file_event

Linux Doas Conf File Creation

Apr 28, 2026 · attack.privilege-escalation attack.t1548 ·

Detects the creation of doas.conf file in linux host platform.

Persistence Via Sudoers.d Files

Apr 28, 2026 · attack.privilege-escalation attack.persistence attack.t1548.003 ·

Detects the creation or modification of files within the "sudoers.d" directory on Linux systems. Such activity may indicate an attempt to establish or maintain privilege escalation by granting specific users elevated permissions. Unauthorized changes to sudoers files are a common technique used by attackers to persist administrative access.

Suspicious Filename with Embedded Base64 Commands

Apr 28, 2026 · attack.execution attack.stealth attack.t1059.004 attack.t1027 ·

Share on:

Detects files with specially crafted filenames that embed Base64-encoded bash payloads designed to execute when processed by shell scripts. These filenames exploit shell interpretation quirks to trigger hidden commands, a technique observed in VShell malware campaigns.

Triple Cross eBPF Rootkit Default LockFile

Apr 28, 2026 · attack.stealth ·

Share on:

Detects the creation of the file "rootlog" which is used by the TripleCross rootkit as a way to check if the backdoor is already running.

Triple Cross eBPF Rootkit Default Persistence

Apr 28, 2026 · attack.privilege-escalation attack.execution attack.persistence attack.t1053.003 ·

Share on:

Detects the creation of "ebpfbackdoor" files in both "cron.d" and "sudoers.d" directories. Which both are related to the TripleCross persistence method

New Cron File Created

Apr 27, 2026 · attack.privilege-escalation attack.execution attack.persistence attack.t1053.003 ·

Share on:

Detects the creation of cron files in Cron directories, which could indicate potential persistence mechanisms being established by an attacker. Note that not all cron file creations are malicious - legitimate system administration activities and software installations may also create cron files. This detection should be investigated in context, considering factors such as the user creating the file, the timing of creation, and the contents of the cron job. Focus investigation on unexpected cron files created by non-administrative users or during suspicious timeframes. Additionally, it is recommended to review the contents of the newly created cron files to assess their intent. Furthermore, it is suggested to baseline normal cron file creation and apply additional filters to reduce false positives based on the specific environment.

Potentially Suspicious Shell Script Creation in Profile Folder

Aug 12, 2024 · attack.persistence ·

Share on:

Detects the creation of shell scripts under the "profile.d" path.

Wget Creating Files in Tmp Directory

Aug 12, 2024 · attack.command-and-control attack.t1105 ·

Share on:

Detects the use of wget to download content in a temporary directory such as "/tmp" or "/var/tmp"