update descriptions

nasbench · nasbench · commit 8cff5c05ebab · 2025-12-03T00:23:36.000+01:00
diff --git a/detections/endpoint/linux_auditd_possible_access_or_modification_of_sshd_config_file.yml b/detections/endpoint/linux_auditd_possible_access_or_modification_of_sshd_config_file.yml
@@ -6,9 +6,10 @@ author: Teoderick Contreras, Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly
 description: |
-  The following analytic detects suspicious access or modification of the sshd_config file on Linux systems.
-  It leverages data from Linux Auditd, focusing on command-line executions involving processes like "cat", "nano", "vim", and "vi" accessing the sshd_config file.
-  This activity is significant because unauthorized changes to sshd_config can allow threat actors to redirect port connections or use unauthorized keys, potentially compromising the system.
+  The following analytic detects access, deletion or modification of the ssh_config file on Linux systems.
+  It leverages data from Linux Auditd, focusing on events of type PATH with a nametype of ("NORMAL", "CREATE", "DELETE").
+  This activity could be significant because unauthorized changes to ssh_config can allow threat actors to redirect port connections or use unauthorized keys, potentially compromising the system.
+  Correlate this with related EXECVE or PROCTITLE events to identify the process or user responsible for the access or modification.
   If confirmed malicious, this could lead to unauthorized access, privilege escalation, or persistent backdoor access, posing a severe security risk.
 data_source:
   - Linux Auditd Path
diff --git a/detections/endpoint/linux_auditd_possible_access_to_sudoers_file.yml b/detections/endpoint/linux_auditd_possible_access_to_sudoers_file.yml
@@ -7,8 +7,9 @@ status: production
 type: Anomaly
 description: |
   The following analytic detects potential access or modification of the /etc/sudoers file on a Linux system.
-  It leverages data from Linux Auditd, focusing on processes like "cat," "nano," "vim," and "vi" accessing the /etc/sudoers file.
-  This activity is significant because the sudoers file controls user permissions for executing commands with elevated privileges.
+  It leverages data from Linux Auditd, focusing on events of type PATH or CWD.
+  This activity could be significant because the sudoers file controls user permissions for executing commands with elevated privileges.
+  Correlate this with related EXECVE or PROCTITLE events to identify the process or user responsible for the access or modification.
   If confirmed malicious, an attacker could gain persistence or escalate privileges, compromising the security of the targeted host.
 data_source:
   - Linux Auditd Path
diff --git a/detections/endpoint/linux_auditd_possible_append_cronjob_entry_on_existing_cronjob_file.yml b/detections/endpoint/linux_auditd_possible_append_cronjob_entry_on_existing_cronjob_file.yml
@@ -6,9 +6,10 @@ author: Teoderick Contreras, Splunk
 status: production
 type: Hunting
 description: |
-  The following analytic detects potential tampering with cronjob files on a Linux system by identifying 'echo' commands that append code to existing cronjob files.
-  It leverages logs from Linux Auditd, focusing on process names, parent processes, and command-line executions.
-  This activity is significant because adversaries often use it for persistence or privilege escalation.
+  The following analytic detects potential tampering with cronjob files on a Linux system.
+  It leverages logs from Linux Auditd, focusing on events of type PATH or CWD.
+  This activity could be significant because adversaries often use it for persistence or privilege escalation.
+  Correlate this with related EXECVE or PROCTITLE events to identify the process or user responsible for the access or modification.
   If confirmed malicious, this could allow attackers to execute unauthorized code automatically, leading to system compromises and unauthorized data access, thereby impacting business operations and data integrity.
 data_source:
   - Linux Auditd Path
diff --git a/detections/endpoint/linux_auditd_preload_hijack_via_preload_file.yml b/detections/endpoint/linux_auditd_preload_hijack_via_preload_file.yml
@@ -9,6 +9,7 @@ description: |
   The following analytic detects suspicious preload hijacking via the `preload` file, which may indicate an attacker's attempt to intercept or manipulate library loading processes.
   The `preload` file can be used to force the loading of specific libraries before others, potentially allowing malicious code to execute or alter application behavior.
   By monitoring for unusual or unauthorized modifications to the `preload` file, this analytic helps identify attempts to hijack preload mechanisms, enabling security teams to investigate and address potential threats to system integrity and security.
+  Correlate this with related EXECVE or PROCTITLE events to identify the process or user responsible for the access or modification.
 data_source:
   - Linux Auditd Path
   - Linux Auditd Cwd
diff --git a/detections/endpoint/linux_auditd_unix_shell_configuration_modification.yml b/detections/endpoint/linux_auditd_unix_shell_configuration_modification.yml
@@ -6,14 +6,11 @@ author: Teoderick Contreras, Splunk
 status: production
 type: TTP
 description: |
-  The following analytic detects suspicious modifications to Unix shell
-  configuration files, which may indicate an attempt to alter system behavior or gain
-  unauthorized access. Unix shell configuration files, such as `.bashrc` or `.profile`,
-  control user environment settings and command execution. Unauthorized changes to
-  these files can be used to execute malicious commands, escalate privileges, or hide
-  malicious activities. By monitoring for unusual or unauthorized modifications to
-  shell configuration files, this analytic helps identify potential security threats,
-  allowing security teams to respond quickly and mitigate risks.
+  The following analytic detects suspicious access or modifications to Unix shell configuration files, which may indicate an attempt to alter system behavior or gain unauthorized access.
+  Unix shell configuration files, such as `.bashrc` or `.profile`, control user environment settings and command execution.
+  Unauthorized changes to these files can be used to execute malicious commands, escalate privileges, or hide malicious activities.
+  By monitoring for unusual or unauthorized modifications to shell configuration files, this analytic helps identify potential security threats, allowing security teams to respond quickly and mitigate risks.
+  Correlate this with related EXECVE or PROCTITLE events to identify the process or user responsible for the access or modification.
 data_source:
   - Linux Auditd Path
   - Linux Auditd Cwd
diff --git a/detections/endpoint/linux_magic_sysrq_key_abuse.yml b/detections/endpoint/linux_magic_sysrq_key_abuse.yml
@@ -9,6 +9,7 @@ description: |
   Detects potential abuse of the Linux Magic SysRq (System Request) key by adversaries with root or sufficient privileges to manipulate or destabilize a system.
   Writing to /proc/sysrq-trigger can crash the system, kill processes, or bypass standard logging.
   Monitoring SysRq abuse helps detect stealthy post-exploitation activity.
+  Correlate with related EXECVE or PROCTITLE events to identify the process or user responsible for the access or modification.
 data_source:
   - Linux Auditd Path
   - Linux Auditd Cwd
