17 changes: 10 additions & 7 deletions rules/linux/persistence_shared_object_creation.toml
Expand Up @@ -2,7 +2,7 @@
creation_date = "2023/06/09"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/02/03"
updated_date = "2025/03/11"

[transform]
[[transform.osquery]]
Expand Down Expand Up @@ -160,17 +160,20 @@ tags = [
]
timestamp_override = "event.ingested"
type = "new_terms"

query = '''
host.os.type:linux and event.action:(creation or file_create_event or file_rename_event or rename) and
file.path:(/dev/shm/* or /usr/lib/*) and file.extension:so and process.name:* and not (
host.os.type:"linux" and event.action:("creation" or "file_create_event" or "file_rename_event" or "rename" or "file_write_event") and
(file.extension:"so" or file.name:*.so.*) and
file.path:(
/dev/shm/* or /usr/lib/* or /usr/lib64/* or /usr/local/lib/* or /usr/local/lib64/* or /lib/x86_64-linux-gnu/* or
/usr/lib/x86_64-linux-gnu/* or /lib/i386-linux-gnu/* or /usr/lib/i386-linux-gnu/* or /lib/* or /lib64/*
) and not (
process.name:(
"dockerd" or "dpkg" or "rpm" or "snapd" or "yum" or "vmis-launcher" or "pacman" or "apt-get" or "dnf" or "podman" or
platform-python* or "dnf-automatic" or "unattended-upgrade" or "apk" or "snap-update-ns" or "install" or "exe" or
"systemd" or "root" or "sshd" or "pip" or "jlink" or python* or "update-alternatives" or pip* or
"installer.bin.inst" or "uninstall-bin" or "linux_agent.inst" or crio or ssm-agent-worker or packagekitd
"systemd" or "root" or "sshd" or "pip" or "jlink" or python* or "update-alternatives" or pip* or "crio" or
"ssm-agent-worker" or "packagekitd"


Can we see if the SSM agent created the SO because it's running a custom document? If so, this would be very suspicious IMO. AWS-managed SSM docs may do things on Linux systems as a requirement for managing these nodes; however, custom SSM docs can be abused to run whatever on that EC2 instance.


In this case we just have the file creation event, so all I have is a process name and file path. The file path for this FP pattern is: /usr/lib/jvm/java-17-openjdk-17.0.14.0.7-3.el8.x86_64/lib/{file}.so.

As the pattern is easy to exclude based on process/path, I added the following exclusion (process.name:"ssm-agent-worker" and file.path:/usr/lib/jvm/java*) rather than just on process.name. Thanks for the review @terrancedejesus !

) or
(process.name:vmware-install.pl and file.path:/usr/lib/vmware-tools/*) or
(process.name:"vmware-install.pl" and file.path:/usr/lib/vmware-tools/*) or
process.executable : (/dev/fd/* or "/" or "/kaniko/executor" or "/usr/bin/buildah")
)
'''
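Review bot: The widened `file.path` list on the new side contains patterns that are already subsumed by others — `/usr/lib/x86_64-linux-gnu/*` and `/usr/lib/i386-linux-gnu/*` fall under `/usr/lib/*`, and `/lib/x86_64-linux-gnu/*` and `/lib/i386-linux-gnu/*` fall under `/lib/*` — so the multiarch entries add no coverage and make the clause harder to audit. The two path lines could be collapsed to `/dev/shm/* or /usr/lib/* or /usr/lib64/* or /usr/local/lib/* or /usr/local/lib64/* or /lib/* or /lib64/*`, or the redundant entries dropped, so that each pattern in the list is load-bearing. Separately, now that the path scope covers every standard library directory, the `not (...)` block still keys almost entirely on `process.name`, which is not tied to an on-disk location the way `process.executable` is; anchoring the broadest entries (`"install"`, `"exe"`, `"root"`, `pip*`, `python*`) to `process.executable` or a parent-process constraint, as the `vmware-install.pl` exclusion already does with a path, would keep the wider scope from being cancelled by the exclusions. The closing `'''` ends the query here, but the enclosing rule table continues outside the hunk, so the new-terms fields this query feeds are not visible for review.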