Detects password policy discovery commands

Read More

Detects the execution of host or user discovery utilities such as "whoami", "hostname", "id", etc. Adversaries may use the information from System Owner/User Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

Read More

Detects attempts to record audio with arecord utility

Read More

Detect changes in auditd configuration files

Read More

Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This rule detect using dd and truncate to add a junk data to file.

Read More

detects BPFDoor .lock and .pid files access in temporary file storage facility

Read More

All TCP traffic on particular port from attacker is routed to different port. ex. '/sbin/iptables -t nat -D PREROUTING -p tcp -s 192.168.1.1 --dport 22 -j REDIRECT --to-ports 42392' The traffic looks like encrypted SSH communications going to TCP port 22, but in reality is being directed to the shell port once it hits the iptables rule for the attacker host only.

Read More

Detects attempts to collect image data stored in the clipboard from users with the usage of xclip tool. Xclip has to be installed. Highly recommended using rule on servers, due to high usage of clipboard utilities on user workstations.

Read More

Detects attempts to collect data stored in the clipboard from users with the usage of xclip tool. Xclip has to be installed. Highly recommended using rule on servers, due to high usage of clipboard utilities on user workstations.

Read More

Detects the creation of a new user account. Such accounts may be used for persistence that do not require persistent remote access tools to be deployed on the system.

Read More

Detecting attempts to extract passwords with grep

Read More

An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.

Read More

Detects attempts to post the file with the usage of wget utility. The adversary can bypass the permission restriction with the misconfigured sudo permission for wget utility which could allow them to read files like /etc/shadow.

Read More

Detects disabling of system firewalls which could be used by adversaries to bypass controls that limit usage of the network.

Read More

Detects file and folder permission changes.

Read More

Detect file time attribute change to hide new or changes to existing files.

Read More

Detects adversary creating hidden file or directory, by detecting directories or files with . as the first character

Read More

Detects attempts to discover the files with setuid/setgid capability on them. That would allow adversary to escalate their privileges.

Read More

Detect attempt to enable auditing of TTY input

Read More

Detects enumeration of local or remote network services.

Read More

Detects loading of kernel modules with insmod command. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. Adversaries may use LKMs to obtain persistence within the system or elevate the privileges.

Read More

Detect changes of syslog daemons configuration files

Read More

Masquerading occurs when the name or location of an executable, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. Several different variations of this technique have been observed.

Read More

Identifies modification of ld.so.preload for shared object injection. This technique is used by attackers to load arbitrary code into processes.

Read More

Detects the removal of system firewall rules. Adversaries may only delete or modify a specific system firewall rule to bypass controls limiting network usage or access. Detection rules that match only on the disabling of firewalls will miss this.

Read More

Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.

Read More

Detects overwriting (effectively wiping/deleting) of a file.

Read More

Detects command line parameter very often used with coin miners

Read More

Detects program executions in suspicious non-program folders related to malware or hacking activity

Read More

Detects removing immutable file attribute.

Read More

Detects adversary creating screen capture of a desktop with Import Tool. Highly recommended using rule on servers, due to high usage of screenshot utilities on user workstations. ImageMagick must be installed.

Read More

Detects adversary creating screen capture of a full with xwd. Highly recommended using rule on servers, due high usage of screenshot utilities on user workstations

Read More

Detection use of the command "split" to split files into parts and possible transfer.

Read More

Detects extraction of files with usage of steghide binary, the adversaries may use this technique to prevent the detection of hidden information.

Read More

Detects embedding of files with usage of steghide binary, the adversaries may use this technique to prevent the detection of hidden information.

Read More

Detects appending of zip file to image

Read More

Detects extracting of zip file from image file

Read More

Detects suspicious activities as declared by Florian Roth in its 'Best Practice Auditd Configuration'. This includes the detection of the following commands; wget, curl, base64, nc, netcat, ncat, ssh, socat, wireshark, rawshark, rdesktop, nmap. These commands match a few techniques from the tactics "Command and Control", including not exhaustively the following; Application Layer Protocol (T1071), Non-Application Layer Protocol (T1095), Data Encoding (T1132)

Read More

Detects relevant commands often related to malware or hacking activity

Read More

Detects commandline operations on shell history files

Read More

Detects system information discovery commands

Read More

Detects System Information Discovery commands

Read More

Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems.

Read More

Detects a creation of systemd services which could be used by adversaries to execute malicious code.

Read More

Detects a reload or a start of a service.

Read More

Detect unix shell configuration modification. Adversaries may establish persistence through executing malicious commands triggered when a new shell is opened.

Read More

Detects calls to hidden files or files located in hidden directories in NIX systems.

Read More

Detects possible command execution by web application/web shell

Read More