LoFP / Some false positives are to be expected on user or administrator machines. Apply additional filters as needed.

Techniques

Sample rules

Potential Suspicious Change To Sensitive/Critical Files

Description

Detects changes to sensitive and critical files. Monitors files on a Linux system that you don’t expect to change without planning. These files include, but are not limited to, system configuration files, authentication files, and critical application files. Attackers often target these files to maintain persistence, escalate privileges, or disrupt system operations.

Detection logic

condition: 1 of selection_img_* and selection_paths and not 1 of filter_main_*
filter_main_mdadm.conf:
  CommandLine|endswith: /etc/mdadm/mdadm.conf
  CommandLine|startswith:
  - sed -i /^*
  - sed -ne s/^
  Image|endswith: /bin/sed
selection_img_1:
  CommandLine|contains: '>'
  Image|endswith:
  - /cat
  - /echo
  - /grep
  - /head
  - /more
  - /tail
selection_img_2:
  Image|endswith:
  - /emacs
  - /nano
  - /sed
  - /vi
  - /vim
selection_paths:
  CommandLine|contains:
  - /bin/login
  - /bin/passwd
  - /boot/
  - /etc/*.conf
  - /etc/cron.
  - /etc/crontab
  - /etc/hosts
  - /etc/init.d
  - /etc/sudoers
  - /opt/bin/
  - /sbin
  - /usr/bin/
  - /usr/local/bin/
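As an added example (not part of the LoFP page or the Sigma project), the rule's detection block transcribed into a small Python evaluator and run over constructed process-creation events, showing which command lines alert, what the mdadm.conf filter suppresses, and how the `/etc/*.conf` wildcard widens the path match. Sigma's `*`/`?` wildcards and default case-insensitive matching are hand-implemented here as an approximation of a real Sigma backend; the sample events are made up.

```python
import re

# The rule's detection block, transcribed from the page (Sigma wildcards: * and ?).
FILTER_MDADM = {"CommandLine|endswith": ["/etc/mdadm/mdadm.conf"],
                "CommandLine|startswith": ["sed -i /^*", "sed -ne s/^"],
                "Image|endswith": ["/bin/sed"]}
SEL_IMG_1 = {"CommandLine|contains": [">"],
             "Image|endswith": ["/cat", "/echo", "/grep", "/head", "/more", "/tail"]}
SEL_IMG_2 = {"Image|endswith": ["/emacs", "/nano", "/sed", "/vi", "/vim"]}
SEL_PATHS = {"CommandLine|contains": ["/bin/login", "/bin/passwd", "/boot/", "/etc/*.conf",
             "/etc/cron.", "/etc/crontab", "/etc/hosts", "/etc/init.d", "/etc/sudoers",
             "/opt/bin/", "/sbin", "/usr/bin/", "/usr/local/bin/"]}

def _pattern(value, modifier):
    """Turn a Sigma value into a case-insensitive regex honouring * and ? wildcards."""
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in value)
    if modifier == "startswith":
        return re.compile("^" + body, re.I | re.S)
    if modifier == "endswith":
        return re.compile(body + "$", re.I | re.S)
    return re.compile(body, re.I | re.S)  # contains

def selection_matches(selection, event):
    """Every field of a selection must match; a list of values is OR-ed (Sigma semantics)."""
    for key, values in selection.items():
        field, modifier = key.split("|")
        text = event.get(field, "")
        if not any(_pattern(v, modifier).search(text) for v in values):
            return False
    return True

def rule_matches(event):
    """condition: 1 of selection_img_* and selection_paths and not 1 of filter_main_*"""
    img = selection_matches(SEL_IMG_1, event) or selection_matches(SEL_IMG_2, event)
    return img and selection_matches(SEL_PATHS, event) and not selection_matches(FILTER_MDADM, event)

# Constructed sample process-creation events (not taken from the page).
EVENTS = [
    {"Image": "/usr/bin/vim", "CommandLine": "vim /etc/sudoers"},                        # editor on sensitive file
    {"Image": "/usr/bin/echo", "CommandLine": "echo 'x ALL=(ALL) ALL' >> /etc/sudoers"},  # redirect into sensitive file
    {"Image": "/usr/bin/cat", "CommandLine": "cat /etc/hosts"},                           # read only, no '>'
    {"Image": "/usr/bin/sed", "CommandLine": "sed -i /^ARRAY/d /etc/mdadm/mdadm.conf"},   # suppressed by filter
    {"Image": "/usr/bin/nano", "CommandLine": "nano /home/alice/notes.txt"},              # not a monitored path
    {"Image": "/usr/bin/sed", "CommandLine": "sed -i s/a/b/ /etc/resolv.conf"},           # hits /etc/*.conf wildcard
]

def alerts():
    """Command lines of the sample events that trigger the rule, in input order."""
    return [e["CommandLine"] for e in EVENTS if rule_matches(e)]
```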