to prevent unauthorized use, ensuring only trusted processes can execute DPKG commands.
- Escalate the incident to the security operations team for further investigation and to assess the potential impact on other systems within the network."""

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1546"
name = "Event Triggered Execution"
reference = "https://attack.mitre.org/techniques/T1546/"

[[rule.threat.technique.subtechnique]]
id = "T1546.016"
name = "Installer Packages"
reference = "https://attack.mitre.org/techniques/T1546/016/"

[[rule.threat.technique]]
id = "T1543"
name = "Create or Modify System Process"
reference = "https://attack.mitre.org/techniques/T1543/"

[[rule.threat.technique]]
id = "T1574"
name = "Hijack Execution Flow"
reference = "https://attack.mitre.org/techniques/T1574/"

[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1195"
name = "Supply Chain Compromise"
reference = "https://attack.mitre.org/techniques/T1195/"

[[rule.threat.technique.subtechnique]]
id = "T1195.002"
name = "Compromise Software Supply Chain"
reference = "https://attack.mitre.org/techniques/T1195/002/"

[rule.threat.tactic]
name = "Initial Access"
id = "TA0001"
reference = "https://attack.mitre.org/tactics/TA0001/"
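The EQL query above is easier to reason about when its conditions can be stepped through against concrete events. The following is an added example, not Elastic's code: it re-implements the rule's matching and exclusion logic in Python and runs it over hand-constructed process events that use the same ECS field names the query reads (process.executable, process.parent.name, process.session_leader.name and so on). The event contents, the package names and the parent chains are all assumed for illustration.

```python
"""Replay of the Unusual DPKG Execution query over constructed process events.

Added example, not Elastic's code. The event dicts are hand-built to resemble
Elastic Defend process events (ECS field names only), and match_rule()
re-implements the rule's EQL conditions so the exclusions can be checked offline.
"""
from fnmatch import fnmatchcase

# Values copied from the rule's query.
MAINTAINER_SCRIPT_GLOB = "/var/lib/dpkg/info/*"
TRUSTED_PARENT_NAMES = {"dpkg", "dpkg-reconfigure"}
TRUSTED_PARENT_EXECUTABLES = {"/usr/share/debconf/frontend", "/usr/bin/unattended-upgrade"}


def _get(event, dotted):
    """Resolve an ECS dotted field name such as 'process.parent.name' against a nested dict."""
    node = event
    for key in dotted.split("."):
        if not isinstance(node, dict):
            return None
        node = node.get(key)
    return node


def _equals(value, wanted):
    """EQL '==' against an ECS field that may hold a scalar or a list (event.type usually does)."""
    if isinstance(value, list):
        return wanted in value
    return value == wanted


def match_rule(event):
    """Return True if the event would fire the rule's EQL query."""
    # process where host.os.type == "linux" and event.type == "start" and event.action == "exec"
    if not _equals(_get(event, "event.category"), "process"):
        return False
    if _get(event, "host.os.type") != "linux":
        return False
    if not (_equals(_get(event, "event.type"), "start") and _equals(_get(event, "event.action"), "exec")):
        return False
    # process.executable : "/var/lib/dpkg/info/*"  (':' is a case-insensitive wildcard match in EQL)
    executable = _get(event, "process.executable")
    if executable is None or not fnmatchcase(executable.lower(), MAINTAINER_SCRIPT_GLOB):
        return False
    # Both leader names must be present, otherwise the exclusions below cannot be evaluated.
    session_leader = _get(event, "process.session_leader.name")
    group_leader = _get(event, "process.group_leader.name")
    if session_leader is None or group_leader is None:
        return False
    # Exclusions: maintainer scripts launched from a dpkg, debconf or unattended-upgrade chain are expected.
    if _get(event, "process.parent.name") in TRUSTED_PARENT_NAMES:
        return False
    if session_leader == "dpkg" or group_leader == "dpkg":
        return False
    if _get(event, "process.parent.executable") in TRUSTED_PARENT_EXECUTABLES:
        return False
    return True


def process_event(executable, parent_name, parent_executable, session_leader, group_leader):
    """Build a minimal exec event (constructed; only the fields the rule reads are filled in)."""
    return {
        "host": {"os": {"type": "linux"}},
        "event": {"category": ["process"], "type": ["start"], "action": "exec"},
        "process": {
            "executable": executable,
            "parent": {"name": parent_name, "executable": parent_executable},
            "session_leader": {"name": session_leader},
            "group_leader": {"name": group_leader},
        },
    }


# Constructed sample: an apt transaction, a dpkg-reconfigure run, an unattended-upgrade run,
# an event with no leader information, and a postinst started from a cron-driven shell.
SAMPLE_EVENTS = [
    process_event("/var/lib/dpkg/info/libfoo1:amd64.postinst", "dpkg", "/usr/bin/dpkg", "apt", "dpkg"),
    process_event("/var/lib/dpkg/info/tzdata.config", "frontend", "/usr/share/debconf/frontend", "bash", "dpkg-reconfigure"),
    process_event("/var/lib/dpkg/info/curl:amd64.postinst", "unattended-upgrade", "/usr/bin/unattended-upgrade", "unattended-upgrade", "unattended-upgrade"),
    process_event("/var/lib/dpkg/info/openssh-server.postinst", "sh", "/usr/bin/dash", None, None),
    process_event("/var/lib/dpkg/info/evilpkg.postinst", "sh", "/usr/bin/dash", "cron", "sh"),
]


def alerts(events):
    """Executables of the events that the rule would alert on."""
    return [_get(e, "process.executable") for e in events if match_rule(e)]


if __name__ == "__main__":
    for path in alerts(SAMPLE_EVENTS):
        print("ALERT:", path)
```

Only the last sample event fires: a maintainer script under /var/lib/dpkg/info/ whose parent, session leader and group leader are all outside the dpkg, debconf and unattended-upgrade chains. The fourth event shows why the two null checks matter: without a session or group leader name the exclusions cannot be evaluated, so the rule skips the event rather than alerting on incomplete data. When tuning exceptions for an environment, add the parent executable of the tool rather than a bare process name, since a process name such as "sh" would exclude far more than intended.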
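The investigation and response steps above ask the analyst to check system logs around the alert and to review recently installed or modified packages. dpkg keeps its own transaction log in /var/log/dpkg/dpkg.log, and one concrete question it answers is whether the maintainer script named in the alert ran inside a logged package transaction or on its own. The following is an added example, not part of Elastic's rule or its investigation guide: the log lines are constructed for the example (on a real host read the file instead), the package names are invented, and the ten-minute correlation window is an assumed default.

```python
"""Triage helper for an Unusual DPKG Execution alert.

Added example, not Elastic's code. Parses dpkg's transaction log format
("<date> <time> <action> <package> ...") and checks whether the package whose
maintainer script appears in the alert was being installed, upgraded, removed or
configured by dpkg at that time. SAMPLE_DPKG_LOG is constructed for the example.
"""
from datetime import datetime, timedelta
from typing import NamedTuple

SAMPLE_DPKG_LOG = """\
2024-07-09 09:58:11 startup archives unpack
2024-07-09 09:58:12 install libfoo1:amd64 <none> 1.2.3-1
2024-07-09 09:58:12 status half-installed libfoo1:amd64 1.2.3-1
2024-07-09 09:58:13 status unpacked libfoo1:amd64 1.2.3-1
2024-07-09 09:58:20 startup packages configure
2024-07-09 09:58:20 configure libfoo1:amd64 1.2.3-1 <none>
2024-07-09 09:58:21 status installed libfoo1:amd64 1.2.3-1
2024-07-09 11:30:02 upgrade curl:amd64 7.88.1-10 7.88.1-10+deb12u5
2024-07-09 11:30:03 status installed curl:amd64 7.88.1-10+deb12u5
"""

# Log actions that mean dpkg itself was working on a package (and therefore running its scripts).
TRANSACTION_ACTIONS = {"install", "upgrade", "remove", "purge", "configure", "trigproc", "status"}


class LogEntry(NamedTuple):
    when: datetime
    action: str   # install, upgrade, remove, purge, configure, trigproc, status
    package: str  # package name with any ":arch" suffix stripped
    detail: str   # versions, or the state for "status" lines


def strip_arch(name):
    """'libfoo1:amd64' -> 'libfoo1'; names without an architecture are unchanged."""
    return name.split(":", 1)[0]


def parse_dpkg_log(text):
    """Parse dpkg.log lines into LogEntry records, skipping 'startup' markers."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[2] == "startup":
            continue
        when = datetime.strptime(f"{parts[0]} {parts[1]}", "%Y-%m-%d %H:%M:%S")
        action = parts[2]
        if action == "status":      # status <state> <package> <version>
            package, detail = parts[4], parts[3]
        else:                       # <action> <package> <old-version> <new-version>
            package, detail = parts[3], " ".join(parts[4:])
        entries.append(LogEntry(when, action, strip_arch(package), detail))
    return entries


def package_from_script(path):
    """'/var/lib/dpkg/info/libfoo1:amd64.postinst' -> ('libfoo1', 'postinst')."""
    base = path.rsplit("/", 1)[-1]
    stem, _, kind = base.rpartition(".")
    return strip_arch(stem), kind


def transactions_near(entries, alert_time, window):
    """Names of packages dpkg was working on within +/- window of the alert."""
    lo, hi = alert_time - window, alert_time + window
    return {e.package for e in entries if e.action in TRANSACTION_ACTIONS and lo <= e.when <= hi}


def explain_alert(script_path, alert_time_iso, log_text=SAMPLE_DPKG_LOG, window_minutes=10):
    """Classify the alert against the dpkg log; returns (verdict, human-readable reason)."""
    pkg, kind = package_from_script(script_path)
    alert_time = datetime.fromisoformat(alert_time_iso)
    nearby = transactions_near(parse_dpkg_log(log_text), alert_time, timedelta(minutes=window_minutes))
    if pkg in nearby:
        return "IN_TRANSACTION", f"{kind} of {pkg} ran during a logged dpkg transaction; verify the parent chain"
    if nearby:
        return "OTHER_TRANSACTION", f"dpkg worked on {sorted(nearby)} nearby but never on {pkg}; script ran on its own"
    return "NO_TRANSACTION", f"no dpkg activity near the alert; {pkg}.{kind} was invoked outside package management"


if __name__ == "__main__":
    for path, ts in [("/var/lib/dpkg/info/libfoo1:amd64.postinst", "2024-07-09T09:58:20"),
                     ("/var/lib/dpkg/info/evilpkg.postinst", "2024-07-09T13:00:00")]:
        print(path, "->", *explain_alert(path, ts))
```

A NO_TRANSACTION or OTHER_TRANSACTION verdict means the script ran without dpkg driving it, which is exactly the situation the rule exists to surface; follow it up by checking whether the package is installed at all (dpkg-query -W on the name) and by diffing the script under /var/lib/dpkg/info/ against the copy inside the package's .deb, which dpkg-deb --control can extract from the archive still cached under /var/cache/apt/archives/ if it is present. An IN_TRANSACTION verdict does not clear the alert by itself, because the rule already excludes scripts run by dpkg; it tells you to look at why the parent chain was something other than dpkg during that transaction.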
References
- https://www.makeuseof.com/how-deb-packages-are-backdoored-how-to-detect-it/
Related rules
- APT Package Manager Configuration File Creation
- At Job Created or Modified
- Bash Shell Profile Modification
- Chkconfig Service Add
- Creation or Modification of Pluggable Authentication Module or Configuration