file_event

Persistence Via Sudoers Files

Nov 2, 2023 · attack.persistence attack.t1053.003 ·

Detects creation of sudoers file or files in "sudoers.d" directory which can be used a potential method to persiste privileges for a specific user.

Triple Cross eBPF Rootkit Default LockFile

Nov 2, 2023 · attack.defense_evasion ·

Share on:

Detects the creation of the file "rootlog" which is used by the TripleCross rootkit as a way to check if the backdoor is already running.

Triple Cross eBPF Rootkit Default Persistence

Nov 2, 2023 · attack.persistence attack.defense_evasion attack.t1053.003 ·

Share on:

Detects the creation of "ebpfbackdoor" files in both "cron.d" and "sudoers.d" directories. Which both are related to the TripleCross persistence method

Potentially Suspicious Shell Script Creation in Profile Folder

Jun 2, 2023 · attack.persistence ·

Share on:

Detects the creation of shell scripts under the "profile.d" path.

Wget Creating Files in Tmp Directory

Jun 2, 2023 · attack.command_and_control attack.t1105 ·

Share on:

Detects the use of wget to download content in a temporary directory such as "/tmp" or "/var/tmp"

Linux Doas Conf File Creation

Dec 31, 2022 · attack.privilege_escalation attack.t1548 ·

Share on:

Detects the creation of doas.conf file in linux host platform.

Persistence Via Cron Files

Dec 31, 2022 · attack.persistence attack.t1053.003 ·

Share on:

Detects creation of cron file or files in Cron directories which could indicates potential persistence.