Critical system binary modified

Tactic:

TA0005-defense-evasion

Technique:

T1036-masquerading

Framework:

pci

Control:

11.5

このページは日本語には対応しておりません。随時翻訳に取り組んでいます。翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください。

Goal

Detect modifications of critical system binaries.

Strategy

PCI-DSS is the payment-card industry’s compliance framework. Any systems that handle credit card data and transactions from the major credit card companies must be PCI-DSS compliance. Control 11.5 of the PCI-DSS framework states that organizations must “alert personnel to unauthorized modifications (including changes, additions, and deletions) of critical system files, configuration files, or content files”. On Linux, critical system binaries are typically stored in /bin/, /sbin/, or /usr/sbin/. This rule tracks any modifications to those directories.

Triage and response

  1. Identify which user or process changed the critical system binaries.
  2. If these changes were not authorized, and you cannot confirm the safety of the changes, roll back the host or container in question to an acceptable configuration.

Requires Agent version 7.27 or greater