Detects a file being made immutable using the chattr binary. Making a file immutable means it cannot be deleted or renamed, no link can be created to this file, most of the file’s metadata can not be modified, and the file can not be opened in write mode. Threat actors will commonly utilize this to prevent tampering or modification of their malicious files or any system files they have modified for purposes of persistence (e.g .ssh, /etc/passwd, etc.).
Rule type: eql
Risk score: 47
Runs every: 5 minutes
Maximum alerts per execution: 33
- Threat Detection
- Defense Evasion
Version: 100 (version history)
Added (Elastic Stack release): 8.4.0
Last modified (Elastic Stack release): 8.5.0
Rule authors: Elastic
Rule license: Elastic License v2
process where event.type == "start" and user.name == "root" and process.executable : "/usr/bin/chattr" and process.args : ("-*i*", "+*i*") and not process.parent.executable: "/lib/systemd/systemd"
Framework: MITRE ATT&CKTM
- Version 100 (8.5.0 release)
- Formatting only