Suspicious APT Package Manager Execution
editSuspicious APT Package Manager Execution
editDetects suspicious process events executed by the APT package manager, potentially indicating persistence through an APT backdoor. In Linux, APT (Advanced Package Tool) is a command-line utility used for handling packages on Debian-based systems, providing functions for installing, updating, upgrading, and removing software along with managing package repositories. Attackers can backdoor APT to gain persistence by injecting malicious code into scripts that APT runs, thereby ensuring continued unauthorized access or control each time APT is used for package management.
Rule type: eql
Rule indices:
- logs-endpoint.events.*
Severity: medium
Risk score: 47
Runs every: 5m
Searches indices from: now-9m (Date Math format, see also Additional look-back time
)
Maximum alerts per execution: 100
References: None
Tags:
- Domain: Endpoint
- OS: Linux
- Use Case: Threat Detection
- Tactic: Persistence
- Tactic: Execution
- Tactic: Defense Evasion
- Data Source: Elastic Defend
Version: 1
Rule authors:
- Elastic
Rule license: Elastic License v2
Rule query
editsequence by host.id with maxspan=5s [process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and process.parent.name == "apt" and process.args == "-c" and process.name in ( "bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish" ) ] by process.entity_id [process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and process.name : ( "bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "python*", "php*", "perl", "ruby", "lua*", "openssl", "nc", "netcat", "ncat", "telnet", "awk" ) ] by process.parent.entity_id
Framework: MITRE ATT&CKTM
-
Tactic:
- Name: Persistence
- ID: TA0003
- Reference URL: https://attack.mitre.org/tactics/TA0003/
-
Technique:
- Name: Create or Modify System Process
- ID: T1543
- Reference URL: https://attack.mitre.org/techniques/T1543/
-
Technique:
- Name: Hijack Execution Flow
- ID: T1574
- Reference URL: https://attack.mitre.org/techniques/T1574/
-
Tactic:
- Name: Execution
- ID: TA0002
- Reference URL: https://attack.mitre.org/tactics/TA0002/
-
Technique:
- Name: Command and Scripting Interpreter
- ID: T1059
- Reference URL: https://attack.mitre.org/techniques/T1059/
-
Sub-technique:
- Name: Unix Shell
- ID: T1059.004
- Reference URL: https://attack.mitre.org/techniques/T1059/004/
-
Tactic:
- Name: Defense Evasion
- ID: TA0005
- Reference URL: https://attack.mitre.org/tactics/TA0005/