splApache-2.0from splunk/security_content
Linux Auditd File Permissions Modification Via Chattr
The following analytic detects suspicious file permissions modifications using the chattr command, which may indicate an attacker attempting to manipulate file attributes to evade detection or prevent alteration. The chattr command can be used to make files immutable or restrict deletion, which can be leveraged to protect malicious files or disrupt system operations. By monitoring for unusual or unauthorized chattr usage, this analytic helps identify potential tampering with critical files, enabling security teams to quickly respond to and mitigate threats associated with unauthorized file attribute changes.
Quality
51
FP risk
—
Forks
0
Views
0
Rule sourcedetections/endpoint/linux_auditd_file_permissions_modification_via_chattr.yml
`linux_auditd` proctitle = "*chattr *" AND proctitle = "* -i*"
| rename host as dest
| stats count min(_time) as firstTime max(_time) as lastTime
BY proctitle dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `linux_auditd_file_permissions_modification_via_chattr_filter`