Linux High Frequency Of File Deletion In Boot Folder
Description
This analytic is to detect a high frequency of file deletion relative to process name and process id /boot/ folder. These events was seen in industroyer2 wiper malware where it tries to delete all files in a critical directory in linux directory. This detection already contains some filter that might cause false positive during our testing.
- Type: TTP
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel: Endpoint
- Last Updated: 2023-04-27
- Author: Teoderick Contreras, Splunk
- ID: e27fbc5d-0445-4c4a-bc39-87f060d5c602
Annotations
ATT&CK
Kill Chain Phase
- Actions On Objectives
- Exploitation
NIST
- DE.CM
CIS20
- CIS 10
CVE
Search
1
2
3
4
5
6
7
| tstats `security_content_summariesonly` values(Filesystem.file_name) as deletedFileNames values(Filesystem.file_path) as deletedFilePath dc(Filesystem.file_path) as numOfDelFilePath count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.action=deleted Filesystem.file_path = "/boot/*" by _time span=1h Filesystem.dest Filesystem.process_guid Filesystem.action
| `drop_dm_object_name(Filesystem)`
| where numOfDelFilePath >= 200
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `linux_high_frequency_of_file_deletion_in_boot_folder_filter`
Macros
The SPL above uses the following Macros:
linux_high_frequency_of_file_deletion_in_boot_folder_filter is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Required fields
List of fields required to use this analytic.
- _time
- Filesystem.dest
- Filesystem.file_create_time
- Filesystem.file_name
- Filesystem.process_guid
- Filesystem.file_path
- Filesystem.action
How To Implement
To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.
Known False Positives
linux package installer/uninstaller may cause this event. Please update you filter macro to remove false positives.
Associated Analytic Story
RBA
Risk Score | Impact | Confidence | Message |
---|---|---|---|
80.0 | 100 | 80 | Multiple files detection in /boot/ folder on $dest$ by process GUID - $process_guid$ |
The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact is set by the analytic author.
Reference
- https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/
- https://cert.gov.ua/article/39518
Test Dataset
Replay any dataset to Splunk Enterprise by using our replay.py
tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
source | version: 2