Techniques
Sample rules
Potential Suspicious Change To Sensitive/Critical Files
- source: sigma
- techniques:
- t1565
- t1565.001
Description
Detects changes to sensitive and critical files on a Linux system: files that you don't expect to change without a planned maintenance action. The rule fires on process-creation events where a shell redirect (`>`) from a text utility, or an invocation of a text editor or `sed`, names one of the monitored paths on its command line.
Detection logic
selection_img_1:
    CommandLine|contains: '>'
    Image|endswith:
        - /cat
        - /echo
        - /grep
        - /head
        - /more
        - /tail
selection_img_2:
    Image|endswith:
        - /emacs
        - /nano
        - /sed
        - /vi
        - /vim
selection_paths:
    CommandLine|contains:
        - /bin/login
        - /bin/passwd
        - /boot/
        - /etc/*.conf
        - /etc/cron.
        - /etc/crontab
        - /etc/hosts
        - /etc/init.d
        - /etc/sudoers
        - /opt/bin/
        - /sbin
        - /usr/bin/
        - /usr/local/bin/
condition: 1 of selection_img_* and selection_paths
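To see exactly what this logic does and does not catch, the following is a hand transcription of the detection section into Python, run over a handful of constructed process-creation events. It is an added example, not code from the Sigma project or from any Sigma backend; the event dictionaries, their field names (`Image`, `CommandLine`, as in the rule) and the `matches`/`contains`/`endswith` helpers are all assumptions made here. The matcher follows the Sigma string-matching convention that `*` is a wildcard (so `/etc/*.conf` also covers `/etc/security/limits.conf`) and that comparison is case-insensitive unless the `cased` modifier is used.

```python
import re
from typing import Dict, List

# Values copied from the rule's detection section.
IMG_1 = ["/cat", "/echo", "/grep", "/head", "/more", "/tail"]      # need a '>' redirect too
IMG_2 = ["/emacs", "/nano", "/sed", "/vi", "/vim"]                   # match on their own
PATHS = [
    "/bin/login", "/bin/passwd", "/boot/", "/etc/*.conf", "/etc/cron.",
    "/etc/crontab", "/etc/hosts", "/etc/init.d", "/etc/sudoers",
    "/opt/bin/", "/sbin", "/usr/bin/", "/usr/local/bin/",
]


def _to_regex(pattern: str, anchor_end: bool) -> "re.Pattern[str]":
    """Sigma-style value matching: '*' is a wildcard, everything else is literal,
    and matching is case-insensitive by default."""
    body = ".*".join(re.escape(part) for part in pattern.split("*"))
    if anchor_end:
        body += r"\Z"
    return re.compile(body, re.IGNORECASE | re.DOTALL)


def contains(value: str, pattern: str) -> bool:
    """Equivalent of the '|contains' modifier."""
    return _to_regex(pattern, anchor_end=False).search(value) is not None


def endswith(value: str, pattern: str) -> bool:
    """Equivalent of the '|endswith' modifier."""
    return _to_regex(pattern, anchor_end=True).search(value) is not None


def matches(event: Dict[str, str]) -> bool:
    """Evaluate 'condition: 1 of selection_img_* and selection_paths' for one event."""
    image = event.get("Image", "")
    cmd = event.get("CommandLine", "")
    selection_img_1 = any(endswith(image, s) for s in IMG_1) and contains(cmd, ">")
    selection_img_2 = any(endswith(image, s) for s in IMG_2)
    selection_paths = any(contains(cmd, p) for p in PATHS)
    return (selection_img_1 or selection_img_2) and selection_paths


# Constructed sample events (not real log data). Comments state the expected verdict.
EVENTS: List[Dict[str, str]] = [
    # 1. append a sudoers entry via redirect: img_1 + /etc/sudoers -> alert
    {"Image": "/usr/bin/echo",
     "CommandLine": "echo 'bob ALL=(ALL) NOPASSWD:ALL' >> /etc/sudoers"},
    # 2. editor on a *.conf file: img_2 + wildcard path -> alert
    {"Image": "/usr/bin/vim", "CommandLine": "vim /etc/security/limits.conf"},
    # 3. read-only cat, no redirect: img_1 not satisfied -> no alert
    {"Image": "/usr/bin/cat", "CommandLine": "cat /etc/hosts"},
    # 4. in-place sed on crontab: img_2 + /etc/crontab -> alert
    {"Image": "/usr/bin/sed", "CommandLine": "sed -i 's/^/#/' /etc/crontab"},
    # 5. tee is in neither image list, so this write is missed -> no alert
    {"Image": "/usr/bin/tee", "CommandLine": "tee -a /etc/hosts"},
    # 6. sshd_config is not in selection_paths (no '.conf' suffix) -> no alert
    {"Image": "/usr/bin/vim", "CommandLine": "vim /etc/ssh/sshd_config"},
    # 7. harmless edit, but the logged command line carries the full '/usr/bin/'
    #    path of the editor, which selection_paths treats as a hit -> alert (false positive)
    {"Image": "/usr/bin/nano", "CommandLine": "/usr/bin/nano /home/alice/notes.txt"},
]


def run(events: List[Dict[str, str]]) -> List[bool]:
    return [matches(e) for e in events]


if __name__ == "__main__":
    for event, hit in zip(EVENTS, run(EVENTS)):
        print("ALERT " if hit else "      ", event["CommandLine"])
```

Events 5 to 7 are the cases worth keeping in mind when tuning: writes through `tee`, `cp`, `install` or a scripting interpreter never satisfy either image selection, `/etc/ssh/sshd_config` and other files without a `.conf` suffix fall outside `selection_paths`, and because `/usr/bin/` and `/sbin` are themselves monitored substrings, any log source that records the full executable path inside `CommandLine` will match on every editor invocation regardless of the file being edited.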