Linux Deletion Of Services

Try in Splunk Security Cloud

Description

This analytic is to detect a deletion of services in a linux machine. attacker may delete or modify services to impair some security features or act as defense evasion in a compromised linux machine. This TTP can be also a good indicator of a malware trying to wipe or delete several files in a compromised host as part of its destructive payload like what acidrain malware does in linux or router machines. This detection can be a good pivot to check what process and user tries to delete this type of files which is not so common and need further investigation.

• Type: TTP
• Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
• Datamodel: Endpoint
• Last Updated: 2023-04-27
• Author: Teoderick Contreras, Splunk
• ID: b509bbd3-0331-4aaa-8e4a-d2affe100af6

Annotations

ATT&CK

ATT&CK

ID	Technique	Tactic
T1485	Data Destruction	Impact

T1070.004

File Deletion

Defense Evasion

T1070

Indicator Removal

Defense Evasion

Kill Chain Phase

• Actions On Objectives
• Exploitation

NIST

• DE.CM

CIS20

• CIS 10

CVE

Search

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.action=deleted Filesystem.file_path IN ( "/etc/systemd/*", "*/lib/systemd/*", "*/run/systemd/*") Filesystem.file_path = "*.service" by _time span=1h Filesystem.file_name Filesystem.file_path Filesystem.dest Filesystem.process_guid Filesystem.action 
| `drop_dm_object_name(Filesystem)` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`
| `linux_deletion_of_services_filter`

Macros

The SPL above uses the following Macros:

• security_content_ctime
• security_content_summariesonly

linux_deletion_of_services_filter is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Required fields

List of fields required to use this analytic.

• _time
• Filesystem.dest
• Filesystem.file_create_time
• Filesystem.file_name
• Filesystem.process_guid
• Filesystem.file_path
• Filesystem.action

How To Implement

To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.

Known False Positives

Administrator or network operator can execute this command. Please update the filter macros to remove false positives.

Associated Analytic Story

• AwfulShred
• AcidRain
• Data Destruction

RBA

Risk Score	Impact	Confidence	Message
64.0	80	80	A services file $file_name$ deteted on host $dest$ by process GUID - $process_guid$

The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact is set by the analytic author.

Reference

• https://www.sentinelone.com/labs/acidrain-a-modem-wiper-rains-down-on-europe/
• https://unix.stackexchange.com/questions/224992/where-do-i-put-my-systemd-unit-file
• https://cert.gov.ua/article/3718487

Test Dataset

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

source | version: 2