/
linux_account_manipulation_of_ssh_config_and_keys.yml
67 lines (67 loc) · 2.64 KB
/
linux_account_manipulation_of_ssh_config_and_keys.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
name: Linux Account Manipulation Of SSH Config and Keys
id: 73a56508-1cf5-4df7-b8d9-5737fbdc27d2
version: 2
date: '2023-04-27'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
description: This analytic is to detect a deletion of ssh key in a linux machine.
attacker may delete or modify ssh key to impair some security features or act as
defense evasion in compromised linux machine. This Anomaly can be also a good indicator
of a malware trying to wipe or delete several files in a compromised host as part
of its destructive payload like what acidrain malware does in linux or router machines.
This detection can be a good pivot to check what process and user tries to delete
this type of files which is not so common and need further investigation.
data_source:
- Sysmon for Linux EventID 11
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.action=deleted AND
Filesystem.file_path IN ("/etc/ssh/*", "~/.ssh/*") by _time span=1h Filesystem.file_name
Filesystem.file_path Filesystem.dest Filesystem.process_guid Filesystem.action |
`drop_dm_object_name(Filesystem)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`| `linux_account_manipulation_of_ssh_config_and_keys_filter`'
how_to_implement: To successfully implement this search, you need to be ingesting
logs with the process name, parent process, and command-line executions from your
endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from
Splunkbase.
known_false_positives: Administrator or network operator can execute this command.
Please update the filter macros to remove false positives.
references:
- https://www.sentinelone.com/labs/acidrain-a-modem-wiper-rains-down-on-europe/
tags:
analytic_story:
- AcidRain
asset_type: Endpoint
confidence: 70
impact: 70
message: SSH Config and keys are deleted on $dest$ by Process GUID - $process_guid$
mitre_attack_id:
- T1485
- T1070.004
- T1070
observable:
- name: dest
type: Hostname
role:
- Victim
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
required_fields:
- _time
- Filesystem.dest
- Filesystem.file_create_time
- Filesystem.file_name
- Filesystem.process_guid
- Filesystem.file_path
- Filesystem.action
risk_score: 49
security_domain: endpoint
tests:
- name: True Positive Test
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/acidrain/sysmon_linux.log
source: Syslog:Linux-Sysmon/Operational
sourcetype: sysmon_linux