[rule]
# Analyst-facing summary shown with the alert; the actual detection logic is the EQL `query` below.
description = """
This rule detects the execution of suspicious commands and executables by system processes such as systemd and cron.
Threat actors may abuse these system processes to execute malicious commands or scripts to maintain persistence or
escalate privileges.
"""
id = "46b142a6-3d54-45e7-ad8a-7a4bc9bfe01c"
license = "Elastic License v2"
name = "Scheduled Task Unusual Command Execution"
os_list = ["linux"]
reference = [
"https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/",
"https://www.elastic.co/security-labs/primer-on-persistence-mechanisms",
]
version = "1.0.9"
# EQL detection logic. Matches a Unix shell started directly by systemd, cron or crond with `-c` and at most
# three arguments (the `<shell> -c <string>` form), where the full command line contains an indicator from the
# first `like~` list (e.g. /dev/tcp or /dev/udp redirection, socat, mkfifo, /dev/shm, base64, or a download piped
# into a shell). `like~` is case-insensitive; the later `in (...)` list is an exact, case-sensitive match.
# The trailing `not (...)` block holds environment-specific exclusions for known benign jobs (e.g. the commvault
# and nessus_agent paths) and exact known command lines.
# NOTE(review): the `*test*`, `*grep*` and `*logger*` exclusions match anywhere in the command line, so they
# suppress far more than the specific benign jobs they were presumably added for — confirm they are still
# needed, or narrow each to the command line it was meant to cover.
# NOTE(review): the `"""..."""` entries are EQL raw strings, so `\'` on the api.github.com line matches a literal
# backslash followed by a quote — confirm that is what the observed command line contains.
query = '''
process where event.type == "start" and event.action == "exec" and process.parent.name in ("systemd", "cron", "crond") and
process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and process.args == "-c" and
process.command_line like~ (
"*/dev/tcp*", "*/dev/udp/*", "*import*pty*spawn*", "*import*subprocess*call*", "*TCPSocket.new*", "*TCPSocket.open*",
"*io.popen*", "*os.execute*", "*fsockopen*", "*base64*", "*|*sh", "*/dev/shm/*", "*wget*http*|*", "*curl*http*|*",
"*socat*exec:*", "*socat*tcp-connect*", "*mkfifo*"
) and process.args_count <= 3 and
not (
process.command_line like~ (
"*test*", "*grep*", "*logger*", "/bin/sh -c curl --user*.log", "/bin/sh -c /dev/shm/pty3 > /dev/null 2>&1 &",
"/bin/sh -c*backup.sh*logToFile.sh", "*api.github.com/meta*", "*/opt/commvault/*", "/bin/sh -c /home/*/sub/backup-archivelogs.sh*",
"*/usr/bin/curl -s https://check.torproject.org/torbulkexitlist*"
) or
process.command_line in (
"/bin/sh -c /usr/bin/flock -n /dev/shm/loadwatch.lock -c /usr/local/lp/bin/loadwatch &> /dev/null",
"/bin/sh -c curl -L https://chef.io/chef/install.sh | bash",
"/bin/sh -c curl -s https://validca.libriciel.fr/retrieve-validca.sh | bash -s /data/certificate > /data/log/valica.log 2>&1 && supervisorctl apache2 reload >>/data/log/valica.log 2>&1",
"""/bin/bash -c echo "# Generated by a cronjob" > /usr/share/nginx/html/gh.txt; curl --silent https://api.github.com/meta | /usr/bin/jq -r \'.hooks[],.api[],.git[]\' >> /usr/share/nginx/html/gh.txt""",
"""sh -c /usr/bin/curl http://localhost:9901/server_info | /usr/bin/jq -r ".version""""
) or
process.working_directory like "/opt/nessus_agent/*"
)
'''
# Oldest endpoint version able to evaluate this query; the same value is repeated under [internal] at the end of the file.
min_endpoint_version = "7.15.0"
optional_actions = []
[[actions]]
# Response action taken when the rule fires: terminate the process identified by `field`.
field = "process.entity_id"
action = "kill_process"
# `state` semantics are not visible in this file — presumably an enable/ordering flag; confirm against the action schema.
state = 0
[[threat]]
framework = "MITRE ATT&CK"
# Tactic written as an inline table; it must stay above the [[threat.technique]] header so it remains a key of this element.
tactic = { id = "TA0002", name = "Execution", reference = "https://attack.mitre.org/tactics/TA0002/" }

[[threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
subtechnique = [
    { id = "T1059.004", name = "Unix Shell", reference = "https://attack.mitre.org/techniques/T1059/004/" },
]
[[threat]]
framework = "MITRE ATT&CK"
# Tactic written as an inline table; it must stay above the [[threat.technique]] headers so it remains a key of this element.
tactic = { id = "TA0003", name = "Persistence", reference = "https://attack.mitre.org/tactics/TA0003/" }

[[threat.technique]]
id = "T1053"
name = "Scheduled Task/Job"
reference = "https://attack.mitre.org/techniques/T1053/"
subtechnique = [
    { id = "T1053.003", name = "Cron", reference = "https://attack.mitre.org/techniques/T1053/003/" },
]

[[threat.technique]]
id = "T1543"
name = "Create or Modify System Process"
reference = "https://attack.mitre.org/techniques/T1543/"
subtechnique = [
    { id = "T1543.002", name = "Systemd Service", reference = "https://attack.mitre.org/techniques/T1543/002/" },
]
[[threat]]
framework = "MITRE ATT&CK"
# Same technique set as the Persistence entry; both T1053 and T1543 are also mapped to Privilege Escalation in ATT&CK.
# The inline tactic must stay above the [[threat.technique]] headers so it remains a key of this element.
tactic = { id = "TA0004", name = "Privilege Escalation", reference = "https://attack.mitre.org/tactics/TA0004/" }

[[threat.technique]]
id = "T1053"
name = "Scheduled Task/Job"
reference = "https://attack.mitre.org/techniques/T1053/"
subtechnique = [
    { id = "T1053.003", name = "Cron", reference = "https://attack.mitre.org/techniques/T1053/003/" },
]

[[threat.technique]]
id = "T1543"
name = "Create or Modify System Process"
reference = "https://attack.mitre.org/techniques/T1543/"
subtechnique = [
    { id = "T1543.002", name = "Systemd Service", reference = "https://attack.mitre.org/techniques/T1543/002/" },
]
[[threat]]
framework = "MITRE ATT&CK"
# Inline tactic placed before the technique header so it remains a key of this element.
tactic = { id = "TA0011", name = "Command and Control", reference = "https://attack.mitre.org/tactics/TA0011/" }

[[threat.technique]]
id = "T1071"
name = "Application Layer Protocol"
reference = "https://attack.mitre.org/techniques/T1071/"
[internal]
# Repeats rule.min_endpoint_version from the [rule] table; keep the two values in sync when bumping either.
min_endpoint_version = "7.15.0"