Language: SPL. License: Apache-2.0. Source: splunk/security_content

Linux Auditd Change File Owner To Root

The following analytic detects the use of the 'chown' command to change a file owner to 'root' on a Linux system. It leverages Linux Auditd telemetry, specifically monitoring command-line executions and process details. This activity is significant as it may indicate an attempt to escalate privileges by adversaries, malware, or red teamers. If confirmed malicious, this action could allow an attacker to gain root-level access, leading to full control over the compromised host and potential persistence within the environment.

Rule source: detections/endpoint/linux_auditd_change_file_owner_to_root.yml
`linux_auditd` proctitle = "*chown *root*"
  | rename host as dest
  | stats count min(_time) as firstTime max(_time) as lastTime
    BY proctitle dest
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `linux_auditd_change_file_owner_to_root_filter`
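To see concretely what the query above matches, here is an added Python mirror of the detection logic. It is example code written for this page, not part of splunk/security_content: it decodes raw auditd PROCTITLE records (hex-encoded, NUL-separated argv, or a quoted string for short command lines), applies the `*chown *root*` wildcard, and aggregates count/firstTime/lastTime by proctitle and dest the way the `stats` clause does. The audit lines, the host name `host01` and the helper names are all constructed assumptions.

```python
"""Offline mirror of the 'Linux Auditd Change File Owner To Root' detection,
run over constructed auditd PROCTITLE records (not real telemetry)."""
import fnmatch
import re

# Constructed sample auditd lines. Auditd writes proctitle as hex of the
# NUL-separated argv when the command line contains special bytes (spaces
# included), and as a plain quoted string otherwise.
SAMPLE_AUDIT_LINES = [
    # chown root /usr/local/bin/backup  -> should match
    'type=PROCTITLE msg=audit(1700000000.101:301): proctitle=63686F776E00726F6F74002F7573722F6C6F63616C2F62696E2F6261636B7570',
    # chown -R app:app /opt/app  -> owner is not root, should not match
    'type=PROCTITLE msg=audit(1700000000.102:302): proctitle=63686F776E002D52006170703A617070002F6F70742F617070',
    # chmod 755 /tmp/x  -> not chown, should not match
    'type=PROCTITLE msg=audit(1700000000.103:303): proctitle=63686D6F6400373535002F746D702F78',
    # ls  -> short command line, quoted form
    'type=PROCTITLE msg=audit(1700000000.104:304): proctitle="ls"',
    # the same chown-to-root command line again, a little later
    'type=PROCTITLE msg=audit(1700000000.105:305): proctitle=63686F776E00726F6F74002F7573722F6C6F63616C2F62696E2F6261636B7570',
    # a non-PROCTITLE record in the same event; the parser ignores it
    'type=SYSCALL msg=audit(1700000000.101:301): arch=c000003e syscall=92 success=yes exit=0 comm="chown"',
]

RULE_PATTERN = "*chown *root*"  # the wildcard from the SPL query

PROCTITLE_RE = re.compile(
    r"^type=PROCTITLE msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): proctitle=(?P<val>\S+)"
)


def decode_proctitle(raw: str) -> str:
    """Turn the raw proctitle value into a space-joined command line."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    try:
        argv = bytes.fromhex(raw).split(b"\x00")
    except ValueError:
        return raw  # unexpected form: keep it as-is rather than drop the event
    return " ".join(a.decode("utf-8", "replace") for a in argv if a)


def parse_proctitle_events(lines):
    """Yield dicts with _time, serial and decoded proctitle for PROCTITLE records."""
    for line in lines:
        m = PROCTITLE_RE.match(line)
        if not m:
            continue
        yield {
            "_time": float(m["ts"]),
            "serial": int(m["serial"]),
            "proctitle": decode_proctitle(m["val"]),
        }


def matches_rule(proctitle: str, pattern: str = RULE_PATTERN) -> bool:
    """Approximate the SPL field match proctitle = "*chown *root*".
    Splunk search-term matching is case-insensitive, so compare lowercased."""
    return fnmatch.fnmatchcase(proctitle.lower(), pattern.lower())


def detect(lines, dest: str) -> dict:
    """Mirror of: stats count min(_time) as firstTime max(_time) as lastTime
    BY proctitle dest. Returns {(proctitle, dest): {count, firstTime, lastTime}}."""
    results = {}
    for ev in parse_proctitle_events(lines):
        if not matches_rule(ev["proctitle"]):
            continue
        key = (ev["proctitle"], dest)
        row = results.setdefault(
            key, {"count": 0, "firstTime": ev["_time"], "lastTime": ev["_time"]}
        )
        row["count"] += 1
        row["firstTime"] = min(row["firstTime"], ev["_time"])
        row["lastTime"] = max(row["lastTime"], ev["_time"])
    return results


if __name__ == "__main__":
    for (proctitle, dest), row in detect(SAMPLE_AUDIT_LINES, "host01").items():
        print(f"{dest}: {proctitle!r} count={row['count']} "
              f"first={row['firstTime']} last={row['lastTime']}")
```

Two practical points follow from running this. First, only the `chown root …` lines survive; `chown -R app:app` and `chmod` fall out, which is the intended behaviour of the wildcard. Second, package installs, configuration management and administrators also run `chown root` legitimately, so the remaining hits are where the `linux_auditd_change_file_owner_to_root_filter` macro at the end of the query is meant to carry the per-environment exclusions. Note also that the kernel caps the PROCTITLE record length (128 bytes in auditsc.c), so very long command lines arrive truncated and the matching must tolerate that.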