Potential Suspicious Change To Sensitive/Critical Files

Detects modifications to sensitive and critical files on Linux systems, i.e. files that are not expected to change outside planned maintenance. The rule matches process creation events in which an editor (emacs, nano, sed, vi, vim) is started, or a read/print utility (cat, echo, grep, head, more, tail) is started with a '>' in its command line, and the command line references one of the monitored paths. Two caveats for deployment: a shell consumes the '>' redirection before it executes the child, so telemetry that records only the child's own argv (auditd execve, for example) will carry the '>' only if the pipeline also logs the parent shell's command line; and broad entries such as '/usr/bin/' and '/sbin' also match commands that merely read from those directories, so expect to add environment-specific filters.

Sigma rule

title: Potential Suspicious Change To Sensitive/Critical Files
id: 86157017-c2b1-4d4a-8c33-93b8e67e4af4
status: test
description: Detects changes of sensitive and critical files. Monitors files that you don't expect to change without planning on Linux system.
references:
    - https://docs.microsoft.com/en-us/azure/defender-for-cloud/file-integrity-monitoring-overview#which-files-should-i-monitor
author: '@d4ns4n_ (Wuerth-Phoenix)'
date: 2023/05/30
tags:
    - attack.impact
    - attack.t1565.001
logsource:
    category: process_creation
    product: linux
detection:
    selection_img_1:
        Image|endswith:
            - '/cat'
            - '/echo'
            - '/grep'
            - '/head'
            - '/more'
            - '/tail'
        CommandLine|contains: '>'
    selection_img_2:
        Image|endswith:
            - '/emacs'
            - '/nano'
            - '/sed'
            - '/vi'
            - '/vim'
    selection_paths:
        CommandLine|contains:
            - '/bin/login'
            - '/bin/passwd'
            - '/boot/'
            - '/etc/*.conf'
            - '/etc/cron.' # Covers different cron config files "daily", "hourly", etc.
            - '/etc/crontab'
            - '/etc/hosts'
            - '/etc/init.d'
            - '/etc/sudoers'
            - '/opt/bin/'
            - '/sbin' # Covers: '/opt/sbin', '/usr/local/sbin/', '/usr/sbin/'
            - '/usr/bin/'
            - '/usr/local/bin/'
    condition: 1 of selection_img_* and selection_paths
falsepositives:
    - Some false positives are to be expected on user or administrator machines. Apply additional filters as needed.
level: medium

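The detection logic above, reduced to runnable form as an added example (this is not code from the Sigma rule, from SigmaHQ, or from any Sigma backend): a minimal matcher that implements the rule's three selections and its condition and runs them over a handful of constructed process_creation events. The field names Image and CommandLine are the rule's own; the event dictionaries, the sigma_regex helper and the rule_matches/run_rule functions are assumptions made for this example. Sigma string matching is case-insensitive by default and treats '*' and '?' as wildcards, which the helper reproduces so that '/etc/*.conf' behaves as it would in a real backend.

```python
import re
from typing import Dict, List

# Values copied from the Sigma rule above.
SELECTION_IMG_1 = ["/cat", "/echo", "/grep", "/head", "/more", "/tail"]
SELECTION_IMG_2 = ["/emacs", "/nano", "/sed", "/vi", "/vim"]
SELECTION_PATHS = [
    "/bin/login", "/bin/passwd", "/boot/", "/etc/*.conf", "/etc/cron.",
    "/etc/crontab", "/etc/hosts", "/etc/init.d", "/etc/sudoers",
    "/opt/bin/", "/sbin", "/usr/bin/", "/usr/local/bin/",
]


def sigma_regex(value: str, modifier: str) -> re.Pattern:
    """Translate one Sigma string value into a compiled regex.

    Sigma treats '*' and '?' as wildcards and matches case-insensitively by
    default; 'endswith' anchors at the end, 'startswith' at the start, and
    'contains' is unanchored.
    """
    body = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in value
    )
    if modifier == "endswith":
        body += r"\Z"
    elif modifier == "startswith":
        body = r"\A" + body
    elif modifier != "contains":
        raise ValueError(f"unsupported modifier: {modifier}")
    return re.compile(body, re.IGNORECASE | re.DOTALL)


# Compile each selection once. A list of values under one field is an OR in Sigma.
_IMG_1 = [sigma_regex(v, "endswith") for v in SELECTION_IMG_1]
_IMG_2 = [sigma_regex(v, "endswith") for v in SELECTION_IMG_2]
_REDIRECT = sigma_regex(">", "contains")
_PATHS = [sigma_regex(v, "contains") for v in SELECTION_PATHS]


def _any(patterns: List[re.Pattern], text: str) -> bool:
    return any(p.search(text) for p in patterns)


def rule_matches(event: Dict[str, str]) -> bool:
    """condition: 1 of selection_img_* and selection_paths"""
    image = event.get("Image", "")
    cmdline = event.get("CommandLine", "")
    img_1 = _any(_IMG_1, image) and _REDIRECT.search(cmdline) is not None
    img_2 = _any(_IMG_2, image)
    return (img_1 or img_2) and _any(_PATHS, cmdline)


def run_rule(events: List[Dict[str, str]]) -> List[bool]:
    """Evaluate the rule over a batch of events; one verdict per event."""
    return [rule_matches(e) for e in events]


# Constructed process_creation events for illustration, not real telemetry.
SAMPLE_EVENTS = [
    # editor opened on sudoers -> selection_img_2 + selection_paths: hit
    {"Image": "/usr/bin/vim", "CommandLine": "vim /etc/sudoers"},
    # in-place sed on a file matching /etc/*.conf -> hit
    {"Image": "/usr/bin/sed", "CommandLine": "sed -i 's/^#net.ipv4/net.ipv4/' /etc/sysctl.conf"},
    # plain read of a sensitive file, no '>' -> no hit
    {"Image": "/usr/bin/cat", "CommandLine": "cat /etc/hosts"},
    # redirection consumed by the shell: Image is bash, not echo -> no hit
    {"Image": "/usr/bin/bash", "CommandLine": "bash -c 'echo 10.0.0.5 mirror > /etc/hosts'"},
    # grep only reads /usr/bin/ and writes to /tmp, yet '/usr/bin/' matches -> hit (benign false positive)
    {"Image": "/usr/bin/grep", "CommandLine": "grep -rl setuid /usr/bin/ > /tmp/out"},
    # editor on a user file, no monitored path -> no hit
    {"Image": "/usr/bin/nano", "CommandLine": "nano /home/alice/notes.txt"},
]

if __name__ == "__main__":
    for event, hit in zip(SAMPLE_EVENTS, run_rule(SAMPLE_EVENTS)):
        print(f"{'HIT ' if hit else 'pass'}  {event['CommandLine']}")
```

The fourth sample shows the data-source dependency: the write to /etc/hosts is real, but because the shell performs the redirection the executed process is bash and the rule stays silent. The fifth shows the opposite problem, a read-only grep that fires because '/usr/bin/' appears in the command line. Running candidate events through a matcher like this before enabling the rule is a cheap way to decide which filters belong in your deployment.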