File Creation in World-Writable Directory by Unusual Process
This rule detects the creation of files in world-writable directories on Linux systems by an unusual process, which is a common defense evasion tactic for potential lateral movement or malicious payload staging.
This detection rule identifies the creation of files in world-writable directories (e.g., /tmp, /var/tmp, /run, /dev/shm) on Linux systems by processes that are not typically associated with such actions. Attackers frequently leverage these world-writable directories to conceal their activities and facilitate lateral movement within a compromised network. This tactic involves staging malicious payloads or scripts in shared, easily accessible locations, making it harder to trace back to the initial point of intrusion. This rule helps defenders identify anomalous behavior that could indicate a system compromise or an active attacker attempting to establish a foothold. The rule leverages data from Elastic Defend and SentinelOne Cloud Funnel.
Attack Chain
- The attacker gains initial access to the Linux system, possibly through exploiting a vulnerability or using stolen credentials.
- The attacker navigates to a world-writable directory such as /tmp, /var/tmp, /run, or /dev/shm.
- The attacker uses a process like curl, wget, or a scripting language to download or create a malicious payload (e.g., a backdoor or an exploit script) in the world-writable directory.
- The attacker modifies the file permissions using chmod to make the payload executable, if necessary.
- The attacker executes the malicious payload, potentially escalating privileges or establishing persistence.
- The executed payload may establish a reverse shell, allowing the attacker to maintain remote access to the compromised system.
- The attacker uses the compromised system as a pivot point to move laterally within the network, accessing other systems and resources.
- The attacker attempts to further compromise systems to achieve their final objective, such as data exfiltration or system disruption.
Impact
A successful attack using this technique can lead to a complete compromise of the affected Linux system. The attacker could gain unauthorized access to sensitive data, escalate privileges, and use the system as a launchpad for further attacks within the network. The use of world-writable directories to hide malicious files makes detection more difficult, potentially allowing the attacker to remain undetected for an extended period. This can result in significant data breaches, financial losses, and reputational damage.
Recommendation
- Deploy the Sigma rule Detect File Creation in World-Writable Directory by Unusual Process to your SIEM and tune for your environment.
- Investigate any alerts generated by the Sigma rule, focusing on the process lineage, file type, and network activity associated with the file creation event.
- Configure Elastic Defend integration for Linux endpoints as described in the setup instructions to ensure proper data collection for this detection rule.
- Review and restrict permissions on world-writable directories to limit their use to legitimate purposes and reduce the attack surface.
- Monitor process execution events for processes running from unusual locations, especially those within world-writable directories.
Detection coverage (2 rules)
Detect File Creation in World-Writable Directory by Unusual Process
medium: Detects the creation of files in world-writable directories by unusual processes on Linux systems.
Detect Executable Creation in World-Writable Directory
medium: Detects executable file creation in world-writable directories by processes other than package managers.
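As an added illustration (not the rules' own queries or any platform code), the following Python mirrors the core logic of the two rules above and runs it over constructed file-creation events. The directory list comes from the page; the baseline of expected writer processes, the event field names, the octal file-mode field and the sample events are assumptions for the example.

```python
import os
from typing import Dict, Iterable, List

# World-writable directories named by the rule (assumption: prefix match suffices).
WORLD_WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/run/", "/dev/shm/")

# Assumed baseline of processes expected to create files here (package managers
# and similar); a real deployment tunes this list per environment.
EXPECTED_WRITERS = {"dpkg", "apt", "apt-get", "rpm", "yum", "dnf", "systemd"}


def is_world_writable_path(path: str) -> bool:
    """True if the normalized path lies under one of the rule's directories."""
    norm = os.path.normpath(path)          # collapses /tmp/../etc style tricks
    return any(norm.startswith(d) for d in WORLD_WRITABLE_DIRS)


def is_executable_mode(mode: str) -> bool:
    """True if an octal mode string (e.g. '0755') carries any execute bit."""
    try:
        return bool(int(mode, 8) & 0o111)
    except ValueError:
        return False


def matches_unusual_process_rule(event: Dict[str, str]) -> bool:
    """Rule 1: file creation in a world-writable dir by a non-baseline process."""
    if event.get("event_action") != "creation":
        return False
    if not is_world_writable_path(event.get("file_path", "")):
        return False
    return event.get("process_name", "") not in EXPECTED_WRITERS


def matches_executable_rule(event: Dict[str, str]) -> bool:
    """Rule 2: same conditions, but only for files created with execute bits."""
    return matches_unusual_process_rule(event) and is_executable_mode(event.get("file_mode", ""))


def triage(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return events firing rule 1, tagging which also fire rule 2."""
    hits = []
    for e in events:
        if matches_unusual_process_rule(e):
            hits.append({**e, "executable": matches_executable_rule(e)})
    return hits


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"event_action": "creation", "file_path": "/tmp/x.sh", "process_name": "curl", "file_mode": "0644"},
    {"event_action": "creation", "file_path": "/var/tmp/pkg.deb", "process_name": "apt-get", "file_mode": "0644"},
    {"event_action": "creation", "file_path": "/dev/shm/.p", "process_name": "python3", "file_mode": "0755"},
    {"event_action": "creation", "file_path": "/tmp/../etc/cron.d/j", "process_name": "bash", "file_mode": "0644"},
    {"event_action": "modification", "file_path": "/tmp/log", "process_name": "bash", "file_mode": "0600"},
]
```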