Skip to content

Commit c888fdd

Browse files
Aegrahgithub-actions[bot]
Aegrah
authored and
github-actions[bot]
committed
[New BBR] Potential Suspicious File Edit (#2960)
* [New BBR] Potential Suspicious File Edit * Added a few more interesting files --------- Co-authored-by: shashank-elastic <[email protected]> (cherry picked from commit 9cc4b0e)
1 parent da77c68 commit c888fdd

File tree

1 file changed

+108
-0
lines changed

1 file changed

+108
-0
lines changed

rules_building_block/persistence_suspicious_file_opened_through_editor.toml

Lines changed: 108 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,108 @@
1+
[metadata]
2+
creation_date = "2023/07/25"
3+
maturity = "production"
4+
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
5+
min_stack_version = "8.3.0"
6+
updated_date = "2023/07/25"
7+
integration = ["endpoint"]
8+
9+
[rule]
10+
author = ["Elastic"]
11+
description = """
12+
This rule monitors for the potential edit of a suspicious file. In Linux, when editing a file through an editor, a
13+
temporary .swp file is created. By monitoring for the creation of this .swp file, we can detect potential file edits of
14+
suspicious files. The execution of this rule is not a clear sign of the file being edited, as just opening the file
15+
through an editor will trigger this event. Attackers may alter any of the files added in this rule to establish
16+
persistence, escalate privileges or perform reconnaisance on the system.
17+
"""
18+
from = "now-119m"
19+
interval = "60m"
20+
index = ["logs-endpoint.events.*", "endgame-*"]
21+
language = "eql"
22+
license = "Elastic License v2"
23+
name = "Potential Suspicious File Edit"
24+
risk_score = 21
25+
rule_id = "3728c08d-9b70-456b-b6b8-007c7d246128"
26+
severity = "low"
27+
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Rule Type: BBR"]
28+
timestamp_override = "event.ingested"
29+
type = "eql"
30+
building_block_type = "default"
31+
32+
query = '''
33+
file where event.action in ("creation", "file_create_event") and file.extension == "swp" and
34+
file.path : (
35+
/* common interesting files and locations */
36+
"/etc/.shadow.swp", "/etc/.shadow-.swp", "/etc/.shadow~.swp", "/etc/.gshadow.swp", "/etc/.gshadow-.swp",
37+
"/etc/.passwd.swp", "/etc/.pwd.db.swp", "/etc/.master.passwd.swp", "/etc/.spwd.db.swp", "/etc/security/.opasswd.swp",
38+
"/etc/.hosts.swp", "/etc/.environment.swp", "/etc/.profile.swp", "/etc/sudoers.d/.*.swp",
39+
"/etc/ld.so.conf.d/.*.swp", "/etc/init.d/.*.swp", "/etc/.rc.local.swp", "/etc/rc*.d/.*.swp",
40+
"/dev/shm/.*.swp", "/etc/update-motd.d/.*.swp", "/usr/lib/update-notifier/.*.swp",
41+
42+
/* service, timer, want, socket and lock files */
43+
"/etc/systemd/system/.*.swp", "/usr/local/lib/systemd/system/.*.swp", "/lib/systemd/system/.*.swp",
44+
"/usr/lib/systemd/system/.*.swp","/home/*/.config/systemd/user/.*.swp", "/run/.*.swp", "/var/run/.*.swp/",
45+
46+
/* profile and shell configuration files */
47+
"/home/*.profile.swp", "/home/*.bash_profile.swp", "/home/*.bash_login.swp", "/home/*.bashrc.swp", "/home/*.bash_logout.swp",
48+
"/home/*.zshrc.swp", "/home/*.zlogin.swp", "/home/*.tcshrc.swp", "/home/*.kshrc.swp", "/home/*.config.fish.swp",
49+
"/root/*.profile.swp", "/root/*.bash_profile.swp", "/root/*.bash_login.swp", "/root/*.bashrc.swp", "/root/*.bash_logout.swp",
50+
"/root/*.zshrc.swp", "/root/*.zlogin.swp", "/root/*.tcshrc.swp", "/root/*.kshrc.swp", "/root/*.config.fish.swp"
51+
)
52+
'''
53+
54+
[[rule.threat]]
55+
framework = "MITRE ATT&CK"
56+
57+
[rule.threat.tactic]
58+
id = "TA0003"
59+
name = "Persistence"
60+
reference = "https://attack.mitre.org/tactics/TA0003/"
61+
62+
[[rule.threat.technique]]
63+
id = "T1037"
64+
name = "Boot or Logon Initialization Scripts"
65+
reference = "https://attack.mitre.org/techniques/T1037/"
66+
67+
[[rule.threat.technique.subtechnique]]
68+
id = "T1037.004"
69+
name = "RC Scripts"
70+
reference = "https://attack.mitre.org/techniques/T1037/004/"
71+
72+
[[rule.threat.technique]]
73+
id = "T1574"
74+
name = "Hijack Execution Flow"
75+
reference = "https://attack.mitre.org/techniques/T1574/"
76+
77+
[[rule.threat.technique.subtechnique]]
78+
id = "T1574.006"
79+
name = "Dynamic Linker Hijacking"
80+
reference = "https://attack.mitre.org/techniques/T1574/006/"
81+
82+
[[rule.threat.technique]]
83+
id = "T1543"
84+
name = "Create or Modify System Process"
85+
reference = "https://attack.mitre.org/techniques/T1543/"
86+
87+
[[rule.threat.technique.subtechnique]]
88+
id = "T1543.002"
89+
name = "Systemd Service"
90+
reference = "https://attack.mitre.org/techniques/T1543/002/"
91+
92+
[[rule.threat]]
93+
framework = "MITRE ATT&CK"
94+
95+
[rule.threat.tactic]
96+
id = "TA0004"
97+
name = "Privilege Escalation"
98+
reference = "https://attack.mitre.org/tactics/TA0004/"
99+
100+
[[rule.threat.technique]]
101+
id = "T1548"
102+
name = "Abuse Elevation Control Mechanism"
103+
reference = "https://attack.mitre.org/techniques/T1548/"
104+
105+
[[rule.threat.technique.subtechnique]]
106+
id = "T1548.003"
107+
name = "Sudo and Sudo Caching"
108+
reference = "https://attack.mitre.org/techniques/T1548/003/"

0 commit comments

Comments
 (0)