From 0d47dd61279c0799f2e1f032c121034c8f88fe4c Mon Sep 17 00:00:00 2001 From: Teoderick Contreras Date: Thu, 27 Nov 2025 15:36:14 +0100 Subject: [PATCH 1/5] fix_cwd_path_detections --- .../linux_auditd_doas_conf_file_creation.yml | 30 +++++++++++----- ...ss_or_modification_of_sshd_config_file.yml | 28 ++++++++++----- ...auditd_possible_access_to_sudoers_file.yml | 30 +++++++++++----- ...cronjob_entry_on_existing_cronjob_file.yml | 36 ++++++++++++------- ...auditd_preload_hijack_via_preload_file.yml | 30 +++++++++++----- ..._unix_shell_configuration_modification.yml | 33 ++++++++++------- .../endpoint/linux_magic_sysrq_key_abuse.yml | 25 +++++++++---- 7 files changed, 146 insertions(+), 66 deletions(-) diff --git a/detections/endpoint/linux_auditd_doas_conf_file_creation.yml b/detections/endpoint/linux_auditd_doas_conf_file_creation.yml index a6233db487..c8dbd44a6b 100644 --- a/detections/endpoint/linux_auditd_doas_conf_file_creation.yml +++ b/detections/endpoint/linux_auditd_doas_conf_file_creation.yml @@ -1,7 +1,7 @@ name: Linux Auditd Doas Conf File Creation id: 61059783-574b-40d2-ac2f-69b898afd6b4 -version: 7 -date: '2025-06-10' +version: 8 +date: '2025-11-27' author: Teoderick Contreras, Splunk status: production type: TTP @@ -14,10 +14,22 @@ description: The following analytic detects the creation of the doas.conf file o commands with root privileges, leading to full system compromise. data_source: - Linux Auditd Path -search: '`linux_auditd` type=PATH name ="/etc/doas.conf*" - | rename host as dest - | stats count min(_time) as firstTime max(_time) as lastTime - by name nametype ogid type dest +search: '`linux_auditd` (type=PATH OR type=CWD) + | stats + values(type) as types, + values(name) as names, + values(cwd) as cwd_list, + values(_time) as event_times + by msg, host + | eval current_working_directory = coalesce(mvindex(cwd_list, 0), "N/A") + | eval candidate_paths = mvmap(names, if(match(names, "^/"), names, current_working_directory + "/" + names)) + | eval matched_paths = mvfilter(match(candidate_paths, "/etc/doas.conf.*")) + | eval match_count = mvcount(matched_paths) + | eval reconstructed_path = mvindex(matched_paths, 0) + | eval e_time = mvindex(event_times, 0) + | where match_count > 0 + | rename host as dest + | stats count min(e_time) as firstTime max(e_time) as lastTime by matched_paths reconstructed_path, current_working_directory, match_count, dest, msg | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_auditd_doas_conf_file_creation_filter`' @@ -28,8 +40,8 @@ how_to_implement: To implement this detection, the process begins by ingesting a which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources - and enhance the efficiency of data modeling. This approach enables effective monitoring - and detection of linux endpoints where auditd is deployed + and enhance the efficiency of data modeling and make sure the type=CWD record type is activate in your auditd configuration. + This approach enables effective monitoring and detection of linux endpoints where auditd is deployed. known_false_positives: Administrator or network operator can execute this command. Please update the filter macros to remove false positives. references: @@ -73,6 +85,6 @@ tests: - name: True Positive Test attack_data: - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.003/linux_audited_doas_conf/linux_path_doas_config.log + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.003/auditd_path_cwd_doas_conf/path_doas.log source: auditd sourcetype: auditd diff --git a/detections/endpoint/linux_auditd_possible_access_or_modification_of_sshd_config_file.yml b/detections/endpoint/linux_auditd_possible_access_or_modification_of_sshd_config_file.yml index fc2eff4edf..f38e42dcb2 100644 --- a/detections/endpoint/linux_auditd_possible_access_or_modification_of_sshd_config_file.yml +++ b/detections/endpoint/linux_auditd_possible_access_or_modification_of_sshd_config_file.yml @@ -1,7 +1,7 @@ name: Linux Auditd Possible Access Or Modification Of Sshd Config File id: acb3ea33-70f7-47aa-b335-643b3aebcb2f -version: 7 -date: '2025-06-10' +version: 8 +date: '2025-11-27' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -15,10 +15,22 @@ description: The following analytic detects suspicious access or modification of access, posing a severe security risk. data_source: - Linux Auditd Path -search: '`linux_auditd` type=PATH name="/etc/ssh/ssh_config*" +search: '`linux_auditd` (type=PATH OR type=CWD) + | stats + values(type) as types, + values(name) as names, + values(cwd) as cwd_list, + values(_time) as event_times + by msg, host + | eval current_working_directory = coalesce(mvindex(cwd_list, 0), "N/A") + | eval candidate_paths = mvmap(names, if(match(names, "^/"), names, current_working_directory + "/" + names)) + | eval matched_paths = mvfilter(match(candidate_paths, "/etc/ssh/ssh_config.*")) + | eval match_count = mvcount(matched_paths) + | eval reconstructed_path = mvindex(matched_paths, 0) + | eval e_time = mvindex(event_times, 0) + | where match_count > 0 | rename host as dest - | stats count min(_time) as firstTime max(_time) as lastTime - by name nametype ogid type dest + | stats count min(e_time) as firstTime max(e_time) as lastTime by matched_paths reconstructed_path, current_working_directory, match_count, dest, msg | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_auditd_possible_access_or_modification_of_sshd_config_file_filter`' @@ -29,8 +41,8 @@ how_to_implement: To implement this detection, the process begins by ingesting a which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources - and enhance the efficiency of data modeling. This approach enables effective monitoring - and detection of linux endpoints where auditd is deployed + and enhance the efficiency of data modeling and make sure the type=CWD record type is activate in your auditd configuration. + This approach enables effective monitoring and detection of linux endpoints where auditd is deployed. known_false_positives: Administrator or network operator can use this commandline for automation purposes. Please update the filter macros to remove false positives. references: @@ -76,6 +88,6 @@ tests: - name: True Positive Test attack_data: - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.004/linux_auditd_nopasswd/linux_path_ssh_config.log + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.004/auditd_path_ssh_config/path_ssh_config.log source: auditd sourcetype: auditd diff --git a/detections/endpoint/linux_auditd_possible_access_to_sudoers_file.yml b/detections/endpoint/linux_auditd_possible_access_to_sudoers_file.yml index f753867dfc..2a7623c499 100644 --- a/detections/endpoint/linux_auditd_possible_access_to_sudoers_file.yml +++ b/detections/endpoint/linux_auditd_possible_access_to_sudoers_file.yml @@ -1,7 +1,7 @@ name: Linux Auditd Possible Access To Sudoers File id: 8be88f46-f7e8-4ae6-b15e-cf1b13392834 -version: 10 -date: '2025-06-10' +version: 11 +date: '2025-11-27' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -14,10 +14,22 @@ description: The following analytic detects potential access or modification of targeted host. data_source: - Linux Auditd Path -search: '`linux_auditd` type=PATH name="/etc/sudoers*" - | rename host as dest - | stats count min(_time) as firstTime max(_time) as lastTime - by name nametype ogid type dest +search: '`linux_auditd` (type=PATH OR type=CWD) + | stats + values(type) as types, + values(name) as names, + values(cwd) as cwd_list, + values(_time) as event_times + by msg, host + | eval current_working_directory = coalesce(mvindex(cwd_list, 0), "N/A") + | eval candidate_paths = mvmap(names, if(match(names, "^/"), names, current_working_directory + "/" + names)) + | eval matched_paths = mvfilter(match(candidate_paths, "/etc/sudoers.*")) + | eval match_count = mvcount(matched_paths) + | eval reconstructed_path = mvindex(matched_paths, 0) + | eval e_time = mvindex(event_times, 0) + | where match_count > 0 + | rename host as dest + | stats count min(e_time) as firstTime max(e_time) as lastTime by matched_paths reconstructed_path, current_working_directory, match_count, dest, msg | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_auditd_possible_access_to_sudoers_file_filter`' @@ -28,8 +40,8 @@ how_to_implement: To implement this detection, the process begins by ingesting a which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources - and enhance the efficiency of data modeling. This approach enables effective monitoring - and detection of linux endpoints where auditd is deployed + and enhance the efficiency of data modeling and make sure the type=CWD record type is activate in your auditd configuration. + This approach enables effective monitoring and detection of linux endpoints where auditd is deployed. known_false_positives: administrator or network operator can execute this command. Please update the filter macros to remove false positives. references: @@ -75,6 +87,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.003/linux_auditd_sudoers_access/linux_path_sudoers.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.003/auditd_path_sudoers/path_sudoers.log source: auditd sourcetype: auditd diff --git a/detections/endpoint/linux_auditd_possible_append_cronjob_entry_on_existing_cronjob_file.yml b/detections/endpoint/linux_auditd_possible_append_cronjob_entry_on_existing_cronjob_file.yml index f5f6262c33..edaacc2236 100644 --- a/detections/endpoint/linux_auditd_possible_append_cronjob_entry_on_existing_cronjob_file.yml +++ b/detections/endpoint/linux_auditd_possible_append_cronjob_entry_on_existing_cronjob_file.yml @@ -1,7 +1,7 @@ name: Linux Auditd Possible Append Cronjob Entry On Existing Cronjob File id: fea71cf0-fa10-4ef6-9202-9682b2e0c477 -version: 8 -date: '2025-06-10' +version: 9 +date: '2025-11-27' author: Teoderick Contreras, Splunk status: production type: Hunting @@ -14,22 +14,34 @@ description: The following analytic detects potential tampering with cronjob fil and unauthorized data access, thereby impacting business operations and data integrity. data_source: - Linux Auditd Path -search: '`linux_auditd` type=PATH name IN("*/etc/cron*", "*/var/spool/cron/*", "*/etc/anacrontab*") - | rename host as dest - | stats count min(_time) as firstTime max(_time) as lastTime - by name nametype ogid dest +search: '`linux_auditd` (type=PATH OR type=CWD) + | stats + values(type) as types, + values(name) as names, + values(cwd) as cwd_list, + values(_time) as event_times + by msg, host + | eval current_working_directory = coalesce(mvindex(cwd_list, 0), "N/A") + | eval candidate_paths = mvmap(names, if(match(names, "^/"), names, current_working_directory + "/" + names)) + | eval matched_paths = mvfilter(match(candidate_paths, "/etc/cron.*|.*/cron/.*|/etc/anacrontab.*")) + | eval match_count = mvcount(matched_paths) + | eval reconstructed_path = mvindex(matched_paths, 0) + | eval e_time = mvindex(event_times, 0) + | where match_count > 0 + | rename host as dest + | stats count min(e_time) as firstTime max(e_time) as lastTime by matched_paths reconstructed_path, current_working_directory, match_count, dest, msg | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_auditd_possible_append_cronjob_entry_on_existing_cronjob_file_filter`' how_to_implement: To implement this detection, the process begins by ingesting auditd - data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures - command-line executions and process details on Unix/Linux systems. These logs should - be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), + data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line + executions and process details on Unix/Linux systems. These logs should be ingested + and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources - and enhance the efficiency of data modeling. This approach enables effective monitoring - and detection of linux endpoints where auditd is deployed + and enhance the efficiency of data modeling and make sure the type=CWD record type is activate in your auditd configuration. + This approach enables effective monitoring and detection of linux endpoints where auditd is deployed. known_false_positives: False positives may arise from legitimate actions by administrators or network operators who may use these commands for automation purposes. Therefore, it's recommended to adjust filter macros to eliminate such false positives. @@ -57,6 +69,6 @@ tests: - name: True Positive Test attack_data: - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.003/linux_auditd_cron_file_audited/linux_path_cron.log + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.003/auditd_path_cron/path_cron.log source: auditd sourcetype: auditd diff --git a/detections/endpoint/linux_auditd_preload_hijack_via_preload_file.yml b/detections/endpoint/linux_auditd_preload_hijack_via_preload_file.yml index bfbebd42d6..400293c986 100644 --- a/detections/endpoint/linux_auditd_preload_hijack_via_preload_file.yml +++ b/detections/endpoint/linux_auditd_preload_hijack_via_preload_file.yml @@ -1,7 +1,7 @@ name: Linux Auditd Preload Hijack Via Preload File id: c1b7abca-55cb-4a39-bdfb-e28c1c12745f -version: 7 -date: '2025-06-10' +version: 8 +date: '2025-11-27' author: Teoderick Contreras, Splunk status: production type: TTP @@ -15,10 +15,22 @@ description: The following analytic detects suspicious preload hijacking via the and security. data_source: - Linux Auditd Path -search: '`linux_auditd` type=PATH name="/etc/ld.so.preload*" - | rename host as dest - | stats count min(_time) as firstTime max(_time) as lastTime - by name nametype ogid type dest +search: '`linux_auditd` (type=PATH OR type=CWD) + | stats + values(type) as types, + values(name) as names, + values(cwd) as cwd_list, + values(_time) as event_times + by msg, host + | eval current_working_directory = coalesce(mvindex(cwd_list, 0), "N/A") + | eval candidate_paths = mvmap(names, if(match(names, "^/"), names, current_working_directory + "/" + names)) + | eval matched_paths = mvfilter(match(candidate_paths, "/etc/ld.so.preload.*")) + | eval match_count = mvcount(matched_paths) + | eval reconstructed_path = mvindex(matched_paths, 0) + | eval e_time = mvindex(event_times, 0) + | where match_count > 0 + | rename host as dest + | stats count min(e_time) as firstTime max(e_time) as lastTime by matched_paths reconstructed_path, current_working_directory, match_count, dest, msg | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_auditd_preload_hijack_via_preload_file_filter`' @@ -29,8 +41,8 @@ how_to_implement: To implement this detection, the process begins by ingesting a which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources - and enhance the efficiency of data modeling. This approach enables effective monitoring - and detection of linux endpoints where auditd is deployed + and enhance the efficiency of data modeling and make sure the type=CWD record type is activate in your auditd configuration. + This approach enables effective monitoring and detection of linux endpoints where auditd is deployed. known_false_positives: Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives. references: @@ -75,6 +87,6 @@ tests: - name: True Positive Test attack_data: - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1574.006/linux_auditd_preload_file/linux_path_preload.log + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1574.006/auditd_path_preload_file/path_preload.log source: auditd sourcetype: auditd diff --git a/detections/endpoint/linux_auditd_unix_shell_configuration_modification.yml b/detections/endpoint/linux_auditd_unix_shell_configuration_modification.yml index 3213336f0e..a96d0826b8 100644 --- a/detections/endpoint/linux_auditd_unix_shell_configuration_modification.yml +++ b/detections/endpoint/linux_auditd_unix_shell_configuration_modification.yml @@ -1,7 +1,7 @@ name: Linux Auditd Unix Shell Configuration Modification id: 66f737c6-3f7f-46ed-8e9b-cc0e5bf01f04 -version: 7 -date: '2025-06-10' +version: 8 +date: '2025-11-27' author: Teoderick Contreras, Splunk status: production type: TTP @@ -15,15 +15,22 @@ description: The following analytic detects suspicious modifications to Unix she allowing security teams to respond quickly and mitigate risks. data_source: - Linux Auditd Path -search: '`linux_auditd` type=PATH name IN ("/etc/profile", "/etc/shells", "/etc/profile.d", - "/etc/bash.bashrc", "/etc/bashrc", "/etc/zsh/zprofile", "/etc/zsh/zshrc", "/etc/zsh/zlogin", - "/etc/zsh/zlogout", "/etc/csh.cshrc", "/etc/csh.login", "/root/.bashrc", "/root/.bash_profile", - "root/.profile", "/root/.zshrc", "/root/.zprofile", "/home/*/.bashrc", "/home/*/.zshrc", - "/home/*/.bash_profile", "/home/*/.zprofile", "/home/*/.profile", "/home/*/.bash_login", - "/home/*/.bash_logout", "/home/*/.zlogin", "/home/*/.zlogout") - | rename host as dest - | stats count min(_time) as firstTime max(_time) as lastTime - by name nametype ogid type dest +search: '`linux_auditd` (type=PATH OR type=CWD) + | stats + values(type) as types, + values(name) as names, + values(cwd) as cwd_list, + values(_time) as event_times + by msg, host + | eval current_working_directory = coalesce(mvindex(cwd_list, 0), "N/A") + | eval candidate_paths = mvmap(names, if(match(names, "^/"), names, current_working_directory + "/" + names)) + | eval matched_paths = mvfilter(match(candidate_paths, "/etc/profile|/etc/shells|/etc/profile\\.d|/etc/bash\\.bashrc.*|/etc/bashrc|.*/zsh/zprofile|.*/zsh/zshrc|.*/zsh/zlogin|.*/zsh/zlogout|/etc/csh\\.cshrc.*|/etc/csh\\.login.*|/root/\\.bashrc.*|/root/\\.bash_profile.*|/root/\\.profile.*|/root/\\.zshrc.*|/root/\\.zprofile.*|.*/\\.bashrc.*|.*/\\.zshrc.*|.*/\\.bash_profile.*|.*/\\.zprofile.*|.*/\\.profile.*|.*/\\.bash_login.*|.*/\\.bash_logout.*|.*/\\.zlogin.*|.*/\\.zlogout.*")) + | eval match_count = mvcount(matched_paths) + | eval reconstructed_path = mvindex(matched_paths, 0) + | eval e_time = mvindex(event_times, 0) + | where match_count > 0 + | rename host as dest + | stats count min(e_time) as firstTime max(e_time) as lastTime by matched_paths reconstructed_path, current_working_directory, match_count, dest, msg | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_auditd_unix_shell_configuration_modification_filter`' @@ -34,8 +41,8 @@ how_to_implement: To implement this detection, the process begins by ingesting a which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources - and enhance the efficiency of data modeling. This approach enables effective monitoring - and detection of linux endpoints where auditd is deployed + and enhance the efficiency of data modeling and make sure the type=CWD record type is activate in your auditd configuration. + This approach enables effective monitoring and detection of linux endpoints where auditd is deployed. known_false_positives: Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives. references: diff --git a/detections/endpoint/linux_magic_sysrq_key_abuse.yml b/detections/endpoint/linux_magic_sysrq_key_abuse.yml index 0842ad2b7c..6b8e67ee50 100644 --- a/detections/endpoint/linux_magic_sysrq_key_abuse.yml +++ b/detections/endpoint/linux_magic_sysrq_key_abuse.yml @@ -1,7 +1,7 @@ name: Linux Magic SysRq Key Abuse id: 22c03600-f84a-47fa-abaa-ffbe3e72c782 -version: 1 -date: '2025-08-28' +version: 2 +date: '2025-11-27' author: Milad Cheraghi status: production type: TTP @@ -12,9 +12,22 @@ description: | Monitoring SysRq abuse helps detect stealthy post-exploitation activity. data_source: - Linux Auditd Path -search: '`linux_auditd` type=Path name="/proc/sysrq-trigger" OR name="/proc/sys/kernel/sysrq" OR name="/etc/sysctl.conf" +search: '`linux_auditd` (type=PATH OR type=CWD) + | stats + values(type) as types, + values(name) as names, + values(cwd) as cwd_list, + values(_time) as event_times + by msg, host + | eval current_working_directory = coalesce(mvindex(cwd_list, 0), "N/A") + | eval candidate_paths = mvmap(names, if(match(names, "^/"), names, current_working_directory + "/" + names)) + | eval matched_paths = mvfilter(match(candidate_paths, ".*/proc/sysrq-trigger|.*/proc/sys/kernel/sysrq|.*/etc/sysctl.conf")) + | eval match_count = mvcount(matched_paths) + | eval reconstructed_path = mvindex(matched_paths, 0) + | eval e_time = mvindex(event_times, 0) + | where match_count > 0 | rename host as dest - | stats count min(_time) as firstTime max(_time) as lastTime by dest name + | stats count min(e_time) as firstTime max(e_time) as lastTime by matched_paths reconstructed_path, current_working_directory, match_count, dest, msg | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_magic_sysrq_key_abuse_filter`' @@ -23,7 +36,7 @@ how_to_implement: | - /proc/sysrq-trigger - /proc/sys/kernel/sysrq - /etc/sysctl.conf - with write and attribute changes (`-p wa`) and key `sysrq`. + with write and attribute changes (`-p wa`) and key `sysrq`. Make sure the type=CWD record type is activate in your auditd configuration and Use the Splunk Add-on for Unix and Linux for proper ingestion and CIM normalization. This enables effective monitoring of Linux endpoints for SysRq abuse. known_false_positives: Legitimate administrative activity modifying SysRq for debugging or recovery. @@ -73,6 +86,6 @@ tests: - name: True Positive Test attack_data: - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1529/linux_sysrq_abuse/linux_sysrq_abuse.log + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1529/auditd_path_sysrq/path_sysrq.log source: auditd sourcetype: auditd From ab35d310e8faababe96a233a0e99852c5b6392a9 Mon Sep 17 00:00:00 2001 From: Teoderick Contreras Date: Fri, 28 Nov 2025 09:33:10 +0100 Subject: [PATCH 2/5] fix_cwd_path_detections --- .../linux_auditd_unix_shell_configuration_modification.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/detections/endpoint/linux_auditd_unix_shell_configuration_modification.yml b/detections/endpoint/linux_auditd_unix_shell_configuration_modification.yml index a96d0826b8..cf8e5a3495 100644 --- a/detections/endpoint/linux_auditd_unix_shell_configuration_modification.yml +++ b/detections/endpoint/linux_auditd_unix_shell_configuration_modification.yml @@ -24,7 +24,7 @@ search: '`linux_auditd` (type=PATH OR type=CWD) by msg, host | eval current_working_directory = coalesce(mvindex(cwd_list, 0), "N/A") | eval candidate_paths = mvmap(names, if(match(names, "^/"), names, current_working_directory + "/" + names)) - | eval matched_paths = mvfilter(match(candidate_paths, "/etc/profile|/etc/shells|/etc/profile\\.d|/etc/bash\\.bashrc.*|/etc/bashrc|.*/zsh/zprofile|.*/zsh/zshrc|.*/zsh/zlogin|.*/zsh/zlogout|/etc/csh\\.cshrc.*|/etc/csh\\.login.*|/root/\\.bashrc.*|/root/\\.bash_profile.*|/root/\\.profile.*|/root/\\.zshrc.*|/root/\\.zprofile.*|.*/\\.bashrc.*|.*/\\.zshrc.*|.*/\\.bash_profile.*|.*/\\.zprofile.*|.*/\\.profile.*|.*/\\.bash_login.*|.*/\\.bash_logout.*|.*/\\.zlogin.*|.*/\\.zlogout.*")) + | eval matched_paths = mvfilter(match(candidate_paths, "/etc/profile|/etc/shells|/etc/profile\\.d/.*|/etc/bash\\.bashrc.*|/etc/bashrc|.*/zsh/zprofile|.*/zsh/zshrc|.*/zsh/zlogin|.*/zsh/zlogout|/etc/csh\\.cshrc.*|/etc/csh\\.login.*|/root/\\.bashrc.*|/root/\\.bash_profile.*|/root/\\.profile.*|/root/\\.zshrc.*|/root/\\.zprofile.*|/home/.*/\\.bashrc.*|/home/.*/\\.zshrc.*|/home/.*/\\.bash_profile.*|/home/.*/\\.zprofile.*|/home/.*/\\.profile.*|/home/.*/\\.bash_login.*|/home/.*/\\.bash_logout.*|/home/.*/\\.zlogin.*|/home/.*/\\.zlogout.*")) | eval match_count = mvcount(matched_paths) | eval reconstructed_path = mvindex(matched_paths, 0) | eval e_time = mvindex(event_times, 0) From ff4fda6445344d28ff4662789c8013e091cc58af Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali Date: Tue, 2 Dec 2025 18:58:56 +0100 Subject: [PATCH 3/5] update indentations and logic --- data_sources/linux_auditd_cwd | 25 ++++ .../linux_auditd_doas_conf_file_creation.yml | 124 ++++++++++------- ...ss_or_modification_of_sshd_config_file.yml | 129 ++++++++++-------- ...auditd_possible_access_to_sudoers_file.yml | 122 +++++++++-------- ...cronjob_entry_on_existing_cronjob_file.yml | 93 +++++++------ ...auditd_preload_hijack_via_preload_file.yml | 117 +++++++++------- ..._unix_shell_configuration_modification.yml | 110 ++++++++------- .../endpoint/linux_magic_sysrq_key_abuse.yml | 37 +++-- 8 files changed, 446 insertions(+), 311 deletions(-) create mode 100644 data_sources/linux_auditd_cwd diff --git a/data_sources/linux_auditd_cwd b/data_sources/linux_auditd_cwd new file mode 100644 index 0000000000..604a46f2a1 --- /dev/null +++ b/data_sources/linux_auditd_cwd @@ -0,0 +1,25 @@ +name: Linux Auditd Cwd +id: a9ef851b-d864-478b-b1b3-76535d7ff7fc +version: 1 +date: '2025-12-02' +author: Nasreddine Bencherchali, Splunk +description: This type is used to record the working directory from which the process that invoked the system call specified in the first record was executed. The purpose of this record is to record the current process's location in case a relative path winds up being captured in the associated PATH record. This way the absolute path can be reconstructed. +source: auditd +sourcetype: auditd +separator: type +separator_value: CWD +configuration: https://github.com/Neo23x0/auditd/blob/master/audit.rules +supported_TA: +- name: Splunk Add-on for Unix and Linux + url: https://splunkbase.splunk.com/app/833 + version: 10.2.0 +fields: +- cwd +- date_hour +- date_mday +- date_minute +- date_month +- date_second +- msg +- type +example_log: 'type=CWD msg=audit(11/20/2025 16:57:48.909:110027) : cwd=/etc/ssh' diff --git a/detections/endpoint/linux_auditd_doas_conf_file_creation.yml b/detections/endpoint/linux_auditd_doas_conf_file_creation.yml index c8dbd44a6b..f6f256b02b 100644 --- a/detections/endpoint/linux_auditd_doas_conf_file_creation.yml +++ b/detections/endpoint/linux_auditd_doas_conf_file_creation.yml @@ -2,26 +2,35 @@ name: Linux Auditd Doas Conf File Creation id: 61059783-574b-40d2-ac2f-69b898afd6b4 version: 8 date: '2025-11-27' -author: Teoderick Contreras, Splunk +author: Teoderick Contreras, Nasreddine Bencherchali, Splunk status: production type: TTP -description: The following analytic detects the creation of the doas.conf file on - a Linux host. This file is used by the doas utility to allow standard users to perform - tasks as root, similar to sudo. The detection leverages Linux Auditd data, focusing - on the creation of the doas.conf file. This activity is significant because it can - indicate an attempt to gain elevated privileges, potentially by an adversary. If - confirmed malicious, this could allow an attacker to execute commands with root - commands with root privileges, leading to full system compromise. +description: | + The following analytic detects the creation of the doas.conf file on a Linux host. + This file is used by the doas utility to allow standard users to perform tasks as root, similar to sudo. + The detection leverages Linux Auditd data, focusing on the creation of the doas.conf file. + This activity is significant because it can indicate an attempt to gain elevated privileges, potentially by an adversary. If confirmed malicious, this could allow an attacker to execute commands with root commands with root privileges, leading to full system compromise. data_source: -- Linux Auditd Path -search: '`linux_auditd` (type=PATH OR type=CWD) + - Linux Auditd Path + - Linux Auditd Cwd +search: | + `linux_auditd` + ( + (type=PATH nametype="CREATE") + OR + type=CWD + ) + | rex "msg=audit\([^)]*:(?\d+)\)" + | stats - values(type) as types, - values(name) as names, - values(cwd) as cwd_list, + values(type) as types + values(name) as names + values(nametype) as nametype + values(cwd) as cwd_list values(_time) as event_times - by msg, host - | eval current_working_directory = coalesce(mvindex(cwd_list, 0), "N/A") + by audit_id host + + | eval current_working_directory = coalesce(mvindex(cwd_list, 0), "N/A") | eval candidate_paths = mvmap(names, if(match(names, "^/"), names, current_working_directory + "/" + names)) | eval matched_paths = mvfilter(match(candidate_paths, "/etc/doas.conf.*")) | eval match_count = mvcount(matched_paths) @@ -29,62 +38,73 @@ search: '`linux_auditd` (type=PATH OR type=CWD) | eval e_time = mvindex(event_times, 0) | where match_count > 0 | rename host as dest - | stats count min(e_time) as firstTime max(e_time) as lastTime by matched_paths reconstructed_path, current_working_directory, match_count, dest, msg + + | stats count min(e_time) as firstTime max(e_time) as lastTime + values(nametype) as nametype + by current_working_directory + reconstructed_path + match_count + dest + audit_id + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `linux_auditd_doas_conf_file_creation_filter`' -how_to_implement: To implement this detection, the process begins by ingesting auditd + | table nametype current_working_directory reconstructed_path dest audit_id match_count firstTime lastTime + | `linux_auditd_doas_conf_file_creation_filter` +how_to_implement: | + To implement this detection, the process begins by ingesting auditd data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources - and enhance the efficiency of data modeling and make sure the type=CWD record type is activate in your auditd configuration. + and enhance the efficiency of data modeling and make sure the type=CWD record type is activate in your auditd configuration. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed. -known_false_positives: Administrator or network operator can execute this command. +known_false_positives: | + Administrator or network operator can execute this command. Please update the filter macros to remove false positives. references: -- https://wiki.gentoo.org/wiki/Doas -- https://www.makeuseof.com/how-to-install-and-use-doas/ + - https://wiki.gentoo.org/wiki/Doas + - https://www.makeuseof.com/how-to-install-and-use-doas/ drilldown_searches: -- name: View the detection results for - "$dest$" - search: '%original_detection_search% | search dest = "$dest$"' - earliest_offset: $info_min_time$ - latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") - starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime - values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) - as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) - as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)`' - earliest_offset: $info_min_time$ - latest_offset: $info_max_time$ + - name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ + - name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ rba: - message: A [$type$] event occurred on host - [$dest$] to create a doas.conf file. + message: A $reconstructed_path$ file was created on host - [$dest$] risk_objects: - - field: dest - type: system - score: 64 + - field: dest + type: system + score: 64 threat_objects: [] tags: analytic_story: - - Linux Privilege Escalation - - Linux Persistence Techniques - - Compromised Linux Host + - Linux Privilege Escalation + - Linux Persistence Techniques + - Compromised Linux Host asset_type: Endpoint mitre_attack_id: - - T1548.003 + - T1548.003 product: - - Splunk Enterprise - - Splunk Enterprise Security - - Splunk Cloud + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud security_domain: endpoint tests: -- name: True Positive Test - attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.003/auditd_path_cwd_doas_conf/path_doas.log - source: auditd - sourcetype: auditd + - name: True Positive Test + attack_data: + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.003/auditd_path_cwd_doas_conf/path_doas.log + source: auditd + sourcetype: auditd diff --git a/detections/endpoint/linux_auditd_possible_access_or_modification_of_sshd_config_file.yml b/detections/endpoint/linux_auditd_possible_access_or_modification_of_sshd_config_file.yml index f38e42dcb2..3645aa984a 100644 --- a/detections/endpoint/linux_auditd_possible_access_or_modification_of_sshd_config_file.yml +++ b/detections/endpoint/linux_auditd_possible_access_or_modification_of_sshd_config_file.yml @@ -2,27 +2,35 @@ name: Linux Auditd Possible Access Or Modification Of Sshd Config File id: acb3ea33-70f7-47aa-b335-643b3aebcb2f version: 8 date: '2025-11-27' -author: Teoderick Contreras, Splunk +author: Teoderick Contreras, Nasreddine Bencherchali, Splunk status: production type: Anomaly -description: The following analytic detects suspicious access or modification of the - sshd_config file on Linux systems. It leverages data from Linux Auditd, focusing - on command-line executions involving processes like "cat," "nano," "vim," and "vi" - accessing the sshd_config file. This activity is significant because unauthorized - changes to sshd_config can allow threat actors to redirect port connections or use - unauthorized keys, potentially compromising the system. If confirmed malicious, - this could lead to unauthorized access, privilege escalation, or persistent backdoor - access, posing a severe security risk. +description: | + The following analytic detects suspicious access or modification of the sshd_config file on Linux systems. + It leverages data from Linux Auditd, focusing on command-line executions involving processes like "cat", "nano", "vim", and "vi" accessing the sshd_config file. + This activity is significant because unauthorized changes to sshd_config can allow threat actors to redirect port connections or use unauthorized keys, potentially compromising the system. + If confirmed malicious, this could lead to unauthorized access, privilege escalation, or persistent backdoor access, posing a severe security risk. data_source: -- Linux Auditd Path -search: '`linux_auditd` (type=PATH OR type=CWD) + - Linux Auditd Path + - Linux Auditd Cwd +search: | + `linux_auditd` + ( + (type=PATH nametype IN ("NORMAL", "CREATE", "DELETE")) + OR + type=CWD + ) + | rex "msg=audit\([^)]*:(?\d+)\)" + | stats - values(type) as types, - values(name) as names, - values(cwd) as cwd_list, + values(type) as types + values(name) as names + values(nametype) as nametype + values(cwd) as cwd_list values(_time) as event_times - by msg, host - | eval current_working_directory = coalesce(mvindex(cwd_list, 0), "N/A") + by audit_id, host + + | eval current_working_directory = coalesce(mvindex(cwd_list, 0), "N/A") | eval candidate_paths = mvmap(names, if(match(names, "^/"), names, current_working_directory + "/" + names)) | eval matched_paths = mvfilter(match(candidate_paths, "/etc/ssh/ssh_config.*")) | eval match_count = mvcount(matched_paths) @@ -30,64 +38,73 @@ search: '`linux_auditd` (type=PATH OR type=CWD) | eval e_time = mvindex(event_times, 0) | where match_count > 0 | rename host as dest - | stats count min(e_time) as firstTime max(e_time) as lastTime by matched_paths reconstructed_path, current_working_directory, match_count, dest, msg + + | stats count min(e_time) as firstTime max(e_time) as lastTime + values(nametype) as nametype + by current_working_directory + reconstructed_path + match_count + dest + audit_id + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `linux_auditd_possible_access_or_modification_of_sshd_config_file_filter`' -how_to_implement: To implement this detection, the process begins by ingesting auditd + | `linux_auditd_possible_access_or_modification_of_sshd_config_file_filter` +how_to_implement: | + To implement this detection, the process begins by ingesting auditd data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources - and enhance the efficiency of data modeling and make sure the type=CWD record type is activate in your auditd configuration. + and enhance the efficiency of data modeling and make sure the type=CWD record type is activate in your auditd configuration. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed. -known_false_positives: Administrator or network operator can use this commandline - for automation purposes. Please update the filter macros to remove false positives. +known_false_positives: | + Administrator or network operator can use this commandline for automation purposes. + Please update the filter macros to remove false positives. references: -- https://www.hackingarticles.in/ssh-penetration-testing-port-22/ -- https://attack.mitre.org/techniques/T1098/004/ + - https://www.hackingarticles.in/ssh-penetration-testing-port-22/ + - https://attack.mitre.org/techniques/T1098/004/ drilldown_searches: -- name: View the detection results for - "$dest$" - search: '%original_detection_search% | search dest = "$dest$"' - earliest_offset: $info_min_time$ - latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") - starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime - values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) - as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) - as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)`' - earliest_offset: $info_min_time$ - latest_offset: $info_max_time$ + - name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ + - name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ rba: - message: A [$type$] has been accessed/modified on host - [$dest$] to modify the - sshd_config file. + message: $reconstructed_path$ has been accessed with type $nametype$ on host - [$dest$] risk_objects: - - field: dest - type: system - score: 25 + - field: dest + type: system + score: 25 threat_objects: [] tags: analytic_story: - - Linux Living Off The Land - - Linux Privilege Escalation - - Linux Persistence Techniques - - Compromised Linux Host + - Linux Living Off The Land + - Linux Privilege Escalation + - Linux Persistence Techniques + - Compromised Linux Host asset_type: Endpoint mitre_attack_id: - - T1098.004 + - T1098.004 product: - - Splunk Enterprise - - Splunk Enterprise Security - - Splunk Cloud + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud security_domain: endpoint tests: -- name: True Positive Test - attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.004/auditd_path_ssh_config/path_ssh_config.log - source: auditd - sourcetype: auditd + - name: True Positive Test + attack_data: + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.004/auditd_path_ssh_config/path_ssh_config.log + source: auditd + sourcetype: auditd diff --git a/detections/endpoint/linux_auditd_possible_access_to_sudoers_file.yml b/detections/endpoint/linux_auditd_possible_access_to_sudoers_file.yml index 2a7623c499..75e1d07ce2 100644 --- a/detections/endpoint/linux_auditd_possible_access_to_sudoers_file.yml +++ b/detections/endpoint/linux_auditd_possible_access_to_sudoers_file.yml @@ -2,26 +2,31 @@ name: Linux Auditd Possible Access To Sudoers File id: 8be88f46-f7e8-4ae6-b15e-cf1b13392834 version: 11 date: '2025-11-27' -author: Teoderick Contreras, Splunk +author: Teoderick Contreras, Nasreddine Bencherchali, Splunk status: production type: Anomaly -description: The following analytic detects potential access or modification of the - /etc/sudoers file on a Linux system. It leverages data from Linux Auditd, focusing - on processes like "cat," "nano," "vim," and "vi" accessing the /etc/sudoers file. - This activity is significant because the sudoers file controls user permissions - for executing commands with elevated privileges. If confirmed malicious, an attacker - could gain persistence or escalate privileges, compromising the security of the - targeted host. +description: | + The following analytic detects potential access or modification of the /etc/sudoers file on a Linux system. + It leverages data from Linux Auditd, focusing on processes like "cat," "nano," "vim," and "vi" accessing the /etc/sudoers file. + This activity is significant because the sudoers file controls user permissions for executing commands with elevated privileges. + If confirmed malicious, an attacker could gain persistence or escalate privileges, compromising the security of the targeted host. data_source: -- Linux Auditd Path -search: '`linux_auditd` (type=PATH OR type=CWD) + - Linux Auditd Path + - Linux Auditd Cwd +search: | + `linux_auditd` + (type=PATH OR type=CWD) + | rex "msg=audit\([^)]*:(?\d+)\)" + | stats - values(type) as types, - values(name) as names, - values(cwd) as cwd_list, + values(type) as types + values(name) as names + values(nametype) as nametype + values(cwd) as cwd_list values(_time) as event_times - by msg, host - | eval current_working_directory = coalesce(mvindex(cwd_list, 0), "N/A") + by audit_id, host + + | eval current_working_directory = coalesce(mvindex(cwd_list, 0), "N/A") | eval candidate_paths = mvmap(names, if(match(names, "^/"), names, current_working_directory + "/" + names)) | eval matched_paths = mvfilter(match(candidate_paths, "/etc/sudoers.*")) | eval match_count = mvcount(matched_paths) @@ -29,64 +34,73 @@ search: '`linux_auditd` (type=PATH OR type=CWD) | eval e_time = mvindex(event_times, 0) | where match_count > 0 | rename host as dest - | stats count min(e_time) as firstTime max(e_time) as lastTime by matched_paths reconstructed_path, current_working_directory, match_count, dest, msg + + | stats count min(e_time) as firstTime max(e_time) as lastTime + values(nametype) as nametype + by current_working_directory + reconstructed_path + match_count + dest + audit_id + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `linux_auditd_possible_access_to_sudoers_file_filter`' -how_to_implement: To implement this detection, the process begins by ingesting auditd + | `linux_auditd_possible_access_to_sudoers_file_filter` +how_to_implement: | + To implement this detection, the process begins by ingesting auditd data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources - and enhance the efficiency of data modeling and make sure the type=CWD record type is activate in your auditd configuration. + and enhance the efficiency of data modeling and make sure the type=CWD record type is activate in your auditd configuration. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed. -known_false_positives: administrator or network operator can execute this command. +known_false_positives: | + Administrator or network operator can execute this command. Please update the filter macros to remove false positives. references: -- https://attack.mitre.org/techniques/T1548/003/ -- https://web.archive.org/web/20210708035426/https://www.cobaltstrike.com/downloads/csmanual43.pdf + - https://attack.mitre.org/techniques/T1548/003/ + - https://web.archive.org/web/20210708035426/https://www.cobaltstrike.com/downloads/csmanual43.pdf drilldown_searches: -- name: View the detection results for - "$dest$" - search: '%original_detection_search% | search dest = "$dest$"' - earliest_offset: $info_min_time$ - latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") - starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime - values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) - as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) - as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)`' - earliest_offset: $info_min_time$ - latest_offset: $info_max_time$ + - name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ + - name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ rba: - message: A [$type$] has been accessed/modified on host - [$dest$] to access or modify - the sudoers file. + message: $reconstructed_path$ has been accessed for potential modification or deletion on host - [$dest$] risk_objects: - - field: dest - type: system - score: 25 + - field: dest + type: system + score: 25 threat_objects: [] tags: analytic_story: - - Linux Persistence Techniques - - Compromised Linux Host - - China-Nexus Threat Activity - - Salt Typhoon - - Linux Privilege Escalation + - Linux Persistence Techniques + - Compromised Linux Host + - China-Nexus Threat Activity + - Salt Typhoon + - Linux Privilege Escalation asset_type: Endpoint mitre_attack_id: - - T1548.003 + - T1548.003 product: - - Splunk Enterprise - - Splunk Enterprise Security - - Splunk Cloud + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud security_domain: endpoint tests: -- name: True Positive Test - attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.003/auditd_path_sudoers/path_sudoers.log - source: auditd - sourcetype: auditd + - name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.003/auditd_path_sudoers/path_sudoers.log + source: auditd + sourcetype: auditd diff --git a/detections/endpoint/linux_auditd_possible_append_cronjob_entry_on_existing_cronjob_file.yml b/detections/endpoint/linux_auditd_possible_append_cronjob_entry_on_existing_cronjob_file.yml index edaacc2236..b257641143 100644 --- a/detections/endpoint/linux_auditd_possible_append_cronjob_entry_on_existing_cronjob_file.yml +++ b/detections/endpoint/linux_auditd_possible_append_cronjob_entry_on_existing_cronjob_file.yml @@ -5,23 +5,27 @@ date: '2025-11-27' author: Teoderick Contreras, Splunk status: production type: Hunting -description: The following analytic detects potential tampering with cronjob files - on a Linux system by identifying 'echo' commands that append code to existing cronjob - files. It leverages logs from Linux Auditd, focusing on process names, parent processes, - and command-line executions. This activity is significant because adversaries often - use it for persistence or privilege escalation. If confirmed malicious, this could - allow attackers to execute unauthorized code automatically, leading to system compromises - and unauthorized data access, thereby impacting business operations and data integrity. +description: | + The following analytic detects potential tampering with cronjob files on a Linux system by identifying 'echo' commands that append code to existing cronjob files. + It leverages logs from Linux Auditd, focusing on process names, parent processes, and command-line executions. + This activity is significant because adversaries often use it for persistence or privilege escalation. + If confirmed malicious, this could allow attackers to execute unauthorized code automatically, leading to system compromises and unauthorized data access, thereby impacting business operations and data integrity. data_source: -- Linux Auditd Path -search: '`linux_auditd` (type=PATH OR type=CWD) + - Linux Auditd Path + - Linux Auditd Cwd +search: | + `linux_auditd` (type=PATH OR type=CWD) + | rex "msg=audit\([^)]*:(?\d+)\)" + | stats - values(type) as types, - values(name) as names, - values(cwd) as cwd_list, + values(type) as types + values(name) as names + values(nametype) as nametype + values(cwd) as cwd_list values(_time) as event_times - by msg, host - | eval current_working_directory = coalesce(mvindex(cwd_list, 0), "N/A") + by audit_id, host + + | eval current_working_directory = coalesce(mvindex(cwd_list, 0), "N/A") | eval candidate_paths = mvmap(names, if(match(names, "^/"), names, current_working_directory + "/" + names)) | eval matched_paths = mvfilter(match(candidate_paths, "/etc/cron.*|.*/cron/.*|/etc/anacrontab.*")) | eval match_count = mvcount(matched_paths) @@ -29,46 +33,55 @@ search: '`linux_auditd` (type=PATH OR type=CWD) | eval e_time = mvindex(event_times, 0) | where match_count > 0 | rename host as dest - | stats count min(e_time) as firstTime max(e_time) as lastTime by matched_paths reconstructed_path, current_working_directory, match_count, dest, msg + + | stats count min(e_time) as firstTime max(e_time) as lastTime + values(nametype) as nametype + by current_working_directory + reconstructed_path + match_count + dest + audit_id + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `linux_auditd_possible_append_cronjob_entry_on_existing_cronjob_file_filter`' -how_to_implement: To implement this detection, the process begins by ingesting auditd + | `linux_auditd_possible_append_cronjob_entry_on_existing_cronjob_file_filter` +how_to_implement: | + To implement this detection, the process begins by ingesting auditd data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources - and enhance the efficiency of data modeling and make sure the type=CWD record type is activate in your auditd configuration. + and enhance the efficiency of data modeling and make sure the type=CWD record type is activate in your auditd configuration. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed. -known_false_positives: False positives may arise from legitimate actions by administrators - or network operators who may use these commands for automation purposes. Therefore, - it's recommended to adjust filter macros to eliminate such false positives. +known_false_positives: | + False positives may arise from legitimate actions by administrators or network operators who may use these commands for automation purposes. + Therefore, it's recommended to adjust filter macros to eliminate such false positives. references: -- https://attack.mitre.org/techniques/T1053/003/ -- https://blog.aquasec.com/threat-alert-kinsing-malware-container-vulnerability -- https://www.intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/ + - https://attack.mitre.org/techniques/T1053/003/ + - https://blog.aquasec.com/threat-alert-kinsing-malware-container-vulnerability + - https://www.intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/ tags: analytic_story: - - XorDDos - - Linux Living Off The Land - - Compromised Linux Host - - Linux Privilege Escalation - - Scheduled Tasks - - Linux Persistence Techniques + - XorDDos + - Linux Living Off The Land + - Compromised Linux Host + - Linux Privilege Escalation + - Scheduled Tasks + - Linux Persistence Techniques asset_type: Endpoint mitre_attack_id: - - T1053.003 + - T1053.003 product: - - Splunk Enterprise - - Splunk Enterprise Security - - Splunk Cloud + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud security_domain: endpoint tests: -- name: True Positive Test - attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.003/auditd_path_cron/path_cron.log - source: auditd - sourcetype: auditd + - name: True Positive Test + attack_data: + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.003/auditd_path_cron/path_cron.log + source: auditd + sourcetype: auditd diff --git a/detections/endpoint/linux_auditd_preload_hijack_via_preload_file.yml b/detections/endpoint/linux_auditd_preload_hijack_via_preload_file.yml index 400293c986..0c96541573 100644 --- a/detections/endpoint/linux_auditd_preload_hijack_via_preload_file.yml +++ b/detections/endpoint/linux_auditd_preload_hijack_via_preload_file.yml @@ -5,24 +5,27 @@ date: '2025-11-27' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic detects suspicious preload hijacking via the `preload` - file, which may indicate an attacker's attempt to intercept or manipulate library - loading processes. The `preload` file can be used to force the loading of specific - libraries before others, potentially allowing malicious code to execute or alter - application behavior. By monitoring for unusual or unauthorized modifications to - the `preload` file, this analytic helps identify attempts to hijack preload mechanisms, - enabling security teams to investigate and address potential threats to system integrity - and security. +description: | + The following analytic detects suspicious preload hijacking via the `preload` file, which may indicate an attacker's attempt to intercept or manipulate library loading processes. + The `preload` file can be used to force the loading of specific libraries before others, potentially allowing malicious code to execute or alter application behavior. + By monitoring for unusual or unauthorized modifications to the `preload` file, this analytic helps identify attempts to hijack preload mechanisms, enabling security teams to investigate and address potential threats to system integrity and security. data_source: -- Linux Auditd Path -search: '`linux_auditd` (type=PATH OR type=CWD) + - Linux Auditd Path + - Linux Auditd Cwd +search: | + `linux_auditd` + (type=PATH OR type=CWD) + | rex "msg=audit\([^)]*:(?\d+)\)" + | stats - values(type) as types, - values(name) as names, - values(cwd) as cwd_list, + values(type) as types + values(name) as names + values(nametype) as nametype + values(cwd) as cwd_list values(_time) as event_times - by msg, host - | eval current_working_directory = coalesce(mvindex(cwd_list, 0), "N/A") + by audit_id, host + + | eval current_working_directory = coalesce(mvindex(cwd_list, 0), "N/A") | eval candidate_paths = mvmap(names, if(match(names, "^/"), names, current_working_directory + "/" + names)) | eval matched_paths = mvfilter(match(candidate_paths, "/etc/ld.so.preload.*")) | eval match_count = mvcount(matched_paths) @@ -30,63 +33,73 @@ search: '`linux_auditd` (type=PATH OR type=CWD) | eval e_time = mvindex(event_times, 0) | where match_count > 0 | rename host as dest - | stats count min(e_time) as firstTime max(e_time) as lastTime by matched_paths reconstructed_path, current_working_directory, match_count, dest, msg + + | stats count min(e_time) as firstTime max(e_time) as lastTime + values(nametype) as nametype + by current_working_directory + reconstructed_path + match_count + dest + audit_id + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `linux_auditd_preload_hijack_via_preload_file_filter`' -how_to_implement: To implement this detection, the process begins by ingesting auditd + | `linux_auditd_preload_hijack_via_preload_file_filter` +how_to_implement: | + To implement this detection, the process begins by ingesting auditd data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources - and enhance the efficiency of data modeling and make sure the type=CWD record type is activate in your auditd configuration. + and enhance the efficiency of data modeling and make sure the type=CWD record type is activate in your auditd configuration. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed. -known_false_positives: Administrator or network operator can use this application - for automation purposes. Please update the filter macros to remove false positives. +known_false_positives: | + Administrator or network operator can use this application for automation purposes. + Please update the filter macros to remove false positives. references: -- https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html + - https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html drilldown_searches: -- name: View the detection results for - "$dest$" - search: '%original_detection_search% | search dest = "$dest$"' - earliest_offset: $info_min_time$ - latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") - starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime - values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) - as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) - as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)`' - earliest_offset: $info_min_time$ - latest_offset: $info_max_time$ + - name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ + - name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ rba: message: A [$type$] event has occurred on host - [$dest$] to modify the preload file. risk_objects: - - field: dest - type: system - score: 81 + - field: dest + type: system + score: 81 threat_objects: [] tags: analytic_story: - - Linux Living Off The Land - - Linux Privilege Escalation - - Linux Persistence Techniques - - Compromised Linux Host + - Linux Living Off The Land + - Linux Privilege Escalation + - Linux Persistence Techniques + - Compromised Linux Host asset_type: Endpoint mitre_attack_id: - - T1574.006 + - T1574.006 product: - - Splunk Enterprise - - Splunk Enterprise Security - - Splunk Cloud + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud security_domain: endpoint tests: -- name: True Positive Test - attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1574.006/auditd_path_preload_file/path_preload.log - source: auditd - sourcetype: auditd + - name: True Positive Test + attack_data: + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1574.006/auditd_path_preload_file/path_preload.log + source: auditd + sourcetype: auditd diff --git a/detections/endpoint/linux_auditd_unix_shell_configuration_modification.yml b/detections/endpoint/linux_auditd_unix_shell_configuration_modification.yml index cf8e5a3495..eb9a004841 100644 --- a/detections/endpoint/linux_auditd_unix_shell_configuration_modification.yml +++ b/detections/endpoint/linux_auditd_unix_shell_configuration_modification.yml @@ -5,7 +5,8 @@ date: '2025-11-27' author: Teoderick Contreras, Splunk status: production type: TTP -description: The following analytic detects suspicious modifications to Unix shell +description: | + The following analytic detects suspicious modifications to Unix shell configuration files, which may indicate an attempt to alter system behavior or gain unauthorized access. Unix shell configuration files, such as `.bashrc` or `.profile`, control user environment settings and command execution. Unauthorized changes to @@ -14,15 +15,22 @@ description: The following analytic detects suspicious modifications to Unix she shell configuration files, this analytic helps identify potential security threats, allowing security teams to respond quickly and mitigate risks. data_source: -- Linux Auditd Path -search: '`linux_auditd` (type=PATH OR type=CWD) + - Linux Auditd Path + - Linux Auditd Cwd +search: | + `linux_auditd` + (type=PATH OR type=CWD) + | rex "msg=audit\([^)]*:(?\d+)\)" + | stats - values(type) as types, - values(name) as names, - values(cwd) as cwd_list, + values(type) as types + values(name) as names + values(nametype) as nametype + values(cwd) as cwd_list values(_time) as event_times - by msg, host - | eval current_working_directory = coalesce(mvindex(cwd_list, 0), "N/A") + by audit_id, host + + | eval current_working_directory = coalesce(mvindex(cwd_list, 0), "N/A") | eval candidate_paths = mvmap(names, if(match(names, "^/"), names, current_working_directory + "/" + names)) | eval matched_paths = mvfilter(match(candidate_paths, "/etc/profile|/etc/shells|/etc/profile\\.d/.*|/etc/bash\\.bashrc.*|/etc/bashrc|.*/zsh/zprofile|.*/zsh/zshrc|.*/zsh/zlogin|.*/zsh/zlogout|/etc/csh\\.cshrc.*|/etc/csh\\.login.*|/root/\\.bashrc.*|/root/\\.bash_profile.*|/root/\\.profile.*|/root/\\.zshrc.*|/root/\\.zprofile.*|/home/.*/\\.bashrc.*|/home/.*/\\.zshrc.*|/home/.*/\\.bash_profile.*|/home/.*/\\.zprofile.*|/home/.*/\\.profile.*|/home/.*/\\.bash_login.*|/home/.*/\\.bash_logout.*|/home/.*/\\.zlogin.*|/home/.*/\\.zlogout.*")) | eval match_count = mvcount(matched_paths) @@ -30,64 +38,74 @@ search: '`linux_auditd` (type=PATH OR type=CWD) | eval e_time = mvindex(event_times, 0) | where match_count > 0 | rename host as dest - | stats count min(e_time) as firstTime max(e_time) as lastTime by matched_paths reconstructed_path, current_working_directory, match_count, dest, msg + + | stats count min(e_time) as firstTime max(e_time) as lastTime + values(nametype) as nametype + by current_working_directory + reconstructed_path + match_count + dest + audit_id + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `linux_auditd_unix_shell_configuration_modification_filter`' -how_to_implement: To implement this detection, the process begins by ingesting auditd + | `linux_auditd_unix_shell_configuration_modification_filter` +how_to_implement: | + To implement this detection, the process begins by ingesting auditd data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources - and enhance the efficiency of data modeling and make sure the type=CWD record type is activate in your auditd configuration. + and enhance the efficiency of data modeling and make sure the type=CWD record type is activate in your auditd configuration. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed. -known_false_positives: Administrator or network operator can use this application - for automation purposes. Please update the filter macros to remove false positives. +known_false_positives: | + Administrator or network operator can use this application for automation purposes. + Please update the filter macros to remove false positives. references: -- https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html -- https://github.com/peass-ng/PEASS-ng/tree/master/linPEAS + - https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html + - https://github.com/peass-ng/PEASS-ng/tree/master/linPEAS drilldown_searches: -- name: View the detection results for - "$dest$" - search: '%original_detection_search% | search dest = "$dest$"' - earliest_offset: $info_min_time$ - latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") - starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime - values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) - as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) - as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)`' - earliest_offset: $info_min_time$ - latest_offset: $info_max_time$ + - name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ + - name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ rba: message: A [$type$] event occurred on host - [$dest$] to modify the unix shell configuration file. risk_objects: - - field: dest - type: system - score: 64 + - field: dest + type: system + score: 64 threat_objects: [] tags: analytic_story: - - Linux Living Off The Land - - Linux Privilege Escalation - - Linux Persistence Techniques - - Compromised Linux Host + - Linux Living Off The Land + - Linux Privilege Escalation + - Linux Persistence Techniques + - Compromised Linux Host asset_type: Endpoint mitre_attack_id: - - T1546.004 + - T1546.004 product: - - Splunk Enterprise - - Splunk Enterprise Security - - Splunk Cloud + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud security_domain: endpoint tests: -- name: True Positive Test - attack_data: - - data: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.004/linux_auditd_unix_shell_mod_config//linux_path_profile_d.log - source: auditd - sourcetype: auditd + - name: True Positive Test + attack_data: + - data: + https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.004/linux_auditd_unix_shell_mod_config//linux_path_profile_d.log + source: auditd + sourcetype: auditd diff --git a/detections/endpoint/linux_magic_sysrq_key_abuse.yml b/detections/endpoint/linux_magic_sysrq_key_abuse.yml index 6b8e67ee50..c6ef8a4cc5 100644 --- a/detections/endpoint/linux_magic_sysrq_key_abuse.yml +++ b/detections/endpoint/linux_magic_sysrq_key_abuse.yml @@ -6,20 +6,26 @@ author: Milad Cheraghi status: production type: TTP description: | - Detects potential abuse of the Linux Magic SysRq (System Request) key by adversaries - with root or sufficient privileges to manipulate or destabilize a system. + Detects potential abuse of the Linux Magic SysRq (System Request) key by adversaries with root or sufficient privileges to manipulate or destabilize a system. Writing to /proc/sysrq-trigger can crash the system, kill processes, or bypass standard logging. Monitoring SysRq abuse helps detect stealthy post-exploitation activity. data_source: - Linux Auditd Path -search: '`linux_auditd` (type=PATH OR type=CWD) + - Linux Auditd Cwd +search: | + `linux_auditd` + (type=PATH OR type=CWD) + | rex "msg=audit\([^)]*:(?\d+)\)" + | stats - values(type) as types, - values(name) as names, - values(cwd) as cwd_list, + values(type) as types + values(name) as names + values(nametype) as nametype + values(cwd) as cwd_list values(_time) as event_times - by msg, host - | eval current_working_directory = coalesce(mvindex(cwd_list, 0), "N/A") + by audit_id, host + + | eval current_working_directory = coalesce(mvindex(cwd_list, 0), "N/A") | eval candidate_paths = mvmap(names, if(match(names, "^/"), names, current_working_directory + "/" + names)) | eval matched_paths = mvfilter(match(candidate_paths, ".*/proc/sysrq-trigger|.*/proc/sys/kernel/sysrq|.*/etc/sysctl.conf")) | eval match_count = mvcount(matched_paths) @@ -27,10 +33,18 @@ search: '`linux_auditd` (type=PATH OR type=CWD) | eval e_time = mvindex(event_times, 0) | where match_count > 0 | rename host as dest - | stats count min(e_time) as firstTime max(e_time) as lastTime by matched_paths reconstructed_path, current_working_directory, match_count, dest, msg + + | stats count min(e_time) as firstTime max(e_time) as lastTime + values(nametype) as nametype + by current_working_directory + reconstructed_path + match_count + dest + audit_id + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `linux_magic_sysrq_key_abuse_filter`' + | `linux_magic_sysrq_key_abuse_filter` how_to_implement: | To implement this detection, ensure auditd is configured to watch: - /proc/sysrq-trigger @@ -39,7 +53,8 @@ how_to_implement: | with write and attribute changes (`-p wa`) and key `sysrq`. Make sure the type=CWD record type is activate in your auditd configuration and Use the Splunk Add-on for Unix and Linux for proper ingestion and CIM normalization. This enables effective monitoring of Linux endpoints for SysRq abuse. -known_false_positives: Legitimate administrative activity modifying SysRq for debugging or recovery. +known_false_positives: | + Legitimate administrative activity modifying SysRq for debugging or recovery. Please update the filter macros to remove false positives. references: - https://www.kernel.org/doc/html/v4.10/_sources/admin-guide/sysrq.txt From 572a93567fb4ee959e19cbabdd12969cb565bd36 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali Date: Tue, 2 Dec 2025 18:59:42 +0100 Subject: [PATCH 4/5] add missing extension --- data_sources/{linux_auditd_cwd => linux_auditd_cwd.yml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename data_sources/{linux_auditd_cwd => linux_auditd_cwd.yml} (100%) diff --git a/data_sources/linux_auditd_cwd b/data_sources/linux_auditd_cwd.yml similarity index 100% rename from data_sources/linux_auditd_cwd rename to data_sources/linux_auditd_cwd.yml From 8cff5c05ebab0bf588c49a3afc5f331a20178884 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali Date: Wed, 3 Dec 2025 00:23:36 +0100 Subject: [PATCH 5/5] update descriptions --- ...e_access_or_modification_of_sshd_config_file.yml | 7 ++++--- ...linux_auditd_possible_access_to_sudoers_file.yml | 5 +++-- ...ppend_cronjob_entry_on_existing_cronjob_file.yml | 7 ++++--- ...linux_auditd_preload_hijack_via_preload_file.yml | 1 + ...auditd_unix_shell_configuration_modification.yml | 13 +++++-------- detections/endpoint/linux_magic_sysrq_key_abuse.yml | 1 + 6 files changed, 18 insertions(+), 16 deletions(-) diff --git a/detections/endpoint/linux_auditd_possible_access_or_modification_of_sshd_config_file.yml b/detections/endpoint/linux_auditd_possible_access_or_modification_of_sshd_config_file.yml index 3645aa984a..48ae6aad34 100644 --- a/detections/endpoint/linux_auditd_possible_access_or_modification_of_sshd_config_file.yml +++ b/detections/endpoint/linux_auditd_possible_access_or_modification_of_sshd_config_file.yml @@ -6,9 +6,10 @@ author: Teoderick Contreras, Nasreddine Bencherchali, Splunk status: production type: Anomaly description: | - The following analytic detects suspicious access or modification of the sshd_config file on Linux systems. - It leverages data from Linux Auditd, focusing on command-line executions involving processes like "cat", "nano", "vim", and "vi" accessing the sshd_config file. - This activity is significant because unauthorized changes to sshd_config can allow threat actors to redirect port connections or use unauthorized keys, potentially compromising the system. + The following analytic detects access, deletion or modification of the ssh_config file on Linux systems. + It leverages data from Linux Auditd, focusing on events of type PATH with a nametype of ("NORMAL", "CREATE", "DELETE"). + This activity could be significant because unauthorized changes to ssh_config can allow threat actors to redirect port connections or use unauthorized keys, potentially compromising the system. + Correlate this with related EXECVE or PROCTITLE events to identify the process or user responsible for the access or modification. If confirmed malicious, this could lead to unauthorized access, privilege escalation, or persistent backdoor access, posing a severe security risk. data_source: - Linux Auditd Path diff --git a/detections/endpoint/linux_auditd_possible_access_to_sudoers_file.yml b/detections/endpoint/linux_auditd_possible_access_to_sudoers_file.yml index 75e1d07ce2..aca9724538 100644 --- a/detections/endpoint/linux_auditd_possible_access_to_sudoers_file.yml +++ b/detections/endpoint/linux_auditd_possible_access_to_sudoers_file.yml @@ -7,8 +7,9 @@ status: production type: Anomaly description: | The following analytic detects potential access or modification of the /etc/sudoers file on a Linux system. - It leverages data from Linux Auditd, focusing on processes like "cat," "nano," "vim," and "vi" accessing the /etc/sudoers file. - This activity is significant because the sudoers file controls user permissions for executing commands with elevated privileges. + It leverages data from Linux Auditd, focusing on events of type PATH or CWD. + This activity could be significant because the sudoers file controls user permissions for executing commands with elevated privileges. + Correlate this with related EXECVE or PROCTITLE events to identify the process or user responsible for the access or modification. If confirmed malicious, an attacker could gain persistence or escalate privileges, compromising the security of the targeted host. data_source: - Linux Auditd Path diff --git a/detections/endpoint/linux_auditd_possible_append_cronjob_entry_on_existing_cronjob_file.yml b/detections/endpoint/linux_auditd_possible_append_cronjob_entry_on_existing_cronjob_file.yml index b257641143..60267c4b16 100644 --- a/detections/endpoint/linux_auditd_possible_append_cronjob_entry_on_existing_cronjob_file.yml +++ b/detections/endpoint/linux_auditd_possible_append_cronjob_entry_on_existing_cronjob_file.yml @@ -6,9 +6,10 @@ author: Teoderick Contreras, Splunk status: production type: Hunting description: | - The following analytic detects potential tampering with cronjob files on a Linux system by identifying 'echo' commands that append code to existing cronjob files. - It leverages logs from Linux Auditd, focusing on process names, parent processes, and command-line executions. - This activity is significant because adversaries often use it for persistence or privilege escalation. + The following analytic detects potential tampering with cronjob files on a Linux system. + It leverages logs from Linux Auditd, focusing on events of type PATH or CWD. + This activity could be significant because adversaries often use it for persistence or privilege escalation. + Correlate this with related EXECVE or PROCTITLE events to identify the process or user responsible for the access or modification. If confirmed malicious, this could allow attackers to execute unauthorized code automatically, leading to system compromises and unauthorized data access, thereby impacting business operations and data integrity. data_source: - Linux Auditd Path diff --git a/detections/endpoint/linux_auditd_preload_hijack_via_preload_file.yml b/detections/endpoint/linux_auditd_preload_hijack_via_preload_file.yml index 0c96541573..23cc96364f 100644 --- a/detections/endpoint/linux_auditd_preload_hijack_via_preload_file.yml +++ b/detections/endpoint/linux_auditd_preload_hijack_via_preload_file.yml @@ -9,6 +9,7 @@ description: | The following analytic detects suspicious preload hijacking via the `preload` file, which may indicate an attacker's attempt to intercept or manipulate library loading processes. The `preload` file can be used to force the loading of specific libraries before others, potentially allowing malicious code to execute or alter application behavior. By monitoring for unusual or unauthorized modifications to the `preload` file, this analytic helps identify attempts to hijack preload mechanisms, enabling security teams to investigate and address potential threats to system integrity and security. + Correlate this with related EXECVE or PROCTITLE events to identify the process or user responsible for the access or modification. data_source: - Linux Auditd Path - Linux Auditd Cwd diff --git a/detections/endpoint/linux_auditd_unix_shell_configuration_modification.yml b/detections/endpoint/linux_auditd_unix_shell_configuration_modification.yml index eb9a004841..6427fb3447 100644 --- a/detections/endpoint/linux_auditd_unix_shell_configuration_modification.yml +++ b/detections/endpoint/linux_auditd_unix_shell_configuration_modification.yml @@ -6,14 +6,11 @@ author: Teoderick Contreras, Splunk status: production type: TTP description: | - The following analytic detects suspicious modifications to Unix shell - configuration files, which may indicate an attempt to alter system behavior or gain - unauthorized access. Unix shell configuration files, such as `.bashrc` or `.profile`, - control user environment settings and command execution. Unauthorized changes to - these files can be used to execute malicious commands, escalate privileges, or hide - malicious activities. By monitoring for unusual or unauthorized modifications to - shell configuration files, this analytic helps identify potential security threats, - allowing security teams to respond quickly and mitigate risks. + The following analytic detects suspicious access or modifications to Unix shell configuration files, which may indicate an attempt to alter system behavior or gain unauthorized access. + Unix shell configuration files, such as `.bashrc` or `.profile`, control user environment settings and command execution. + Unauthorized changes to these files can be used to execute malicious commands, escalate privileges, or hide malicious activities. + By monitoring for unusual or unauthorized modifications to shell configuration files, this analytic helps identify potential security threats, allowing security teams to respond quickly and mitigate risks. + Correlate this with related EXECVE or PROCTITLE events to identify the process or user responsible for the access or modification. data_source: - Linux Auditd Path - Linux Auditd Cwd diff --git a/detections/endpoint/linux_magic_sysrq_key_abuse.yml b/detections/endpoint/linux_magic_sysrq_key_abuse.yml index c6ef8a4cc5..9a38db6094 100644 --- a/detections/endpoint/linux_magic_sysrq_key_abuse.yml +++ b/detections/endpoint/linux_magic_sysrq_key_abuse.yml @@ -9,6 +9,7 @@ description: | Detects potential abuse of the Linux Magic SysRq (System Request) key by adversaries with root or sufficient privileges to manipulate or destabilize a system. Writing to /proc/sysrq-trigger can crash the system, kill processes, or bypass standard logging. Monitoring SysRq abuse helps detect stealthy post-exploitation activity. + Correlate with related EXECVE or PROCTITLE events to identify the process or user responsible for the access or modification. data_source: - Linux Auditd Path - Linux Auditd Cwd