security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
0308e32ea00a8ba0dcc5d214b1fae6ec31ef1a82
sigma-rules/rules/linux/defense_evasion_chattr_immutable_file.toml
T
Jonhnathan 063386829c [Security Content] Include "Data Source: Elastic Defend" tag (#3002) 
* win folder

* Other folders

* Update test_all_rules.py

* .

* updated missing elastic defend tags

---------

Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co>

(cherry picked from commit 4233fef238)
2023-09-05 18:28:40 +00:00

59 lines
2.3 KiB
TOML
Raw Blame History

[metadata]
creation_date = "2022/07/22"
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/08/24"
[rule]
author = ["Elastic"]
description = """
Detects a file being made immutable using the chattr binary. Making a file immutable means it cannot be deleted or
renamed, no link can be created to this file, most of the file's metadata can not be modified, and the file can not be
opened in write mode. Threat actors will commonly utilize this to prevent tampering or modification of their malicious
files or any system files they have modified for purposes of persistence (e.g .ssh, /etc/passwd, etc.).
"""
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
max_signals = 33
name = "File made Immutable by Chattr"
note = """## Setup
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
"""
risk_score = 47
rule_id = "968ccab9-da51-4a87-9ce2-d3c9782fd759"
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "linux" and event.type == "start" and user.name == "root" and
process.executable : "/usr/bin/chattr" and process.args : ("-*i*", "+*i*") and
not process.parent.executable: ("/lib/systemd/systemd", "/usr/local/uems_agent/bin/*", "/usr/lib/systemd/systemd")
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1222"
name = "File and Directory Permissions Modification"
reference = "https://attack.mitre.org/techniques/T1222/"
[[rule.threat.technique.subtechnique]]
id = "T1222.002"
name = "Linux and Mac File and Directory Permissions Modification"
reference = "https://attack.mitre.org/techniques/T1222/002/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
Reference in New Issue View Git Blame Copy Permalink