Techniques
Sample rules
Linux High Frequency Of File Deletion In Etc Folder
- source: splunk
- technicques:
- T1485
- T1070.004
- T1070
Description
This analytic is to detect a high frequency of file deletion relative to process name and process id /etc/ folder. These events was seen in acidrain wiper malware where it tries to delete all files in a non-standard directory in linux directory. This detection already contains some filter that might cause false positive during our testing. But we recommend to add more filter if needed.
Detection logic
| tstats `security_content_summariesonly` values(Filesystem.file_name) as deletedFileNames values(Filesystem.file_path) as deletedFilePath dc(Filesystem.file_path) as numOfDelFilePath count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.action=deleted Filesystem.file_path = "/etc/*" by _time span=1h Filesystem.dest Filesystem.process_guid Filesystem.action
| `drop_dm_object_name(Filesystem)`
| where numOfDelFilePath >= 200
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `linux_high_frequency_of_file_deletion_in_etc_folder_filter`
Linux High Frequency Of File Deletion In Boot Folder
- source: splunk
- technicques:
- T1485
- T1070.004
- T1070
Description
This analytic is to detect a high frequency of file deletion relative to process name and process id /boot/ folder. These events was seen in industroyer2 wiper malware where it tries to delete all files in a critical directory in linux directory. This detection already contains some filter that might cause false positive during our testing.
Detection logic
| tstats `security_content_summariesonly` values(Filesystem.file_name) as deletedFileNames values(Filesystem.file_path) as deletedFilePath dc(Filesystem.file_path) as numOfDelFilePath count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.action=deleted Filesystem.file_path = "/boot/*" by _time span=1h Filesystem.dest Filesystem.process_guid Filesystem.action
| `drop_dm_object_name(Filesystem)`
| where numOfDelFilePath >= 200
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `linux_high_frequency_of_file_deletion_in_boot_folder_filter`