Hiding Information and Covering Tracks
Hiding Information and Covering Tracks (Windows/Mac)
The following out-of-the-box alert rules are assigned to the (Windows/Mac) Category: HIDING INFORMATION AND COVERING TRACKS.
| Alert rule | Description |
|---|---|
| Clearing browsing history in IE or Firefox | An alert is triggered when the settings window used to clear browsing history data is opened in Internet Explorer or Firefox. This action could indicate that the user has something to hide. |
| Copying Windows event log files | An alert is triggered when Windows event log files are copied to the clipboard. This action could indicate that the user plans to overwrite event log files in order to hide actions that are documented in them. |
| Exporting Windows Registry data | An alert is triggered when the Windows Registry is opened and the Export command is invoked. This action could indicate that the user plans to manipulate Windows Registry data. |
| Hiding files by moving them into hidden directory | An alert is triggered when any file is moved into a hidden directory. |
| Importing Windows Registry data | An alert is triggered when the Windows Registry is opened and the Import command is invoked. This action could indicate that the user plans to manipulate Windows Registry data. |
| Password protecting a file in UltraEdit text editor | An alert is triggered when a file is password protected in the UltraEdit text editor. |
| Running secured or encrypted email client | An alert is triggered when a secured or encrypted email client is run; such a client could be used to bring in or send out information that cannot be monitored. This action could indicate that the user has something to hide. |
| Running steganography tools | An alert is triggered when one of the predefined steganography tools is run. Such tools are typically used to conceal text inside images so that data exfiltration tools cannot detect the leak. |
| Zipping file with password | An alert is triggered when a compression tool is run and a password is set on the compressed file. This action could indicate that the user has something to hide. |
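The "Zipping file with password" rule fires on the user's action in the compression tool. A complementary check a scanner can apply to the resulting artefact is to read the ZIP general-purpose flag field, where bit 0 marks an encrypted entry, without needing the password. The following is an added example written for this page, not the product's own rule logic; the two archives it inspects are constructed in memory, and the "protected" one is a header-level simulation (the flag bit is set by hand, the file data is not actually encrypted).

```python
import io
import zipfile

# Bit 0 of the ZIP general-purpose flag field marks an encrypted entry
# (both legacy ZipCrypto and AES-wrapped entries set it).
ENCRYPTED_FLAG = 0x0001


def build_sample_archives():
    """Return (plain_zip, protected_looking_zip) as bytes.

    Both are constructed in memory for this example. The second is the
    first with the encryption flag set in the local file header and in
    the central directory entry, which is what a scanner sees for a
    password-protected archive. The entry data itself is left untouched,
    so this is a header-level simulation, not a real encrypted zip.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("report.txt", "quarterly numbers")
    plain = buf.getvalue()

    data = bytearray(plain)
    local_hdr = data.find(b"PK\x03\x04")    # local file header signature
    central_hdr = data.find(b"PK\x01\x02")  # central directory entry signature
    # The flag field sits at +6 in the local header and at +8 in the
    # central directory entry.
    for off in (local_hdr + 6, central_hdr + 8):
        flags = int.from_bytes(data[off:off + 2], "little") | ENCRYPTED_FLAG
        data[off:off + 2] = flags.to_bytes(2, "little")
    return plain, bytes(data)


def encrypted_entries(archive_bytes):
    """Names of entries whose header says they are password protected.

    Only the central directory is read, so this works without the
    password and without extracting anything.
    """
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        return [info.filename for info in zf.infolist()
                if info.flag_bits & ENCRYPTED_FLAG]


if __name__ == "__main__":
    plain, protected = build_sample_archives()
    print("plain archive:", encrypted_entries(plain))          # []
    print("protected archive:", encrypted_entries(protected))  # ['report.txt']
```

Because the check reads headers only, it is cheap enough to run on every archive that crosses a DLP boundary, and it does not care which compression tool produced the file.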
Hiding Information and Covering Tracks (Unix/Linux)
The following out-of-the-box alert rules are assigned to the (Unix/Linux) Category: HIDING INFORMATION AND COVERING TRACKS.
| Alert rule | Description |
|---|---|
| Audit log files tampering using almost any command | An alert is triggered when almost any command (other than TAIL, CAT or SUDO) is run on audit log files, which might prevent SIEM products from tracing hidden activity on this machine. |
| Audit log files tampering using specific commands | An alert is triggered when specific view/edit/delete/copy commands are run on audit log files, which might prevent SIEM products from tracing hidden activity on this machine. |
| Editing audit log files using SUDO | An alert is triggered when audit log files are accessed via SUDO for any purpose other than viewing. An interactive user is allowed to access audit log files only to view them, not to edit them. |
| Misusing SUDO-authorized text editor to run shell commands | An alert is triggered when a user breaks out of a text editor that was executed via SUDO by running external commands from within it. |
| Running the steganography tool CLOAKIFY | An alert is triggered when CLOAKIFY.PY is executed. Cloakify is a text-based steganography tool that uses list-based ciphers to hide information from data leak scanning tools. |
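To make the Unix/Linux rules above concrete, here is an added example (written for this page; it is not the product's detection engine) that evaluates them over process events consisting of a command line and, optionally, the parent's command line. It also includes a Unix analogue of the Windows "moving into hidden directory" rule. The set of audit log paths, the view-only commands, the editor and shell names, and the sample events are all assumptions constructed for the example; the page itself names only TAIL, CAT and SUDO as exempt commands and CLOAKIFY.PY as the steganography tool.

```python
import os
import shlex

# Assumptions for this example (the page does not list these): which
# paths count as audit logs and which commands are treated as view-only.
AUDIT_LOG_PATHS = {"/var/log/audit/audit.log", "/var/log/auth.log",
                   "/var/log/secure", "/var/log/wtmp", "/var/log/btmp"}
VIEW_ONLY = {"tail", "cat"}
SPECIFIC_TAMPER = {"vi", "vim", "nano", "sed", "rm", "cp", "mv",
                   "truncate", "shred", "tee"}
EDITORS = {"vi", "vim", "nano", "less", "more"}
SHELLS = {"sh", "bash", "dash", "zsh"}
STEGO_SCRIPTS = {"cloakify.py"}


def _parse(cmdline):
    """Split a command line and peel off a leading 'sudo' wrapper.
    Assumes sudo is used without options (e.g. 'sudo vi file')."""
    argv = shlex.split(cmdline)
    via_sudo = False
    while argv and argv[0] == "sudo":
        via_sudo = True
        argv = argv[1:]
    return via_sudo, argv


def _touches_audit_log(argv):
    return any(a in AUDIT_LOG_PATHS or a.startswith("/var/log/audit/")
               for a in argv[1:])


def evaluate(event):
    """Return the names of the rules that fire for one process event.

    event is a dict with 'cmd' (the command line) and optionally 'parent'
    (the parent process's command line), the minimum a process audit
    source has to provide for these rules.
    """
    alerts = []
    via_sudo, argv = _parse(event["cmd"])
    if not argv:
        return alerts
    prog = os.path.basename(argv[0])
    # 'python3 cloakify.py ...': classify by the script, not the interpreter
    script = (os.path.basename(argv[1])
              if prog.startswith("python") and len(argv) > 1 else prog)

    if _touches_audit_log(argv):
        if prog not in VIEW_ONLY:
            alerts.append("Audit log files tampering using almost any command")
        if prog in SPECIFIC_TAMPER:
            alerts.append("Audit log files tampering using specific commands")
        if via_sudo and prog not in VIEW_ONLY:
            alerts.append("Editing audit log files using SUDO")

    if script in STEGO_SCRIPTS:
        alerts.append("Running the steganography tool CLOAKIFY")

    # Editor shell escape: a shell whose parent is an editor run via sudo
    parent = event.get("parent")
    if parent and prog in SHELLS:
        parent_sudo, parent_argv = _parse(parent)
        if (parent_sudo and parent_argv
                and os.path.basename(parent_argv[0]) in EDITORS):
            alerts.append("Misusing SUDO-authorized text editor to run shell commands")

    # Unix analogue of the Windows rule: the destination of a move contains
    # a dot-directory component (assumption: that is what 'hidden' means here)
    if prog == "mv" and len(argv) >= 3:
        parts = argv[-1].split("/")
        if any(p.startswith(".") and p not in (".", "..") for p in parts):
            alerts.append("Hiding files by moving them into hidden directory")
    return alerts


# Constructed sample events, not real audit data.
SAMPLE_EVENTS = [
    {"cmd": "cat /var/log/audit/audit.log"},
    {"cmd": "tail -f /var/log/auth.log"},
    {"cmd": "sudo vi /var/log/audit/audit.log"},
    {"cmd": "/bin/sh -c id", "parent": "sudo vi /etc/hosts"},
    {"cmd": "python3 cloakify.py secrets.txt ciphers/desserts > recipes.txt"},
    {"cmd": "mv payroll.xlsx /home/alice/.cache/"},
]


def run(events=SAMPLE_EVENTS):
    return [(e["cmd"], evaluate(e)) for e in events]


if __name__ == "__main__":
    for cmd, fired in run():
        print(f"{cmd!r}: {fired or 'no alert'}")
```

Note that the editor-escape rule cannot be expressed on a single command line at all: it needs the parent/child relationship between the sudo-launched editor and the shell it spawns, which is why the event carries `parent`. A real deployment would also need to resolve symlinked or relative paths before comparing against the audit log set.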