Remove Immutable File Attribute - Auditd
Detects removing immutable file attribute.
Sigma rule (View on GitHub)
1title: Remove Immutable File Attribute - Auditd
2id: a5b977d6-8a81-4475-91b9-49dbfcd941f7
3status: test
4description: Detects removing immutable file attribute.
5references:
6 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.002/T1222.002.md
7author: Jakob Weinzettl, oscd.community
8date: 2019-09-23
9modified: 2022-11-26
10tags:
11 - attack.defense-evasion
12 - attack.t1222.002
13logsource:
14 product: linux
15 service: auditd
16detection:
17 selection:
18 type: 'EXECVE'
19 a0|contains: 'chattr'
20 a1|contains: '-i'
21 condition: selection
22falsepositives:
23 - Administrator interacting with immutable files (e.g. for instance backups).
24level: medium
25simulation:
26 - type: atomic-red-team
27 name: Remove immutable file attribute
28 technique: T1222.002
29 atomic_guid: e7469fe2-ad41-4382-8965-99b94dd3c13f
References
-
Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team
Read More
Related rules
- File or Folder Permissions Change
- Chmod Suspicious Directory
- Remove Immutable File Attribute
- ASLR Disabled Via Sysctl or Direct Syscall - Linux
- Auditing Configuration Changes on Linux Host