[New Hunt] General Kernel Manipulation (#4403)

* [New Hunt] General Kernel Manipulation * Update index.yml (cherry picked from commit 6fa8a86)
elastic · Feb 5, 2025 · 3aaadb5 · 3aaadb5
1 parent 40fa6b3
commit 3aaadb5
Show file tree

Hide file tree

Showing 4 changed files with 177 additions and 0 deletions.
diff --git a/hunting/index.md b/hunting/index.md
@@ -30,6 +30,7 @@ Here are the queries currently available:
 - [Defense Evasion via Capitalized Process Execution](./linux/docs/defense_evasion_via_capitalized_process_execution.md) (ES|QL)
 - [Drivers Load with Low Occurrence Frequency](./linux/docs/persistence_via_driver_load_with_low_occurrence_frequency.md) (ES|QL)
 - [Excessive SSH Network Activity to Unique Destinations](./linux/docs/excessive_ssh_network_activity_unique_destinations.md) (ES|QL)
+- [General Kernel Manipulation](./linux/docs/persistence_general_kernel_manipulation.md) (ES|QL)
 - [Git Hook/Pager Persistence](./linux/docs/persistence_via_git_hook_pager.md) (ES|QL)
 - [Hidden Process Execution](./linux/docs/defense_evasion_via_hidden_process_execution.md) (ES|QL)
 - [Logon Activity by Source IP](./linux/docs/login_activity_by_source_address.md) (ES|QL)

diff --git a/hunting/index.yml b/hunting/index.yml
@@ -250,6 +250,11 @@ linux:
     path: ./linux/queries/persistence_via_malicious_docker_container.toml
     mitre:
     - T1610
+  9997c6fb-4e01-477f-9011-fc7fc6b000b6:
+    name: General Kernel Manipulation
+    path: ./linux/queries/persistence_general_kernel_manipulation.toml
+    mitre:
+    - T1542
   1206f5e2-aee6-4e5c-bda0-718fe440b1cf:
     name: Persistence via Initramfs
     path: ./linux/queries/persistence_via_initramfs.toml

diff --git a/hunting/linux/docs/persistence_general_kernel_manipulation.md b/hunting/linux/docs/persistence_general_kernel_manipulation.md
@@ -0,0 +1,98 @@
+# General Kernel Manipulation
+
+---
+
+## Metadata
+
+- **Author:** Elastic
+- **Description:** This hunt focuses on detecting general kernel and bootloader manipulations on Linux systems, which are critical for system integrity and security. Attackers may target kernel components, bootloader configurations, or secure boot settings to establish persistence or compromise the system at a low level. By monitoring changes to `/boot/` files, examining kernel and platform information, and detecting processes spawned by `systemd`, this hunt provides visibility into potential kernel and boot-related threats. The combination of ES|QL and OSQuery queries ensures robust detection and hunting capabilities for kernel manipulation and persistence attempts.
+
+- **UUID:** `9997c6fb-4e01-477f-9011-fc7fc6b000b6`
+- **Integration:** [endpoint](https://docs.elastic.co/integrations/endpoint)
+- **Language:** `[ES|QL, SQL]`
+- **Source File:** [General Kernel Manipulation](../queries/persistence_general_kernel_manipulation.toml)
+
+## Query
+
+```sql
+sql
+from logs-endpoint.events.file-*
+| keep @timestamp, host.os.type, event.type, event.action, file.path, file.extension, process.executable, agent.id
+| where @timestamp > now() - 30 day
+| where host.os.type == "linux" and event.type in ("creation", "change") and file.path like "/boot/*" and
+not file.extension in ("dpkg-new", "swp")
+| stats cc = count(), agent_count = count_distinct(agent.id) by file.path, process.executable
+| where agent_count <= 3 and cc <= 5
+| sort cc asc
+| limit 100
+```
+
+```sql
+sql
+from logs-endpoint.events.process-*
+| keep @timestamp, host.os.type, event.type, event.action, process.parent.name, process.executable, process.command_line, process.parent.executable, agent.id
+| where @timestamp > now() - 30 day
+| where host.os.type == "linux" and event.type == "info" and event.action == "already_running" and process.parent.name == "systemd"
+| stats cc = count(), agent_count = count_distinct(agent.id) by process.executable, process.command_line
+| where agent_count <= 3 and cc < 25
+| sort cc asc
+| limit 100
+```
+
+```sql
+sql
+SELECT
+    f.filename,
+    f.path,
+    u.username AS file_owner,
+    g.groupname AS group_owner,
+    datetime(f.atime, 'unixepoch') AS file_last_access_time,
+    datetime(f.mtime, 'unixepoch') AS file_last_modified_time,
+    datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,
+    datetime(f.btime, 'unixepoch') AS file_created_time,
+    f.size AS size_bytes
+FROM
+    file f
+LEFT JOIN
+    users u ON f.uid = u.uid
+LEFT JOIN
+    groups g ON f.gid = g.gid
+WHERE f.path LIKE '/boot/%'
+AND (mtime > strftime('%s', 'now') - (7 * 86400)); -- Modified in the last 7 days
+```
+
+```sql
+sql
+SELECT * FROM kernel_info;
+```
+
+```sql
+sql
+SELECT * FROM secureboot;
+```
+
+```sql
+sql
+SELECT * FROM platform_info;
+```
+
+```sql
+sql
+SELECT * FROM kernel_keys;
+```
+
+## Notes
+
+- Tracks file creations and modifications within the `/boot/` directory to identify potential tampering with kernel or bootloader files, such as the kernel image, GRUB configuration, or Initramfs.
+- Monitors processes spawned by `systemd` with the `already_running` action to detect unusual behavior linked to kernel manipulations.
+- Retrieves metadata for kernel and boot-related files, including file ownership, last access times, and modification timestamps, to identify unauthorized changes.
+- Leverages OSQuery tables like `kernel_info`, `secureboot`, `platform_info`, and `kernel_keys` to gain insights into the system's boot and kernel integrity, ensuring comprehensive coverage of kernel manipulation activities.
+- Helps identify rare or anomalous events by providing statistics on processes and file activities, enabling analysts to detect subtle signs of compromise or persistence.
+
+## MITRE ATT&CK Techniques
+
+- [T1542](https://attack.mitre.org/techniques/T1542)
+
+## License
+
+- `Elastic License v2`
diff --git a/hunting/linux/queries/persistence_general_kernel_manipulation.toml b/hunting/linux/queries/persistence_general_kernel_manipulation.toml
@@ -0,0 +1,73 @@
+[hunt]
+author = "Elastic"
+description = """
+This hunt focuses on detecting general kernel and bootloader manipulations on Linux systems, which are critical for system integrity and security. Attackers may target kernel components, bootloader configurations, or secure boot settings to establish persistence or compromise the system at a low level. By monitoring changes to `/boot/` files, examining kernel and platform information, and detecting processes spawned by `systemd`, this hunt provides visibility into potential kernel and boot-related threats. The combination of ES|QL and OSQuery queries ensures robust detection and hunting capabilities for kernel manipulation and persistence attempts.
+"""
+integration = ["endpoint"]
+uuid = "9997c6fb-4e01-477f-9011-fc7fc6b000b6"
+name = "General Kernel Manipulation"
+language = ["ES|QL", "SQL"]
+license = "Elastic License v2"
+notes = [
+    "Tracks file creations and modifications within the `/boot/` directory to identify potential tampering with kernel or bootloader files, such as the kernel image, GRUB configuration, or Initramfs.",
+    "Monitors processes spawned by `systemd` with the `already_running` action to detect unusual behavior linked to kernel manipulations.",
+    "Retrieves metadata for kernel and boot-related files, including file ownership, last access times, and modification timestamps, to identify unauthorized changes.",
+    "Leverages OSQuery tables like `kernel_info`, `secureboot`, `platform_info`, and `kernel_keys` to gain insights into the system's boot and kernel integrity, ensuring comprehensive coverage of kernel manipulation activities.",
+    "Helps identify rare or anomalous events by providing statistics on processes and file activities, enabling analysts to detect subtle signs of compromise or persistence."
+]
+mitre = ["T1542"]
+query = [
+'''sql
+from logs-endpoint.events.file-*
+| keep @timestamp, host.os.type, event.type, event.action, file.path, file.extension, process.executable, agent.id
+| where @timestamp > now() - 30 day
+| where host.os.type == "linux" and event.type in ("creation", "change") and file.path like "/boot/*" and
+not file.extension in ("dpkg-new", "swp")
+| stats cc = count(), agent_count = count_distinct(agent.id) by file.path, process.executable
+| where agent_count <= 3 and cc <= 5
+| sort cc asc
+| limit 100
+''',
+'''sql
+from logs-endpoint.events.process-*
+| keep @timestamp, host.os.type, event.type, event.action, process.parent.name, process.executable, process.command_line, process.parent.executable, agent.id
+| where @timestamp > now() - 30 day
+| where host.os.type == "linux" and event.type == "info" and event.action == "already_running" and process.parent.name == "systemd"
+| stats cc = count(), agent_count = count_distinct(agent.id) by process.executable, process.command_line
+| where agent_count <= 3 and cc < 25
+| sort cc asc
+| limit 100
+''',
+'''sql
+SELECT
+    f.filename,
+    f.path,
+    u.username AS file_owner,
+    g.groupname AS group_owner,
+    datetime(f.atime, 'unixepoch') AS file_last_access_time,
+    datetime(f.mtime, 'unixepoch') AS file_last_modified_time,
+    datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,
+    datetime(f.btime, 'unixepoch') AS file_created_time,
+    f.size AS size_bytes
+FROM
+    file f
+LEFT JOIN
+    users u ON f.uid = u.uid
+LEFT JOIN
+    groups g ON f.gid = g.gid
+WHERE f.path LIKE '/boot/%'
+AND (mtime > strftime('%s', 'now') - (7 * 86400)); -- Modified in the last 7 days
+''',
+'''sql
+SELECT * FROM kernel_info;
+''',
+'''sql
+SELECT * FROM secureboot;
+''',
+'''sql
+SELECT * FROM platform_info;
+''',
+'''sql
+SELECT * FROM kernel_keys;
+''',
+]