Try in Splunk Security Cloud
Description
Monitor for activities and techniques associated with Compromised Linux Host attacks. These include unauthorized access attempts, unusual network traffic patterns, and the presence of unknown or suspicious processes. Look for unexpected changes in system files, modifications to configuration files, and the installation of unrecognized software. Pay attention to abnormal resource usage, such as high CPU or memory consumption. Regularly review logs for signs of privilege escalation or lateral movement, and ensure integrity checks are in place to detect tampering with critical system components.
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel:
- Last Updated: 2024-06-25
- Author: Teoderick Contreras, Splunk
- ID: d7ea2fc0-3710-4257-b64f-f3c2a6abebd3
Narrative
In a tale of digital intrusion, Imagine a system administrator noticing unexpected spikes in network traffic and CPU usage. Delving deeper, they find unknown processes running and unfamiliar software installed. System files and configurations show unauthorized modifications, hinting at privilege escalation. Log reviews reveal attempts at lateral movement across the network. The administrator’s vigilance, combined with regular integrity checks, helps uncover and mitigate the threat. This narrative underscores the importance of monitoring and swift action in maintaining a secure Linux environment.
Detections
| Name |
Technique |
Type |
| Linux Auditd Add User Account |
Local Account, Create Account |
Anomaly |
| Linux Auditd Add User Account Type |
Create Account, Local Account |
Anomaly |
| Linux Auditd At Application Execution |
At, Scheduled Task/Job |
Anomaly |
| Linux Auditd Auditd Service Stop |
Service Stop |
Anomaly |
| Linux Auditd Base64 Decode Files |
Deobfuscate/Decode Files or Information |
Anomaly |
| Linux Auditd Change File Owner To Root |
Linux and Mac File and Directory Permissions Modification, File and Directory Permissions Modification |
TTP |
| Linux Auditd Clipboard Data Copy |
Clipboard Data |
Anomaly |
| Linux Auditd Data Destruction Command |
Data Destruction |
TTP |
| Linux Auditd Data Transfer Size Limits Via Split |
Data Transfer Size Limits |
Anomaly |
| Linux Auditd Data Transfer Size Limits Via Split Syscall |
Data Transfer Size Limits |
Anomaly |
| Linux Auditd Database File And Directory Discovery |
File and Directory Discovery |
Anomaly |
| Linux Auditd Dd File Overwrite |
Data Destruction |
TTP |
| Linux Auditd Disable Or Modify System Firewall |
Disable or Modify System Firewall, Impair Defenses |
Anomaly |
| Linux Auditd Doas Conf File Creation |
Sudo and Sudo Caching, Abuse Elevation Control Mechanism |
TTP |
| Linux Auditd Doas Tool Execution |
Sudo and Sudo Caching, Abuse Elevation Control Mechanism |
Anomaly |
| Linux Auditd Edit Cron Table Parameter |
Cron, Scheduled Task/Job |
TTP |
| Linux Auditd File And Directory Discovery |
File and Directory Discovery |
Anomaly |
| Linux Auditd File Permission Modification Via Chmod |
Linux and Mac File and Directory Permissions Modification, File and Directory Permissions Modification |
Anomaly |
| Linux Auditd File Permissions Modification Via Chattr |
Linux and Mac File and Directory Permissions Modification, File and Directory Permissions Modification |
TTP |
| Linux Auditd Find Credentials From Password Managers |
Password Managers, Credentials from Password Stores |
TTP |
| Linux Auditd Find Credentials From Password Stores |
Password Managers, Credentials from Password Stores |
TTP |
| Linux Auditd Find Private Keys |
Private Keys, Unsecured Credentials |
TTP |
| Linux Auditd Find Ssh Private Keys |
Private Keys, Unsecured Credentials |
Anomaly |
| Linux Auditd Hardware Addition Swapoff |
Hardware Additions |
Anomaly |
| Linux Auditd Hidden Files And Directories Creation |
File and Directory Discovery |
TTP |
| Linux Auditd Insert Kernel Module Using Insmod Utility |
Kernel Modules and Extensions, Boot or Logon Autostart Execution |
Anomaly |
| Linux Auditd Install Kernel Module Using Modprobe Utility |
Kernel Modules and Extensions, Boot or Logon Autostart Execution |
Anomaly |
| Linux Auditd Kernel Module Enumeration |
System Information Discovery, Rootkit |
Anomaly |
| Linux Auditd Kernel Module Using Rmmod Utility |
Kernel Modules and Extensions, Boot or Logon Autostart Execution |
TTP |
| Linux Auditd Nopasswd Entry In Sudoers File |
Sudo and Sudo Caching, Abuse Elevation Control Mechanism |
Anomaly |
| Linux Auditd Osquery Service Stop |
Service Stop |
TTP |
| Linux Auditd Possible Access Or Modification Of Sshd Config File |
SSH Authorized Keys, Account Manipulation |
Anomaly |
| Linux Auditd Possible Access To Credential Files |
/etc/passwd and /etc/shadow, OS Credential Dumping |
Anomaly |
| Linux Auditd Possible Access To Sudoers File |
Sudo and Sudo Caching, Abuse Elevation Control Mechanism |
Anomaly |
| Linux Auditd Possible Append Cronjob Entry On Existing Cronjob File |
Cron, Scheduled Task/Job |
Hunting |
| Linux Auditd Preload Hijack Library Calls |
Dynamic Linker Hijacking, Hijack Execution Flow |
TTP |
| Linux Auditd Preload Hijack Via Preload File |
Dynamic Linker Hijacking, Hijack Execution Flow |
TTP |
| Linux Auditd Service Restarted |
Systemd Timers, Scheduled Task/Job |
Anomaly |
| Linux Auditd Service Started |
Service Execution, System Services |
TTP |
| Linux Auditd Setuid Using Chmod Utility |
Setuid and Setgid, Abuse Elevation Control Mechanism |
Anomaly |
| Linux Auditd Setuid Using Setcap Utility |
Setuid and Setgid, Abuse Elevation Control Mechanism |
TTP |
| Linux Auditd Shred Overwrite Command |
Data Destruction |
TTP |
| Linux Auditd Stop Services |
Service Stop |
TTP |
| Linux Auditd Sudo Or Su Execution |
Sudo and Sudo Caching, Abuse Elevation Control Mechanism |
Anomaly |
| Linux Auditd Sysmon Service Stop |
Service Stop |
TTP |
| Linux Auditd System Network Configuration Discovery |
System Network Configuration Discovery |
Anomaly |
| Linux Auditd Unix Shell Configuration Modification |
Unix Shell Configuration Modification, Event Triggered Execution |
TTP |
| Linux Auditd Unload Module Via Modprobe |
Kernel Modules and Extensions, Boot or Logon Autostart Execution |
TTP |
| Linux Auditd Virtual Disk File And Directory Discovery |
File and Directory Discovery |
Anomaly |
| Linux Auditd Whoami User Discovery |
System Owner/User Discovery |
Anomaly |
Reference
source | version: 1