Detect Immutable files in EXT4

Adds artifact Linux.Forensics.ImmutableFiles for detecting immutable files.
Velocidex · Jan 18, 2025 · cedbab9 · cedbab9
1 parent 0f93a9c
commit cedbab9
Show file tree

Hide file tree

Showing 6 changed files with 120 additions and 245 deletions.
diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml
@@ -23,6 +23,10 @@ jobs:
       with:
         go-version: '^1.23'
 
+        # Caching seems to really slow down the build due to the time
+        # taken to save the cache.
+        cache: false
+
     - run: go version
 
     - name: Get dependencies

diff --git a/accessors/ext4/ext4_accessor.go b/accessors/ext4/ext4_accessor.go
@@ -26,7 +26,17 @@ func (self *Ext4FileInfo) IsDir() bool {
 }
 
 func (self *Ext4FileInfo) Data() *ordereddict.Dict {
-	return self.Dict()
+	data := ordereddict.NewDict().
+		Set("Inode", self.Inode()).
+		Set("Uid", self.Uid()).
+		Set("Gid", self.Gid())
+
+	flags := self.Flags()
+	if len(flags) > 0 {
+		data.Set("Flags", flags)
+	}
+
+	return data
 }
 
 func (self *Ext4FileInfo) UniqueName() string {
@@ -130,8 +140,10 @@ func (self *Ext4FileSystemAccessor) ReadDirWithOSPath(
 
 	// List the directory.
 	for _, info := range dir {
+		name := info.Name()
+
 		// Skip these useless directories.
-		if info.Name() == "." || info.Name() == ".." {
+		if name == "" || name == "." || name == ".." {
 			continue
 		}
 

diff --git a/artifacts/definitions/Linux/Forensics/ImmutableFiles.yaml b/artifacts/definitions/Linux/Forensics/ImmutableFiles.yaml
@@ -0,0 +1,50 @@
+name: Linux.Forensics.ImmutableFiles
+description: |
+  Attackers sometimes enable immutable files in Linux.
+
+  This prevents files from being modified. However this is sometimes a
+  strong signal.
+
+  This artifact searches the filesystem for such files.
+
+  NOTE: We use the ext4 accessor to parse the low level filessystem.
+
+precondition: |
+  SELECT * FROM info() where OS = 'linux'
+
+parameters:
+  - name: SearchFilesGlob
+    default: /home/*
+    description: Use a glob to define the files that will be searched.
+  - name: OneFilesystem
+    default: N
+    type: bool
+    description: When set we do not follow a link to go on to a different filesystem.
+
+  - name: DoNotFollowSymlinks
+    type: bool
+    default: N
+    description: If specified we are allowed to follow symlinks while globbing
+
+column_types:
+  - name: ATime
+    type: timestamp
+  - name: MTime
+    type: timestamp
+  - name: CTime
+    type: timestamp
+
+
+sources:
+- query: |
+    SELECT OSPath,
+           Sys.mft as Inode,
+           Mode.String AS Mode, Size,
+           Mtime AS MTime,
+           Atime AS ATime,
+           Ctime AS CTime,
+           IsDir, Mode, Data
+    FROM glob(globs=SearchFilesGlob,
+              one_filesystem=OneFilesystem,
+              accessor="ext4", nosymlink=DoNotFollowSymlinks)
+    WHERE Data.Flags =~ "IMMUTABLE"