System Information Discovery - Auditd

Detects System Information Discovery commands

Sigma rule

title: System Information Discovery - Auditd
id: f34047d9-20d3-4e8b-8672-0a35cc50dc71
status: test
description: Detects System Information Discovery commands
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f296668303c29d3f4c07e42bdd2b28d8dd6625f9/atomics/T1082/T1082.md
author: Pawel Mazur
date: 2021/09/03
modified: 2023/03/06
tags:
    - attack.discovery
    - attack.t1082
logsource:
    product: linux
    service: auditd
detection:
    selection_1:
        type: PATH
        name:
            - /etc/lsb-release
            - /etc/redhat-release
            - /etc/issue
    selection_2:
        type: EXECVE
        a0:
            - uname
            - uptime
            - lsmod
            - hostname
            - env
    selection_3:
        type: EXECVE
        a0: grep
        a1|contains:
            - vbox
            - vm
            - xen
            - virtio
            - hv
    selection_4:
        type: EXECVE
        a0: kmod
        a1: list
    condition: 1 of selection_*
falsepositives:
    - Likely
level: low
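To show how the four selections and the "1 of selection_*" condition behave on raw auditd records, here is an added Python example; it is not part of the rule or of the Sigma project. It parses constructed auditd lines (not taken from any real system) in the raw "type=... msg=audit(ts:serial): key=value" layout, evaluates each selection using the same fields the rule references (type, name, a0, a1), and returns the serial numbers of matching records. Matching is case-insensitive, as Sigma string matching is by default. One tuning point visible in the sample: selection_3 only inspects a1, so a grep invocation whose search term is in a2 (for example after a "-i" flag) is not matched by this rule as written.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample auditd records (not from the page or a real host).
# Layout follows the raw auditd log format: type=... msg=audit(ts:serial): key=value ...
SAMPLE_LOG = """\
type=EXECVE msg=audit(1630663200.101:2001): argc=2 a0="uname" a1="-a"
type=EXECVE msg=audit(1630663201.102:2002): argc=1 a0="uptime"
type=PATH msg=audit(1630663202.103:2003): item=0 name="/etc/issue" inode=1234 dev=08:01 mode=0100644 ouid=0 ogid=0
type=EXECVE msg=audit(1630663203.104:2004): argc=3 a0="grep" a1="-i" a2="vbox"
type=EXECVE msg=audit(1630663204.105:2005): argc=2 a0="grep" a1="virtio"
type=EXECVE msg=audit(1630663205.106:2006): argc=2 a0="kmod" a1="list"
type=EXECVE msg=audit(1630663206.107:2007): argc=2 a0="ls" a1="-la"
type=PATH msg=audit(1630663207.108:2008): item=0 name="/etc/passwd" inode=5678 dev=08:01 mode=0100644 ouid=0 ogid=0
"""

# key=value pairs; values are either double-quoted (may contain spaces) or bare tokens
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# audit(<timestamp>:<serial>) inside the msg field
MSG_RE = re.compile(r'audit\((\d+\.\d+):(\d+)\)')

# Values copied from the rule's selections
RELEASE_FILES = {"/etc/lsb-release", "/etc/redhat-release", "/etc/issue"}
RECON_BINARIES = {"uname", "uptime", "lsmod", "hostname", "env"}
VM_GREP_TERMS = ("vbox", "vm", "xen", "virtio", "hv")


def parse_record(line: str) -> Dict[str, str]:
    """Parse one raw auditd line into field -> value (quotes stripped, serial extracted)."""
    fields: Dict[str, str] = {}
    for key, value in KV_RE.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    m = MSG_RE.search(fields.get("msg", ""))
    if m:
        fields["timestamp"], fields["serial"] = m.group(1), m.group(2)
    return fields


def matching_selections(rec: Dict[str, str]) -> List[str]:
    """Return the names of the rule's selections that this record satisfies."""
    hits: List[str] = []
    rtype = rec.get("type")
    # Sigma compares strings case-insensitively by default
    a0 = rec.get("a0", "").lower()
    a1 = rec.get("a1", "").lower()

    if rtype == "PATH" and rec.get("name", "").lower() in RELEASE_FILES:
        hits.append("selection_1")          # read of a distro release file
    if rtype == "EXECVE":
        if a0 in RECON_BINARIES:
            hits.append("selection_2")      # uname / uptime / lsmod / hostname / env
        if a0 == "grep" and any(term in a1 for term in VM_GREP_TERMS):
            hits.append("selection_3")      # grep for hypervisor strings, a1 only
        if a0 == "kmod" and a1 == "list":
            hits.append("selection_4")      # kmod list
    return hits


def scan(log_text: str) -> List[Tuple[str, List[str]]]:
    """Apply 'condition: 1 of selection_*': alert on any record matching at least one selection."""
    alerts: List[Tuple[str, List[str]]] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        hits = matching_selections(rec)
        if hits:
            alerts.append((rec.get("serial", "?"), hits))
    return alerts


if __name__ == "__main__":
    for serial, hits in scan(SAMPLE_LOG):
        print(f"audit serial {serial}: {', '.join(hits)}")
```

Running the block prints one line per matching record; serials 2004 (grep with the term in a2), 2007 and 2008 produce no alert. Because the rule is rated low with "Likely" false positives, a deployment would normally aggregate these hits per session or user rather than alert on each one.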
