linux_deletion_of_init_daemon_script.yml
name: Linux Deletion Of Init Daemon Script
id: 729aab57-d26f-4156-b97f-ab8dda8f44b1
version: 2
date: '2023-04-27'
author: Teoderick Contreras, Splunk
status: production
type: TTP
description: This analytic detects the deletion of an init daemon script on a Linux
  machine. Daemon scripts placed in /etc/init.d/ are used to start and stop daemon
  services on Linux machines. An attacker may delete or modify a daemon script to
  impair security features or as a defense evasion technique on a compromised Linux
  machine. This TTP can also be a good indicator of malware trying to wipe or delete
  several files on a compromised host as part of a destructive payload, as the AcidRain
  malware does on Linux and router machines. This detection is a good pivot for
  checking which process and user tried to delete this type of file, since such
  deletions are uncommon and need further investigation.
data_source:
- Sysmon for Linux EventID 11
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
  as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.action=deleted Filesystem.file_path
  IN ( "/etc/init.d/*") by _time span=1h Filesystem.file_name Filesystem.file_path
  Filesystem.dest Filesystem.process_guid Filesystem.action | `drop_dm_object_name(Filesystem)`
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`| `linux_deletion_of_init_daemon_script_filter`'
how_to_implement: To successfully implement this search, you need to be ingesting
  logs with the process name, parent process, and command-line executions from your
  endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from
  Splunkbase.
known_false_positives: An administrator or network operator may delete these scripts
  legitimately. Please update the filter macros to remove false positives.
references:
- https://www.sentinelone.com/labs/acidrain-a-modem-wiper-rains-down-on-europe/
tags:
  analytic_story:
  - AcidRain
  - Data Destruction
  asset_type: Endpoint
  confidence: 70
  impact: 70
  message: Init daemon script deleted on host $dest$ by process GUID- $process_guid$
  mitre_attack_id:
  - T1485
  - T1070.004
  - T1070
  observable:
  - name: dest
    type: Hostname
    role:
    - Victim
  - name: file_name
    type: File Name
    role:
    - Attacker
  product:
  - Splunk Enterprise
  - Splunk Enterprise Security
  - Splunk Cloud
  required_fields:
  - _time
  - Filesystem.dest
  - Filesystem.file_create_time
  - Filesystem.file_name
  - Filesystem.process_guid
  - Filesystem.file_path
  - Filesystem.action
  risk_score: 49
  security_domain: endpoint
tests:
- name: True Positive Test
  attack_data:
  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/acidrain/sysmon_linux.log
    source: Syslog:Linux-Sysmon/Operational
    sourcetype: sysmon_linux
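To check the rule's filtering and grouping logic without a Splunk instance, here is an added Python emulation of the tstats search above; it is not part of this detection or the security_content project. The records, host names and process GUIDs are constructed, the field names assume the CIM Endpoint.Filesystem model the search uses, and `apply_filter` is a stand-in for the detection's filter macro.

```python
from collections import defaultdict
from datetime import datetime, timezone
from fnmatch import fnmatch

# Constructed sample records, already normalised to CIM Endpoint.Filesystem
# field names (the shape the search's tstats runs over); hosts and GUIDs are made up.
RECORDS = [
    {"_time": "2023-04-27T10:05:00Z", "action": "deleted", "dest": "web01",
     "file_path": "/etc/init.d/sshd", "process_guid": "{GUID-A}"},
    {"_time": "2023-04-27T10:40:00Z", "action": "deleted", "dest": "web01",
     "file_path": "/etc/init.d/sshd", "process_guid": "{GUID-A}"},
    {"_time": "2023-04-27T12:10:00Z", "action": "deleted", "dest": "web01",
     "file_path": "/etc/init.d/cron", "process_guid": "{GUID-A}"},
    {"_time": "2023-04-27T10:15:00Z", "action": "created", "dest": "web01",
     "file_path": "/etc/init.d/sshd", "process_guid": "{GUID-B}"},   # not a deletion
    {"_time": "2023-04-27T10:20:00Z", "action": "deleted", "dest": "db02",
     "file_path": "/tmp/scratch.log", "process_guid": "{GUID-C}"},   # outside init.d
]

SPAN_SECONDS = 3600  # the search's `span=1h`

def _epoch(ts):  # ISO-8601 UTC timestamp -> epoch seconds (the datamodel's _time)
    return int(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
               .replace(tzinfo=timezone.utc).timestamp())

def detect_init_script_deletions(records, path_globs=("/etc/init.d/*",), span=SPAN_SECONDS):
    """Emulate the tstats: keep action=deleted under the watched paths, then
    count per (hour bucket, file_name, file_path, dest, process_guid, action)."""
    buckets = defaultdict(list)
    for r in records:
        if r["action"] != "deleted" or not any(fnmatch(r["file_path"], g) for g in path_globs):
            continue
        t = _epoch(r["_time"])
        key = (t - t % span, r["file_path"].rsplit("/", 1)[-1], r["file_path"],
               r["dest"], r["process_guid"], r["action"])
        buckets[key].append(t)
    return [{"_time": b, "file_name": n, "file_path": p, "dest": d, "process_guid": g,
             "action": a, "count": len(ts), "firstTime": min(ts), "lastTime": max(ts)}
            for (b, n, p, d, g, a), ts in sorted(buckets.items())]

def apply_filter(rows, allowed_guids=()):
    """Stand-in for the `linux_deletion_of_init_daemon_script_filter` macro:
    drop rows from process GUIDs an operator has vetted (e.g. a package manager)."""
    return [r for r in rows if r["process_guid"] not in allowed_guids]

if __name__ == "__main__":
    for row in apply_filter(detect_init_script_deletions(RECORDS)):
        print(f"Init daemon script deleted on host {row['dest']} by process GUID- "
              f"{row['process_guid']} ({row['file_path']}, count={row['count']})")
```

The two sshd deletions fall into the same one-hour bucket and collapse into one row with count 2, while the created event and the /tmp deletion are dropped before grouping, mirroring what the datamodel search returns.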