
Boot File Copy

Elastic Detection Rules

Summary
The Boot File Copy rule is designed to detect unauthorized file operations in the `/boot` directory of Linux systems, an area critical to the boot process. Attackers target this directory to tamper with essential files, including kernel and initramfs images, in order to maintain persistence and control over a compromised system. The rule uses EQL (Event Query Language) to monitor process activity, specifically looking for executions of `cp` and `mv` whose arguments target the `/boot` directory, while excluding known legitimate processes. It draws on several data sources, including Elastic Defend and CrowdStrike, and requires configuration through the Elastic Agent with Fleet. With a relatively low risk score of 21, the detection aims to provide visibility into potential threats while minimizing false positives by filtering out legitimate activity associated with system maintenance tasks.
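To make the detection logic concrete, the following is an added example (not the rule's own EQL and not code from Elastic) that re-implements the described matching in Python and runs it over a handful of constructed process events. The event field names (`name`, `args`, `parent_name`, `user`) and the allow-list of parent processes (`ASSUMED_LEGIT_PARENTS`) are assumptions made for illustration; the real rule's exclusion list is not shown on this page. The example also covers one edge case a practitioner tuning this rule should care about: a path such as `/bootstrap/...` must not match a naive `/boot` prefix check.

```python
"""
Added example: a Python re-implementation of the "cp/mv targeting /boot" logic
described in the Boot File Copy rule summary, run over constructed events.
This is NOT the Elastic rule's EQL; field names and the parent-process
allow-list are assumptions for illustration only.
"""
from dataclasses import dataclass
from typing import List


@dataclass
class ProcessEvent:
    """Minimal process-execution record (constructed shape, not an ECS document)."""
    name: str            # executable name, e.g. "cp"
    args: List[str]      # arguments after the command name
    parent_name: str     # parent process name
    user: str = "root"


# ASSUMPTION: parents that legitimately touch /boot (package managers and
# kernel/initramfs tooling). Illustrative only; tune to your own fleet.
ASSUMED_LEGIT_PARENTS = {"dpkg", "rpm", "update-initramfs", "dracut", "grub-mkconfig"}

BOOT_DIR = "/boot"
WATCHED_COMMANDS = {"cp", "mv"}


def targets_boot(arg: str) -> bool:
    """True only if the argument is /boot itself or a path inside it.

    A bare startswith("/boot") would also match "/bootstrap/app.jar", so the
    check requires either an exact match or a trailing path separator.
    """
    return arg == BOOT_DIR or arg.startswith(BOOT_DIR + "/")


def is_boot_file_copy(ev: ProcessEvent) -> bool:
    """Apply the rule's three conditions: watched command, /boot argument,
    and not launched by an allow-listed (assumed legitimate) parent."""
    if ev.name not in WATCHED_COMMANDS:
        return False
    if ev.parent_name in ASSUMED_LEGIT_PARENTS:
        return False
    return any(targets_boot(a) for a in ev.args)


def detect(events: List[ProcessEvent]) -> List[ProcessEvent]:
    """Return the subset of events the detection would alert on."""
    return [ev for ev in events if is_boot_file_copy(ev)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Interactive shell replacing a kernel image -> should alert
    ProcessEvent("cp", ["/tmp/vmlinuz-new", "/boot/vmlinuz-6.1"], "bash"),
    # Renaming an initramfs from a shell -> should alert
    ProcessEvent("mv", ["/boot/initrd.img-6.1", "/boot/initrd.img-6.1.bak"], "bash"),
    # Package manager copying a config out of /boot -> excluded by allow-list
    ProcessEvent("cp", ["/boot/config-6.1", "/tmp/"], "dpkg"),
    # Ordinary copy with no /boot argument -> no match
    ProcessEvent("cp", ["/etc/hosts", "/tmp/hosts"], "bash"),
    # Prefix edge case: "/bootstrap" is not "/boot" -> no match
    ProcessEvent("cp", ["/bootstrap/app.jar", "/opt/app.jar"], "bash"),
    # Kernel tooling regenerating boot files -> excluded by allow-list
    ProcessEvent("cp", ["/boot/grub/grub.cfg", "/boot/grub/grub.cfg.bak"], "dracut"),
]


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"ALERT user={hit.user} parent={hit.parent_name} "
              f"cmd={hit.name} args={' '.join(hit.args)}")
```

Two of the six constructed events produce alerts: the shell-launched `cp` into `/boot` and the shell-launched `mv` within `/boot`. The `dpkg` and `dracut` events are suppressed by the assumed allow-list, which is where most of the rule's false-positive tuning lives in practice; the `/bootstrap` case shows why the path check must be anchored on a directory boundary rather than a plain string prefix.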
Categories
  • Linux
  • Endpoint
Data Sources
  • Process
  • File
  • Application Log
  • Kernel
  • Network Traffic
ATT&CK Techniques
  • T1542
  • T1543
  • T1574
  • T1059
  • T1059.004
Created: 2025-01-16