Potential Persistence Through MOTD File Creation Detected

edit

Potential Persistence Through MOTD File Creation Detected

edit

Message of the day (MOTD) is the message that is presented to the user when a user connects to a Linux server via SSH or a serial connection. Linux systems contain several default MOTD files located in the "/etc/update-motd.d/" and "/usr/lib/update-notifier/" directories. These scripts run as the root user every time a user connects over SSH or a serial connection. Adversaries may create malicious MOTD files that grant them persistence onto the target every time a user connects to the system by executing a backdoor script or command. This rule detects the creation of potentially malicious files within the default MOTD file directories.

Rule type: new_terms

Rule indices:

  • logs-endpoint.events.*
  • endgame-*

Severity: medium

Risk score: 47

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Elastic
  • Host
  • Linux
  • Threat Detection
  • Persistence
  • Elastic Endgame

Version: 1

Rule authors:

  • Elastic

Rule license: Elastic License v2

Rule query

edit
host.os.type :"linux" and event.action:("creation" or "file_create_event" or "rename" or "file_rename_event") and
file.path : (/etc/update-motd.d/* or /usr/lib/update-notifier/*) and not
process.executable : ("/usr/bin/dpkg" or "/usr/bin/dockerd" or "/bin/rpm") and not
file.extension : "swp"

Framework: MITRE ATT&CKTM