Detects the removal of system firewall rules. Adversaries may only delete or modify a specific system firewall rule to bypass controls limiting network usage or access. Detection rules that match only on the disabling of firewalls will miss this.

Detects System Information Discovery commands

Detect unix shell configuration modification. Adversaries may establish persistence through executing malicious commands triggered when a new shell is opened.

Detects command line parameter very often used with coin miners

Detects program executions in suspicious non-program folders related to malware or hacking activity

Detects suspicious activities as declared by Florian Roth in its 'Best Practice Auditd Configuration'. This includes the detection of the following commands; wget, curl, base64, nc, netcat, ncat, ssh, socat, wireshark, rawshark, rdesktop, nmap. These commands match a few techniques from the tactics "Command and Control", including not exhaustively the following; Application Layer Protocol (T1071), Non-Application Layer Protocol (T1095), Data Encoding (T1132)

Detects relevant commands often related to malware or hacking activity

Detects disabling of system firewalls which could be used by adversaries to bypass controls that limit usage of the network.

Detects a creation of systemd services which could be used by adversaries to execute malicious code.

Detects attempts to post the file with the usage of wget utility. The adversary can bypass the permission restriction with the misconfigured sudo permission for wget utility which could allow them to read files like /etc/shadow.

Detects attempts to record audio with arecord utility

Detects attempts to collect image data stored in the clipboard from users with the usage of xclip tool. Xclip has to be installed. Highly recommended using rule on servers, due to high usage of clipboard utilities on user workstations.

Detects attempts to collect data stored in the clipboard from users with the usage of xclip tool. Xclip has to be installed. Highly recommended using rule on servers, due to high usage of clipboard utilities on user workstations.

Detects adversary creating hidden file or directory, by detecting directories or files with . as the first character

Detect attempt to enable auditing of TTY input

Detects loading of kernel modules with insmod command. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. Adversaries may use LKMs to obtain persistence within the system or elevate the privileges.

Detects password policy discovery commands

Detects adversary creating screen capture of a desktop with Import Tool. Highly recommended using rule on servers, due to high usage of screenshot utilities on user workstations. ImageMagick must be installed.

Detects adversary creating screen capture of a full with xwd. Highly recommended using rule on servers, due high usage of screenshot utilities on user workstations

Detects extraction of files with usage of steghide binary, the adversaries may use this technique to prevent the detection of hidden information.

Detects embeding of files with usage of steghide binary, the adversaries may use this technique to prevent the detection of hidden information.

Detects appending of zip file to image

Detects extracting of zip file from image file

Detects a reload or a start of a service.

Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This rule detect using dd and truncate to add a junk data to file.

Detecting attempts to extract passwords with grep

Detects calls to hidden files or files located in hidden directories in NIX systems.

Detects attempts to discover the files with setuid/setgid capability on them. That would allow adversary to escalate their privileges.

Detects possible command execution by web application/web shell

Detects the creation of a new user account. Such accounts may be used for persistence that do not require persistent remote access tools to be deployed on the system.

Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.

Detect file time attribute change to hide new or changes to existing files.

Detection use of the command "split" to split files into parts and possible transfer.

Detects commandline operations on shell history files

Detects enumeration of local or remote network services.

Rule to detect the use of the SCX RunAsProvider Invoke_ExecuteShellCommand to execute any UNIX/Linux command using the /bin/sh shell. SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including Microsoft Operations Manager. Microsoft Azure, and Microsoft Operations Management Suite.

Detects removing immutable file attribute.

Detects system information discovery commands

Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems.

Detect changes in auditd configuration files

detects BPFDoor .lock and .pid files access in temporary file storage facility

All TCP traffic on particular port from attacker is routed to different port. ex. '/sbin/iptables -t nat -D PREROUTING -p tcp -s 192.168.1.1 --dport 22 -j REDIRECT --to-ports 42392' The traffic looks like encrypted SSH communications going to TCP port 22, but in reality is being directed to the shell port once it hits the iptables rule for the attacker host only.

An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.

Detects file and folder permission changes.

Detect changes of syslog daemons configuration files

Masquerading occurs when the name or location of an executable, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. Several different variations of this technique have been observed.

Identifies modification of ld.so.preload for shared object injection. This technique is used by attackers to load arbitrary code into processes.

Detects overwriting (effectively wiping/deleting) of a file.

Adversaries may use the information from System Owner/User Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.