Potential Disabling of AppArmor
This rule monitors for potential attempts to disable AppArmor. AppArmor is a Linux security module that enforces fine-grained access control policies to restrict the actions and resources that specific applications and processes can access. Adversaries may disable security tools to avoid possible detection of their tools and activities.
Elastic rule:

[metadata]
creation_date = "2023/08/28"
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/08/28"

[rule]
author = ["Elastic"]
description = """
This rule monitors for potential attempts to disable AppArmor. AppArmor is a Linux security module that enforces
fine-grained access control policies to restrict the actions and resources that specific applications and processes can
access. Adversaries may disable security tools to avoid possible detection of their tools and activities.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Disabling of AppArmor"
risk_score = 21
rule_id = "fac52c69-2646-4e79-89c0-fd7653461010"
severity = "low"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and (
  (process.name == "systemctl" and process.args == "disable" and process.args == "apparmor") or
  (process.name == "ln" and process.args : "/etc/apparmor.d/*" and process.args : "/etc/apparmor.d/disable/")
)
'''

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1562"
name = "Impair Defenses"
reference = "https://attack.mitre.org/techniques/T1562/"

[[rule.threat.technique.subtechnique]]
id = "T1562.001"
name = "Disable or Modify Tools"
reference = "https://attack.mitre.org/techniques/T1562/001/"

[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
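To see how the query's two branches behave on concrete process events, here is an added Python re-implementation of the rule's EQL logic (not Elastic's code). The events are constructed samples; the `_ev` helper and the profile name `usr.sbin.cupsd` are assumptions, and `process.args == "x"` is modelled as "any element of the args array equals x", which is how EQL evaluates array fields.

```python
import fnmatch


def _ev(name, args, os_type="linux", action="exec", etype="start"):
    """Build a minimal ECS-shaped process event (constructed sample, not real telemetry)."""
    return {"host": {"os": {"type": os_type}}, "event": {"action": action, "type": etype},
            "process": {"name": name, "args": args}}


SAMPLE_EVENTS = [
    _ev("systemctl", ["systemctl", "disable", "apparmor"]),                                 # branch 1: fires
    _ev("ln", ["ln", "-s", "/etc/apparmor.d/usr.sbin.cupsd", "/etc/apparmor.d/disable/"]),  # branch 2: fires
    _ev("systemctl", ["systemctl", "status", "apparmor"]),                                  # no "disable" arg
    _ev("systemctl", ["systemctl", "disable", "apparmor"], etype="end"),                    # not a start event
    _ev("ln", ["ln", "-s", "/etc/apparmor.d/usr.sbin.cupsd", "/tmp/backup/"]),              # no disable/ target
]


def _args_eq(args, value):
    # EQL `process.args == "x"` on an array field: true if ANY element equals "x".
    return value in args


def _args_like(args, pattern):
    # EQL `process.args : "pat"` is a case-insensitive wildcard match against any element.
    pattern = pattern.lower()
    return any(fnmatch.fnmatchcase(a.lower(), pattern) for a in args)


def matches_rule(event):
    """Return True when the event satisfies the rule's EQL query."""
    if event["host"]["os"]["type"] != "linux":
        return False
    if event["event"]["action"] != "exec" or event["event"]["type"] != "start":
        return False
    name, args = event["process"]["name"], event["process"]["args"]
    # Branch 1: `systemctl disable apparmor` (arg order is not checked, matching the EQL).
    if name == "systemctl" and _args_eq(args, "disable") and _args_eq(args, "apparmor"):
        return True
    # Branch 2: a profile under /etc/apparmor.d/ symlinked into /etc/apparmor.d/disable/.
    if name == "ln" and _args_like(args, "/etc/apparmor.d/*") and _args_like(args, "/etc/apparmor.d/disable/"):
        return True
    return False


def find_alerts(events):
    """Return the command lines of the events that would fire the rule."""
    return [" ".join(e["process"]["args"]) for e in events if matches_rule(e)]


if __name__ == "__main__":
    for line in find_alerts(SAMPLE_EVENTS):
        print("ALERT:", line)
```

Only the first two sample events fire; the benign `systemctl status apparmor` and the non-start event are filtered out by the same conditions the EQL applies.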
Related rules
- System Binary Copied and/or Moved to Suspicious Directory
- Potential Sudo Privilege Escalation via CVE-2019-14287
- Network Connection via Recently Compiled Executable
- Potential Privilege Escalation via Recently Compiled Executable
- Potential Linux Tunneling and/or Port Forwarding