security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
71186c8788b3f85dba122647e8992dcafe29c7e3
sigma-rules/rules/linux/defense_evasion_chattr_immutable_file.toml
T
shashank-elastic 855ba16299 Linux Rule Tuning (#2753)
2023-05-02 19:12:13 +05:30

59 lines
2.2 KiB
TOML
Raw Blame History

[metadata]
creation_date = "2022/07/22"
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/04/26"
[rule]
author = ["Elastic"]
description = """
Detects a file being made immutable using the chattr binary. Making a file immutable means it cannot be deleted or
renamed, no link can be created to this file, most of the file's metadata can not be modified, and the file can not be
opened in write mode. Threat actors will commonly utilize this to prevent tampering or modification of their malicious
files or any system files they have modified for purposes of persistence (e.g .ssh, /etc/passwd, etc.).
"""
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
max_signals = 33
name = "File made Immutable by Chattr"
note = """## Setup
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
"""
risk_score = 47
rule_id = "968ccab9-da51-4a87-9ce2-d3c9782fd759"
severity = "medium"
tags = ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion", "Elastic Endgame"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "linux" and event.type == "start" and user.name == "root" and
process.executable : "/usr/bin/chattr" and process.args : ("-*i*", "+*i*") and
not process.parent.executable: ("/lib/systemd/systemd", "/usr/local/uems_agent/bin/*")
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1222"
name = "File and Directory Permissions Modification"
reference = "https://attack.mitre.org/techniques/T1222/"
[[rule.threat.technique.subtechnique]]
id = "T1222.002"
name = "Linux and Mac File and Directory Permissions Modification"
reference = "https://attack.mitre.org/techniques/T1222/002/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
Reference in New Issue View Git Blame Copy Permalink