Suspicious Symbolic Link Created

Identifies the creation of a symbolic link to a suspicious file or location. A symbolic link is a reference to a file or directory that acts as a pointer or shortcut, allowing users to access the target file or directory from a different location in the file system. An attacker can potentially leverage symbolic links for privilege escalation by tricking a privileged process into following the symbolic link to a sensitive file, giving the attacker access to data or capabilities they would not normally have.

Elastic rule (View on GitHub)

# Rule metadata consumed by Elastic's detection-rules tooling; none of this is part of the query.
[metadata]
creation_date = "2023/07/27"
integration = ["endpoint"]
maturity = "production"
# Explains why min_stack_version was set: the rule uses schema fields introduced in that stack release.
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/08/24"

 9[rule]
10author = ["Elastic"]
11description = """
12Identifies the creation of a symbolic link to a suspicious file or location. A symbolic link is a reference to a file or
13directory that acts as a pointer or shortcut, allowing users to access the target file or directory from a different
14location in the file system. An attacker can potentially leverage symbolic links for privilege escalation by tricking a
15privileged process into following the symbolic link to a sensitive file, giving the attacker access to data or
16capabilities they would not normally have.
17"""
18from = "now-9m"
19index = ["logs-endpoint.events.*", "endgame-*"]
20language = "eql"
21license = "Elastic License v2"
22name = "Suspicious Symbolic Link Created"
23risk_score = 21
24rule_id = "8a024633-c444-45c0-a4fe-78128d8c1ab6"
25severity = "low"
26tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
27timestamp_override = "event.ingested"
28type = "eql"
29query = '''
30process where host.os.type == "linux" and event.action in ("exec", "exec_event") and 
31event.type == "start" and process.name == "ln" and 
32  (
33    /* suspicious files */
34    (process.args in ("/etc/shadow", "/etc/shadow-", "/etc/shadow~", "/etc/gshadow", "/etc/gshadow-") or 
35    (process.working_directory == "/etc" and process.args in ("shadow", "shadow-", "shadow~", "gshadow", "gshadow-"))) or 
36    
37    /* suspicious bins */
38    (process.args in ("/bin/bash", "/bin/dash", "/bin/sh", "/bin/tcsh", "/bin/csh", "/bin/zsh", "/bin/ksh", "/bin/fish") or 
39    (process.working_directory == "/bin" and process.args : ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish"))) or 
40    (process.args in ("/usr/bin/bash", "/usr/bin/dash", "/usr/bin/sh", "/usr/bin/tcsh", "/usr/bin/csh", "/usr/bin/zsh", "/usr/bin/ksh", "/usr/bin/fish") or 
41    (process.working_directory == "/usr/bin" and process.args in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish"))) or
42    
43    /* suspicious locations */
44    (process.args : ("/etc/cron.d/*", "/etc/cron.daily/*", "/etc/cron.hourly/*", "/etc/cron.weekly/*", "/etc/cron.monthly/*")) or
45    (process.args : ("/home/*/.ssh/*", "/root/.ssh/*","/etc/sudoers.d/*", "/dev/shm/*"))
46  ) and 
47  process.parent.name in ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and 
48  not user.Ext.real.id == "0" and not group.Ext.real.id == "0"
49'''
50
# Primary ATT&CK mapping: the symlink is used to coerce a privileged process into acting on a sensitive target.
[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1548"
name = "Abuse Elevation Control Mechanism"
reference = "https://attack.mitre.org/techniques/T1548/"

[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"

# Secondary ATT&CK mapping: covers the /etc/shadow and /etc/gshadow targets listed in the query.
[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1003"
name = "OS Credential Dumping"
reference = "https://attack.mitre.org/techniques/T1003/"

[[rule.threat.technique.subtechnique]]
id = "T1003.008"
name = "/etc/passwd and /etc/shadow"
reference = "https://attack.mitre.org/techniques/T1003/008/"

[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"

