Immutable File Attack Persistence on Linux

Videos, Education, Linux, Forensics

Date: January 09, 2025
Author: The Sandfly Security Team

Linux allows administrators to mark files as immutable. An immutable file cannot be modified, renamed or deleted by anyone, even root, until the attribute is removed. However, the same feature can be used by intruders to maintain persistence. In this video we discuss what an immutable file is and how malware and hackers use it to remain on a host. We also discuss using the command line to identify immutable files and Sandfly's agentless Linux EDR to automatically locate the threat.

In this video we cover:

- Dormant vs. active attacks.
- Why you need to hunt for dormant attacks.
- Immutable files as a persistence mechanism.
- Why an immutable SSH authorized_keys file signals a compromised key that is in play, and that you may want to hunt for across hosts.
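The command-line hunt the video refers to can be scripted. The following is an added example written for this page, not Sandfly's own code or the video's transcript. It assumes `lsattr` from e2fsprogs is installed and that the scanned paths are on a filesystem that supports file attributes (ext4, xfs, btrfs). It parses `lsattr -R` output, reports every file with the immutable flag, and tags SSH `authorized_keys` files as high priority; the sample output at the bottom is constructed so the script runs offline.

```shell
#!/bin/sh
# Added example (not Sandfly code): hunt for immutable files with lsattr.
# lsattr prints a flag field such as "----i---------e-------" followed by the
# path. Only the lowercase 'i' in that field is the immutable attribute
# (set with "chattr +i"); 'a' is append-only and 'e' just means extents.

# is_immutable_line LINE: succeed if an lsattr output line has the 'i' flag.
is_immutable_line() {
    flags=${1%% *}                   # first whitespace-separated field
    case "$flags" in
        */*) return 1 ;;             # a "/dir:" header from lsattr -R, not flags
        *i*) return 0 ;;
        *)   return 1 ;;
    esac
}

# immutable_from_lsattr: read lsattr output on stdin, print immutable paths.
immutable_from_lsattr() {
    while IFS= read -r line; do
        case "$line" in
            *" "*) ;;                # flag field + path
            *) continue ;;           # blank lines and "/dir:" headers
        esac
        if is_immutable_line "$line"; then
            printf '%s\n' "${line#* }"   # everything after the flag field
        fi
    done
}

# flag_authorized_keys: read paths on stdin, mark SSH key files as HIGH.
# An immutable authorized_keys file is the persistence case the video
# describes: the attacker wants their key to survive cleanup.
flag_authorized_keys() {
    while IFS= read -r p; do
        case "$p" in
            */.ssh/authorized_keys|*/.ssh/authorized_keys2)
                printf 'HIGH\t%s\n' "$p" ;;
            *)  printf 'INFO\t%s\n' "$p" ;;
        esac
    done
}

# hunt_immutable DIR...: recursive live scan. lsattr errors (pseudo
# filesystems, unsupported filesystems) are discarded.
hunt_immutable() {
    for d in "$@"; do
        [ -d "$d" ] || continue
        lsattr -R -- "$d" 2>/dev/null
    done | immutable_from_lsattr
}

# Constructed sample of lsattr -R output, used when no directories are given.
SAMPLE='/root/.ssh:
----i---------e------- /root/.ssh/authorized_keys
--------------e------- /root/.ssh/known_hosts

/var/log:
-----a--------e------- /var/log/wtmp
----i---------e------- /usr/lib/.hidden/libevil.so'

if [ "$#" -gt 0 ]; then
    hunt_immutable "$@" | flag_authorized_keys
else
    printf '%s\n' "$SAMPLE" | immutable_from_lsattr | flag_authorized_keys
fi
```

Run it as `sh hunt_immutable.sh /root /home /etc /usr /var` to scan a live host; a legitimate build may set a handful of immutable files on purpose, so compare the list against a known-good baseline. Any finding cannot be removed with `rm` directly; clear the attribute first with `chattr -i` once the file has been preserved for forensics.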

Sandfly is able to find this and many other types of Linux attacks without deploying any endpoint agents. Get your free license today or contact us for more information.

Transcript available on the YouTube video above.
