LoFP / linux package installer/uninstaller may cause this event. please update you filter macro to remove false positives.

Techniques

• T1070
• T1070.004
• T1485

Sample rules

Linux High Frequency Of File Deletion In Boot Folder

• source: splunk
• technicques:
  • T1485
  • T1070.004
  • T1070

Description

The following analytic detects a high frequency of file deletions in the /boot/ folder on Linux systems. It leverages filesystem event logs to identify when 200 or more files are deleted within an hour by the same process. This behavior is significant as it may indicate the presence of wiper malware, such as Industroyer2, which targets critical system directories. If confirmed malicious, this activity could lead to system instability or failure, hindering the boot process and potentially causing a complete system compromise.

Detection logic

| tstats `security_content_summariesonly` values(Filesystem.file_name) as deletedFileNames values(Filesystem.file_path) as deletedFilePath dc(Filesystem.file_path) as numOfDelFilePath count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.action=deleted Filesystem.file_path = "/boot/*" by _time span=1h  Filesystem.dest Filesystem.process_guid Filesystem.action 
| `drop_dm_object_name(Filesystem)` 
| where  numOfDelFilePath >= 200 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `linux_high_frequency_of_file_deletion_in_boot_folder_filter`

Linux High Frequency Of File Deletion In Etc Folder

• source: splunk
• technicques:
  • T1485
  • T1070.004
  • T1070

Description

The following analytic detects a high frequency of file deletions in the /etc/ folder on Linux systems. It leverages the Endpoint.Filesystem data model to identify instances where 200 or more files are deleted within an hour, grouped by process name and process ID. This behavior is significant as it may indicate the presence of wiper malware, such as AcidRain, which aims to delete critical system files. If confirmed malicious, this activity could lead to severe system instability, data loss, and potential disruption of services.

Detection logic

| tstats `security_content_summariesonly` values(Filesystem.file_name) as deletedFileNames values(Filesystem.file_path) as deletedFilePath dc(Filesystem.file_path) as numOfDelFilePath count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.action=deleted Filesystem.file_path = "/etc/*" by _time span=1h  Filesystem.dest Filesystem.process_guid Filesystem.action 
| `drop_dm_object_name(Filesystem)`  
| where  numOfDelFilePath >= 200 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `linux_high_frequency_of_file_deletion_in_etc_folder_filter`