fix auditd PATH type detections (#3810)

---------

Co-authored-by: Nasreddine Bencherchali <[email protected]>

Author: nasbench

data_sources/linux_auditd_cwd.yml

@@ -0,0 +1,25 @@
+name: Linux Auditd Cwd
+id: a9ef851b-d864-478b-b1b3-76535d7ff7fc
+version: 1
+date: '2025-12-02'
+author: Nasreddine Bencherchali, Splunk
+description: This type is used to record the working directory from which the process that invoked the system call specified in the first record was executed. The purpose of this record is to record the current process's location in case a relative path winds up being captured in the associated PATH record. This way the absolute path can be reconstructed.
+source: auditd
+sourcetype: auditd
+separator: type
+separator_value: CWD
+configuration: https://github.com/Neo23x0/auditd/blob/master/audit.rules
+supported_TA:
+- name: Splunk Add-on for Unix and Linux
+  url: https://splunkbase.splunk.com/app/833
+  version: 10.2.0
+fields:
+- cwd
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- msg
+- type
+example_log: 'type=CWD msg=audit(11/20/2025 16:57:48.909:110027) : cwd=/etc/ssh'

detections/endpoint/linux_auditd_doas_conf_file_creation.yml

@@ -1,78 +1,110 @@
 name: Linux Auditd Doas Conf File Creation
 id: 61059783-574b-40d2-ac2f-69b898afd6b4
-version: 7
-date: '2025-06-10'
-author: Teoderick Contreras, Splunk
+version: 8
+date: '2025-11-27'
+author: Teoderick Contreras, Nasreddine Bencherchali, Splunk
 status: production
 type: TTP
-description: The following analytic detects the creation of the doas.conf file on
-  a Linux host. This file is used by the doas utility to allow standard users to perform
-  tasks as root, similar to sudo. The detection leverages Linux Auditd data, focusing
-  on the creation of the doas.conf file. This activity is significant because it can
-  indicate an attempt to gain elevated privileges, potentially by an adversary. If
-  confirmed malicious, this could allow an attacker to execute commands with root
-  commands with root privileges, leading to full system compromise.
+description: |
+  The following analytic detects the creation of the doas.conf file on a Linux host.
+  This file is used by the doas utility to allow standard users to perform tasks as root, similar to sudo.
+  The detection leverages Linux Auditd data, focusing on the creation of the doas.conf file.
+  This activity is significant because it can indicate an attempt to gain elevated privileges, potentially by an adversary. If confirmed malicious, this could allow an attacker to execute commands with root commands with root privileges, leading to full system compromise.
 data_source:
-- Linux Auditd Path
-search: '`linux_auditd` type=PATH name ="/etc/doas.conf*" 
-  | rename host as dest 
-  | stats count min(_time) as firstTime max(_time) as lastTime 
-  by name nametype ogid type dest 
+  - Linux Auditd Path
+  - Linux Auditd Cwd
+search: |
+  `linux_auditd`
+  (
+    (type=PATH nametype="CREATE")
+    OR
+    type=CWD
+  )
+  | rex "msg=audit\([^)]*:(?<audit_id>\d+)\)"
+
+  | stats
+    values(type) as types
+    values(name) as names
+    values(nametype) as nametype
+    values(cwd) as cwd_list
+    values(_time) as event_times
+    by audit_id host
+
+  | eval current_working_directory = coalesce(mvindex(cwd_list, 0), "N/A")
+  | eval candidate_paths = mvmap(names, if(match(names, "^/"), names, current_working_directory + "/" + names))
+  | eval matched_paths = mvfilter(match(candidate_paths, "/etc/doas.conf.*"))
+  | eval match_count = mvcount(matched_paths)
+  | eval reconstructed_path = mvindex(matched_paths, 0)
+  | eval e_time = mvindex(event_times, 0)
+  | where match_count > 0
+  | rename host as dest
+
+  | stats count min(e_time) as firstTime max(e_time) as lastTime
+    values(nametype) as nametype
+    by current_working_directory
+       reconstructed_path
+       match_count
+       dest
+       audit_id
+
   | `security_content_ctime(firstTime)`
   | `security_content_ctime(lastTime)`
-  | `linux_auditd_doas_conf_file_creation_filter`'
-how_to_implement: To implement this detection, the process begins by ingesting auditd
+  | table nametype current_working_directory reconstructed_path dest audit_id match_count firstTime lastTime
+  | `linux_auditd_doas_conf_file_creation_filter`
+how_to_implement: |
+  To implement this detection, the process begins by ingesting auditd
   data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line
   executions and process details on Unix/Linux systems. These logs should be ingested
   and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833),
   which is essential for correctly parsing and categorizing the data. The next step
   involves normalizing the field names  to match the field names set by the Splunk
   Common Information Model (CIM) to ensure consistency across different data sources
-  and enhance the efficiency of data modeling. This approach enables effective monitoring
-  and detection of linux endpoints where auditd is deployed
-known_false_positives: Administrator or network operator can execute this command.
+  and enhance the efficiency of data modeling and make sure the type=CWD record type is activate in your auditd configuration.
+  This approach enables effective monitoring and detection of linux endpoints where auditd is deployed.
+known_false_positives: |
+  Administrator or network operator can execute this command.
   Please update the filter macros to remove false positives.
 references:
-- https://wiki.gentoo.org/wiki/Doas
-- https://www.makeuseof.com/how-to-install-and-use-doas/
+  - https://wiki.gentoo.org/wiki/Doas
+  - https://www.makeuseof.com/how-to-install-and-use-doas/
 drilldown_searches:
-- name: View the detection results for - "$dest$"
-  search: '%original_detection_search% | search  dest = "$dest$"'
-  earliest_offset: $info_min_time$
-  latest_offset: $info_max_time$
-- name: View risk events for the last 7 days for - "$dest$"
-  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$")
-    starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime
-    values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories)
-    as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic)
-    as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)`
-    | `security_content_ctime(lastTime)`'
-  earliest_offset: $info_min_time$
-  latest_offset: $info_max_time$
+  - name: View the detection results for - "$dest$"
+    search: '%original_detection_search% | search  dest = "$dest$"'
+    earliest_offset: $info_min_time$
+    latest_offset: $info_max_time$
+  - name: View risk events for the last 7 days for - "$dest$"
+    search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$")
+      starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime
+      values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories)
+      as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic)
+      as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)`
+      | `security_content_ctime(lastTime)`'
+    earliest_offset: $info_min_time$
+    latest_offset: $info_max_time$
 rba:
-  message: A [$type$] event occurred on host - [$dest$] to create a doas.conf file.
+  message: A $reconstructed_path$ file was created on host - [$dest$]
   risk_objects:
-  - field: dest
-    type: system
-    score: 64
+    - field: dest
+      type: system
+      score: 64
   threat_objects: []
 tags:
   analytic_story:
-  - Linux Privilege Escalation
-  - Linux Persistence Techniques
-  - Compromised Linux Host
+    - Linux Privilege Escalation
+    - Linux Persistence Techniques
+    - Compromised Linux Host
   asset_type: Endpoint
   mitre_attack_id:
-  - T1548.003
+    - T1548.003
   product:
-  - Splunk Enterprise
-  - Splunk Enterprise Security
-  - Splunk Cloud
+    - Splunk Enterprise
+    - Splunk Enterprise Security
+    - Splunk Cloud
   security_domain: endpoint
 tests:
-- name: True Positive Test
-  attack_data:
-  - data: 
-      https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.003/linux_audited_doas_conf/linux_path_doas_config.log
-    source: auditd
-    sourcetype: auditd
+  - name: True Positive Test
+    attack_data:
+    - data:
+        https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.003/auditd_path_cwd_doas_conf/path_doas.log
+      source: auditd
+      sourcetype: auditd

detections/endpoint/linux_auditd_possible_access_or_modification_of_sshd_config_file.yml

@@ -1,81 +1,111 @@
 name: Linux Auditd Possible Access Or Modification Of Sshd Config File
 id: acb3ea33-70f7-47aa-b335-643b3aebcb2f
-version: 7
-date: '2025-06-10'
-author: Teoderick Contreras, Splunk
+version: 8
+date: '2025-11-27'
+author: Teoderick Contreras, Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly
-description: The following analytic detects suspicious access or modification of the
-  sshd_config file on Linux systems. It leverages data from Linux Auditd, focusing
-  on command-line executions involving processes like "cat," "nano," "vim," and "vi"
-  accessing the sshd_config file. This activity is significant because unauthorized
-  changes to sshd_config can allow threat actors to redirect port connections or use
-  unauthorized keys, potentially compromising the system. If confirmed malicious,
-  this could lead to unauthorized access, privilege escalation, or persistent backdoor
-  access, posing a severe security risk.
+description: |
+  The following analytic detects access, deletion or modification of the ssh_config file on Linux systems.
+  It leverages data from Linux Auditd, focusing on events of type PATH with a nametype of ("NORMAL", "CREATE", "DELETE").
+  This activity could be significant because unauthorized changes to ssh_config can allow threat actors to redirect port connections or use unauthorized keys, potentially compromising the system.
+  Correlate this with related EXECVE or PROCTITLE events to identify the process or user responsible for the access or modification.
+  If confirmed malicious, this could lead to unauthorized access, privilege escalation, or persistent backdoor access, posing a severe security risk.
 data_source:
-- Linux Auditd Path
-search: '`linux_auditd` type=PATH name="/etc/ssh/ssh_config*" 
+  - Linux Auditd Path
+  - Linux Auditd Cwd
+search: |
+  `linux_auditd`
+  (
+    (type=PATH nametype IN ("NORMAL", "CREATE", "DELETE"))
+    OR
+    type=CWD
+  )
+  | rex "msg=audit\([^)]*:(?<audit_id>\d+)\)"
+
+  | stats
+    values(type) as types
+    values(name) as names
+    values(nametype) as nametype
+    values(cwd) as cwd_list
+    values(_time) as event_times
+    by audit_id, host
+
+  | eval current_working_directory = coalesce(mvindex(cwd_list, 0), "N/A")
+  | eval candidate_paths = mvmap(names, if(match(names, "^/"), names, current_working_directory + "/" + names))
+  | eval matched_paths = mvfilter(match(candidate_paths, "/etc/ssh/ssh_config.*"))
+  | eval match_count = mvcount(matched_paths)
+  | eval reconstructed_path = mvindex(matched_paths, 0)
+  | eval e_time = mvindex(event_times, 0)
+  | where match_count > 0
   | rename host as dest
-  | stats count min(_time) as firstTime max(_time) as lastTime 
-  by name nametype ogid type dest 
+
+  | stats count min(e_time) as firstTime max(e_time) as lastTime
+    values(nametype) as nametype
+    by current_working_directory
+       reconstructed_path
+       match_count
+       dest
+       audit_id
+
   | `security_content_ctime(firstTime)`
   | `security_content_ctime(lastTime)`
-  |  `linux_auditd_possible_access_or_modification_of_sshd_config_file_filter`'
-how_to_implement: To implement this detection, the process begins by ingesting auditd
+  |  `linux_auditd_possible_access_or_modification_of_sshd_config_file_filter`
+how_to_implement: |
+  To implement this detection, the process begins by ingesting auditd
   data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line
   executions and process details on Unix/Linux systems. These logs should be ingested
   and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833),
   which is essential for correctly parsing and categorizing the data. The next step
   involves normalizing the field names  to match the field names set by the Splunk
   Common Information Model (CIM) to ensure consistency across different data sources
-  and enhance the efficiency of data modeling. This approach enables effective monitoring
-  and detection of linux endpoints where auditd is deployed
-known_false_positives: Administrator or network operator can use this commandline
-  for automation purposes. Please update the filter macros to remove false positives.
+  and enhance the efficiency of data modeling and make sure the type=CWD record type is activate in your auditd configuration.
+  This approach enables effective monitoring and detection of linux endpoints where auditd is deployed.
+known_false_positives: |
+  Administrator or network operator can use this commandline for automation purposes.
+  Please update the filter macros to remove false positives.
 references:
-- https://www.hackingarticles.in/ssh-penetration-testing-port-22/
-- https://attack.mitre.org/techniques/T1098/004/
+  - https://www.hackingarticles.in/ssh-penetration-testing-port-22/
+  - https://attack.mitre.org/techniques/T1098/004/
 drilldown_searches:
-- name: View the detection results for - "$dest$"
-  search: '%original_detection_search% | search  dest = "$dest$"'
-  earliest_offset: $info_min_time$
-  latest_offset: $info_max_time$
-- name: View risk events for the last 7 days for - "$dest$"
-  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$")
-    starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime
-    values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories)
-    as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic)
-    as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)`
-    | `security_content_ctime(lastTime)`'
-  earliest_offset: $info_min_time$
-  latest_offset: $info_max_time$
+  - name: View the detection results for - "$dest$"
+    search: '%original_detection_search% | search  dest = "$dest$"'
+    earliest_offset: $info_min_time$
+    latest_offset: $info_max_time$
+  - name: View risk events for the last 7 days for - "$dest$"
+    search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$")
+      starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime
+      values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories)
+      as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic)
+      as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)`
+      | `security_content_ctime(lastTime)`'
+    earliest_offset: $info_min_time$
+    latest_offset: $info_max_time$
 rba:
-  message: A [$type$] has been accessed/modified on host - [$dest$] to modify the
-    sshd_config file.
+  message: $reconstructed_path$ has been accessed with type $nametype$ on host - [$dest$]
   risk_objects:
-  - field: dest
-    type: system
-    score: 25
+    - field: dest
+      type: system
+      score: 25
   threat_objects: []
 tags:
   analytic_story:
-  - Linux Living Off The Land
-  - Linux Privilege Escalation
-  - Linux Persistence Techniques
-  - Compromised Linux Host
+    - Linux Living Off The Land
+    - Linux Privilege Escalation
+    - Linux Persistence Techniques
+    - Compromised Linux Host
   asset_type: Endpoint
   mitre_attack_id:
-  - T1098.004
+    - T1098.004
   product:
-  - Splunk Enterprise
-  - Splunk Enterprise Security
-  - Splunk Cloud
+    - Splunk Enterprise
+    - Splunk Enterprise Security
+    - Splunk Cloud
   security_domain: endpoint
 tests:
-- name: True Positive Test
-  attack_data:
-  - data: 
-      https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.004/linux_auditd_nopasswd/linux_path_ssh_config.log
-    source: auditd
-    sourcetype: auditd
+  - name: True Positive Test
+    attack_data:
+    - data:
+        https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.004/auditd_path_ssh_config/path_ssh_config.log
+      source: auditd
+      sourcetype: auditd