Remove Immutable File Attribute - Auditd
Detects removing immutable file attribute.
Sigma rule (View on GitHub)
1title: Remove Immutable File Attribute - Auditd
2id: a5b977d6-8a81-4475-91b9-49dbfcd941f7
3status: test
4description: Detects removing immutable file attribute.
5references:
6 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.002/T1222.002.md
7author: Jakob Weinzettl, oscd.community
8date: 2019-09-23
9modified: 2022-11-26
10tags:
11 - attack.defense-evasion
12 - attack.t1222.002
13logsource:
14 product: linux
15 service: auditd
16detection:
17 selection:
18 type: 'EXECVE'
19 a0|contains: 'chattr'
20 a1|contains: '-i'
21 condition: selection
22falsepositives:
23 - Administrator interacting with immutable files (e.g. for instance backups).
24level: medium
References
-
Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team
Read More
Related rules
- Chmod Suspicious Directory
- File or Folder Permissions Change
- Remove Immutable File Attribute
- AD Object WriteDAC Access
- ADS Zone.Identifier Deleted By Uncommon Application