Language: SPL. License: Apache-2.0. Source: splunk/security_content

Linux Auditd Shred Overwrite Command

The following analytic detects execution of the 'shred' command on a Linux host. 'shred' overwrites a file's contents in place so that the original data cannot be recovered; the search looks for it together with one of the options that make the overwrite deliberate and thorough: -n (number of overwrite passes), -z (a final pass of zeros to hide the shredding), -u (remove the file after overwriting) or -s (number of bytes to overwrite). It leverages Linux Auditd data, specifically the recorded process title (command line). This activity is significant because 'shred' has been used in destructive attacks, such as the Industroyer2 campaign against energy facilities. If confirmed malicious, it could lead to the permanent destruction of critical files, severely impacting system integrity and data availability. Note that the match is a substring match on the whole command line, so any command line containing "shred" and one of the flag substrings will fire (for example a grep with -n over a file mentioning shred); tune with the filter macro.

Rule source: detections/endpoint/linux_auditd_shred_overwrite_command.yml
`linux_auditd`  proctitle IN ("*shred*")  AND proctitle IN ("*-n*", "*-z*", "*-u*", "*-s*")
  | rename host as dest
  | stats count min(_time) as firstTime max(_time) as lastTime
    BY proctitle dest
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `linux_auditd_shred_overwrite_command_filter`
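The following is an added example, not part of the Splunk rule or the security_content project. It re-implements the search's matching and aggregation in Python and runs it over constructed auditd PROCTITLE records, so you can see exactly which command lines the wildcard conditions accept. Auditd records the process title hex-encoded (argv joined with NUL bytes) whenever it contains spaces or control characters, and quoted otherwise; the decoder handles both. The hostnames, timestamps and command lines are invented for the example, and the case-insensitive wildcard matching approximates how Splunk compares field values to the `IN ("*...*")` patterns. The `grep -n shred` record is included deliberately: it satisfies both conditions and shows why the filter macro exists.

```python
"""Offline re-implementation of the Linux Auditd shred detection (added example)."""
import re
from fnmatch import fnmatchcase

# Wildcard conditions copied from the SPL search.
SHRED_PATTERNS = ["*shred*"]
FLAG_PATTERNS = ["*-n*", "*-z*", "*-u*", "*-s*"]

# type=PROCTITLE msg=audit(<epoch>.<ms>:<serial>): proctitle=<hex or "quoted">
RECORD_RE = re.compile(
    r"type=PROCTITLE msg=audit\((?P<ts>\d+\.\d+):\d+\): proctitle=(?P<pt>\S+)"
)


def encode_proctitle(argv):
    """Build the hex form auditd uses: argv joined with NUL bytes, hex-encoded."""
    return b"\x00".join(a.encode() for a in argv).hex().upper()


def decode_proctitle(raw):
    """Turn a proctitle= value (hex or quoted) back into a readable command line."""
    if raw.startswith('"'):
        return raw.strip('"')
    return bytes.fromhex(raw).replace(b"\x00", b" ").decode("utf-8", "replace")


def parse_record(host, line):
    """Parse one PROCTITLE record into the fields the search uses (host -> dest)."""
    m = RECORD_RE.search(line)
    if not m:
        return None
    return {"_time": float(m["ts"]), "dest": host, "proctitle": decode_proctitle(m["pt"])}


def matches(proctitle):
    """proctitle IN ("*shred*") AND proctitle IN ("*-n*", "*-z*", "*-u*", "*-s*")."""
    p = proctitle.lower()  # Splunk field-value matching is case-insensitive
    return any(fnmatchcase(p, x) for x in SHRED_PATTERNS) and any(
        fnmatchcase(p, x) for x in FLAG_PATTERNS
    )


def run_detection(events):
    """stats count min(_time) as firstTime max(_time) as lastTime BY proctitle dest."""
    results = {}
    for e in events:
        if not matches(e["proctitle"]):
            continue
        key = (e["proctitle"], e["dest"])
        s = results.setdefault(key, {"count": 0, "firstTime": e["_time"], "lastTime": e["_time"]})
        s["count"] += 1
        s["firstTime"] = min(s["firstTime"], e["_time"])
        s["lastTime"] = max(s["lastTime"], e["_time"])
    return results


# Constructed sample records (hosts, times and commands are invented).
SAMPLE_RECORDS = [
    ("web01", "type=PROCTITLE msg=audit(1700000000.123:4521): proctitle="
              + encode_proctitle(["shred", "-n", "3", "-z", "-u", "/var/log/secure"])),
    ("web01", "type=PROCTITLE msg=audit(1700000060.456:4588): proctitle="
              + encode_proctitle(["shred", "-n", "3", "-z", "-u", "/var/log/secure"])),
    ("db01", "type=PROCTITLE msg=audit(1700000120.789:9001): proctitle="
             + encode_proctitle(["shred", "/tmp/scratch.bin"])),          # no flag: no hit
    ("db01", "type=PROCTITLE msg=audit(1700000180.000:9050): proctitle="
             + encode_proctitle(["grep", "-n", "shred", "/etc/passwd"])),  # false positive
    ("web01", 'type=PROCTITLE msg=audit(1700000240.000:4700): proctitle="ls"'),
]


def load_samples():
    """Parse the constructed records into event dicts."""
    return [ev for ev in (parse_record(h, l) for h, l in SAMPLE_RECORDS) if ev]


if __name__ == "__main__":
    for (proctitle, dest), stats in run_detection(load_samples()).items():
        print(f"{dest}: {proctitle!r} count={stats['count']} "
              f"first={stats['firstTime']} last={stats['lastTime']}")
```

Running it produces two result rows: the genuine two-pass shred of /var/log/secure on web01 (count 2) and the grep on db01, which a filter macro excluding known-benign parent processes or users would drop.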