Dynamic Linker Copy

Detects the copying of the Linux dynamic loader binary and subsequent file creation for the purpose of creating a backup copy. This technique was seen recently being utilized by Linux malware prior to patching the dynamic loader in order to inject and preload a malicious shared object file. This activity should never occur and if it does then it should be considered highly suspicious or malicious.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2022/07/12"
 3maturity = "production"
 4min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 5min_stack_version = "8.3.0"
 6updated_date = "2023/06/22"
 7integration = ["endpoint"]
 8
 9[rule]
10author = ["Elastic"]
11description = """
12Detects the copying of the Linux dynamic loader binary and subsequent file creation for the purpose of creating a backup copy. This technique was seen recently being utilized by Linux malware prior to patching the dynamic loader in order to inject and preload a malicious shared object file. This activity should never occur and if it does then it should be considered highly suspicious or malicious.
13"""
14from = "now-9m"
15index = ["logs-endpoint.events.*"]
16language = "eql"
17license = "Elastic License v2"
18name = "Dynamic Linker Copy"
19references = [
20    "https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/"
21]
22risk_score = 73
23rule_id = "df6f62d9-caab-4b88-affa-044f4395a1e0"
24severity = "high"
25tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Threat: Orbit", "Data Source: Elastic Defend"]
26type = "eql"
27
28query = '''
29sequence by process.entity_id with maxspan=1m
30[process where host.os.type == "linux" and event.type == "start" and process.name : ("cp", "rsync") and
31   process.args : ("/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2", "/etc/ld.so.preload")]
32[file where host.os.type == "linux" and event.action == "creation" and file.extension == "so"]
33'''
34
35[[rule.threat]]
36framework = "MITRE ATT&CK"
37[[rule.threat.technique]]
38id = "T1574"
39name = "Hijack Execution Flow"
40reference = "https://attack.mitre.org/techniques/T1574/"
41
42[[rule.threat.technique.subtechnique]]
43id = "T1574.006"
44name = "Dynamic Linker Hijacking"
45reference = "https://attack.mitre.org/techniques/T1574/006/"
46
47[rule.threat.tactic]
48id = "TA0003"
49name = "Persistence"
50reference = "https://attack.mitre.org/tactics/TA0003/"

References

Related rules

to-top