Persistence via KDE AutoStart Script or Desktop File Modification
Identifies the creation or modification of a K Desktop Environment (KDE) AutoStart script or desktop file that will execute upon each user logon. Adversaries may abuse this method for persistence.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2021/01/06"
3integration = ["endpoint"]
4maturity = "production"
5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
6min_stack_version = "8.3.0"
7updated_date = "2023/08/24"
8
9[rule]
10author = ["Elastic"]
11description = """
12Identifies the creation or modification of a K Desktop Environment (KDE) AutoStart script or desktop file that will
13execute upon each user logon. Adversaries may abuse this method for persistence.
14"""
15from = "now-9m"
16index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"]
17language = "eql"
18license = "Elastic License v2"
19name = "Persistence via KDE AutoStart Script or Desktop File Modification"
20note = """## Setup
21
22If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
23"""
24references = [
25 "https://userbase.kde.org/System_Settings/Autostart",
26 "https://www.amnesty.org/en/latest/research/2020/09/german-made-finspy-spyware-found-in-egypt-and-mac-and-linux-versions-revealed/",
27 "https://www.intezer.com/blog/research/operation-electrorat-attacker-creates-fake-companies-to-drain-your-crypto-wallets/",
28]
29risk_score = 47
30rule_id = "e3e904b3-0a8e-4e68-86a8-977a163e21d3"
31severity = "medium"
32tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
33timestamp_override = "event.ingested"
34type = "eql"
35
36query = '''
37file where host.os.type == "linux" and event.type != "deletion" and
38 file.extension in ("sh", "desktop") and
39 file.path :
40 (
41 "/home/*/.config/autostart/*", "/root/.config/autostart/*",
42 "/home/*/.kde/Autostart/*", "/root/.kde/Autostart/*",
43 "/home/*/.kde4/Autostart/*", "/root/.kde4/Autostart/*",
44 "/home/*/.kde/share/autostart/*", "/root/.kde/share/autostart/*",
45 "/home/*/.kde4/share/autostart/*", "/root/.kde4/share/autostart/*",
46 "/home/*/.local/share/autostart/*", "/root/.local/share/autostart/*",
47 "/home/*/.config/autostart-scripts/*", "/root/.config/autostart-scripts/*",
48 "/etc/xdg/autostart/*", "/usr/share/autostart/*"
49 ) and
50 not process.name in ("yum", "dpkg", "install", "dnf", "teams", "yum-cron", "dnf-automatic", "docker", "dockerd",
51 "rpm")
52'''
53
54
55[[rule.threat]]
56framework = "MITRE ATT&CK"
57[[rule.threat.technique]]
58id = "T1547"
59name = "Boot or Logon Autostart Execution"
60reference = "https://attack.mitre.org/techniques/T1547/"
61
62
63[rule.threat.tactic]
64id = "TA0003"
65name = "Persistence"
66reference = "https://attack.mitre.org/tactics/TA0003/"
Setup
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define event.ingested and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate event.ingested to @timestamp for this rule to work.
References
-
Here, you can configure which applications or scripts will execute as soon as you log into Plasma Desktop Workspace, and also scripts for when you log out. You might want to add applications which ...
Read More -
• FinSpy is a commercial spyware suite produced by the Munich-based company FinFisher Gmbh. Since 2011 researchers have documented numerous cases of targeting of Human Rights Defenders (HRDs) - including activists, journalists, and dissidents with the use of FinSpy in many countries, including Bahrain, Ethiopia, UAE, and more. Because of this, Amnesty International’s Security Lab tracks FinSpy usage and development as part of our continuous monitoring of digital threats to Human Rights Defenders. • Amnesty International published a report in March 2019 describing phishing attacks targeting Egyptian human rights defenders and media and civil society organizations staff carried out by an attacker group known as “NilePhish”. While continuing research into this group’s activity, we discovered it has distributed samples of FinSpy for Microsoft Windows through a fake Adobe Flash Player download website. Amnesty International has not documented human rights violations by NilePhish directly linked to FinFisher products. • Through additional technical investigations into this most recent variant, Amnesty’s Security Lab also discovered, exposed online by an unknown actor, new samples of FinSpy for Windows, Android, and previously undisclosed versions for Linux and MacOS computers. • This report provides technical information on these recent FinSpy samples in order to aid the cybersecurity research community in further investigations, enable cybersecurity vendors implement protection mechanisms against these newly discovered variants, and to raise awareness among HRDs of evolving digital attack techniques.
Read More -
Extensive campaign already with thousands of victims promotes trojanized applications on cryptocurrency forums and social media.
Read More
Related rules
- Chkconfig Service Add
- Cron Job Created or Changed by Previously Unknown Process
- Kernel module load via insmod
- Linux User Added to Privileged Group
- Modification of OpenSSH Binaries