detections
- ID: DT037
- Created: 01st June 2024
- Updated: 07th September 2024
- Platform: Linux
- Contributor: The ITM Team
auditd File Access
Audit Daemon (auditd) is a powerful tool in Linux for tracking and logging system events, including file access. It’s part of the Linux Auditing System, which provides detailed and customizable logging of various types of system activity.
Below is an example auditd rule to detect file access:
sudo nano /etc/audit/rules.d/audit.rules
Opens the auditd rules file with the Nano editor. Add the following line:
-w /path/to/directory -p war -k file_access
-w specifies the file or directory to monitor
-p specifies the permissions to monitor (write, attribute change, read)
-k specifies the key to help identify the rule
To review audit logs related to this rule, we can use ausearch (ausearch -k file_access) or read and retrieve lines from the raw audit logs with grep (sudo grep file_access /var/log/audit/audit.log).
Sections
| ID | Name | Description |
|---|---|---|
| AF015 | File Deletion | A subject deletes a file or files to prevent them from being available for later analysis or to disrupt the availability of a system. This could include log files, files downloaded by the subject, files created by the subject, or system files. |
| AF003 | Timestomping | A subject modifies the modified, accessed, created (MAC) file time attributes to hide new files or obscure changes made to existing files to hinder an investigation by removing a file or files from a timeframe scope.
nTimestomp is part of the nTimetools repository, and it provides tools for working with timestamps on files on the Windows operating system. This tool allows for a user to provide arguments for each timestamp, as well as the option to set all timestamps to the same value.
Linux has the built-in command
The argument |
| PR041 | Credential Collection | A subject collects, copies, retrieves, exports, records, or stages credentials, secrets, keys, certificates, tokens, or other authentication material in preparation for later access or misuse. This behavior may involve credentials assigned to the subject, credentials assigned to another individual, shared credentials, service account credentials, or authentication material discovered in exposed locations such as tickets, repositories, documentation, configuration files, scripts, password managers, or secrets vaults.
Credential collection becomes a preparatory concern when the subject’s handling of authentication material exceeds their legitimate operational need or indicates future use outside approved access processes. The behavior may include saving credentials to local files, screenshots, notes, spreadsheets, personal password managers, clipboard history, removable media, or other locations where they can be reused later.
This preparation may precede unauthorized access, internal credential sharing, privilege misuse, data collection, sabotage, or anti-forensic measures to mislead attribution. |
| PR003.007 | Installing Messenger Applications | A subject installs an unapproved messenger application with the ability to transmit data and/or files across the Internet. |
| IF014.006 | Deletion of Other IT Resources | The subject deletes IT resources resulting in harm to the organization. Examples include virtual machines, virtual disk images, user accounts, and DNS records. |