Detects changes to the ESXi syslog configuration via "esxcli"

Read More

Detects user account creation on ESXi system via esxcli

Read More

Detects execution of the "esxcli" command with the "system" and "permission" flags in order to assign admin permissions to an account.

Read More

Detects execution of the "esxcli" command with the "network" flag in order to retrieve information about the network configuration.

Read More

Detects execution of the "esxcli" command with the "storage" flag in order to retrieve information about the storage status and other related information. Seen used by malware such as DarkSide and LockBit.

Read More

Detects execution of the "esxcli" command with the "system" flag in order to retrieve information about the different component of the system. Such as accounts, modules, NTP, etc.

Read More

Detects execution of the "esxcli" command with the "vm" and "kill" flag in order to kill/shutdown a specific VM.

Read More

Detects execution of the "esxcli" command with the "vm" flag in order to retrieve information about the installed VMs.

Read More

Detects execution of the "esxcli" command with the "vsan" flag in order to retrieve information about virtual storage. Seen used by malware such as DarkSide.

Read More

Detects suspicious interactive bash as a parent to rather uncommon child processes

Read More

Detects command line parameters or strings often used by crypto miners

Read More

Detects usage of nohup which could be leveraged by an attacker to keep a process running or break out from restricted environments

Read More

Detects a potentially suspicious execution of a process located in the '/tmp/' folder

Read More

Detects potential container discovery via listing of certain kernel features in the "/proc" virtual filesystem

Read More

Detects listing or file reading of ".dockerenv" which can be a sing of potential container discovery

Read More

Detects listing of the inodes of the "/" directory to determin if the we are running inside of a container.

Read More

Detects potential Amazon SSM agent hijack attempts as outlined in the Mitiga research reoport.

Read More

Detects the creation of a new named pipe using the "mkfifo" utility in a potentially suspicious location

Read More

Detects suspicious process command line that uses base64 encoded input for execution with a shell

Read More

Detects the creation of a new named pipe using the "mkfifo" utility

Read More

Detects python spawning a pretty tty which could be indicative of potential reverse shell activity

Read More

Detects usage of crontab to list the tasks of the user

Read More

Detects the use of wget to download content to a suspicious directory

Read More

Detects executions of scripts located in potentially suspicious locations such as "/tmp" via a shell such as "bash", "sh", etc.

Read More

Detects the use of grep to identify information about the operating system architecture. Often combined beforehand with the execution of "uname" or "cat /proc/cpuinfo"

Read More

Detects the use of grep to discover specific files created by the GobRAT malware

Read More

Detects execution of shells from a parent process located in a temporary (/tmp) directory

Read More

Detects execution of binaries located in potentially suspicious locations via "nohup"

Read More

Detects changes of sensitive and critical files. Monitors files that you don't expect to change without planning on Linux system.

Read More

Detects a suspicious curl process start the adds a file to a web request

Read More

Detects execution of the bash shell with the interactive flag "-i".

Read More

Detects execution of netcat with the "-e" flag followed by common shells. This could be a sign of a potential reverse shell setup.

Read More

Detects execution of the perl binary with the "-e" flag and common strings related to potential reverse shell activity

Read More

Detects usage of the PHP CLI with the "-r" flag which allows it to run inline PHP code. The rule looks for calls to the "fsockopen" function which allows the creation of sockets. Attackers often leverage this in combination with functions such as "exec" or "fopen" to initiate a reverse shell connection.

Read More

Detects executing python with keywords related to network activity that could indicate a potential reverse shell

Read More

Detects execution of ruby with the "-e" flag and calls to "socket" related functions. This could be an indication of a potential attempt to setup a reverse shell

Read More

Detects usage of "xterm" as a potential reverse shell tunnel

Read More

Detects enumeration of local network configuration

Read More

Detects usage of command line tools such as "kill", "pkill" or "killall" to terminate or signal a running process.

Read More

Detects linux package removal using builtin tools such as "yum", "apt", "apt-get" or "dpkg".

Read More

Detects enumeration of local or remote network services.

Read More

Detects usage of "vim" and it's siblings as a GTFOBin to execute and proxy command and binary execution

Read More

Detects attempts to exploit an apache spark server via CVE-2014-6287 from a commandline perspective

Read More

Detects usage of "apt" and "apt-get" as a GTFOBin to execute and proxy command and binary execution

Read More

Detects spawning of suspicious child processes by Atlassian Confluence server which may indicate successful exploitation of CVE-2022-26134

Read More

Detects usage of "getcap" binary. This is often used during recon activity to determine potential binaries that can be abused as GTFOBins or other.

Read More

Detects the execution of a cat /etc/sudoers to list all users that have sudo rights

Read More

Detects specific commands commonly used to remove or empty the syslog. Which is often used by attacker as a method to hide their tracks

Read More

Detects a curl process start on linux, which indicates a file download from a remote location or a simple web request to a remote server

Read More

Detects the usage of utilities such as 'systemctl', 'service'...etc to stop or disable tools and services

Read More

Detects common command used to enable bpf kprobes tracing

Read More

Detects events in which a history file gets deleted, e.g. the ~/bash_history to remove traces of malicious activity

Read More

Detects the presence of a base64 version of the shebang in the commandline, which could indicate a malicious payload about to be decoded

Read More

Detects known hacktool execution based on image name

Read More

Detects events with patterns found in commands used for reconnaissance on linux systems

Read More

Detects suspicious process command line that starts with a shell that executes something and finally gets piped into another shell

Read More

Detects suspicious sub processes of web server processes

Read More

Detects usage of "find" binary in a suspicious manner to perform discovery

Read More

Detects events in which someone prints the contents of history files to the commandline or redirects it to a file for reconnaissance

Read More

Detects usage of the 'chattr' utility to remove immutable file attribute.

Read More

Detects usage of the 'crontab' utility to remove the current crontab. This is a common occurrence where cryptocurrency miners compete against each other by removing traces of other miners to hijack the maximum amount of resources possible

Read More

Detects users trying to exploit sudo vulnerability reported in CVE-2019-14287

Read More

Detects a suspicious curl process start on linux with set useragent options

Read More

Detects execution of "git" in order to clone a remote repository that contain suspicious keywords which might be suspicious

Read More

Detects java process spawning suspicious children

Read More

Detects installation of suspicious packages using system installation utilities

Read More

Detects execution of a the file "execve_hijack" which is used by the Triple Cross rootkit as a way to elevate privileges

Read More

Detects default install commands of the Triple Cross eBPF rootkit based on the "deployer.sh" script

Read More

Detects when the file "passwd" or "shadow" is copied from tmp path

Read More

Detects execution of the "mount" command with "hidepid" parameter to make invisible processes to other users from the system

Read More

Detects usage of the "touch" process in service file.

Read More

Detect use of iptables to flush all firewall rules, tables and chains and allow all network traffic

Read More

Detects attempts to force stop the ufw using ufw-init

Read More

Detects the usage of the unsafe bpftrace option

Read More

Detects usage of system utilities to discover system network connections

Read More

Detects suspicious change of file privileges with chown and chmod commands

Read More

Detects usage of base64 utility to decode arbitrary base64-encoded text

Read More

Detects execution of the "groupdel" binary. Which is used to delete a group. This is sometimes abused by threat actors in order to cover their tracks

Read More

Detects execution of the "userdel" binary. Which is used to delete a user account and related files. This is sometimes abused by threat actors in order to cover their tracks

Read More

Detects usage of the "usermod" binary to add users add users to the root or suoders groups

Read More

Detects enumeration of local system groups. Adversaries may attempt to find local system groups and permission settings

Read More

Detects enumeration of local systeam accounts. This information can help adversaries determine which local accounts exist on a system to aid in follow-on behavior.

Read More

Detects abuse of the cron utility to perform task scheduling for initial or recurring execution of malicious code. Detection will focus on crontab jobs uploaded from the tmp folder.

Read More

Detects usage of system utilities (only grep and egrep for now) to discover security software discovery

Read More

Detects usage of system utilities to discover files and directories

Read More

Detects chmod targeting files in abnormal directory paths.

Read More

Detects attempts to clear logs on the system. Adversaries may clear system logs to hide evidence of an intrusion

Read More

Detects attempts to collect data stored in the clipboard from users with the usage of xclip tool. Xclip has to be installed. Highly recommended using rule on servers, due to high usage of clipboard utilities on user workstations.

Read More

Detects setting proxy configuration

Read More

Detects potential overwriting and deletion of a file using DD.

Read More

Detects file deletion using "rm", "shred" or "unlink" commands which are used often by adversaries to delete files left behind by the actions of their intrusion activity

Read More

Detects installation of new certificate on the system which attackers may use to avoid warnings when connecting to controlled web servers or C2s

Read More

Detects the enumeration of other remote systems.

Read More

Rule to detect the use of the SCX RunAsProvider ExecuteScript to execute any UNIX/Linux script using the /bin/sh shell. Script being executed gets created as a temp file in /tmp folder with a scx* prefix. Then it is invoked from the following directory /etc/opt/microsoft/scx/conf/tmpdir/. The file in that directory has the same prefix scx*. SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including Microsoft Operations Manager, Microsoft Azure, and Microsoft Operations Management Suite.

Read More

Rule to detect the use of the SCX RunAsProvider Invoke_ExecuteShellCommand to execute any UNIX/Linux command using the /bin/sh shell. SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including Microsoft Operations Manager, Microsoft Azure, and Microsoft Operations Management Suite.

Read More

Detects process discovery commands. Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network

Read More

Detects the use of at/atd which are utilities that are used to schedule tasks. They are often abused by adversaries to maintain persistence or to perform task scheduling for initial or recurring execution of malicious code

Read More

Detects system information discovery commands

Read More

Detects disabling security tools

Read More

Detects the doas tool execution in linux host platform. This utility tool allow standard users to perform tasks as root, the same way sudo does.

Read More