Remove Immutable File Attribute

Detects usage of the 'chattr' utility to remove immutable file attribute.

Sigma rule

```yaml
title: Remove Immutable File Attribute
id: 34979410-e4b5-4e5d-8cfb-389fdff05c12
related:
    - id: a5b977d6-8a81-4475-91b9-49dbfcd941f7
      type: derived
status: test
description: Detects usage of the 'chattr' utility to remove immutable file attribute.
references:
    - https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-15
tags:
    - attack.defense-evasion
    - attack.t1222.002
logsource:
    product: linux
    category: process_creation
detection:
    selection:
        Image|endswith: '/chattr'
        CommandLine|contains: ' -i '
    condition: selection
falsepositives:
    - Administrator interacting with immutable files (e.g. backups).
level: medium
```
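To see what this selection actually fires on, here is an added example (not part of the Sigma project or this rule's author) that applies the rule's two conditions to constructed `process_creation` events. It follows the Sigma convention that plain string modifiers such as `endswith` and `contains` compare case-insensitively; the event field names, sample paths and the `evaluate_samples` helper are assumptions for illustration.

```python
# Added example: evaluate the "Remove Immutable File Attribute" selection
# (Image|endswith '/chattr' AND CommandLine|contains ' -i ') over sample events.
from typing import Dict, List

RULE_ID = "34979410-e4b5-4e5d-8cfb-389fdff05c12"


def matches_rule(event: Dict[str, str]) -> bool:
    """Return True when the event satisfies the rule's single selection.

    Sigma string matching is case-insensitive unless the 'cased' modifier
    is used, so both fields are lower-cased before comparison. A missing
    field never matches, mirroring how Sigma backends treat absent keys.
    """
    image = event.get("Image")
    cmdline = event.get("CommandLine")
    if image is None or cmdline is None:
        return False
    # Image|endswith: '/chattr'
    image_ok = image.lower().endswith("/chattr")
    # CommandLine|contains: ' -i ' (note the surrounding spaces: a literal
    # substring test, so only a standalone "-i" argument is caught)
    cmdline_ok = " -i " in cmdline.lower()
    return image_ok and cmdline_ok


# Constructed sample events (not real telemetry), assumed field names.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    # removing the immutable flag: should match
    {"Image": "/usr/bin/chattr", "CommandLine": "chattr -i /tmp/locked.txt"},
    # setting the immutable flag: the rule only targets removal, no match
    {"Image": "/usr/bin/chattr", "CommandLine": "chattr +i /tmp/locked.txt"},
    # recursive removal by an admin on backups: matches, and is exactly the
    # false positive the rule's 'falsepositives' entry warns about
    {"Image": "/usr/bin/chattr", "CommandLine": "chattr -R -i /var/backups/"},
    # different binary: Image condition fails, no match
    {"Image": "/usr/bin/lsattr", "CommandLine": "lsattr -d /etc"},
]


def evaluate_samples() -> List[bool]:
    """Apply the rule to every sample event and return the verdicts in order."""
    return [matches_rule(e) for e in SAMPLE_EVENTS]


if __name__ == "__main__":
    for event, hit in zip(SAMPLE_EVENTS, evaluate_samples()):
        print(f"{'ALERT' if hit else '  ok '} {RULE_ID[:8]}  {event['CommandLine']}")
```

Running it prints one line per sample with `ALERT` for the two `-i` removals and `ok` for the rest, which is a quick way to sanity-check a rule's matching semantics before deploying it.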
