Description
Monitor for activities and techniques associated with maintaining persistence on a Linux system, a sign that an adversary may have compromised your environment.
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel: Endpoint, Risk
- Last Updated: 2021-12-17
- Author: Teoderick Contreras, Splunk
- ID: e40d13e5-d38b-457e-af2a-e8e6a2f2b516
Narrative
Maintaining persistence is one of the first steps taken by attackers after the initial compromise. Attackers leverage various custom and built-in tools to ensure survivability and persistent access within a compromised enterprise. This Analytic Story provides searches to help you identify various behaviors used by attackers to maintain persistent access to a Linux environment.
Detections
| Name | Technique | Type |
| --- | --- | --- |
| Linux Add Files In Known Crontab Directories | Cron, Scheduled Task/Job | Anomaly |
| Linux Add User Account | Local Account, Create Account | Hunting |
| Linux Adding Crontab Using List Parameter | Cron, Scheduled Task/Job | Hunting |
| Linux At Allow Config File Creation | Cron, Scheduled Task/Job | Anomaly |
| Linux At Application Execution | At, Scheduled Task/Job | Anomaly |
| Linux Change File Owner To Root | Linux and Mac File and Directory Permissions Modification, File and Directory Permissions Modification | Anomaly |
| Linux Common Process For Elevation Control | Setuid and Setgid, Abuse Elevation Control Mechanism | Hunting |
| Linux Doas Conf File Creation | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Anomaly |
| Linux Doas Tool Execution | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Anomaly |
| Linux Edit Cron Table Parameter | Cron, Scheduled Task/Job | Hunting |
| Linux File Created In Kernel Driver Directory | Kernel Modules and Extensions, Boot or Logon Autostart Execution | Anomaly |
| Linux File Creation In Init Boot Directory | RC Scripts, Boot or Logon Initialization Scripts | Anomaly |
| Linux File Creation In Profile Directory | Unix Shell Configuration Modification, Event Triggered Execution | Anomaly |
| Linux Insert Kernel Module Using Insmod Utility | Kernel Modules and Extensions, Boot or Logon Autostart Execution | Anomaly |
| Linux Install Kernel Module Using Modprobe Utility | Kernel Modules and Extensions, Boot or Logon Autostart Execution | Anomaly |
| Linux NOPASSWD Entry In Sudoers File | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Anomaly |
| Linux Persistence and Privilege Escalation Risk Behavior | Abuse Elevation Control Mechanism | Correlation |
| Linux Possible Access Or Modification Of sshd Config File | SSH Authorized Keys, Account Manipulation | Anomaly |
| Linux Possible Access To Credential Files | /etc/passwd and /etc/shadow, OS Credential Dumping | Anomaly |
| Linux Possible Access To Sudoers File | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Anomaly |
| Linux Possible Append Command To At Allow Config File | At, Scheduled Task/Job | Anomaly |
| Linux Possible Append Command To Profile Config File | Unix Shell Configuration Modification, Event Triggered Execution | Anomaly |
| Linux Possible Append Cronjob Entry on Existing Cronjob File | Cron, Scheduled Task/Job | Hunting |
| Linux Possible Cronjob Modification With Editor | Cron, Scheduled Task/Job | Hunting |
| Linux Possible Ssh Key File Creation | SSH Authorized Keys, Account Manipulation | Anomaly |
| Linux Preload Hijack Library Calls | Dynamic Linker Hijacking, Hijack Execution Flow | TTP |
| Linux Service File Created In Systemd Directory | Systemd Timers, Scheduled Task/Job | Anomaly |
| Linux Service Restarted | Systemd Timers, Scheduled Task/Job | Anomaly |
| Linux Service Started Or Enabled | Systemd Timers, Scheduled Task/Job | Anomaly |
| Linux Setuid Using Chmod Utility | Setuid and Setgid, Abuse Elevation Control Mechanism | Anomaly |
| Linux Setuid Using Setcap Utility | Setuid and Setgid, Abuse Elevation Control Mechanism | Anomaly |
| Linux Shred Overwrite Command | Data Destruction | TTP |
| Linux Sudo OR Su Execution | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Hunting |
| Linux Sudoers Tmp File Creation | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Anomaly |
| Linux Visudo Utility Execution | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Anomaly |
Reference
source | version: 1