SPL rule, Apache-2.0 licensed, from splunk/security_content
Linux High Frequency Of File Deletion In Boot Folder
The following analytic detects a high frequency of file deletions in the /boot/ folder on Linux systems. It leverages filesystem event logs to identify when 200 or more files are deleted within an hour by the same process. This behavior is significant as it may indicate the presence of wiper malware, such as Industroyer2, which targets critical system directories. If confirmed malicious, this activity could lead to system instability or failure, hindering the boot process and potentially causing a complete system compromise.
Quality: 67 | FP risk: —
Rule source: detections/endpoint/linux_high_frequency_of_file_deletion_in_boot_folder.yml
| tstats `security_content_summariesonly` values(Filesystem.file_access_time) as file_access_time values(Filesystem.file_create_time) as file_create_time values(Filesystem.file_hash) as file_hash values(Filesystem.file_modify_time) as file_modify_time values(Filesystem.file_name) as file_name values(Filesystem.file_path) as file_path values(Filesystem.file_acl) as file_acl values(Filesystem.file_size) as file_size values(Filesystem.process_id) as process_id values(Filesystem.user) as user values(Filesystem.vendor_product) as vendor_product dc(Filesystem.file_path) as numOfDelFilePath count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem
WHERE Filesystem.action=deleted Filesystem.file_path = "/boot/*"
BY _time span=1h Filesystem.dest
Filesystem.process_guid Filesystem.action
| `drop_dm_object_name(Filesystem)`
| where numOfDelFilePath >= 200
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `linux_high_frequency_of_file_deletion_in_boot_folder_filter`
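A Python re-implementation of the aggregation the SPL above performs, added here as an illustration and not part of the Splunk rule or of splunk/security_content; the hosts, process GUIDs and events are constructed. It also shows two behaviours the description glosses over: dc() counts a repeatedly deleted path only once, and span=1h uses fixed hour buckets, so deletions that straddle a bucket boundary are split across two groups.

```python
from collections import defaultdict
from dataclasses import dataclass

# Illustrative re-implementation of the rule's logic (not the Splunk search itself):
# bucket by 1h, group by dest/process_guid/action, count distinct deleted paths
# under /boot/, alert when that count reaches 200.
THRESHOLD = 200
SPAN = 3600  # seconds; mirrors "span=1h"

@dataclass(frozen=True)
class FsEvent:
    time: int            # epoch seconds (_time)
    dest: str
    process_guid: str
    action: str
    file_path: str

def detect(events, threshold=THRESHOLD, span=SPAN):
    """Return one alert per (bucket, dest, process_guid, action) group over the threshold."""
    groups = defaultdict(lambda: {"paths": set(), "first": None, "last": None})
    for ev in events:
        # WHERE Filesystem.action=deleted Filesystem.file_path="/boot/*"
        if ev.action != "deleted" or not ev.file_path.startswith("/boot/"):
            continue
        bucket = ev.time - ev.time % span  # fixed-width bins, like tstats span=1h
        g = groups[(bucket, ev.dest, ev.process_guid, ev.action)]
        g["paths"].add(ev.file_path)     # dc(Filesystem.file_path)
        g["first"] = ev.time if g["first"] is None else min(g["first"], ev.time)
        g["last"] = ev.time if g["last"] is None else max(g["last"], ev.time)
    # | where numOfDelFilePath >= 200
    return [
        {"bucket": k[0], "dest": k[1], "process_guid": k[2],
         "numOfDelFilePath": len(g["paths"]), "firstTime": g["first"], "lastTime": g["last"]}
        for k, g in groups.items() if len(g["paths"]) >= threshold
    ]

def sample_events():
    """Constructed events with hypothetical hosts and GUIDs, not real telemetry."""
    t0 = 1_700_000_000 - 1_700_000_000 % SPAN   # start of an hour bucket
    evs = []
    # wiper-like: 250 distinct /boot files removed within minutes by one process -> alert
    evs += [FsEvent(t0 + i, "host-a", "guid-wiper", "deleted", f"/boot/file{i}") for i in range(250)]
    # the same path deleted 300 times: dc() counts it once -> no alert
    evs += [FsEvent(t0 + i, "host-a", "guid-repeat", "deleted", "/boot/tmp.bin") for i in range(300)]
    # 300 deletions outside /boot -> dropped by the WHERE clause
    evs += [FsEvent(t0 + i, "host-b", "guid-tmp", "deleted", f"/tmp/f{i}") for i in range(300)]
    # 250 /boot deletions straddling the hour boundary: 125 land in each bucket -> no alert
    evs += [FsEvent(t0 + SPAN - 125 + i, "host-c", "guid-straddle", "deleted", f"/boot/s{i}") for i in range(250)]
    return evs

if __name__ == "__main__":
    for alert in detect(sample_events()):
        print(alert)
```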