Process Spawned from Message-of-the-Day (MOTD)

Last updated 5 months ago on 2025-03-20

Created 2 years ago on 2023-02-28

About

Message of the day (MOTD) is the message that is presented to the user when a user connects to a Linux server via SSH or a serial connection. Linux systems contain several default MOTD files located in the "/etc/update-motd.d/" directory. These scripts run as the root user every time a user connects over SSH or a serial connection. Adversaries may create malicious MOTD files that grant them persistence onto the target every time a user connects to the system by executing a backdoor script or command. This rule detects the execution of potentially malicious processes through the MOTD utility.

Tags

Domain: EndpointOS: LinuxUse Case: Threat DetectionTactic: PersistenceData Source: Elastic EndgameData Source: Elastic DefendData Source: SentinelOneLanguage: eql

Severity

high

Risk Score

MITRE ATT&CK™

Persistence (TA0003)(opens in a new tab or window)

↳ Boot or Logon Initialization Scripts (T1037)(opens in a new tab or window)

License

Elastic License v2(opens in a new tab or window)

Definition

Rule Type

Event Correlation Rule

Integration Pack

Prebuilt Security Detection Rules

Index Patterns

logs-endpoint.events.process*endgame-*logs-sentinel_one_cloud_funnel.*

Related Integrations

endpoint(opens in a new tab or window)

sentinel_one_cloud_funnel(opens in a new tab or window)

Query

process where event.type == "start" and host.os.type == "linux" and event.action : ("exec", "exec_event", "start") and
  process.parent.executable : "/etc/update-motd.d/*" and
  (
    (
      process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and
      (
        process.args : ("-i", "-l") or
        (process.parent.name == "socat" and process.parent.args : "*exec*")
      )
    ) or
    (
      process.name : ("nc", "ncat", "netcat", "nc.openbsd") and process.args_count >= 3 and 
      not process.args : ("-*z*", "-*l*")
    ) or
    (
      process.name : "python*" and process.args : "-c" and process.args : (
        "*import*pty*spawn*", "*import*subprocess*call*"
      )
    ) or
    (
      process.name : "perl*" and process.args : "-e" and process.args : "*socket*" and process.args : (
        "*exec*", "*system*"
      )
    ) or
    (
      process.name : "ruby*" and process.args : ("-e", "-rsocket") and process.args : (
        "*TCPSocket.new*", "*TCPSocket.open*"
      )
    ) or
    (
      process.name : "lua*" and process.args : "-e" and process.args : "*socket.tcp*" and process.args : (
        "*io.popen*", "*os.execute*"
      )
    ) or
    (process.name : "php*" and process.args : "-r" and process.args : "*fsockopen*" and process.args : "*/bin/*sh*") or 
    (process.name : ("awk", "gawk", "mawk", "nawk") and process.args : "*/inet/tcp/*") or 
    (process.name in ("openssl", "telnet")) or
    (
      process.args : (
        "./*", "/boot/*", "/dev/shm/*", "/etc/cron.*/*", "/etc/init.d/*", "/etc/update-motd.d/*", "/run/*", "/srv/*",
        "/tmp/*", "/var/tmp/*", "/var/log/*", "/opt/*"
      ) and process.args_count == 1
    )
  ) and 
  not (
    process.parent.args == "--force" or
    process.args in ("/usr/games/lolcat", "/usr/bin/screenfetch") or
    process.parent.name == "system-crash-notification"
  )

Install detection rules in Elastic Security

Detect Process Spawned from Message-of-the-Day (MOTD) in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(opens in a new tab or window).