<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>File_integrity_monitoring - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/file_integrity_monitoring/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Thu, 14 Nov 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/file_integrity_monitoring/feed.xml" rel="self" type="application/rss+xml"/><item><title>Potential Persistence via Linux File Modification</title><link>https://feed.craftedsignal.io/briefs/2024-11-linux-persistence-file-modification/</link><pubDate>Thu, 14 Nov 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-11-linux-persistence-file-modification/</guid><description>This rule detects potential persistence attempts on Linux systems by monitoring file modifications of files commonly used for persistence, such as cron jobs, systemd services, message-of-the-day (MOTD), SSH configurations, shell configurations, runtime control, init daemon, passwd/sudoers/shadow files, Systemd udevd, and XDG/KDE autostart entries.</description><content:encoded><![CDATA[<p>This detection rule leverages File Integrity Monitoring (FIM) data to identify potential persistence mechanisms employed on Linux systems. Attackers often modify critical system files to ensure their malicious code persists across reboots or user logons. This rule focuses on detecting unauthorized modifications to files associated with cron jobs, systemd services, SSH configurations, shell profiles, and other persistence-related configurations. By monitoring these files for unexpected changes, defenders can identify potential compromises and prevent attackers from maintaining long-term access. The rule is designed to work with the Elastic FIM integration and requires proper configuration of the FIM policy to monitor the relevant file paths. It is crucial to tune the rule with appropriate exclusions for legitimate administrative activities to minimize false positives.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Initial Access:</strong> An attacker gains initial access to a Linux system, potentially through exploiting a vulnerability or using compromised credentials.</li>
<li><strong>Privilege Escalation:</strong> The attacker escalates privileges to root or another highly privileged account using techniques such as exploiting kernel vulnerabilities or misconfigured SUID/SGID binaries.</li>
<li><strong>Cron Job Modification:</strong> The attacker modifies cron job files (e.g., <code>/etc/crontab</code>, <code>/etc/cron.d/*</code>) to schedule malicious scripts or commands to run periodically.</li>
<li><strong>Systemd Service Modification:</strong> The attacker modifies systemd service files (e.g., <code>/etc/systemd/system/*</code>) to create a new service or modify an existing one to execute malicious code upon system startup.</li>
<li><strong>Shell Profile Modification:</strong> The attacker modifies shell profile files (e.g., <code>/etc/profile</code>, <code>~/.bashrc</code>) to execute malicious code when a user logs in.</li>
<li><strong>SSH Configuration Modification:</strong> The attacker modifies SSH configuration files (e.g., <code>/etc/ssh/sshd_config</code>, <code>~/.ssh/authorized_keys</code>) to enable unauthorized access to the system.</li>
<li><strong>LD_PRELOAD Modification:</strong> The attacker modifies <code>/etc/ld.so.preload</code> to inject malicious code into other processes.</li>
<li><strong>Persistence Achieved:</strong> The attacker achieves persistence by ensuring their malicious code is executed automatically at system startup or user logon, allowing them to maintain long-term access to the compromised system.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A successful persistence attack can allow attackers to maintain unauthorized access to a compromised Linux system indefinitely. This can lead to data theft, system disruption, or further exploitation of the network. The rule aims to detect these persistence attempts early, minimizing the potential damage. The rule can trigger on legitimate admin activity if not tuned properly, so careful whitelisting is needed.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Enable the Elastic FIM integration and configure it to monitor the file paths specified in the rule query. Refer to the Elastic FIM documentation for detailed instructions.</li>
<li>Deploy the provided Sigma rule to your SIEM and tune it for your environment.</li>
<li>Investigate any alerts generated by the Sigma rule by reviewing the modified file and the user or process responsible for the modification.</li>
<li>Implement appropriate whitelists to exclude legitimate administrative activities from triggering the rule. Pay special attention to temporary files.</li>
<li>Ensure that access controls and permissions on critical system files are properly configured to prevent unauthorized modifications.</li>
<li>Regularly review and update the FIM policy to ensure it covers all relevant file paths.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>persistence</category><category>linux</category><category>file_integrity_monitoring</category></item></channel></rss>