detection.wiki

Detection rules › Sigma

Remove Immutable File Attribute - Auditd

Status
test
Severity
medium
Log source
product linux, service auditd
Author
Jakob Weinzettl, oscd.community
Source
github.com/SigmaHQ/sigma

Detects removing immutable file attribute.

MITRE ATT&CK coverage

TacticTechniques
Defense ImpairmentT1222.002 File and Directory Permissions Modification: Linux and Mac Permissions

Event coverage

ProviderEvent
Linux-AuditdEvent ID 1309

Rule body yaml

title: Remove Immutable File Attribute - Auditd
id: a5b977d6-8a81-4475-91b9-49dbfcd941f7
status: test
description: Detects removing immutable file attribute.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.002/T1222.002.md
author: Jakob Weinzettl, oscd.community
date: 2019-09-23
modified: 2022-11-26
tags:
    - attack.defense-impairment
    - attack.t1222.002
logsource:
    product: linux
    service: auditd
detection:
    selection:
        type: 'EXECVE'
        a0|contains: 'chattr'
        a1|contains: '-i'
    condition: selection
falsepositives:
    - Administrator interacting with immutable files (e.g. for instance backups).
level: medium
simulation:
    - type: atomic-red-team
      name: Remove immutable file attribute
      technique: T1222.002
      atomic_guid: e7469fe2-ad41-4382-8965-99b94dd3c13f

Stages and Predicates

Stage 0: condition

selection

Stage 1: selection

selection:
    type: 'EXECVE'
    a0|contains: 'chattr'
    a1|contains: '-i'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
a0match
  • chattr
a1match
  • -i
typeeq
  • EXECVE