[hunt]
author = "Elastic"
description = """
This hunt identifies potential persistence mechanisms via the message-of-the-day (motd) on Linux systems. It monitors for file creation or modification events in the /etc/update-motd.d directory and for processes started by these motd scripts. These scripts run as root on SSH/terminal connection events, so changes to them can indicate attempts to establish persistence through motd modifications.
"""
integration = ["endpoint"]
uuid = "5984a354-d76c-43e6-bdd9-228456f1b371"
name = "Persistence via Message-of-the-Day"
language = ["ES|QL", "SQL"]
license = "Elastic License v2"
notes = [
"This hunt includes multiple ES|QL and OSQuery queries to identify potential persistence mechanisms via the message-of-the-day (motd) on Linux systems.",
"Detects file creation or modification events in the /etc/update-motd.d directory, which is used for message-of-the-day scripts.",
"Excludes common legitimate processes to minimize false positives.",
"Uses EVAL to tag potential persistence events and counts occurrences to identify unusual activity.",
"Monitors processes started by motd scripts to detect potential persistence mechanisms.",
"An OSQuery query is provided to complement the detection by retrieving detailed file information about the motd scripts."
]
# NOTE(review): T1036.005 is Masquerading: Match Legitimate Name or Location.
# T1546.003 is Event Triggered Execution: Windows Management Instrumentation
# Event Subscription, which does not apply to Linux motd hooks — confirm whether
# T1546.004 (Unix Shell Configuration Modification) was the intended mapping.
mitre = ["T1036.005", "T1546.003"]
# Queries run independently: two ES|QL hunts over endpoint file and process
# events (30-day lookback), then one osquery SQL query. The thresholds
# (pers_count <= 20, agent_count <= 5, host_count <= 5) are rarity filters that
# surface uncommon executables; raise them on fleets where motd changes are routine.
query = [
# Query 1: file creation/change events under /etc/update-motd.d, excluding a
# fixed list of package/container managers by process.name. That exclusion is
# name-based only, so a renamed binary using one of those names is dropped; the
# output groups by process.executable so the full path can still be checked.
# The `persistence` eval can only yield process.name or null here, because the
# same file.path pattern is already applied in the where clause, so pers_count
# is the number of rows per group with a non-null process.name.
'''
from logs-endpoint.events.file-*
| where @timestamp > now() - 30 day
| where host.os.type == "linux" and event.type in ("creation", "change") and file.path like "/etc/update-motd.d/*" and
not process.name in ("dpkg", "dockerd", "yum", "dnf", "snapd", "pacman")
| eval persistence = case(file.path like "/etc/update-motd.d/*", process.name, null)
| stats pers_count = count(persistence), agent_count = count_distinct(agent.id) by process.executable, file.path
| where pers_count > 0 and pers_count <= 20 and agent_count <= 5
| sort pers_count asc
| limit 100
''',
# Query 2: process starts whose parent executable lives under /etc/update-motd.d,
# i.e. children spawned by the motd scripts themselves. Rows whose process.args
# reference a /tmp/tmp.* path are excluded (mktemp-style scratch names).
# NOTE(review): that exclusion also suppresses any child pointed at such a path,
# so confirm it is an acceptable trade-off for the noise it removes.
'''
from logs-endpoint.events.process-*
| where @timestamp > now() - 30 day
| where host.os.type == "linux" and event.action == "exec" and event.type == "start" and process.parent.executable like "/etc/update-motd.d/*" and
not process.args like "/tmp/tmp.*"
| stats cc = count(), host_count = count_distinct(host.name) by process.executable, process.parent.executable
| where host_count <= 5
| sort cc asc
| limit 100
''',
# Query 3: osquery (SQLite dialect) inventory of /etc/update-motd.d. LEFT JOINs
# keep files whose uid/gid has no matching users/groups row or whose hash could
# not be computed (those columns come back NULL rather than dropping the file).
# Only md5 is selected; the osquery hash table also exposes sha256, which is the
# better column for matching against shared file indicators.
'''
SELECT
f.filename,
f.path,
u.username AS file_owner,
g.groupname AS group_owner,
datetime(f.atime, 'unixepoch') AS file_last_access_time,
datetime(f.mtime, 'unixepoch') AS file_last_modified_time,
datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,
datetime(f.btime, 'unixepoch') AS file_created_time,
f.size AS size_bytes,
h.md5
FROM
file f
LEFT JOIN
users u ON f.uid = u.uid
LEFT JOIN
groups g ON f.gid = g.gid
LEFT JOIN
hash h ON f.path = h.path
WHERE
f.directory IN ('/etc/update-motd.d/')
ORDER BY
f.mtime DESC;
'''
]