Elastic Security Detection Rules

Process Spawned from Message-of-the-Day (MOTD)

Last updated 9 months ago on 2025-03-20
Created 3 years ago on 2023-02-28

About

Message of the day (MOTD) is the message that is presented to the user when a user connects to a Linux server via SSH or a serial connection. Linux systems contain several default MOTD files located in the "/etc/update-motd.d/" directory. These scripts run as the root user every time a user connects over SSH or a serial connection. Adversaries may create malicious MOTD files that grant them persistence onto the target every time a user connects to the system by executing a backdoor script or command. This rule detects the execution of potentially malicious processes through the MOTD utility.
Tags
Domain: EndpointOS: LinuxUse Case: Threat DetectionTactic: PersistenceData Source: Elastic EndgameData Source: Elastic DefendData Source: SentinelOneLanguage: eql
Severity
high
Risk Score
73
MITRE ATT&CK™

Persistence (TA0003)(external, opens in a new tab or window)

Boot or Logon Initialization Scripts (T1037)(external, opens in a new tab or window)

License
Elastic License v2(external, opens in a new tab or window)

Definition

Rule Type
Event Correlation Rule
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
logs-endpoint.events.process*endgame-*logs-sentinel_one_cloud_funnel.*
Related Integrations

endpoint(external, opens in a new tab or window)

sentinel_one_cloud_funnel(external, opens in a new tab or window)

Query
text code block:
process where event.type == "start" and host.os.type == "linux" and event.action : ("exec", "exec_event", "start") and
  process.parent.executable : "/etc/update-motd.d/*" and
  (
    (
      process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and
      (
        process.args : ("-i", "-l") or
        (process.parent.name == "socat" and process.parent.args : "*exec*")
      )
    ) or
    (
      process.name : ("nc", "ncat", "netcat", "nc.openbsd") and process.args_count >= 3 and 
      not process.args : ("-*z*", "-*l*")
    ) or
    (
      process.name : "python*" and process.args : "-c" and process.args : (
        "*import*pty*spawn*", "*import*subprocess*call*"
      )
    ) or
    (
      process.name : "perl*" and process.args : "-e" and process.args : "*socket*" and process.args : (
        "*exec*", "*system*"
      )
    ) or
    (
      process.name : "ruby*" and process.args : ("-e", "-rsocket") and process.args : (
        "*TCPSocket.new*", "*TCPSocket.open*"
      )
    ) or
    (
      process.name : "lua*" and process.args : "-e" and process.args : "*socket.tcp*" and process.args : (
        "*io.popen*", "*os.execute*"
      )
    ) or
    (process.name : "php*" and process.args : "-r" and process.args : "*fsockopen*" and process.args : "*/bin/*sh*") or 
    (process.name : ("awk", "gawk", "mawk", "nawk") and process.args : "*/inet/tcp/*") or 
    (process.name in ("openssl", "telnet")) or
    (
      process.args : (
        "./*", "/boot/*", "/dev/shm/*", "/etc/cron.*/*", "/etc/init.d/*", "/etc/update-motd.d/*", "/run/*", "/srv/*",
        "/tmp/*", "/var/tmp/*", "/var/log/*", "/opt/*"
      ) and process.args_count == 1
    )
  ) and 
  not (
    process.parent.args == "--force" or
    process.args in ("/usr/games/lolcat", "/usr/bin/screenfetch") or
    process.parent.name == "system-crash-notification"
  )

Install detection rules in Elastic Security

Detect Process Spawned from Message-of-the-Day (MOTD) in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(external, opens in a new tab or window).