Detects suspicious log entries in Linux log files
Detects exploitation of Nimbuspwn privilege escalation vulnerability (CVE-2022-29799 and CVE-2022-29800)
Detects the presence of "bpf_probe_write_user" BPF helper-generated warning messages, which could be a sign of suspicious eBPF activity on the system.
Detects suspicious command with /dev/tcp
Detects the addition of a new user to a privileged group such as "root" or "sudo"
Detects clearing of the command history in Linux, which is used for defense evasion.
Detects suspicious shell commands used in various exploit codes (see references)
Detects buffer overflow attempts in Unix system log files
Detects the ld.so preload persistence file. See man ld.so for more information.
Detects specific commands commonly used to remove or empty the syslog
Detects suspicious shell commands used in various Equation Group scripts and tools
Detects suspicious command sequence that JexBoss
Detects shellshock expressions in log files
Detects suspicious shell commands or program code that may be executed or used in command line to establish a reverse shell
Detects suspicious command lines that look as if they would create symbolic links to /etc/passwd
Detects the use of tools that copy files from or to remote systems
Detects a space after a filename