rules/linux/auditd/lnx_auditd_debugfs_usage.yml

title: Use of Debugfs to Access a Raw Disk
id: fb0647d7-371a-4553-8e20-33bbbe122956
status: experimental
description: Detects access to a raw disk on a host to evade detection by security products.
references:
    - https://twitter.com/0xm1rch/status/1600857731073654784?s=20&t=MdrBPqv4hnBEfAJBayMCZA
    - https://github.com/Neo23x0/auditd/blob/master/audit.rules # required auditd config
author: Janantha Marasinghe
date: 2022/12/20
tags:
    - attack.defense_evasion
    - attack.t1006
logsource:
    product: linux
    service: auditd
detection:
    selection_debugfs:
        type: 'EXECVE'
        a0: 'debugfs'
    selection_tools:
        type: 'EXECVE'
        a0:
            - 'df'
            - 'lsblk'
            - 'pvs'
            - 'fdisk'
            - 'blkid'
            - 'parted'
            - 'hwinfo'
            - 'inxi'
    timeframe: 5m
    condition: selection_debugfs | near selection_tools # requires both
falsepositives:
    - Unknown
level: medium
lnx_auditd_debugfs_usage.yml 2022-12-24 23:41:20 +11:00			`title: Use of Debugfs to Access a Raw Disk`
			`id: fb0647d7-371a-4553-8e20-33bbbe122956`
			`status: experimental`
			`description: Detects access to a raw disk on a host to evade detection by security products.`
			`references:`
			`- https://twitter.com/0xm1rch/status/1600857731073654784?s=20&t=MdrBPqv4hnBEfAJBayMCZA`
fix: small selection fix for clarity 2022-12-27 16:23:09 +01:00			`- https://github.com/Neo23x0/auditd/blob/master/audit.rules # required auditd config`
lnx_auditd_debugfs_usage.yml 2022-12-24 23:41:20 +11:00			`author: Janantha Marasinghe`
			`date: 2022/12/20`
			`tags:`
			`- attack.defense_evasion`
			`- attack.t1006`
			`logsource:`
			`product: linux`
			`service: auditd`
			`detection:`
fix: small selection fix for clarity 2022-12-27 16:23:09 +01:00			`selection_debugfs:`
			`type: 'EXECVE'`
			`a0: 'debugfs'`
			`selection_tools:`
lnx_auditd_debugfs_usage.yml 2022-12-24 23:41:20 +11:00			`type: 'EXECVE'`
Updated to include additional tools 2022-12-25 07:57:18 +11:00			`a0:`
			`- 'df'`
			`- 'lsblk'`
			`- 'pvs'`
			`- 'fdisk'`
			`- 'blkid'`
			`- 'parted'`
			`- 'hwinfo'`
			`- 'inxi'`
fix: remove correlation 2022-12-27 15:31:51 +01:00			`timeframe: 5m`
fix: small selection fix for clarity 2022-12-27 16:23:09 +01:00			`condition: selection_debugfs \| near selection_tools # requires both`
lnx_auditd_debugfs_usage.yml 2022-12-24 23:41:20 +11:00			`falsepositives:`
			`- Unknown`
			`level: medium`