Suspicious File Creation in /etc for Persistence

Sep 5, 2023 · Domain: Endpoint OS: Linux Use Case: Threat Detection Tactic: Persistence Threat: Orbit Threat: Lightning Framework Data Source: Elastic Endgame Data Source: Elastic Defend ·

Share on:

Detects the manual creation of files in specific etc directories, via user root, used by Linux malware to persist and elevate privileges on compromised systems. File creation in these directories should not be entirely common and could indicate a malicious binary or script installing persistence mechanisms for long term access.

Elastic rule (View on GitHub)

  1[metadata]
  2creation_date = "2022/07/22"
  3maturity = "production"
  4min_stack_comments = "New fields added: required_fields, related_integrations, setup"
  5min_stack_version = "8.3.0"
  6updated_date = "2023/08/24"
  7integration = ["endpoint"]
  8
  9[rule]
 10author = ["Elastic"]
 11description = """
 12Detects the manual creation of files in specific etc directories, via user root, used by Linux malware to persist and
 13elevate privileges on compromised systems. File creation in these directories should not be entirely common and could
 14indicate a malicious binary or script installing persistence mechanisms for long term access.
 15"""
 16from = "now-9m"
 17index = ["logs-endpoint.events.*", "endgame-*"]
 18language = "eql"
 19license = "Elastic License v2"
 20name = "Suspicious File Creation in /etc for Persistence"
 21references = [
 22    "https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/",
 23    "https://www.intezer.com/blog/research/lightning-framework-new-linux-threat/"
 24]
 25risk_score = 47
 26rule_id = "1c84dd64-7e6c-4bad-ac73-a5014ee37042"
 27severity = "medium"
 28tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Threat: Orbit", "Threat: Lightning Framework", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
 29timestamp_override = "event.ingested"
 30type = "eql"
 31
 32query = '''
 33file where host.os.type == "linux" and event.type in ("creation", "file_create_event") and user.name == "root" and
 34file.path : ("/etc/ld.so.conf.d/*", "/etc/cron.d/*", "/etc/sudoers.d/*", "/etc/rc.d/init.d/*", "/etc/systemd/system/*",
 35"/usr/lib/systemd/system/*") and not process.executable : ("*/dpkg", "*/yum", "*/apt", "*/dnf", "*/rpm", "*/systemd",
 36"*/snapd", "*/dnf-automatic","*/yum-cron", "*/elastic-agent", "*/dnfdaemon-system", "*/bin/dockerd", "*/sbin/dockerd",
 37"/kaniko/executor", "/usr/sbin/rhn_check") and not file.extension in ("swp", "swpx", "tmp")
 38'''
 39
 40[[rule.threat]]
 41framework = "MITRE ATT&CK"
 42
 43[rule.threat.tactic]
 44id = "TA0003"
 45name = "Persistence"
 46reference = "https://attack.mitre.org/tactics/TA0003/"
 47
 48[[rule.threat.technique]]
 49id = "T1037"
 50name = "Boot or Logon Initialization Scripts"
 51reference = "https://attack.mitre.org/techniques/T1037/"
 52
 53[[rule.threat.technique.subtechnique]]
 54id = "T1037.004"
 55name = "RC Scripts"
 56reference = "https://attack.mitre.org/techniques/T1037/004/"
 57
 58[[rule.threat.technique]]
 59id = "T1574"
 60name = "Hijack Execution Flow"
 61reference = "https://attack.mitre.org/techniques/T1574/"
 62
 63[[rule.threat.technique.subtechnique]]
 64id = "T1574.006"
 65name = "Dynamic Linker Hijacking"
 66reference = "https://attack.mitre.org/techniques/T1574/006/"
 67
 68[[rule.threat.technique]]
 69id = "T1543"
 70name = "Create or Modify System Process"
 71reference = "https://attack.mitre.org/techniques/T1543/"
 72
 73[[rule.threat.technique.subtechnique]]
 74id = "T1543.002"
 75name = "Systemd Service"
 76reference = "https://attack.mitre.org/techniques/T1543/002/"
 77
 78[[rule.threat]]
 79framework = "MITRE ATT&CK"
 80
 81[rule.threat.tactic]
 82id = "TA0002"
 83name = "Execution"
 84reference = "https://attack.mitre.org/tactics/TA0002/"
 85
 86[[rule.threat.technique]]
 87id = "T1053"
 88name = "Scheduled Task/Job"
 89reference = "https://attack.mitre.org/techniques/T1053/"
 90
 91[[rule.threat.technique.subtechnique]]
 92id = "T1053.003"
 93name = "Cron"
 94reference = "https://attack.mitre.org/techniques/T1053/003/"
 95
 96[[rule.threat]]
 97framework = "MITRE ATT&CK"
 98
 99[rule.threat.tactic]
100id = "TA0004"
101name = "Privilege Escalation"
102reference = "https://attack.mitre.org/tactics/TA0004/"
103
104[[rule.threat.technique]]
105id = "T1548"
106name = "Abuse Elevation Control Mechanism"
107reference = "https://attack.mitre.org/techniques/T1548/"
108
109[[rule.threat.technique.subtechnique]]
110id = "T1548.003"
111name = "Sudo and Sudo Caching"
112reference = "https://attack.mitre.org/techniques/T1548/003/"

References

OrBit: New Undetected Linux Threat Uses Unique Hijack of Execution Flow

OrBit is a new Linux malware that hijacks the execution flow, evading and gaining persistence to get remote access and steal information.

Read More
Lightning Framework: New “Swiss Army Knife” Linux Malware

A new Linux malware we're calling Lightning Framework has modular plugins and the ability to install multiple types of rootkits.

Read More

Suspicious File Creation in /etc for Persistence

Elastic rule (View on GitHub)

References

OrBit: New Undetected Linux Threat Uses Unique Hijack of Execution Flow

Lightning Framework: New “Swiss Army Knife” Linux Malware

Related rules