LoFP / administrator interacting with immutable files (e.g. for instance backups).

Techniques

• t1222
• t1222.002

Sample rules

Remove Immutable File Attribute

• source: sigma
• technicques:
  • t1222
  • t1222.002

Description

Detects usage of the ‘chattr’ utility to remove immutable file attribute.

Detection logic

condition: selection
selection:
  CommandLine|contains: ' -i '
  Image|endswith: /chattr

Remove Immutable File Attribute - Auditd

• source: sigma
• technicques:
  • t1222
  • t1222.002

Description

Detects removing immutable file attribute.

Detection logic

condition: selection
selection:
  a0|contains: chattr
  a1|contains: -i
  type: EXECVE