Suspicious Commands Linux
Detects relevant commands often related to malware or hacking activity
Sigma rule

title: Suspicious Commands Linux
id: 1543ae20-cbdf-4ec1-8d12-7664d667a825
status: test
description: Detects relevant commands often related to malware or hacking activity
references:
    - Internal Research - mostly derived from exploit code including code in MSF
author: Florian Roth (Nextron Systems)
date: 2017-12-12
modified: 2022-10-05
tags:
    - attack.execution
    - attack.t1059.004
logsource:
    product: linux
    service: auditd
detection:
    cmd1:
        type: 'EXECVE'
        a0: 'chmod'
        a1: 777
    cmd2:
        type: 'EXECVE'
        a0: 'chmod'
        a1: 'u+s'
    cmd3:
        type: 'EXECVE'
        a0: 'cp'
        a1: '/bin/ksh'
    cmd4:
        type: 'EXECVE'
        a0: 'cp'
        a1: '/bin/sh'
    condition: 1 of cmd*
falsepositives:
    - Admin activity
level: medium
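To show what the four selections and the "1 of cmd*" condition actually match against raw auditd output, the following Python is an added example (not part of the Sigma project or this rule) that parses EXECVE records and applies the rule's logic. The log lines are constructed for the example; the field names (type, a0, a1, ...) are the real auditd EXECVE fields the rule references. Note two details a detection engineer should keep in mind: auditd emits every argument as a string, so the rule's bare 777 is compared as "777" here, and the rule checks a1 only, so an invocation such as chmod -R 777 (where 777 lands in a2) does not fire.

```python
import re
from typing import Dict, List, Tuple

# Transcription of the rule's four selections (cmd1..cmd4). Each selection is an
# AND over its field/value pairs; "condition: 1 of cmd*" makes the rule an OR over
# them. auditd logs every argument as a string, so the rule's bare 777 is "777".
SELECTIONS: Dict[str, Dict[str, str]] = {
    "cmd1": {"type": "EXECVE", "a0": "chmod", "a1": "777"},
    "cmd2": {"type": "EXECVE", "a0": "chmod", "a1": "u+s"},
    "cmd3": {"type": "EXECVE", "a0": "cp", "a1": "/bin/ksh"},
    "cmd4": {"type": "EXECVE", "a0": "cp", "a1": "/bin/sh"},
}

# key=value pairs; a value is either double-quoted or a bare token.
_FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
_HEX_RE = re.compile(r"[0-9A-Fa-f]+")


def _decode_arg(key: str, bare: str) -> str:
    """auditd writes an EXECVE argument unquoted and hex-encoded when it contains
    whitespace, quotes or control characters; decode those so a1 compares cleanly."""
    if key.startswith("a") and key[1:].isdigit() and len(bare) % 2 == 0 and _HEX_RE.fullmatch(bare):
        return bytes.fromhex(bare).decode("utf-8", errors="replace")
    return bare


def parse_audit_record(line: str) -> Dict[str, str]:
    """Parse one auditd record line into a field -> value dict."""
    fields: Dict[str, str] = {}
    for m in _FIELD_RE.finditer(line):
        key, quoted, bare = m.groups()
        fields[key] = quoted if quoted is not None else _decode_arg(key, bare)
    return fields


def match_rule(fields: Dict[str, str]) -> List[str]:
    """Return the names of the selections this record satisfies (empty = no alert)."""
    return [name for name, sel in SELECTIONS.items()
            if all(fields.get(k) == v for k, v in sel.items())]


def scan_lines(lines: List[str]) -> List[Tuple[int, List[str]]]:
    """Run the rule over auditd lines; returns (line index, matched selections)
    for every line that would raise an alert."""
    hits: List[Tuple[int, List[str]]] = []
    for i, line in enumerate(lines):
        matched = match_rule(parse_audit_record(line))
        if matched:
            hits.append((i, matched))
    return hits


# Constructed sample records (timestamps and serials are made up for the example).
SAMPLE_LOG = [
    'type=EXECVE msg=audit(1700000000.101:201): argc=3 a0="chmod" a1="777" a2="/tmp/x"',
    'type=EXECVE msg=audit(1700000000.102:202): argc=3 a0="chmod" a1="-R" a2="777"',
    'type=EXECVE msg=audit(1700000000.103:203): argc=3 a0="chmod" a1="644" a2="notes.txt"',
    # a2 is hex-encoded by auditd because the path contains a space ("/tmp/my file")
    'type=EXECVE msg=audit(1700000000.104:204): argc=3 a0="cp" a1="/bin/sh" a2=2F746D702F6D792066696C65',
    'type=EXECVE msg=audit(1700000000.105:205): argc=3 a0="chmod" a1="u+s" a2="/tmp/x"',
    'type=SYSCALL msg=audit(1700000000.106:206): arch=c000003e syscall=59 success=yes exit=0 comm="cp" exe="/usr/bin/cp"',
]

if __name__ == "__main__":
    for idx, matched in scan_lines(SAMPLE_LOG):
        rec = parse_audit_record(SAMPLE_LOG[idx])
        print(f"line {idx}: {matched} <- {rec['a0']} {rec['a1']}")
```

Running it alerts on lines 0, 3 and 4 (cmd1, cmd4, cmd2) and stays silent on the recursive chmod, the benign chmod 644 and the SYSCALL record, which illustrates both the rule's coverage and the gap a reviewer would note when tuning it.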
Related rules
- AWS EC2 Startup Shell Script Change
- BPFtrace Unsafe Option Usage
- Equation Group Indicators
- Interactive Bash Suspicious Children
- JexBoss Command Sequence