Suspicious Write Attempt to AppArmor Policy Management Files

  1[metadata]
  2creation_date = "2026/03/17"
  3integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
  4maturity = "production"
  5updated_date = "2026/03/17"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10Detects processes attempting to write to AppArmor policy management pseudo-files located
 11under "/sys/kernel/security/apparmor/". These special kernel interfaces are used to load,
 12replace, or remove AppArmor profiles (".load", ".replace", ".remove"). In normal environments,
 13AppArmor policy management is typically performed by administrative tools such as "apparmor_parser"
 14during system initialization or package installation. Direct interaction with these pseudo-files
 15from shell utilities, interpreters, or scripting environments is uncommon and may indicate attempts
 16to modify security policy at runtime. Adversaries may abuse these interfaces to weaken or disable
 17AppArmor protections, introduce malicious profiles, or exploit vulnerabilities in the AppArmor policy
 18parser as part of local privilege escalation chains.
 19"""
 20from = "now-9m"
 21index = [
 22    "logs-endpoint.events.process*",
 23    "endgame-*",
 24    "logs-crowdstrike.fdr*",
 25    "logs-sentinel_one_cloud_funnel.*",
 26]
 27language = "eql"
 28license = "Elastic License v2"
 29name = "Suspicious Write Attempt to AppArmor Policy Management Files"
 30note = """## Triage and analysis
 31
 32> **Disclaimer**:
 33> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 34
 35### Investigating Suspicious Write Attempt to AppArmor Policy Management Files
 36
 37This rule flags shells, scripting runtimes, and basic file utilities trying to write directly to AppArmor’s policy control files, an unusual action that can change or remove enforcement while the system is running. An attacker with local code execution may echo a crafted profile into `.replace` or write to `.remove` from a shell script to weaken confinement before dumping credentials or launching a privilege-escalation chain.
 38
 39### Possible investigation steps
 40
 41- Determine whether the activity aligns with authorized package installation, configuration management, or AppArmor maintenance by correlating the timestamp with change tickets, software updates, and administrator sessions.
 42- Reconstruct the full parent-child execution chain and user context to identify how the write was initiated, whether it came from an interactive shell, script, container entrypoint, or remotely spawned session, and whether elevated privileges were obtained just beforehand.
 43- Capture the exact payload or referenced file used in the write attempt and compare it to approved AppArmor profiles to determine whether the action was loading a new profile, weakening an existing one, or removing confinement entirely.
 44- Verify the system’s current AppArmor state immediately after the event, including enforcement mode, recently modified or unloaded profiles, and any audit or kernel messages indicating parser errors, profile replacement, or successful policy removal.
 45- Investigate adjacent activity from the same user, session, and host for signs of defense evasion or privilege escalation, such as sudo abuse, exploitation traces, disabling other security controls, credential access, or rapid execution of binaries that would normally be confined.
 46
 47### False positive analysis
 48
 49- A legitimate system initialization or package maintenance script may use `echo`, `tee`, `cat`, or a shell redirection to load or replace an approved AppArmor profile, so verify the parent process and event timing align with boot activity or an authorized update and that the profile content matches a known file under `/etc/apparmor.d/`.
 50- An administrator or deployment script may temporarily reload or remove a profile during sanctioned application troubleshooting, so confirm the executing user or service account, the script location and change record, and that the expected AppArmor profile was restored or reloaded immediately afterward.
 51
 52### Response and remediation
 53
 54- Isolate the affected Linux host from the network and suspend interactive access while preserving the shell history, the script or payload used to write to `/sys/kernel/security/apparmor/.load`, `.replace`, or `.remove`, and any related dropped files for forensic review.
 55- Re-enable AppArmor enforcement from trusted administration tooling, compare currently loaded profiles with the approved baseline under `/etc/apparmor.d/`, and remove any unauthorized profile loads, replacements, or profile removals introduced by the attacker.
 56- Hunt for and delete persistence established around the same activity, including new or modified `systemd` services, cron jobs, startup scripts, SSH `authorized_keys` entries, `sudoers` changes, and binaries or scripts placed in writable directories.
 57- Escalate immediately to incident response if AppArmor protections were successfully weakened or removed, a privileged service profile was altered, root access is suspected, or similar write attempts appear on additional Linux systems.
 58- Restore the host to a known-good state from a trusted image or approved configuration backup when system integrity is uncertain, then rotate credentials used on the host and harden access so only authorized administrators and deployment tooling can modify AppArmor policies.
 59"""
 60references = [
 61    "https://cdn2.qualys.com/advisory/2026/03/10/crack-armor.txt",
 62    "https://blog.qualys.com/vulnerabilities-threat-research/2026/03/12/crackarmor-critical-apparmor-flaws-enable-local-privilege-escalation-to-root",
 63]
 64risk_score = 47
 65rule_id = "8293bf1f-8dd0-434e-b52a-1aa6ec101777"
 66setup = """## Setup
 67
 68This rule requires data coming in from Elastic Defend.
 69
 70### Elastic Defend Integration Setup
 71Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
 72
 73#### Prerequisite Requirements:
 74- Fleet is required for Elastic Defend.
 75- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
 76
 77#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
 78- Go to the Kibana home page and click "Add integrations".
 79- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
 80- Click "Add Elastic Defend".
 81- Configure the integration name and optionally add a description.
 82- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
 83- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
 84- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
 85- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
 86For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
 87- Click "Save and Continue".
 88- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 89For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 90"""
 91severity = "medium"
 92tags = [
 93    "Domain: Endpoint",
 94    "OS: Linux",
 95    "Use Case: Threat Detection",
 96    "Tactic: Defense Evasion",
 97    "Data Source: Elastic Defend",
 98    "Data Source: Elastic Endgame",
 99    "Data Source: Crowdstrike",
100    "Data Source: SentinelOne",
101    "Resources: Investigation Guide",
102]
103timestamp_override = "event.ingested"
104type = "eql"
105query = '''
106process where host.os.type == "linux" and event.type == "start" and
107event.action in ("exec", "exec_event", "start", "ProcessRollup2") and
108( 
109  process.name in (
110    "cat", "echo", "tee", "dd", "truncate", "bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish",
111    "busybox", "awk", "sed", "xargs", "find", "grep", "node", "timeout", "env"
112  ) or
113  process.name like (".*", "python*", "perl*", "ruby*", "lua*", "php*")
114) and
115process.command_line like (
116  "*/sys/kernel/security/apparmor/.load*",
117  "*/sys/kernel/security/apparmor/.replace*",
118  "*/sys/kernel/security/apparmor/.remove*"
119)
120'''
121
122[[rule.threat]]
123framework = "MITRE ATT&CK"
124
125[[rule.threat.technique]]
126id = "T1562"
127name = "Impair Defenses"
128reference = "https://attack.mitre.org/techniques/T1562/"
129
130[[rule.threat.technique.subtechnique]]
131id = "T1562.001"
132name = "Disable or Modify Tools"
133reference = "https://attack.mitre.org/techniques/T1562/001/"
134
135[rule.threat.tactic]
136id = "TA0005"
137name = "Defense Evasion"
138reference = "https://attack.mitre.org/tactics/TA0005/"