Techniques
Sample rules
Linux Hardware Addition SwapOff
- source: splunk
- technicques:
- T1200
Description
This analytic looks for process execution to disable the swapping of paging devices. This technique was seen in Awfulshred malware that disables the swapping of the specified devices and files. This anomaly detection can be a good indicator that a process or a user tries to disable this Linux feature in a targeted host.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = "swapoff" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `linux_hardware_addition_swapoff_filter`