auditd

Use Of Hidden Paths Or Files

Nov 2, 2023 · attack.defense_evasion attack.t1574.001 ·

Detects calls to hidden files or files located in hidden directories in NIX systems.

Steganography Hide Files with Steghide

Oct 28, 2023 · attack.defense_evasion attack.t1027.003 ·

Detects embedding of files with usage of steghide binary, the adversaries may use this technique to prevent the detection of hidden information.

Modify System Firewall

Oct 18, 2023 · attack.t1562.004 attack.defense_evasion ·

Share on:

Detects the removal of system firewall rules. Adversaries may only delete or modify a specific system firewall rule to bypass controls limiting network usage or access. Detection rules that match only on the disabling of firewalls will miss this.

Suspicious C2 Activities

Oct 18, 2023 · attack.command_and_control ·

Share on:

Detects suspicious activities as declared by Florian Roth in its 'Best Practice Auditd Configuration'. This includes the detection of the following commands; wget, curl, base64, nc, netcat, ncat, ssh, socat, wireshark, rawshark, rdesktop, nmap. These commands match a few techniques from the tactics "Command and Control", including not exhaustively the following; Application Layer Protocol (T1071), Non-Application Layer Protocol (T1095), Data Encoding (T1132)

BPFDoor Abnormal Process ID or Lock File Accessed

Oct 17, 2023 · attack.execution attack.t1106 attack.t1059 ·

Share on:

detects BPFDoor .lock and .pid files access in temporary file storage facility

Bpfdoor TCP Ports Redirect

Oct 17, 2023 · attack.defense_evasion attack.t1562.004 ·

Share on:

All TCP traffic on particular port from attacker is routed to different port. ex. '/sbin/iptables -t nat -D PREROUTING -p tcp -s 192.168.1.1 --dport 22 -j REDIRECT --to-ports 42392' The traffic looks like encrypted SSH communications going to TCP port 22, but in reality is being directed to the shell port once it hits the iptables rule for the attacker host only.

OMIGOD SCX RunAsProvider ExecuteShellCommand - Auditd

Oct 17, 2023 · attack.privilege_escalation attack.initial_access attack.execution attack.t1068 attack.t1190 attack.t1203 ·

Share on:

Rule to detect the use of the SCX RunAsProvider Invoke_ExecuteShellCommand to execute any UNIX/Linux command using the /bin/sh shell. SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including Microsoft Operations Manager. Microsoft Azure, and Microsoft Operations Management Suite.

Linux Network Service Scanning - Auditd

Sep 27, 2023 · attack.discovery attack.t1046 ·

Share on:

Detects enumeration of local or remote network services.

Masquerading as Linux Crond Process

Aug 22, 2023 · attack.defense_evasion attack.t1036.003 ·

Share on:

Masquerading occurs when the name or location of an executable, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. Several different variations of this technique have been observed.

Data Compressed

Jul 28, 2023 · attack.exfiltration attack.t1560.001 ·

Share on:

An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.

Binary Padding - Linux

May 2, 2023 · attack.defense_evasion attack.t1027.001 ·

Share on:

Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This rule detect using dd and truncate to add a junk data to file.

Credentials In Files - Linux

Apr 30, 2023 · attack.credential_access attack.t1552.001 ·

Share on:

Detecting attempts to extract passwords with grep

System Information Discovery - Auditd

Mar 27, 2023 · attack.discovery attack.t1082 ·

Share on:

Detects System Information Discovery commands

Unix Shell Configuration Modification

Mar 27, 2023 · attack.persistence attack.t1546.004 ·

Share on:

Detect unix shell configuration modification. Adversaries may establish persistence through executing malicious commands triggered when a new shell is opened.

Possible Coin Miner CPU Priority Param

Feb 1, 2023 · attack.privilege_escalation attack.t1068 ·

Share on:

Detects command line parameter very often used with coin miners

Program Executions in Suspicious Folders

Feb 1, 2023 · attack.t1587 attack.t1584 attack.resource_development ·

Share on:

Detects program executions in suspicious non-program folders related to malware or hacking activity

Suspicious Commands Linux

Feb 1, 2023 · attack.execution attack.t1059.004 ·

Share on:

Detects relevant commands often related to malware or hacking activity

Disable System Firewall

Jan 27, 2023 · attack.t1562.004 attack.defense_evasion ·

Share on:

Detects disabling of system firewalls which could be used by adversaries to bypass controls that limit usage of the network.

Systemd Service Creation

Jan 27, 2023 · attack.persistence attack.t1543.002 ·

Share on:

Detects a creation of systemd services which could be used by adversaries to execute malicious code.

Data Exfiltration with Wget

Jan 10, 2023 · attack.exfiltration attack.t1048.003 ·

Share on:

Detects attempts to post the file with the usage of wget utility. The adversary can bypass the permission restriction with the misconfigured sudo permission for wget utility which could allow them to read files like /etc/shadow.

Audio Capture

Jan 10, 2023 · attack.collection attack.t1123 ·

Share on:

Detects attempts to record audio with arecord utility

Clipboard Collection of Image Data with Xclip Tool

Jan 10, 2023 · attack.collection attack.t1115 ·

Share on:

Detects attempts to collect image data stored in the clipboard from users with the usage of xclip tool. Xclip has to be installed. Highly recommended using rule on servers, due to high usage of clipboard utilities on user workstations.

Clipboard Collection with Xclip Tool - Auditd

Jan 10, 2023 · attack.collection attack.t1115 ·

Share on:

Detects attempts to collect data stored in the clipboard from users with the usage of xclip tool. Xclip has to be installed. Highly recommended using rule on servers, due to high usage of clipboard utilities on user workstations.

Hidden Files and Directories

Jan 10, 2023 · attack.defense_evasion attack.t1564.001 ·

Share on:

Detects adversary creating hidden file or directory, by detecting directories or files with . as the first character

Linux Keylogging with Pam.d

Jan 10, 2023 · attack.credential_access attack.t1003 attack.t1056.001 ·

Share on:

Detect attempt to enable auditing of TTY input

Loading of Kernel Module via Insmod

Jan 10, 2023 · attack.persistence attack.privilege_escalation attack.t1547.006 ·

Share on:

Detects loading of kernel modules with insmod command. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. Adversaries may use LKMs to obtain persistence within the system or elevate the privileges.

Password Policy Discovery

Jan 10, 2023 · attack.discovery attack.t1201 ·

Share on:

Detects password policy discovery commands

Screen Capture with Import Tool

Jan 10, 2023 · attack.collection attack.t1113 ·

Share on:

Detects adversary creating screen capture of a desktop with Import Tool. Highly recommended using rule on servers, due to high usage of screenshot utilities on user workstations. ImageMagick must be installed.

Screen Capture with Xwd

Jan 10, 2023 · attack.collection attack.t1113 ·

Share on:

Detects adversary creating screen capture of a full with xwd. Highly recommended using rule on servers, due high usage of screenshot utilities on user workstations

Steganography Extract Files with Steghide

Jan 10, 2023 · attack.defense_evasion attack.t1027.003 ·

Share on:

Detects extraction of files with usage of steghide binary, the adversaries may use this technique to prevent the detection of hidden information.

Steganography Hide Zip Information in Picture File

Jan 10, 2023 · attack.defense_evasion attack.t1027.003 ·

Share on:

Detects appending of zip file to image

Steganography Unzip Hidden Information From Picture File

Jan 10, 2023 · attack.defense_evasion attack.t1027.003 ·

Share on:

Detects extracting of zip file from image file

Systemd Service Reload or Start

Jan 10, 2023 · attack.persistence attack.t1543.002 ·

Share on:

Detects a reload or a start of a service.

Linux Capabilities Discovery

Dec 27, 2022 · attack.collection attack.privilege_escalation attack.t1123 attack.t1548 ·

Share on:

Detects attempts to discover the files with setuid/setgid capability on them. That would allow adversary to escalate their privileges.

Webshell Remote Command Execution

Dec 27, 2022 · attack.persistence attack.t1505.003 ·

Share on:

Detects possible command execution by web application/web shell

Creation Of An User Account

Dec 20, 2022 · attack.t1136.001 attack.persistence ·

Share on:

Detects the creation of a new user account. Such accounts may be used for persistence that do not require persistent remote access tools to be deployed on the system.

Network Sniffing - Linux

Dec 18, 2022 · attack.credential_access attack.discovery attack.t1040 ·

Share on:

Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.

File Time Attribute Change - Linux

Nov 29, 2022 · attack.defense_evasion attack.t1070.006 ·

Share on:

Detect file time attribute change to hide new or changes to existing files.

Split A File Into Pieces - Linux

Nov 29, 2022 · attack.exfiltration attack.t1030 ·

Share on:

Detection use of the command "split" to split files into parts and possible transfer.

Suspicious History File Operations - Linux

Nov 29, 2022 · attack.credential_access attack.t1552.003 ·

Share on:

Detects commandline operations on shell history files

Remove Immutable File Attribute - Auditd

Nov 27, 2022 · attack.defense_evasion attack.t1222.002 ·

Share on:

Detects removing immutable file attribute.

System and Hardware Information Discovery

Nov 27, 2022 · attack.discovery attack.t1082 ·

Share on:

Detects system information discovery commands

System Shutdown/Reboot - Linux

Nov 27, 2022 · attack.impact attack.t1529 ·

Share on:

Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems.

Auditing Configuration Changes on Linux Host

Oct 25, 2022 · attack.defense_evasion attack.t1562.006 ·

Share on:

Detect changes in auditd configuration files

File or Folder Permissions Change

Oct 25, 2022 · attack.defense_evasion attack.t1222.002 ·

Share on:

Detects file and folder permission changes.

Logging Configuration Changes on Linux Host

Oct 25, 2022 · attack.defense_evasion attack.t1562.006 ·

Share on:

Detect changes of syslog daemons configuration files

Modification of ld.so.preload

Oct 25, 2022 · attack.defense_evasion attack.t1574.006 ·

Share on:

Identifies modification of ld.so.preload for shared object injection. This technique is used by attackers to load arbitrary code into processes.

Overwriting the File with Dev Zero or Null

Oct 25, 2022 · attack.impact attack.t1485 ·

Share on:

Detects overwriting (effectively wiping/deleting) of a file.

System Owner or User Discovery

Oct 25, 2022 · attack.discovery attack.t1033 ·

Share on:

Adversaries may use the information from System Owner/User Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.