Suspicious File Creation in /etc for Persistence

Detects the manual creation of files in specific etc directories, via user root, used by Linux malware to persist and elevate privileges on compromised systems. File creation in these directories should not be entirely common and could indicate a malicious binary or script installing persistence mechanisms for long term access.

Elastic rule (View on GitHub)

  1[metadata]
  2creation_date = "2022/07/22"
  3maturity = "production"
  4min_stack_comments = "New fields added: required_fields, related_integrations, setup"
  5min_stack_version = "8.3.0"
  6updated_date = "2023/08/24"
  7integration = ["endpoint"]
  8
  9[rule]
 10author = ["Elastic"]
 11description = """
 12Detects the manual creation of files in specific etc directories, via user root, used by Linux malware to persist and
 13elevate privileges on compromised systems. File creation in these directories should not be entirely common and could
 14indicate a malicious binary or script installing persistence mechanisms for long term access.
 15"""
 16from = "now-9m"
 17index = ["logs-endpoint.events.*", "endgame-*"]
 18language = "eql"
 19license = "Elastic License v2"
 20name = "Suspicious File Creation in /etc for Persistence"
 21references = [
 22    "https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/",
 23    "https://www.intezer.com/blog/research/lightning-framework-new-linux-threat/"
 24]
 25risk_score = 47
 26rule_id = "1c84dd64-7e6c-4bad-ac73-a5014ee37042"
 27severity = "medium"
 28tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Threat: Orbit", "Threat: Lightning Framework", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
 29timestamp_override = "event.ingested"
 30type = "eql"
 31
 32query = '''
 33file where host.os.type == "linux" and event.type in ("creation", "file_create_event") and user.name == "root" and
 34file.path : ("/etc/ld.so.conf.d/*", "/etc/cron.d/*", "/etc/sudoers.d/*", "/etc/rc.d/init.d/*", "/etc/systemd/system/*",
 35"/usr/lib/systemd/system/*") and not process.executable : ("*/dpkg", "*/yum", "*/apt", "*/dnf", "*/rpm", "*/systemd",
 36"*/snapd", "*/dnf-automatic","*/yum-cron", "*/elastic-agent", "*/dnfdaemon-system", "*/bin/dockerd", "*/sbin/dockerd",
 37"/kaniko/executor", "/usr/sbin/rhn_check") and not file.extension in ("swp", "swpx", "tmp")
 38'''
 39
 40[[rule.threat]]
 41framework = "MITRE ATT&CK"
 42
 43[rule.threat.tactic]
 44id = "TA0003"
 45name = "Persistence"
 46reference = "https://attack.mitre.org/tactics/TA0003/"
 47
 48[[rule.threat.technique]]
 49id = "T1037"
 50name = "Boot or Logon Initialization Scripts"
 51reference = "https://attack.mitre.org/techniques/T1037/"
 52
 53[[rule.threat.technique.subtechnique]]
 54id = "T1037.004"
 55name = "RC Scripts"
 56reference = "https://attack.mitre.org/techniques/T1037/004/"
 57
 58[[rule.threat.technique]]
 59id = "T1574"
 60name = "Hijack Execution Flow"
 61reference = "https://attack.mitre.org/techniques/T1574/"
 62
 63[[rule.threat.technique.subtechnique]]
 64id = "T1574.006"
 65name = "Dynamic Linker Hijacking"
 66reference = "https://attack.mitre.org/techniques/T1574/006/"
 67
 68[[rule.threat.technique]]
 69id = "T1543"
 70name = "Create or Modify System Process"
 71reference = "https://attack.mitre.org/techniques/T1543/"
 72
 73[[rule.threat.technique.subtechnique]]
 74id = "T1543.002"
 75name = "Systemd Service"
 76reference = "https://attack.mitre.org/techniques/T1543/002/"
 77
 78[[rule.threat]]
 79framework = "MITRE ATT&CK"
 80
 81[rule.threat.tactic]
 82id = "TA0002"
 83name = "Execution"
 84reference = "https://attack.mitre.org/tactics/TA0002/"
 85
 86[[rule.threat.technique]]
 87id = "T1053"
 88name = "Scheduled Task/Job"
 89reference = "https://attack.mitre.org/techniques/T1053/"
 90
 91[[rule.threat.technique.subtechnique]]
 92id = "T1053.003"
 93name = "Cron"
 94reference = "https://attack.mitre.org/techniques/T1053/003/"
 95
 96[[rule.threat]]
 97framework = "MITRE ATT&CK"
 98
 99[rule.threat.tactic]
100id = "TA0004"
101name = "Privilege Escalation"
102reference = "https://attack.mitre.org/tactics/TA0004/"
103
104[[rule.threat.technique]]
105id = "T1548"
106name = "Abuse Elevation Control Mechanism"
107reference = "https://attack.mitre.org/techniques/T1548/"
108
109[[rule.threat.technique.subtechnique]]
110id = "T1548.003"
111name = "Sudo and Sudo Caching"
112reference = "https://attack.mitre.org/techniques/T1548/003/"

References

Related rules

to-top