Potential Persistence Through MOTD File Creation Detected
editPotential Persistence Through MOTD File Creation Detected
editMessage of the day (MOTD) is the message that is presented to the user when a user connects to a Linux server via SSH or a serial connection. Linux systems contain several default MOTD files located in the "/etc/update-motd.d/" and "/usr/lib/update-notifier/" directories. These scripts run as the root user every time a user connects over SSH or a serial connection. Adversaries may create malicious MOTD files that grant them persistence onto the target every time a user connects to the system by executing a backdoor script or command. This rule detects the creation of potentially malicious files within the default MOTD file directories.
Rule type: new_terms
Rule indices:
- logs-endpoint.events.*
- endgame-*
Severity: medium
Risk score: 47
Runs every: 5m
Searches indices from: now-9m (Date Math format, see also Additional look-back time
)
Maximum alerts per execution: 100
References:
Tags:
- Domain: Endpoint
- OS: Linux
- Use Case: Threat Detection
- Tactic: Persistence
- Data Source: Elastic Endgame
Version: 2
Rule authors:
- Elastic
Rule license: Elastic License v2
Rule query
edithost.os.type :"linux" and event.action:("creation" or "file_create_event" or "rename" or "file_rename_event") and file.path : (/etc/update-motd.d/* or /usr/lib/update-notifier/*) and not process.executable : ("/usr/bin/dpkg" or "/usr/bin/dockerd" or "/bin/rpm") and not file.extension : "swp"
Framework: MITRE ATT&CKTM
-
Tactic:
- Name: Persistence
- ID: TA0003
- Reference URL: https://attack.mitre.org/tactics/TA0003/
-
Technique:
- Name: Boot or Logon Initialization Scripts
- ID: T1037
- Reference URL: https://attack.mitre.org/techniques/T1037/