Adversaries may modify sensitive or critical files to alter system behavior or exfiltrate data, leveraging T1565.001 to persist or execute malicious code. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential compromise of critical assets and prevent further lateral movement or data theft.
Detection Rule
title: Potential Suspicious Change To Sensitive/Critical Files
id: 86157017-c2b1-4d4a-8c33-93b8e67e4af4
status: test
description: Detects changes of sensitive and critical files. Monitors files that you don't expect to change without planning on Linux system.
references:
    - https://learn.microsoft.com/en-us/azure/defender-for-cloud/file-integrity-monitoring-overview#which-files-should-i-monitor
author: '@d4ns4n_ (Wuerth-Phoenix)'
date: 2023-05-30
tags:
    - attack.impact
    - attack.t1565.001
logsource:
    category: process_creation
    product: linux
detection:
    selection_img_1:
        Image|endswith:
            - '/cat'
            - '/echo'
            - '/grep'
            - '/head'
            - '/more'
            - '/tail'
        CommandLine|contains: '>'
    selection_img_2:
        Image|endswith:
            - '/emacs'
            - '/nano'
            - '/sed'
            - '/vi'
            - '/vim'
    selection_paths:
        CommandLine|contains:
            - '/bin/login'
            - '/bin/passwd'
            - '/boot/'
            - '/etc/*.conf'
            - '/etc/cron.' # Covers different cron config files "daily", "hourly", etc.
            - '/etc/crontab'
            - '/etc/hosts'
            - '/etc/init.d'
            - '/etc/sudoers'
            - '/opt/bin/'
            - '/sbin' # Covers: '/opt/sbin', '/usr/local/sbin/', '/usr/sbin/'
            - '/usr/bin/'
            - '/usr/local/bin/'
    condition: 1 of selection_img_* and selection_paths
falsepositives:
    - Some false positives are to be expected on user or administrator machines. Apply additional filters as needed.
level: medium
imProcessCreate
| where (
        (
            (TargetProcessName endswith "/cat"
                or TargetProcessName endswith "/echo"
                or TargetProcessName endswith "/grep"
                or TargetProcessName endswith "/head"
                or TargetProcessName endswith "/more"
                or TargetProcessName endswith "/tail")
            and TargetProcessCommandLine contains ">"
        )
        or (TargetProcessName endswith "/emacs"
            or TargetProcessName endswith "/nano"
            or TargetProcessName endswith "/sed"
            or TargetProcessName endswith "/vi"
            or TargetProcessName endswith "/vim")
    )
    and (TargetProcessCommandLine contains "/bin/login"
        or TargetProcessCommandLine contains "/bin/passwd"
        or TargetProcessCommandLine contains "/boot/"
        or (TargetProcessCommandLine contains "/etc/" and TargetProcessCommandLine contains ".conf")
        or TargetProcessCommandLine contains "/etc/cron."
        or TargetProcessCommandLine contains "/etc/crontab"
        or TargetProcessCommandLine contains "/etc/hosts"
        or TargetProcessCommandLine contains "/etc/init.d"
        or TargetProcessCommandLine contains "/etc/sudoers"
        or TargetProcessCommandLine contains "/opt/bin/"
        or TargetProcessCommandLine contains "/sbin"
        or TargetProcessCommandLine contains "/usr/bin/"
        or TargetProcessCommandLine contains "/usr/local/bin/")
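As an added example (not code from the rule's author or the Sigma project), a small Python harness that replays the rule's selections over constructed imProcessCreate-shaped events, side by side with the Sentinel translation; the translation turns the '/etc/*.conf' glob into two order-independent contains tests, so it fires on one constructed command line that the Sigma pattern does not.

```python
import fnmatch

# Selections copied from the Sigma rule above (all lowercase; Sigma and KQL
# 'contains'/'endswith' are case-insensitive, so inputs are lowercased too).
REDIRECT_TOOLS = ("/cat", "/echo", "/grep", "/head", "/more", "/tail")
EDITORS = ("/emacs", "/nano", "/sed", "/vi", "/vim")
SENSITIVE_PATHS = ["/bin/login", "/bin/passwd", "/boot/", "/etc/*.conf",
                   "/etc/cron.", "/etc/crontab", "/etc/hosts", "/etc/init.d",
                   "/etc/sudoers", "/opt/bin/", "/sbin", "/usr/bin/",
                   "/usr/local/bin/"]

# Constructed (image, command line) events shaped like the imProcessCreate columns.
SAMPLE_EVENTS = [
    ("/usr/bin/echo", "echo '10.0.0.5 intranet' >> /etc/hosts"),
    ("/usr/bin/vim", "vim /etc/hosts"),
    ("/usr/bin/cat", "cat /etc/hosts"),                            # read only, no '>'
    ("/usr/bin/sed", "sed -i 's/^nameserver.*/nameserver 10.0.0.2/' /etc/resolv.conf"),
    ("/usr/bin/grep", "grep -ri '.conf' /etc/ > /tmp/out.txt"),   # '.conf' before '/etc/'
    ("/usr/sbin/logrotate", "logrotate /etc/logrotate.conf"),     # image not in rule
    ("/usr/bin/nano", "nano /home/alice/notes.txt"),               # path not sensitive
]

def _image_selected(image, cmd):
    """1 of selection_img_*: a read tool with a shell redirect, or an editor."""
    return (image.endswith(REDIRECT_TOOLS) and ">" in cmd) or image.endswith(EDITORS)

def sigma_match(image, cmd):
    """Rule as written: 'contains' with a glob means the pattern '*' + p + '*'."""
    image, cmd = image.lower(), cmd.lower()
    paths = any(fnmatch.fnmatchcase(cmd, "*" + p + "*") for p in SENSITIVE_PATHS)
    return _image_selected(image, cmd) and paths

def kql_match(image, cmd):
    """Rule as translated for Sentinel: '/etc/*.conf' became
    contains '/etc/' and contains '.conf', with no ordering between them."""
    image, cmd = image.lower(), cmd.lower()
    literal = [p for p in SENSITIVE_PATHS if "*" not in p]
    paths = any(p in cmd for p in literal) or ("/etc/" in cmd and ".conf" in cmd)
    return _image_selected(image, cmd) and paths

def evaluate(events=SAMPLE_EVENTS):
    """Return (command line, Sigma verdict, KQL verdict) for each event."""
    return [(cmd, sigma_match(img, cmd), kql_match(img, cmd)) for img, cmd in events]

if __name__ == "__main__":
    for cmd, sigma, kql in evaluate():
        print(f"sigma={str(sigma):5} kql={str(kql):5}  {cmd}")
```

The grep event is the one the two disagree on; when tuning exclusions for the scenarios below, test them against the KQL form that actually runs in Sentinel, not only the Sigma source.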
Scenario: Scheduled backup job updates a critical configuration file
Example: A backup tool like rsnapshot or Bacula updates a configuration file during a scheduled backup.
Filter/Exclusion: Exclude files that are known to be part of backup processes or use a file path pattern like /etc/backup/ or /var/backups/.
Scenario: System update via package manager modifies a sensitive file
Example: A package manager like apt or yum updates a system configuration file (e.g., /etc/ssh/sshd_config) during an OS update.
Filter/Exclusion: Exclude files that are part of standard system updates or use a file path pattern like /etc/apt/ or /usr/lib/.
Scenario: Admin manually edits a critical file using a text editor
Example: An admin uses vim or nano to modify a file like /etc/hosts or /etc/ssh/sshd_config.
Filter/Exclusion: Exclude files that are known to be manually edited by admins, or use a file path pattern like /etc/ with a note in the rule about admin activity.
Scenario: Log rotation tool modifies log files
Example: A log rotation tool like logrotate modifies log files such as /var/log/syslog or /var/log/auth.log.
Filter/Exclusion: Exclude files that are part of log rotation processes or use a file path pattern like /var/log/ or /etc/logrotate.d/.
Scenario: Configuration management tool (e.g., Ansible, Puppet) applies changes
Example: Ansible or Puppet applies configuration changes to files like /etc/nginx/nginx.conf or /etc/apache2/apache2.conf.
Filter/Exclusion: Exclude files