Potential Suspicious Change To Sensitive/Critical Files
Detects changes to sensitive and critical files: files on a Linux system that you do not expect to change without planning. These include, but are not limited to, system configuration files, authentication files, and critical application files. Attackers often target these files to maintain persistence, escalate privileges, or disrupt system operations. Note that the first selection below depends on a '>' redirection being present in CommandLine; because the shell consumes redirections before calling exec, this only holds for log sources that record the full shell command line, not for raw execve telemetry of the child process (a plain `cat x > /etc/hosts` typed at a shell executes /bin/cat with argv `cat x`).
Sigma rule (View on GitHub)
title: Potential Suspicious Change To Sensitive/Critical Files
id: 86157017-c2b1-4d4a-8c33-93b8e67e4af4
status: test
description: |
    Detects changes of sensitive and critical files. Monitors files that you don't expect to change without planning on Linux system.
    These files include, but are not limited to, system configuration files, authentication files, and critical application files.
    Attackers often target these files to maintain persistence, escalate privileges, or disrupt system operations.
references:
    - https://learn.microsoft.com/en-us/azure/defender-for-cloud/file-integrity-monitoring-overview#which-files-should-i-monitor
author: '@d4ns4n_ (Wuerth-Phoenix)'
date: 2023-05-30
modified: 2026-03-18
tags:
    - attack.impact
    - attack.t1565.001
logsource:
    category: process_creation
    product: linux
detection:
    selection_img_1:
        Image|endswith:
            - '/cat'
            - '/echo'
            - '/grep'
            - '/head'
            - '/more'
            - '/tail'
        CommandLine|contains: '>'
    selection_img_2:
        Image|endswith:
            - '/emacs'
            - '/nano'
            - '/sed'
            - '/vi'
            - '/vim'
    selection_paths:
        CommandLine|contains:
            - '/bin/login'
            - '/bin/passwd'
            - '/boot/'
            - '/etc/*.conf'
            - '/etc/cron.' # Covers different cron config files "daily", "hourly", etc.
            - '/etc/crontab'
            - '/etc/hosts'
            - '/etc/init.d'
            - '/etc/sudoers'
            - '/opt/bin/'
            - '/sbin' # Covers: '/opt/sbin', '/usr/local/sbin/', '/usr/sbin/'
            - '/usr/bin/'
            - '/usr/local/bin/'
    filter_main_mdadm.conf:
        Image|endswith: '/bin/sed'
        CommandLine|startswith:
            - 'sed -i /^*'
            - 'sed -ne s/^'
        CommandLine|endswith: '/etc/mdadm/mdadm.conf'
    condition: 1 of selection_img_* and selection_paths and not 1 of filter_main_*
falsepositives:
    - Some false positives are to be expected on user or administrator machines. Apply additional filters as needed.
level: medium
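The following is an added example, not part of the rule or of the SigmaHQ project: a small Python evaluator that implements this rule's condition (the two image selections, the path selection, and the mdadm filter) with Sigma's string semantics ('*' and '?' wildcards, case-insensitive matching, `startswith`/`endswith`/`contains` modifiers) and runs it over a handful of constructed process_creation events. The event dicts and the `rule_matches`/`evaluate` function names are assumptions made for the example; the patterns are copied from the rule above.

```python
import re

# Patterns copied from the rule above (selection_img_1, selection_img_2,
# selection_paths and filter_main_mdadm.conf).
IMG_REDIRECT = ['/cat', '/echo', '/grep', '/head', '/more', '/tail']
IMG_EDITOR = ['/emacs', '/nano', '/sed', '/vi', '/vim']
SENSITIVE_PATHS = [
    '/bin/login', '/bin/passwd', '/boot/', '/etc/*.conf', '/etc/cron.',
    '/etc/crontab', '/etc/hosts', '/etc/init.d', '/etc/sudoers',
    '/opt/bin/', '/sbin', '/usr/bin/', '/usr/local/bin/',
]
# The '*' in 'sed -i /^*' is a Sigma wildcard, not a literal star.
MDADM_PREFIXES = ['sed -i /^*', 'sed -ne s/^']


def _sigma_regex(pattern: str, modifier: str) -> re.Pattern:
    """Compile one Sigma string pattern. '*' matches any run of characters,
    '?' matches one character, everything else is literal. Matching is
    case-insensitive, which is Sigma's default for plain string values."""
    body = ''.join(
        '.*' if ch == '*' else '.' if ch == '?' else re.escape(ch)
        for ch in pattern
    )
    if modifier == 'startswith':
        body = '^' + body
    elif modifier == 'endswith':
        body = body + '$'
    return re.compile(body, re.IGNORECASE | re.DOTALL)


def _any(value: str, patterns, modifier: str) -> bool:
    """A Sigma list value is an OR: true if any pattern matches."""
    return any(_sigma_regex(p, modifier).search(value) for p in patterns)


def rule_matches(event: dict) -> bool:
    """Evaluate the rule condition:
    1 of selection_img_* and selection_paths and not 1 of filter_main_*"""
    image = event.get('Image', '')
    cmd = event.get('CommandLine', '')

    selection_img_1 = _any(image, IMG_REDIRECT, 'endswith') and _any(cmd, ['>'], 'contains')
    selection_img_2 = _any(image, IMG_EDITOR, 'endswith')
    selection_paths = _any(cmd, SENSITIVE_PATHS, 'contains')
    filter_main_mdadm = (
        _any(image, ['/bin/sed'], 'endswith')
        and _any(cmd, MDADM_PREFIXES, 'startswith')
        and _any(cmd, ['/etc/mdadm/mdadm.conf'], 'endswith')
    )
    return (selection_img_1 or selection_img_2) and selection_paths and not filter_main_mdadm


# Constructed sample events (assumed field names Image / CommandLine, as in the rule).
SAMPLE_EVENTS = [
    # Editor opened on sudoers: fires.
    {'Image': '/usr/bin/vim', 'CommandLine': 'vim /etc/sudoers'},
    # Redirect into sudoers: fires, but only when the log source records the
    # shell's full command line. A raw execve of /usr/bin/echo never carries
    # the '>>' (the shell consumes it), so selection_img_1 would not match there.
    {'Image': '/usr/bin/echo', 'CommandLine': 'echo "ALL ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers'},
    # Cron drop-in edited with nano: fires ('/etc/cron.' covers cron.d, cron.daily, ...).
    {'Image': '/usr/bin/nano', 'CommandLine': 'nano /etc/cron.d/backup'},
    # The mdadm exclusion: selection_paths matches via '/etc/*.conf', but the
    # filter removes the event, so it does not fire.
    {'Image': '/usr/bin/sed', 'CommandLine': 'sed -i /^ARRAY/d /etc/mdadm/mdadm.conf'},
    # Read-only access: no '>' in CommandLine, so selection_img_1 fails.
    {'Image': '/usr/bin/cat', 'CommandLine': 'cat /etc/hosts'},
    # Editor on a file that no selection_paths pattern covers (no '.conf' suffix).
    {'Image': '/usr/bin/vi', 'CommandLine': 'vi /etc/ssh/sshd_config'},
]


def evaluate(events=SAMPLE_EVENTS) -> dict:
    """Return {CommandLine: matched} for each event, in input order."""
    return {e['CommandLine']: rule_matches(e) for e in events}


if __name__ == '__main__':
    for cmd, hit in evaluate().items():
        print(('ALERT ' if hit else 'ok    ') + cmd)
```

Running the block prints ALERT for the first three sample commands and ok for the last three. The sshd_config case shows how the `contains` wildcard works: '/etc/*.conf' requires the literal suffix '.conf' somewhere after '/etc/', so files such as sshd_config are outside this rule's path list unless you extend it.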
References
- https://learn.microsoft.com/en-us/azure/defender-for-cloud/file-integrity-monitoring-overview#which-files-should-i-monitor
Related rules
- Cisco Denial of Service
- Azure DNS Zone Modified or Deleted
- Azure Device or Configuration Modified or Deleted
- Commands to Clear or Remove the Syslog - Builtin
- History File Deletion