SPL · Apache-2.0 · from splunk/security_content
Linux Auditd Virtual Disk File And Directory Discovery
The following analytic detects suspicious discovery of virtual disk files and directories, which may indicate an attacker's attempt to locate and access virtualized storage environments. Virtual disks can contain sensitive data or critical system configurations, and unauthorized discovery attempts could signify preparatory actions for data exfiltration or further compromise. By monitoring for unusual or unauthorized searches for virtual disk files and directories, this analytic helps identify potential reconnaissance activities, enabling security teams to respond promptly and safeguard against unauthorized access and data breaches.
Rule source: detections/endpoint/linux_auditd_virtual_disk_file_and_directory_discovery.yml
`linux_auditd` execve_command IN ("*find*", "*grep*") AND execve_command IN ("*.vhd*", "*.vhdx*", "*.vmdk*")
| rename host as dest
| rename comm as process_name
| rename exe as process
| stats count min(_time) as firstTime max(_time) as lastTime
BY argc execve_command dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `linux_auditd_virtual_disk_file_and_directory_discovery_filter`
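The same search and stats stages as an added Python example, run over constructed auditd EXECVE records; this is not code from splunk/security_content, and the host names, timestamps and the record-parsing regexes are assumptions about the raw auditd line format rather than the fields the `linux_auditd` macro produces.

```python
import re
from collections import defaultdict

# Constructed auditd EXECVE records (not from the page): (host, raw_record).
SAMPLE_RECORDS = [
    ("web01", 'type=EXECVE msg=audit(1700000000.101:201): argc=4 a0="find" a1="/srv" a2="-name" a3="*.vmdk"'),
    ("web01", 'type=EXECVE msg=audit(1700000060.202:202): argc=4 a0="find" a1="/srv" a2="-name" a3="*.vmdk"'),
    ("web01", 'type=EXECVE msg=audit(1700000030.303:203): argc=3 a0="grep" a1="-rl" a2=".vhdx"'),
    ("db02",  'type=EXECVE msg=audit(1700000090.404:204): argc=3 a0="find" a1="/var/log" a2="-mtime"'),
    ("db02",  'type=EXECVE msg=audit(1700000120.505:205): argc=2 a0="ls" a1="disk.vhd"'),
]

TOOL_TERMS = ("find", "grep")
DISK_TERMS = (".vhd", ".vhdx", ".vmdk")  # "*.vhd*" already covers .vhdx; listed for fidelity to the rule

_ARG_RE = re.compile(r'\ba(\d+)="([^"]*)"')                      # a0="..", a1=".." (assumed format)
_HDR_RE = re.compile(r'msg=audit\((\d+)\.\d+:\d+\):\s+argc=(\d+)')  # epoch seconds and argc

def parse_execve(host, line):
    """Turn one EXECVE record into the fields the SPL rule keys on."""
    hdr = _HDR_RE.search(line)
    if not hdr or "type=EXECVE" not in line:
        return None
    args = [v for _, v in sorted(_ARG_RE.findall(line), key=lambda kv: int(kv[0]))]
    return {
        "_time": int(hdr.group(1)),
        "argc": int(hdr.group(2)),
        "execve_command": " ".join(args),  # joined a0..aN, as execve_command in the search
        "dest": host,                       # the rule renames host to dest
    }

def matches_rule(rec):
    """Both IN(...) clauses: a find/grep invocation whose arguments name a virtual disk."""
    cmd = rec["execve_command"].lower()     # Splunk wildcard matching is case-insensitive
    return any(t in cmd for t in TOOL_TERMS) and any(t in cmd for t in DISK_TERMS)

def aggregate(records):
    """The stats stage: count, firstTime, lastTime BY argc execve_command dest."""
    groups = defaultdict(list)
    for host, line in records:
        rec = parse_execve(host, line)
        if rec and matches_rule(rec):
            groups[(rec["argc"], rec["execve_command"], rec["dest"])].append(rec["_time"])
    return {k: {"count": len(v), "firstTime": min(v), "lastTime": max(v)} for k, v in groups.items()}
```

The two db02 records fall out because each satisfies only one of the two IN clauses, which is the main false-positive guard the search has; a tuning filter macro is still where site-specific exclusions belong.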