Critical system binary modified


Goal

Detect modifications of critical system binaries.

Strategy

PCI-DSS is the payment-card industry's compliance framework. Any system that handles cardholder data or transactions for the major card brands must be PCI-DSS compliant. Control 11.5 of the PCI-DSS framework requires organizations to deploy a change-detection mechanism that "alert[s] personnel to unauthorized modifications (including changes, additions, and deletions) of critical system files, configuration files, or content files". On Linux, critical system binaries are typically stored in /bin/, /sbin/, or /usr/sbin/. This rule tracks any modification to files in those directories. Note that package managers (dpkg, apt, rpm, dnf) legitimately write to these directories during upgrades, so a signal is expected during patching and should be attributed to the process that made the change before it is treated as unauthorized.

Triage and response

  1. Identify which user or process changed the critical system binaries, and whether the change matches an authorized package update or deployment.
  2. If the change was not authorized and you cannot confirm it is safe, roll back the affected host or container to a known-good configuration.

Requires Agent version 7.27 or greater