LoFP / Some false positives are to be expected. Apply additional filters as needed before pushing to production.

Techniques

Sample rules

Chmod Targeting Sensitive Directories

Description

Detects chmod targeting files in sensitive directory paths on Linux systems. Attackers may use chmod to change permissions of files in these directories to maintain persistence, escalate privileges, or disrupt system operations.

Detection logic

condition: selection and not 1 of filter_main_*
filter_main_apt_key:
  CommandLine|startswith: chmod 700 /tmp/apt-key-gpghome.
filter_main_landscape:
  CommandLine: chmod 0775 /etc/landscape/
filter_main_mkinitramfs:
  CommandLine|startswith: chmod 755 /var/tmp/mkinitramfs
filter_main_postinst:
  CommandLine|contains: /etc/
  ParentCommandLine|contains|all:
  - /var/lib/dpkg/info/
  - .postinst configure
filter_main_ubuntu_apparmor:
  CommandLine: chmod 644 /etc/apparmor.d/tunables/home.d/ubuntu
filter_main_update_shells:
  CommandLine|contains: chmod --reference=/etc/shells
  ParentCommandLine|endswith: /update-shells
selection:
  CommandLine|contains:
  - /tmp/
  - /.Library/
  - /etc/
  - /opt/
  Image|endswith: /chmod

Disable Or Stop Services

Description

Detects the use of utilities such as ‘systemctl’ or ‘service’ to stop or disable tools and services on Linux systems. Attackers may stop or disable security tools and services to evade detection, maintain persistence, or disrupt system operations.

Detection logic

condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
filter_main_legit_snapd:
  CommandLine|contains:
  - --no-reload disable snap-snapd-
  - ' stop snap-snapd-'
  Image|endswith: /systemctl
filter_main_ssh_preinstall:
  CommandLine|contains|all:
  - ' stop '
  - ssh.
  Image|endswith: /systemctl
  ParentCommandLine|contains: tmp.ci/preinst upgrade
filter_main_ubuntu_upgrade:
  Image|endswith: /systemctl
  ParentCommandLine|contains: /dpkg/info/ubuntu-pro-client.prerm upgrade
filter_optional_aws_agent:
  CommandLine|endswith: snap.amazon-ssm-agent.amazon-ssm-agent.service
  Image|endswith: /systemctl
selection:
  CommandLine|contains:
  - ' stop '
  - ' disable '
  Image|endswith:
  - /service
  - /systemctl
  - /chkconfig
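To see how the selection and filter_* blocks of both rules above (the chmod rule and the disable/stop services rule) interact, here is an added example: a minimal Sigma-style evaluator written for this page, not code from the LoFP project or the Sigma project. It transcribes the two rules into Python dictionaries and runs them over constructed process-creation events (the field names Image, CommandLine and ParentCommandLine follow the rules; the event values themselves are made up). It implements only what these rules need: contains / startswith / endswith, the |all qualifier, exact match, and the condition "selection and not 1 of filter_*". Comparisons are lower-cased because Sigma string matching is case-insensitive by default; wildcards are not supported.

```python
# Added example: minimal Sigma-style evaluator for the two LoFP rules above.
# Not from the LoFP page or the Sigma project; events below are constructed.

def _match_value(value, modifiers, patterns):
    """True if a field value satisfies the pattern list under the given modifiers."""
    if value is None:
        return False
    if isinstance(patterns, str):
        patterns = [patterns]
    value = value.lower()            # Sigma string matching is case-insensitive
    hits = []
    for p in patterns:
        p = p.lower()
        if "contains" in modifiers:
            hits.append(p in value)
        elif "startswith" in modifiers:
            hits.append(value.startswith(p))
        elif "endswith" in modifiers:
            hits.append(value.endswith(p))
        else:
            hits.append(value == p)  # no modifier: exact match (no wildcards here)
    # "|all" requires every listed value to match; otherwise any one suffices
    return all(hits) if "all" in modifiers else any(hits)


def _match_map(event, detection_map):
    """Every field condition in a selection or filter map must hold (AND)."""
    for key, patterns in detection_map.items():
        field, *modifiers = key.split("|")
        if not _match_value(event.get(field), modifiers, patterns):
            return False
    return True


def evaluate(rule, event):
    """Condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*."""
    if not _match_map(event, rule["selection"]):
        return False
    return not any(_match_map(event, m) for name, m in rule.items()
                   if name.startswith("filter_"))


def alerts(rule, events):
    """Return the CommandLine of every event the rule fires on."""
    return [e["CommandLine"] for e in events if evaluate(rule, e)]


# Rule 1: Chmod Targeting Sensitive Directories (transcribed from the page)
CHMOD_RULE = {
    "selection": {"CommandLine|contains": ["/tmp/", "/.Library/", "/etc/", "/opt/"],
                  "Image|endswith": "/chmod"},
    "filter_main_apt_key": {"CommandLine|startswith": "chmod 700 /tmp/apt-key-gpghome."},
    "filter_main_landscape": {"CommandLine": "chmod 0775 /etc/landscape/"},
    "filter_main_mkinitramfs": {"CommandLine|startswith": "chmod 755 /var/tmp/mkinitramfs"},
    "filter_main_postinst": {"CommandLine|contains": "/etc/",
                             "ParentCommandLine|contains|all": ["/var/lib/dpkg/info/",
                                                                ".postinst configure"]},
    "filter_main_ubuntu_apparmor": {"CommandLine": "chmod 644 /etc/apparmor.d/tunables/home.d/ubuntu"},
    "filter_main_update_shells": {"CommandLine|contains": "chmod --reference=/etc/shells",
                                  "ParentCommandLine|endswith": "/update-shells"},
}

# Rule 2: Disable Or Stop Services (transcribed from the page)
SERVICES_RULE = {
    "selection": {"CommandLine|contains": [" stop ", " disable "],
                  "Image|endswith": ["/service", "/systemctl", "/chkconfig"]},
    "filter_main_legit_snapd": {"CommandLine|contains": ["--no-reload disable snap-snapd-",
                                                         " stop snap-snapd-"],
                                "Image|endswith": "/systemctl"},
    "filter_main_ssh_preinstall": {"CommandLine|contains|all": [" stop ", "ssh."],
                                   "Image|endswith": "/systemctl",
                                   "ParentCommandLine|contains": "tmp.ci/preinst upgrade"},
    "filter_main_ubuntu_upgrade": {"Image|endswith": "/systemctl",
                                   "ParentCommandLine|contains": "/dpkg/info/ubuntu-pro-client.prerm upgrade"},
    "filter_optional_aws_agent": {"CommandLine|endswith": "snap.amazon-ssm-agent.amazon-ssm-agent.service",
                                  "Image|endswith": "/systemctl"},
}

# Constructed sample events (not real telemetry)
CHMOD_EVENTS = [
    {"Image": "/usr/bin/chmod", "CommandLine": "chmod 755 /etc/cron.daily/apt-compat",
     "ParentCommandLine": "/bin/sh /var/lib/dpkg/info/apt.postinst configure 2.4.8"},  # dpkg postinst
    {"Image": "/usr/bin/chmod", "CommandLine": "chmod 700 /tmp/apt-key-gpghome.AbCdEf",
     "ParentCommandLine": "/bin/sh /usr/bin/apt-key add -"},                             # apt-key
    {"Image": "/usr/bin/chmod", "CommandLine": "chmod 777 /opt/backup",
     "ParentCommandLine": "bash"},                                                        # no filter: alert
    {"Image": "/usr/bin/chown", "CommandLine": "chown root:root /etc/passwd",
     "ParentCommandLine": "bash"},                                                        # not chmod
]
SERVICE_EVENTS = [
    {"Image": "/usr/bin/systemctl", "CommandLine": "systemctl --no-reload disable snap-snapd-21759.mount",
     "ParentCommandLine": "/usr/lib/snapd/snapd"},                                        # snapd housekeeping
    {"Image": "/usr/bin/systemctl", "CommandLine": "systemctl stop ssh.service",
     "ParentCommandLine": "/bin/sh /var/lib/dpkg/tmp.ci/preinst upgrade 1:9.6p1-3"},      # ssh package upgrade
    {"Image": "/usr/bin/systemctl", "CommandLine": "systemctl stop snap.amazon-ssm-agent.amazon-ssm-agent.service",
     "ParentCommandLine": "sudo"},                                                        # optional filter
    {"Image": "/usr/bin/systemctl", "CommandLine": "systemctl disable auditd",
     "ParentCommandLine": "bash"},                                                        # no filter: alert
    {"Image": "/usr/sbin/service", "CommandLine": "service rsyslog stop",
     "ParentCommandLine": "bash"},                                                        # trailing "stop": not selected
]

if __name__ == "__main__":
    print("chmod alerts:   ", alerts(CHMOD_RULE, CHMOD_EVENTS))
    print("services alerts:", alerts(SERVICES_RULE, SERVICE_EVENTS))
```

Two things the run makes visible. First, the package-manager filters suppress the dpkg, apt-key, snapd and SSM-agent events, so only the interactive `chmod 777 /opt/backup` and `systemctl disable auditd` events fire. Second, the services selection uses `' stop '` and `' disable '` with surrounding spaces, so a command whose last token is `stop` (the `service rsyslog stop` event) is not selected at all; if that form matters in your environment, tune the selection rather than only the filters.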