Suspicious Modification of Sensitive Linux Files
This threat brief covers the detection of suspicious processes modifying sensitive files on Linux systems, potentially indicating malicious attempts to persist, escalate privileges, or disrupt system operations.
Attackers often target sensitive and critical files on Linux systems to maintain persistence, escalate privileges, or disrupt system operations. These files include system configuration files, authentication files, and critical application files. Monitoring changes to these files is crucial for detecting malicious activity. This brief focuses on identifying suspicious process executions that could indicate unauthorized modification of sensitive files. The detection strategy covers processes…
Detection coverage (3 rules)
Potential Suspicious Change To Sensitive/Critical Files via Redirection
Severity: medium. Detects changes to sensitive and critical files using command-line utilities with output redirection.
Potential Suspicious Change To Sensitive/Critical Files via Text Editors
Severity: medium. Detects changes to sensitive and critical files using text editors like vi, vim, nano, or emacs.
Suspicious Sed Usage on mdadm.conf
Severity: low. Detects suspicious usage of sed to modify mdadm.conf, excluding legitimate mdadm updates.
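The three detections above can be expressed as simple checks over process-execution telemetry. The following is an added example written for this brief, not the platform's own detection queries: it models each rule as a predicate over a process event (image name, command line, parent image) and runs them over a handful of constructed sample events. The list of sensitive paths, the set of shells and editors, and the rule for what counts as a "legitimate mdadm update" (here, a parent process of mdadm or update-initramfs) are all assumptions made for the example; the brief does not specify them.

```python
import re
import shlex
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Paths treated as sensitive/critical. Assumed list for this example; the brief
# does not enumerate the paths its rules watch.
SENSITIVE_PATHS = (
    "/etc/passwd", "/etc/shadow", "/etc/sudoers", "/etc/sudoers.d",
    "/etc/ssh/sshd_config", "/etc/crontab", "/etc/cron.d", "/etc/ld.so.preload",
    "/etc/mdadm/mdadm.conf", "/root/.ssh/authorized_keys",
)
SHELLS = {"sh", "bash", "dash", "zsh", "ksh"}
EDITORS = {"vi", "vim", "nano", "emacs"}
# Parent images treated as legitimate mdadm maintenance. Assumption: the brief
# says the sed rule excludes legitimate mdadm updates but not how it does so.
LEGIT_MDADM_PARENTS = {"mdadm", "update-initramfs"}

RULE_REDIRECT = "Potential Suspicious Change To Sensitive/Critical Files via Redirection"
RULE_EDITOR = "Potential Suspicious Change To Sensitive/Critical Files via Text Editors"
RULE_SED_MDADM = "Suspicious Sed Usage on mdadm.conf"

# Captures the target path of a '>' / '>>' redirection or of 'tee [-a]'.
REDIRECT_RE = re.compile(r"(?:>>?|\btee(?:\s+-a)?)\s*(/[^\s'\"]+)")


@dataclass
class ProcessEvent:
    image: str          # executable name, e.g. "bash", "vim", "sed"
    command_line: str   # full command line as logged
    parent_image: str   # executable name of the parent process


def is_sensitive(path: str) -> bool:
    """True if path is a watched file or lives under a watched directory."""
    return any(path == p or path.startswith(p + "/") for p in SENSITIVE_PATHS)


def detect(ev: ProcessEvent) -> Optional[Tuple[str, str]]:
    """Return (rule_name, severity) for the first rule that matches, else None."""
    try:
        argv = shlex.split(ev.command_line)
    except ValueError:
        argv = ev.command_line.split()  # unbalanced quotes: fall back to whitespace split

    # Rule 1: a shell redirecting output into a sensitive file
    if ev.image in SHELLS:
        for target in REDIRECT_RE.findall(ev.command_line):
            if is_sensitive(target):
                return (RULE_REDIRECT, "medium")

    # Rule 2: an interactive editor opened on a sensitive file
    if ev.image in EDITORS and any(is_sensitive(a) for a in argv[1:]):
        return (RULE_EDITOR, "medium")

    # Rule 3: sed touching mdadm.conf outside of legitimate mdadm maintenance
    if (ev.image == "sed"
            and any(a.endswith("mdadm.conf") for a in argv[1:])
            and ev.parent_image not in LEGIT_MDADM_PARENTS):
        return (RULE_SED_MDADM, "low")

    return None


def scan(events: List[ProcessEvent]) -> List[Tuple[str, str, str]]:
    """Run every event through detect() and keep the hits as (image, rule, severity)."""
    hits = []
    for ev in events:
        match = detect(ev)
        if match:
            hits.append((ev.image, match[0], match[1]))
    return hits


# Constructed sample events (not real telemetry)
SAMPLE_EVENTS = [
    ProcessEvent("bash", "bash -c \"echo 'example' >> /etc/passwd\"", "sshd"),
    ProcessEvent("vim", "vim /etc/ssh/sshd_config", "bash"),
    ProcessEvent("sed", "sed -i 's/^#DEVICE/DEVICE/' /etc/mdadm/mdadm.conf", "bash"),
    ProcessEvent("sed", "sed -i 's/^#DEVICE/DEVICE/' /etc/mdadm/mdadm.conf", "mdadm"),
    ProcessEvent("vim", "vim /home/alice/notes.txt", "bash"),
    ProcessEvent("bash", "bash -c 'ls /etc > /tmp/listing.txt'", "cron"),
]

if __name__ == "__main__":
    for image, rule, sev in scan(SAMPLE_EVENTS):
        print(f"[{sev}] {image}: {rule}")
```

Running the block flags the first three sample events (redirection into /etc/passwd, vim on sshd_config, sed on mdadm.conf from an interactive shell) and stays quiet on the sed call whose parent is mdadm, the editor on a home-directory file, and the redirect into /tmp. In production the same predicates would be fed by auditd, eBPF or an EDR process-creation stream, and the exclusion lists would be tuned against the configuration-management tooling present in the environment.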