{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/file_integrity_monitoring/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Linux"],"_cs_severities":["medium"],"_cs_tags":["persistence","linux","file_integrity_monitoring"],"_cs_type":"advisory","_cs_vendors":["Linux"],"content_html":"\u003cp\u003eThis detection rule leverages File Integrity Monitoring (FIM) data to identify potential persistence mechanisms employed on Linux systems. Attackers often modify critical system files to ensure their malicious code persists across reboots or user logons. This rule focuses on detecting unauthorized modifications to files associated with cron jobs, systemd services, SSH configurations, shell profiles, and other persistence-related configurations. By monitoring these files for unexpected changes, defenders can identify potential compromises and prevent attackers from maintaining long-term access. The rule is designed to work with the Elastic FIM integration and requires proper configuration of the FIM policy to monitor the relevant file paths. It is crucial to tune the rule with appropriate exclusions for legitimate administrative activities to minimize false positives.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e An attacker gains initial access to a Linux system, potentially through exploiting a vulnerability or using compromised credentials.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation:\u003c/strong\u003e The attacker escalates privileges to root or another highly privileged account using techniques such as exploiting kernel vulnerabilities or misconfigured SUID/SGID binaries.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCron Job Modification:\u003c/strong\u003e The attacker modifies cron job files (e.g., \u003ccode\u003e/etc/crontab\u003c/code\u003e, \u003ccode\u003e/etc/cron.d/*\u003c/code\u003e) to schedule malicious scripts or commands to run periodically.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSystemd Service Modification:\u003c/strong\u003e The attacker modifies systemd service files (e.g., \u003ccode\u003e/etc/systemd/system/*\u003c/code\u003e) to create a new service or modify an existing one to execute malicious code upon system startup.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eShell Profile Modification:\u003c/strong\u003e The attacker modifies shell profile files (e.g., \u003ccode\u003e/etc/profile\u003c/code\u003e, \u003ccode\u003e~/.bashrc\u003c/code\u003e) to execute malicious code when a user logs in.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSSH Configuration Modification:\u003c/strong\u003e The attacker modifies SSH configuration files (e.g., \u003ccode\u003e/etc/ssh/sshd_config\u003c/code\u003e, \u003ccode\u003e~/.ssh/authorized_keys\u003c/code\u003e) to enable unauthorized access to the system.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLD_PRELOAD Modification:\u003c/strong\u003e The attacker modifies \u003ccode\u003e/etc/ld.so.preload\u003c/code\u003e to inject malicious code into other processes.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence Achieved:\u003c/strong\u003e The attacker achieves persistence by ensuring their malicious code is executed automatically at system startup or user logon, allowing them to maintain long-term access to the compromised system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful persistence attack can allow attackers to maintain unauthorized access to a compromised Linux system indefinitely. This can lead to data theft, system disruption, or further exploitation of the network. The rule aims to detect these persistence attempts early, minimizing the potential damage. The rule can trigger on legitimate admin activity if not tuned properly, so careful whitelisting is needed.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable the Elastic FIM integration and configure it to monitor the file paths specified in the rule query. Refer to the Elastic FIM documentation for detailed instructions.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM and tune it for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule by reviewing the modified file and the user or process responsible for the modification.\u003c/li\u003e\n\u003cli\u003eImplement appropriate whitelists to exclude legitimate administrative activities from triggering the rule. Pay special attention to temporary files.\u003c/li\u003e\n\u003cli\u003eEnsure that access controls and permissions on critical system files are properly configured to prevent unauthorized modifications.\u003c/li\u003e\n\u003cli\u003eRegularly review and update the FIM policy to ensure it covers all relevant file paths.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-11-14T12:00:00Z","date_published":"2024-11-14T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-11-linux-persistence-file-modification/","summary":"This rule detects potential persistence attempts on Linux systems by monitoring file modifications of files commonly used for persistence, such as cron jobs, systemd services, message-of-the-day (MOTD), SSH configurations, shell configurations, runtime control, init daemon, passwd/sudoers/shadow files, Systemd udevd, and XDG/KDE autostart entries.","title":"Potential Persistence via Linux File Modification","url":"https://feed.craftedsignal.io/briefs/2024-11-linux-persistence-file-modification/"}],"language":"en","title":"CraftedSignal Threat Feed - File_integrity_monitoring","version":"https://jsonfeed.org/version/1.1"}