The hypothesis is that an adversary is attempting to modify or delete critical files by removing their immutable attribute, which could enable persistence or data exfiltration. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential tampering or lateral movement activities early.
Detection Rule
title: Remove Immutable File Attribute
id: 34979410-e4b5-4e5d-8cfb-389fdff05c12
related:
    - id: a5b977d6-8a81-4475-91b9-49dbfcd941f7
      type: derived
status: test
description: Detects usage of the 'chattr' utility to remove the immutable file attribute.
references:
    - https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-15
tags:
    - attack.defense-evasion
    - attack.t1222.002
logsource:
    product: linux
    category: process_creation
detection:
    selection:
        Image|endswith: '/chattr'
        CommandLine|contains: ' -i '
    condition: selection
falsepositives:
    - Administrator interacting with immutable files (e.g. backups).
level: medium
imProcessCreate
| where TargetProcessName endswith "/chattr" and TargetProcessCommandLine contains " -i "
Scenario: System Update via Package Manager
Description: A package manager (e.g., yum, apt, dnf) may attempt to modify files during an update, which could trigger the rule if the file was previously marked as immutable.
Filter/Exclusion: Exclude files located in standard package directories like /usr, /opt, or /var using a filter such as:
file.path != "/usr/*" AND file.path != "/var/*" AND file.path != "/opt/*"
Scenario: Scheduled Job for Log Rotation
Description: A log rotation tool like logrotate may attempt to modify or replace log files, which could temporarily remove the immutable attribute.
Filter/Exclusion: Exclude files in log directories such as /var/log/ using:
file.path contains "/var/log/"
Scenario: Admin Task to Modify Configuration Files
Description: An administrator may use chattr to remove the immutable attribute from a configuration file to apply a necessary change.
Filter/Exclusion: Exclude files in /etc/ that are known to be modified during routine maintenance, e.g., using:
file.path contains "/etc/" AND file.name != "immutable_config_file"
Scenario: File System Check (fsck) During Boot
Description: During system boot, fsck may attempt to repair or modify files, which could temporarily remove the immutable attribute.
Filter/Exclusion: Exclude files in /etc/ or /boot/ using:
(file.path contains "/etc/" OR file.path contains "/boot/") AND file.name != "systemd.conf"
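The following is an added example, not code from the original rule, the Sigma project, or the page's author. It re-implements the Sigma selection from the detection rule (and its KQL equivalent above) over constructed process-creation events, and then applies tuning filters for the package-manager, log-rotation and routine-admin scenarios described above. Two things are assumptions of this example rather than content of the page: the filters key on the target path taken from the chattr command line, because a process_creation event carries no file.path field, and each path-based exclusion is additionally anchored on the expected parent process (ParentImage) so that an interactive shell touching the same directory is still alerted. It also shows an edge case a tuner should know about: the literal substring ' -i ' does not match combined flags such as 'chattr -ia FILE'.

```python
# Added example (not part of the original page or rule): the chattr -i
# selection re-implemented over constructed process_creation events, with
# the false-positive scenarios turned into parent-process-aware exclusions.
import shlex

# Constructed sample events; every path, command line and parent is made up.
SAMPLE_EVENTS = [
    {"Image": "/usr/bin/chattr", "CommandLine": "chattr -i /etc/hosts",
     "ParentImage": "/bin/bash"},
    {"Image": "/usr/bin/chattr", "CommandLine": "chattr -i /var/log/syslog.1",
     "ParentImage": "/usr/sbin/logrotate"},
    {"Image": "/usr/bin/chattr", "CommandLine": "chattr -i /usr/lib/libfoo.so",
     "ParentImage": "/usr/bin/dpkg"},
    {"Image": "/usr/bin/chattr", "CommandLine": "chattr +i /etc/resolv.conf",
     "ParentImage": "/bin/bash"},
    {"Image": "/usr/bin/chattr", "CommandLine": "chattr -ia /srv/app/config.yml",
     "ParentImage": "/bin/bash"},
    {"Image": "/usr/bin/lsattr", "CommandLine": "lsattr -i /etc",
     "ParentImage": "/bin/bash"},
    {"Image": "/usr/bin/chattr", "CommandLine": "chattr -R -i /var/www",
     "ParentImage": "/bin/bash"},
]

# Assumed, site-specific tuning data (the page names the directories only).
PACKAGE_MANAGERS = {"/usr/bin/dpkg", "/usr/bin/apt", "/usr/bin/apt-get",
                    "/usr/bin/yum", "/usr/bin/dnf", "/usr/bin/rpm"}
PACKAGE_DIRS = ("/usr/", "/var/", "/opt/")
KNOWN_ROUTINE_ETC = {"/etc/motd", "/etc/issue"}   # files routinely edited by admins


def sigma_selection(event):
    """Literal port of the rule: Image endswith '/chattr' AND CommandLine contains ' -i '."""
    return event["Image"].endswith("/chattr") and " -i " in event["CommandLine"]


def _argv(event):
    try:
        return shlex.split(event["CommandLine"])
    except ValueError:          # unbalanced quotes in the captured command line
        return event["CommandLine"].split()


def removes_immutable(event):
    """Stricter variant: any '-' flag group containing 'i' (e.g. '-ia', '-R -i')."""
    if not event["Image"].endswith("/chattr"):
        return False
    return any(a.startswith("-") and not a.startswith("--") and "i" in a[1:]
               for a in _argv(event)[1:])


def target_paths(event):
    """Positional arguments of chattr, i.e. the files whose attributes change."""
    return [a for a in _argv(event)[1:] if a[:1] not in ("-", "+", "=")]


def excluded(event):
    """Map the page's scenarios to exclusions; returns the reason or None."""
    targets = target_paths(event)
    parent = event.get("ParentImage", "")
    if not targets:
        return None
    if parent in PACKAGE_MANAGERS and all(t.startswith(PACKAGE_DIRS) for t in targets):
        return "package_manager"
    if parent.endswith("/logrotate") and all(t.startswith("/var/log/") for t in targets):
        return "log_rotation"
    if all(t in KNOWN_ROUTINE_ETC for t in targets):
        return "routine_admin"
    return None


def alerts(events):
    """Command lines that match the strict selection and survive every exclusion."""
    return [e["CommandLine"] for e in events
            if removes_immutable(e) and excluded(e) is None]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(f"{e['CommandLine']!r:45} literal={sigma_selection(e)!s:5} "
              f"strict={removes_immutable(e)!s:5} exclusion={excluded(e)}")
    print("alerts:", alerts(SAMPLE_EVENTS))
```

Running the block prints one triage line per event and then the surviving alerts. Note that the logrotate and dpkg events are suppressed only because both the path and the parent process match; the same /var/www path removed from an interactive shell is still reported, which is the behaviour a path-only exclusion like the ones above would lose.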
Scenario: Backup Tool Modifying Files