
Summary
This rule detects suspicious creation of GRUB configuration files on Linux systems. These files are critical for booting and managing the operating system, so attackers may create or modify them to execute malicious code or escalate privileges, potentially gaining persistence on the compromised system. The rule uses EQL to identify creation events for the specified GRUB configuration files, with exclusions for legitimate processes that would otherwise trigger false positives, such as package managers and configuration management tools. The investigation guide elaborates on response actions for incidents that trigger this rule, recommending isolation of affected systems, thorough investigation of unauthorized changes, and enhanced monitoring to prevent future attacks.
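As an added illustration (not the rule's own EQL, and not code from the rule's authors), the following Python replays constructed file-creation events through the detection logic the summary describes: a file creation whose path is a GRUB configuration file and whose creating process is not on an exclusion list. The watched paths and the excluded process names are assumptions for the example; the page does not list the exact set the rule uses.

```python
"""Added example: a Python model of the detection logic described in the summary,
run over constructed file events. The GRUB paths and exclusion list below are
assumptions for illustration, not the rule's actual configuration."""
import fnmatch

# Assumed GRUB configuration locations on common Linux distributions.
GRUB_CONFIG_PATTERNS = [
    "/etc/default/grub",
    "/etc/default/grub.d/*",
    "/etc/grub.d/*",
    "/boot/grub/grub.cfg",
    "/boot/grub2/grub.cfg",
    "/boot/efi/EFI/*/grub.cfg",
]

# Assumed exclusions: package managers, GRUB's own tooling and configuration
# management agents that legitimately (re)create these files.
EXCLUDED_PROCESS_NAMES = {
    "dpkg", "rpm", "yum", "dnf", "apt", "apt-get",
    "grub-mkconfig", "grub2-mkconfig", "update-grub",
    "ansible", "puppet", "chef-client", "salt-minion",
}


def is_grub_config(path):
    """True if the path matches one of the watched GRUB configuration patterns."""
    return any(fnmatch.fnmatchcase(path, pattern) for pattern in GRUB_CONFIG_PATTERNS)


def evaluate_event(event):
    """Return True when an event matches the rule: a file *creation* of a GRUB
    configuration file by a process that is not on the exclusion list."""
    if event.get("event_type") != "creation":
        return False  # the rule looks only at creation events
    if not is_grub_config(event.get("file_path", "")):
        return False
    if event.get("process_name") in EXCLUDED_PROCESS_NAMES:
        return False  # legitimate writer, suppressed to avoid false positives
    return True


def find_alerts(events):
    """Filter a stream of events down to the ones that would raise an alert."""
    return [event for event in events if evaluate_event(event)]


# Constructed sample telemetry for the demonstration (not real data).
SAMPLE_EVENTS = [
    {"event_type": "creation", "file_path": "/etc/default/grub",
     "process_name": "dpkg", "user": "root"},                      # package manager: excluded
    {"event_type": "creation", "file_path": "/boot/grub/grub.cfg",
     "process_name": "grub-mkconfig", "user": "root"},             # GRUB tooling: excluded
    {"event_type": "creation", "file_path": "/etc/grub.d/99_custom",
     "process_name": "bash", "user": "root"},                      # shell writing a new GRUB script: alert
    {"event_type": "modification", "file_path": "/etc/default/grub",
     "process_name": "vim", "user": "root"},                       # modification, not creation: no alert
    {"event_type": "creation", "file_path": "/home/alice/notes.txt",
     "process_name": "bash", "user": "alice"},                     # unrelated path: no alert
]

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS):
        print(f"ALERT: {alert['process_name']} created {alert['file_path']} as {alert['user']}")
```

Of the five constructed events, only the shell creating `/etc/grub.d/99_custom` is flagged. The `vim` modification of `/etc/default/grub` is deliberately left unflagged to show the scope the summary gives the rule (creation events); a deployment that also wants to catch edits of existing GRUB files would need a separate rule or a broadened event filter, and would have to extend the exclusion list accordingly.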
Categories
- Linux
- Endpoint
Data Sources
- File
- Logon Session
- Process
ATT&CK Techniques
- T1542
- T1543
- T1574
Created: 2025-01-16