Update linux_auditd_base64_decode_files.yml

splunk · Jan 23, 2025 · 3228a5a · 3228a5a
1 parent aa1c8fa
commit 3228a5a
Showing 1 changed file with 27 additions and 27 deletions.
diff --git a/detections/endpoint/linux_auditd_base64_decode_files.yml b/detections/endpoint/linux_auditd_base64_decode_files.yml
@@ -1,24 +1,25 @@
-name: Linux Auditd Change File Owner To Root
-id: 7b87c556-0ca4-47e0-b84c-6cd62a0a3e90
-version: 4
+name: Linux Auditd Base64 Decode Files
+id: 5890ba10-4e48-4dc0-8a40-3e1ebe75e737
+version: 3
 date: '2024-11-13'
 author: Teoderick Contreras, Splunk
 status: production
-type: TTP
-description: The following analytic detects the use of the 'chown' command to change
-  a file owner to 'root' on a Linux system. It leverages Linux Auditd telemetry, specifically
-  monitoring command-line executions and process details. This activity is significant
-  as it may indicate an attempt to escalate privileges by adversaries, malware, or
-  red teamers. If confirmed malicious, this action could allow an attacker to gain
-  root-level access, leading to full control over the compromised host and potential
-  persistence within the environment.
+type: Anomaly
+description: The following analytic detects suspicious Base64 decode operations that
+  may indicate malicious activity, such as data exfiltration or execution of encoded
+  commands. Base64 is commonly used to encode data for safe transmission, but attackers
+  may abuse it to conceal malicious payloads. This detection focuses on identifying
+  unusual or unexpected Base64 decoding processes, particularly when associated with
+  critical files or directories. By monitoring these activities, the analytic helps
+  uncover potential threats, enabling security teams to respond promptly and mitigate
+  risks associated with encoded malware or unauthorized data access.
 data_source:
-- Linux Auditd Proctitle
-search: '`linux_auditd` `linux_auditd_normalized_proctitle_process`| rename host as
-  dest | where LIKE (process_exec, "%chown %root%") | stats count min(_time) as firstTime
-  max(_time) as lastTime by process_exec proctitle normalized_proctitle_delimiter
-  dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`|
-  `linux_auditd_change_file_owner_to_root_filter`'
+- Linux Auditd Execve
+search: '`linux_auditd` `linux_auditd_normalized_execve_process` | rename host as
+  dest | where LIKE(process_exec, "%base64%") AND (LIKE(process_exec, "%-d %") OR
+  LIKE(process_exec, "% --d%")) | stats count min(_time) as firstTime max(_time) as
+  lastTime by argc process_exec dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`|
+  `linux_auditd_base64_decode_files_filter`'
 how_to_implement: To implement this detection, the process begins by ingesting auditd
   data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line
   executions and process details on Unix/Linux systems. These logs should be ingested
@@ -28,11 +29,11 @@ how_to_implement: To implement this detection, the process begins by ingesting a
   Common Information Model (CIM) to ensure consistency across different data sources
   and enhance the efficiency of data modeling. This approach enables effective monitoring
   and detection of linux endpoints where auditd is deployed
-known_false_positives: Administrator or network operator can execute this command.
-  Please update the filter macros to remove false positives.
+known_false_positives: Administrator or network operator can use this application
+  for automation purposes. Please update the filter macros to remove false positives.
 references:
-- https://unix.stackexchange.com/questions/101073/how-to-change-permissions-from-root-user-to-all-users
-- https://askubuntu.com/questions/617850/changing-from-user-to-superuser
+- https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html
+- https://gtfobins.github.io/gtfobins/dd/
 drilldown_searches:
 - name: View the detection results for - "$dest$"
   search: '%original_detection_search% | search  dest = "$dest$"'
@@ -48,12 +49,12 @@ drilldown_searches:
   earliest_offset: $info_min_time$
   latest_offset: $info_max_time$
 rba:
-  message: A [$process_exec$] event occurred on host - [$dest$] to change a file owner
-    to root.
+  message: A [$process_exec$] event occurred on host - [$dest$] to decode a file using
+    base64.
   risk_objects:
   - field: dest
     type: system
-    score: 64
+    score: 25
   threat_objects: []
 tags:
   analytic_story:
@@ -63,8 +64,7 @@ tags:
   - Compromised Linux Host
   asset_type: Endpoint
   mitre_attack_id:
-  - T1222.002
-  - T1222
+  - T1140
   product:
   - Splunk Enterprise
   - Splunk Enterprise Security
@@ -74,6 +74,6 @@ tests:
 - name: True Positive Test
   attack_data:
   - data: 
-      https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.002/linux_auditd_chown_root/linux_auditd_chown_root.log
+      https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1140/linux_auditd_base64/linux_auditd_base64.log
     source: /var/log/audit/audit.log
     sourcetype: linux:audit