Threat: Lightning Framework | Detection.FYI

Chkconfig Service Add

Oct 18, 2024 · Domain: Endpoint OS: Linux Use Case: Threat Detection Tactic: Persistence Threat: Lightning Framework Data Source: Elastic Endgame Data Source: Elastic Defend ·
Share on:

Detects the use of the chkconfig binary to manually add a service for management by chkconfig. Threat actors may utilize this technique to maintain persistence on a system. When a new service is added, chkconfig ensures that the service has either a start or a kill entry in every runlevel and when the system is rebooted the service file added will run providing long-term persistence.

Read More
Suspicious File Creation in /etc for Persistence

Sep 25, 2024 · Domain: Endpoint OS: Linux Use Case: Threat Detection Tactic: Persistence Threat: Orbit Threat: Lightning Framework Data Source: Elastic Endgame Data Source: Elastic Defend ·
Share on:

Detects the manual creation of files in specific etc directories, via user root, used by Linux malware to persist and elevate privileges on compromised systems. File creation in these directories should not be entirely common and could indicate a malicious binary or script installing persistence mechanisms for long term access.

Read More