Persistence via KDE AutoStart Script or Desktop File Modification
Identifies the creation or modification of a K Desktop Environment (KDE) AutoStart script or desktop file that will execute upon each user logon. Adversaries may abuse this method for persistence.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2021/01/06"
3integration = ["endpoint"]
4maturity = "production"
5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
6min_stack_version = "8.3.0"
7updated_date = "2023/08/24"
8
9[rule]
10author = ["Elastic"]
11description = """
12Identifies the creation or modification of a K Desktop Environment (KDE) AutoStart script or desktop file that will
13execute upon each user logon. Adversaries may abuse this method for persistence.
14"""
15from = "now-9m"
16index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"]
17language = "eql"
18license = "Elastic License v2"
19name = "Persistence via KDE AutoStart Script or Desktop File Modification"
20note = """## Setup
21
22If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
23"""
24references = [
25 "https://userbase.kde.org/System_Settings/Autostart",
26 "https://www.amnesty.org/en/latest/research/2020/09/german-made-finspy-spyware-found-in-egypt-and-mac-and-linux-versions-revealed/",
27 "https://www.intezer.com/blog/research/operation-electrorat-attacker-creates-fake-companies-to-drain-your-crypto-wallets/",
28]
29risk_score = 47
30rule_id = "e3e904b3-0a8e-4e68-86a8-977a163e21d3"
31severity = "medium"
32tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
33timestamp_override = "event.ingested"
34type = "eql"
35
36query = '''
37file where host.os.type == "linux" and event.type != "deletion" and
38 file.extension in ("sh", "desktop") and
39 file.path :
40 (
41 "/home/*/.config/autostart/*", "/root/.config/autostart/*",
42 "/home/*/.kde/Autostart/*", "/root/.kde/Autostart/*",
43 "/home/*/.kde4/Autostart/*", "/root/.kde4/Autostart/*",
44 "/home/*/.kde/share/autostart/*", "/root/.kde/share/autostart/*",
45 "/home/*/.kde4/share/autostart/*", "/root/.kde4/share/autostart/*",
46 "/home/*/.local/share/autostart/*", "/root/.local/share/autostart/*",
47 "/home/*/.config/autostart-scripts/*", "/root/.config/autostart-scripts/*",
48 "/etc/xdg/autostart/*", "/usr/share/autostart/*"
49 ) and
50 not process.name in ("yum", "dpkg", "install", "dnf", "teams", "yum-cron", "dnf-automatic", "docker", "dockerd",
51 "rpm")
52'''
53
54
55[[rule.threat]]
56framework = "MITRE ATT&CK"
57[[rule.threat.technique]]
58id = "T1547"
59name = "Boot or Logon Autostart Execution"
60reference = "https://attack.mitre.org/techniques/T1547/"
61
62
63[rule.threat.tactic]
64id = "TA0003"
65name = "Persistence"
66reference = "https://attack.mitre.org/tactics/TA0003/"
Setup
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define event.ingested
and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate event.ingested
to @timestamp for this rule to work.
References
Related rules
- Chkconfig Service Add
- Cron Job Created or Changed by Previously Unknown Process
- Kernel module load via insmod
- Linux User Added to Privileged Group
- Modification of OpenSSH Binaries