Potential Suspicious Change To Sensitive/Critical Files
Detects changes to sensitive and critical files: it monitors files that you would not expect to change without planning on a Linux system.
Sigma rule
title: Potential Suspicious Change To Sensitive/Critical Files
id: 86157017-c2b1-4d4a-8c33-93b8e67e4af4
status: test
description: Detects changes of sensitive and critical files. Monitors files that you don't expect to change without planning on Linux system.
references:
    - https://learn.microsoft.com/en-us/azure/defender-for-cloud/file-integrity-monitoring-overview#which-files-should-i-monitor
author: '@d4ns4n_ (Wuerth-Phoenix)'
date: 2023-05-30
tags:
    - attack.impact
    - attack.t1565.001
logsource:
    category: process_creation
    product: linux
detection:
    selection_img_1:
        Image|endswith:
            - '/cat'
            - '/echo'
            - '/grep'
            - '/head'
            - '/more'
            - '/tail'
        CommandLine|contains: '>'
    selection_img_2:
        Image|endswith:
            - '/emacs'
            - '/nano'
            - '/sed'
            - '/vi'
            - '/vim'
    selection_paths:
        CommandLine|contains:
            - '/bin/login'
            - '/bin/passwd'
            - '/boot/'
            - '/etc/*.conf'
            - '/etc/cron.' # Covers different cron config files "daily", "hourly", etc.
            - '/etc/crontab'
            - '/etc/hosts'
            - '/etc/init.d'
            - '/etc/sudoers'
            - '/opt/bin/'
            - '/sbin' # Covers: '/opt/sbin', '/usr/local/sbin/', '/usr/sbin/'
            - '/usr/bin/'
            - '/usr/local/bin/'
    condition: 1 of selection_img_* and selection_paths
falsepositives:
    - Some false positives are to be expected on user or administrator machines. Apply additional filters as needed.
level: medium
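To show how the three selections combine, here is an added Python re-implementation of this rule's matching logic (written for this page, not code from the Sigma project or the rule author). It assumes process-creation events with Image and CommandLine fields, treats `*` and `?` as Sigma wildcards and matches case-insensitively, as Sigma does by default, and runs over constructed sample events:

```python
import re

# Values copied from the rule above. '*' is a Sigma wildcard, so '/etc/*.conf'
# matches any path under /etc/ that ends in .conf, not the literal string.
REDIRECT_TOOLS = ['/cat', '/echo', '/grep', '/head', '/more', '/tail']
EDITORS = ['/emacs', '/nano', '/sed', '/vi', '/vim']
SENSITIVE_PATHS = [
    '/bin/login', '/bin/passwd', '/boot/', '/etc/*.conf', '/etc/cron.',
    '/etc/crontab', '/etc/hosts', '/etc/init.d', '/etc/sudoers',
    '/opt/bin/', '/sbin', '/usr/bin/', '/usr/local/bin/',
]

def sigma_regex(value, modifier):
    """Compile one Sigma string value: '*' -> '.*', '?' -> '.', rest literal.
    'contains' is an unanchored search; 'endswith' is anchored at the end."""
    body = ''.join('.*' if c == '*' else '.' if c == '?' else re.escape(c)
                   for c in value)
    if modifier == 'endswith':
        body += r'\Z'
    return re.compile(body, re.IGNORECASE | re.DOTALL)

def any_match(field_value, values, modifier):
    # A list of values under one field is an OR in Sigma.
    return any(sigma_regex(v, modifier).search(field_value or '') for v in values)

def rule_matches(event):
    image, cmd = event.get('Image', ''), event.get('CommandLine', '')
    sel_img_1 = (any_match(image, REDIRECT_TOOLS, 'endswith')
                 and any_match(cmd, ['>'], 'contains'))
    sel_img_2 = any_match(image, EDITORS, 'endswith')
    sel_paths = any_match(cmd, SENSITIVE_PATHS, 'contains')
    # condition: 1 of selection_img_* and selection_paths
    return (sel_img_1 or sel_img_2) and sel_paths

# Constructed sample events (hypothetical, not from any real host).
SAMPLE_EVENTS = [
    {'Image': '/usr/bin/vi',   'CommandLine': 'vi /etc/sudoers'},                      # editor on sudoers
    {'Image': '/usr/bin/echo', 'CommandLine': "echo '192.0.2.10 build' >> /etc/hosts"},  # redirect into hosts
    {'Image': '/usr/bin/cat',  'CommandLine': 'cat /etc/hosts'},                        # read only, no '>'
    {'Image': '/usr/bin/sed',  'CommandLine': 'sed -i s/a/b/ /etc/ssh/sshd_config'},   # no .conf suffix
    {'Image': '/usr/bin/grep', 'CommandLine': 'grep Listen /etc/apache2/ports.conf > /tmp/p'},  # wildcard hit
    {'Image': '/usr/bin/tail', 'CommandLine': 'tail -f /var/log/syslog'},                # no '>' and no path
]

def evaluate(events):
    return [rule_matches(e) for e in events]

if __name__ == '__main__':
    for e, hit in zip(SAMPLE_EVENTS, evaluate(SAMPLE_EVENTS)):
        print('ALERT ' if hit else 'ok    ', e['CommandLine'])
```

The fourth event shows the limit of the `'/etc/*.conf'` entry (sshd_config has no `.conf` suffix, so an edit there is not covered), and the fifth shows the accepted false positive: a grep that merely reads a .conf file but redirects its output to /tmp still fires.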
Related rules
- Azure DNS Zone Modified or Deleted
- Azure Device or Configuration Modified or Deleted
- Cisco Denial of Service
- Commands to Clear or Remove the Syslog - Builtin
- History File Deletion