Skip to content
Merged
Show file tree
Hide file tree
Changes from 10 commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
46 changes: 34 additions & 12 deletions rules/linux/persistence_apt_package_manager_execution.toml
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@
creation_date = "2024/02/01"
integration = ["endpoint", "sentinel_one_cloud_funnel", "crowdstrike"]
maturity = "production"
updated_date = "2025/10/17"
updated_date = "2025/12/22"

[rule]
author = ["Elastic"]
Expand Down Expand Up @@ -54,7 +54,7 @@ The APT package manager is a vital tool for managing software on Debian-based Li
- Monitor the affected host and network for any signs of re-infection or further suspicious activity, focusing on the execution of shell scripts and unauthorized network connections.
- Escalate the incident to the security operations team for further investigation and to determine if additional systems have been compromised."""
references = ["https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms"]
risk_score = 47
risk_score = 21
rule_id = "ad959eeb-2b7b-4722-ba08-a45f6622f005"
setup = """## Setup

Expand Down Expand Up @@ -82,7 +82,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "medium"
severity = "low"
tags = [
"Domain: Endpoint",
"OS: Linux",
Expand All @@ -96,24 +96,46 @@ tags = [
"Data Source: Crowdstrike",
]
type = "eql"

query = '''
sequence by host.id with maxspan=5s
[process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "start", "ProcessRollup2") and
process.parent.name == "apt" and process.args == "-c" and process.name in (
"bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish"
) and not process.executable == "/usr/lib/venv-salt-minion/bin/python.original"
] by process.entity_id
[process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "start", "ProcessRollup2") and process.name : (
[process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "start", "ProcessRollup2") and process.name like (
"bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "python*", "php*",
"perl", "ruby", "lua*", "openssl", "nc", "netcat", "ncat", "telnet", "awk"
)
) and not (
?process.parent.executable like (
"/run/k3s/containerd*", "/tmp/newroot/*", "/usr/share/debconf/frontend", "/var/tmp/buildah*", "./merged/*",
"./*/vz/root/*", "/usr/bin/adequate"
) or
process.executable like ("/usr/lib/venv-salt-minion/bin/python.original", "./merged/var/lib/containers/*") or
process.command_line in (
"python3 /usr/sbin/omv-mkaptidx", "python3 /usr/local/bin/abr-upgrade --upgrade",
"sh -c apt-get indextargets -o Dir::State::lists=/var/lib/apt/lists/ --format='$(FILENAME)' 'Created-By: Packages'",
"/usr/bin/perl /usr/sbin/dpkg-preconfigure --apt", "/bin/sh -e /usr/lib/update-notifier/update-motd-updates-available",
"/usr/bin/python3 /usr/lib/cnf-update-db", "/usr/bin/python3 /usr/bin/apt-listchanges --apt",
"/usr/bin/perl -w /usr/sbin/dpkg-preconfigure --apt", "/bin/sh /usr/lib/needrestart/apt-pinvoke",
"/bin/sh /usr/bin/kali-check-apt-sources", "/bin/sh /usr/lib/needrestart/apt-pinvoke -m u",
"/usr/bin/perl /usr/sbin/needrestart", "/usr/bin/perl -w /usr/bin/apt-show-versions -i",
"/usr/bin/perl -w /usr/bin/apt-show-versions -i", "/usr/bin/perl -w /bin/apt-show-versions -i",
"/usr/bin/perl /bin/adequate --help", "/usr/bin/perl /usr/sbin/needrestart -m u",
"/usr/bin/perl -w /usr/share/debconf/frontend /usr/sbin/needrestart",
"/usr/bin/python3 /sbin/katello-tracer-upload",
"/usr/bin/python3 /usr/bin/package-profile-upload"
) or
?process.parent.command_line like ("sh -c if [ -x*", "sh -c -- if [ -x*") or
process.args in ("/usr/sbin/needrestart", "/usr/lib/needrestart/apt-pinvoke", "/usr/share/proxmox-ve/pve-apt-hook", "/usr/bin/dpkg-source") or
?process.parent.args == "/usr/share/debconf/frontend"
)
] by process.parent.entity_id
'''


[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1543"
name = "Create or Modify System Process"
Expand All @@ -123,44 +145,44 @@ reference = "https://attack.mitre.org/techniques/T1543/"
id = "T1546"
name = "Event Triggered Execution"
reference = "https://attack.mitre.org/techniques/T1546/"

[[rule.threat.technique.subtechnique]]
id = "T1546.016"
name = "Installer Packages"
reference = "https://attack.mitre.org/techniques/T1546/016/"


[[rule.threat.technique]]
id = "T1574"
name = "Hijack Execution Flow"
reference = "https://attack.mitre.org/techniques/T1574/"


[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"

[[rule.threat.technique.subtechnique]]
id = "T1059.004"
name = "Unix Shell"
reference = "https://attack.mitre.org/techniques/T1059/004/"



[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"

108 changes: 61 additions & 47 deletions rules/linux/persistence_apt_package_manager_file_creation.toml
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@
creation_date = "2024/06/03"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/01/24"
updated_date = "2025/12/22"

[rule]
author = ["Elastic"]
Expand All @@ -18,11 +18,46 @@ index = ["logs-endpoint.events.file*"]
language = "eql"
license = "Elastic License v2"
name = "APT Package Manager Configuration File Creation"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating APT Package Manager Configuration File Creation

APT is a crucial tool for managing software on Debian-based Linux systems, handling tasks like installation and updates. Adversaries may exploit APT by inserting malicious scripts into its configuration files, ensuring persistent access. The detection rule monitors for unauthorized file creation or renaming in APT's configuration directory, excluding legitimate processes, to identify potential tampering.

### Possible investigation steps

- Review the file creation or renaming event details, focusing on the file path to confirm it is within the APT configuration directory (/etc/apt/apt.conf.d/).
- Identify the process responsible for the file creation or renaming by examining the process.executable field, ensuring it is not one of the legitimate processes listed in the query.
- Investigate the origin and purpose of the newly created or renamed file by checking its contents for any suspicious or unauthorized scripts or configurations.
- Correlate the event with recent system activity to determine if there are any other related alerts or anomalies, such as unusual user logins or network connections, that could indicate a broader attack.
- Check the file's metadata, such as timestamps and ownership, to identify any discrepancies or signs of tampering that could suggest malicious activity.
- If the process responsible for the event is unknown or suspicious, conduct a deeper analysis of the process, including its parent process, command-line arguments, and any associated network activity.

### False positive analysis

- Legitimate package management operations by system tools like dpkg or apt-get can trigger alerts. To manage this, ensure these processes are included in the exclusion list within the detection rule.
- Temporary files created during package updates or installations, such as those with extensions like swp or dpkg-new, may cause false positives. Exclude these file extensions from triggering alerts.
- Automated system maintenance scripts or tools like puppet or chef-client might modify APT configuration files as part of their normal operations. Add these processes to the exclusion list to prevent unnecessary alerts.
- Custom scripts or administrative tasks that involve renaming or creating files in the APT configuration directory should be reviewed. If deemed safe, add these specific scripts or processes to the exclusion criteria.
- Processes running from directories like /nix/store or /var/lib/dpkg may be part of legitimate system operations. Consider excluding these paths if they are verified as non-threatening.

### Response and remediation

- Immediately isolate the affected system from the network to prevent further unauthorized access or potential lateral movement by the adversary.
- Conduct a thorough review of the newly created or renamed files in the /etc/apt/apt.conf.d/ directory to identify any malicious scripts or unauthorized changes.
- Remove any identified malicious files or scripts from the APT configuration directory to eliminate the persistence mechanism.
- Restore any legitimate configuration files from a known good backup to ensure the integrity of the APT configuration.
- Perform a comprehensive scan of the system using updated antivirus or endpoint detection tools to identify and remove any additional malware or unauthorized changes.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
- Implement enhanced monitoring and logging for the APT configuration directory and related processes to detect similar threats in the future."""
references = [
"https://packetstormsecurity.com/files/152668/APT-Package-Manager-Persistence.html",
"https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms",
]
risk_score = 47
risk_score = 21
rule_id = "7c2e1297-7664-42bc-af11-6d5d35220b6b"
setup = """## Setup

Expand All @@ -49,7 +84,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "medium"
severity = "low"
tags = [
"Domain: Endpoint",
"OS: Linux",
Expand All @@ -61,7 +96,6 @@ tags = [
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
file where host.os.type == "linux" and event.action in ("rename", "creation") and
file.path : "/etc/apt/apt.conf.d/*" and not (
Expand All @@ -74,60 +108,41 @@ file.path : "/etc/apt/apt.conf.d/*" and not (
"/bin/puppet", "/opt/puppetlabs/puppet/bin/puppet", "/usr/bin/chef-client", "/bin/chef-client",
"/bin/autossl_check", "/usr/bin/autossl_check", "/proc/self/exe", "/dev/fd/*", "/usr/bin/pamac-daemon",
"/bin/pamac-daemon", "/usr/lib/snapd/snapd", "/usr/local/bin/dockerd", "/usr/libexec/netplan/generate",
"/usr/local/bin/apt-get", "/usr/bin/apt-get"
"/usr/local/bin/apt-get", "/usr/bin/apt-get", "./usr/bin/podman", "/usr/bin/buildah", "/.envbuilder/bin/envbuilder",
"/opt/puppetlabs/puppet/bin/ruby", "/usr/bin/pvedaemon", "/usr/bin/percona-release", "/usr/bin/crio"
) or
file.path :("/etc/apt/apt.conf.d/*.tmp*") or
file.extension in ("swp", "swpx", "swx", "dpkg-remove") or
file.extension in ("swp", "swpx", "swx", "dpkg-remove", "dpkg-new") or
file.Ext.original.extension == "dpkg-new" or
file.Ext.original.name == ".source" or
process.executable : (
"/nix/store/*", "/var/lib/dpkg/*", "/tmp/vmis.*", "/snap/*", "/dev/fd/*", "/usr/lib/*", "/usr/libexec/*",
"/etc/kernel/*"
"/etc/kernel/*", "/opt/saltstack/salt/bin/python*"
) or
process.executable == null or
process.name in ("pveupdate", "perl", "executor", "crio", "docker-init", "dockerd", "pvedaemon") or
(process.name == "sed" and file.name : "sed*") or
(process.name == "perl" and file.name : "e2scrub_all.tmp*")
(process.name == "perl" and file.name : "e2scrub_all.tmp*") or
/* adding known file paths to reduce false positives */
file.path in (
"/etc/apt/apt.conf.d/50unattended-upgrades",
"/etc/apt/apt.conf.d/02autoremove-postgresql",
"/etc/apt/apt.conf.d/99rain-noautoupgrades",
"/etc/apt/apt.conf.d/99no-check-valid-until",
"/etc/apt/apt.conf.d/50isar-apt",
"/etc/apt/apt.conf.d/99gitlab-ci-cache",
"/etc/apt/apt.conf.d/50unattended-upgrades.ucf-dist",
"/etc/apt/apt.conf.d/01autoremove-kernels",
"/etc/apt/apt.conf.d/01autoremove",
"/etc/apt/apt.conf.d/95proxies",
"/etc/apt/apt.conf.d/99-noninteractive"
)
)
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating APT Package Manager Configuration File Creation

APT is a crucial tool for managing software on Debian-based Linux systems, handling tasks like installation and updates. Adversaries may exploit APT by inserting malicious scripts into its configuration files, ensuring persistent access. The detection rule monitors for unauthorized file creation or renaming in APT's configuration directory, excluding legitimate processes, to identify potential tampering.

### Possible investigation steps

- Review the file creation or renaming event details, focusing on the file path to confirm it is within the APT configuration directory (/etc/apt/apt.conf.d/).
- Identify the process responsible for the file creation or renaming by examining the process.executable field, ensuring it is not one of the legitimate processes listed in the query.
- Investigate the origin and purpose of the newly created or renamed file by checking its contents for any suspicious or unauthorized scripts or configurations.
- Correlate the event with recent system activity to determine if there are any other related alerts or anomalies, such as unusual user logins or network connections, that could indicate a broader attack.
- Check the file's metadata, such as timestamps and ownership, to identify any discrepancies or signs of tampering that could suggest malicious activity.
- If the process responsible for the event is unknown or suspicious, conduct a deeper analysis of the process, including its parent process, command-line arguments, and any associated network activity.

### False positive analysis

- Legitimate package management operations by system tools like dpkg or apt-get can trigger alerts. To manage this, ensure these processes are included in the exclusion list within the detection rule.
- Temporary files created during package updates or installations, such as those with extensions like swp or dpkg-new, may cause false positives. Exclude these file extensions from triggering alerts.
- Automated system maintenance scripts or tools like puppet or chef-client might modify APT configuration files as part of their normal operations. Add these processes to the exclusion list to prevent unnecessary alerts.
- Custom scripts or administrative tasks that involve renaming or creating files in the APT configuration directory should be reviewed. If deemed safe, add these specific scripts or processes to the exclusion criteria.
- Processes running from directories like /nix/store or /var/lib/dpkg may be part of legitimate system operations. Consider excluding these paths if they are verified as non-threatening.

### Response and remediation

- Immediately isolate the affected system from the network to prevent further unauthorized access or potential lateral movement by the adversary.
- Conduct a thorough review of the newly created or renamed files in the /etc/apt/apt.conf.d/ directory to identify any malicious scripts or unauthorized changes.
- Remove any identified malicious files or scripts from the APT configuration directory to eliminate the persistence mechanism.
- Restore any legitimate configuration files from a known good backup to ensure the integrity of the APT configuration.
- Perform a comprehensive scan of the system using updated antivirus or endpoint detection tools to identify and remove any additional malware or unauthorized changes.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
- Implement enhanced monitoring and logging for the APT configuration directory and related processes to detect similar threats in the future."""


[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1543"
name = "Create or Modify System Process"
Expand All @@ -137,27 +152,26 @@ reference = "https://attack.mitre.org/techniques/T1543/"
id = "T1546"
name = "Event Triggered Execution"
reference = "https://attack.mitre.org/techniques/T1546/"

[[rule.threat.technique.subtechnique]]
id = "T1546.016"
name = "Installer Packages"
reference = "https://attack.mitre.org/techniques/T1546/016/"


[[rule.threat.technique]]
id = "T1574"
name = "Hijack Execution Flow"
reference = "https://attack.mitre.org/techniques/T1574/"


[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"

Loading
Loading