Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[New Rule] Suspicious File Modification #3746

Merged
merged 10 commits into from
Jun 11, 2024
Merged

[New Rule] Suspicious File Modification #3746

merged 10 commits into from
Jun 11, 2024

Conversation

Aegrah
Copy link
Contributor

@Aegrah Aegrah commented Jun 3, 2024

Summary

Research related to this PR is conducted and documented in https://github.com/elastic/ia-trade-team/issues/374. This issue also contains the query + validation aspect.

This PR:

  • Adds a rule that leverages FIM to detect file modification in directories/files that are commonly abused for persistence.

@Aegrah Aegrah self-assigned this Jun 3, 2024
@Aegrah Aegrah marked this pull request as ready for review June 3, 2024 12:27
Aegrah and others added 3 commits June 3, 2024 15:28
@Aegrah @w0rk3r
Update rules/linux/persistence_suspicious_file_modifications.toml
d1c7947 
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
@Aegrah @w0rk3r
Update rules/linux/persistence_suspicious_file_modifications.toml
35c9f9b 
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
@brokensound77
Merge branch 'main' into new-rule-fim-sus-file-modifications
89966e1
@terrancedejesus
Copy link
Contributor

Nice! Couple of things:

  • As we don't have any previous FIM rules, we should add the folder and dump this rule there to stay consistent.
  • Pull integration manifests and schemas via python -m detection_rules dev integrations build-manifests -o -i fim then python -m detection_rules dev integrations build-schemas -i fim -> while the query validation unit tests are passing, that is because they are checking ECS which include all the file related fields.
  • We should update test_related_tags and add FIM.
  • Add Data Source: File Integrity Monitoring tag

terrancedejesus
terrancedejesus approved these changes Jun 4, 2024
View reviewed changes
Copy link
Contributor

@terrancedejesus terrancedejesus left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Approving to not be a blocker. Added some things we should complete prior to merging. Great work!

@Aegrah
Copy link
Contributor Author

Aegrah commented Jun 5, 2024

Pushed the updates as requested. Is this correct? @terrancedejesus

Mikaayenson
Mikaayenson approved these changes Jun 11, 2024
View reviewed changes
Copy link
Contributor

@Mikaayenson Mikaayenson left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@Aegrah Aegrah merged commit ec223a4 into main Jun 11, 2024
9 checks passed
@Aegrah Aegrah deleted the new-rule-fim-sus-file-modifications branch June 11, 2024 11:03
protectionsmachine pushed a commit that referenced this pull request Jun 11, 2024
@Aegrah @github-actions
[New Rule] Suspicious File Modification (#3746)
a2d7595 
* [New Rule] Suspicious File Modification

* Update persistence_suspicious_file_modifications.toml

* Update rules/linux/persistence_suspicious_file_modifications.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/linux/persistence_suspicious_file_modifications.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Updates

* Update rules/integrations/fim/persistence_suspicious_file_modifications.toml

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

(cherry picked from commit ec223a4)
protectionsmachine pushed a commit that referenced this pull request Jun 11, 2024
@Aegrah @github-actions
[New Rule] Suspicious File Modification (#3746)
603abf9 
* [New Rule] Suspicious File Modification

* Update persistence_suspicious_file_modifications.toml

* Update rules/linux/persistence_suspicious_file_modifications.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/linux/persistence_suspicious_file_modifications.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Updates

* Update rules/integrations/fim/persistence_suspicious_file_modifications.toml

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

(cherry picked from commit ec223a4)
protectionsmachine pushed a commit that referenced this pull request Jun 11, 2024
@Aegrah @github-actions
[New Rule] Suspicious File Modification (#3746)
d26951d 
* [New Rule] Suspicious File Modification

* Update persistence_suspicious_file_modifications.toml

* Update rules/linux/persistence_suspicious_file_modifications.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/linux/persistence_suspicious_file_modifications.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Updates

* Update rules/integrations/fim/persistence_suspicious_file_modifications.toml

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

(cherry picked from commit ec223a4)
protectionsmachine pushed a commit that referenced this pull request Jun 11, 2024
@Aegrah @github-actions
[New Rule] Suspicious File Modification (#3746)
f4bf85f 
* [New Rule] Suspicious File Modification

* Update persistence_suspicious_file_modifications.toml

* Update rules/linux/persistence_suspicious_file_modifications.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/linux/persistence_suspicious_file_modifications.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Updates

* Update rules/integrations/fim/persistence_suspicious_file_modifications.toml

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

(cherry picked from commit ec223a4)
protectionsmachine pushed a commit that referenced this pull request Jun 11, 2024
@Aegrah @github-actions
[New Rule] Suspicious File Modification (#3746)
936473c 
* [New Rule] Suspicious File Modification

* Update persistence_suspicious_file_modifications.toml

* Update rules/linux/persistence_suspicious_file_modifications.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/linux/persistence_suspicious_file_modifications.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Updates

* Update rules/integrations/fim/persistence_suspicious_file_modifications.toml

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

(cherry picked from commit ec223a4)
protectionsmachine pushed a commit that referenced this pull request Jun 11, 2024
@Aegrah @github-actions
[New Rule] Suspicious File Modification (#3746)
58b3115 
* [New Rule] Suspicious File Modification

* Update persistence_suspicious_file_modifications.toml

* Update rules/linux/persistence_suspicious_file_modifications.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/linux/persistence_suspicious_file_modifications.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Updates

* Update rules/integrations/fim/persistence_suspicious_file_modifications.toml

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

(cherry picked from commit ec223a4)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Mikaayenson Mikaayenson Mikaayenson approved these changes

@w0rk3r w0rk3r w0rk3r approved these changes

@Samirbous Samirbous Samirbous approved these changes

@terrancedejesus terrancedejesus terrancedejesus approved these changes

@imays11 imays11 Awaiting requested review from imays11

@brokensound77 brokensound77 Awaiting requested review from brokensound77

@eric-forte-elastic eric-forte-elastic Awaiting requested review from eric-forte-elastic eric-forte-elastic is a code owner

Assignees

@Aegrah Aegrah

Labels
backport: auto Domain: Endpoint OS: Linux Rule: New Proposal for new rule Team: TRADE
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@Aegrah @terrancedejesus @Mikaayenson @w0rk3r @Samirbous @brokensound77