Suspicious Package Installed - Linux
Detects installation of suspicious packages using system installation utilities
Sigma rule

```yaml
title: Suspicious Package Installed - Linux
id: 700fb7e8-2981-401c-8430-be58e189e741
status: test
description: Detects installation of suspicious packages using system installation utilities
references:
    - https://gist.githubusercontent.com/MichaelKoczwara/12faba9c061c12b5814b711166de8c2f/raw/e2068486692897b620c25fde1ea258c8218fe3d3/history.txt
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-03
tags:
    - attack.defense-evasion
    - attack.t1553.004
logsource:
    product: linux
    category: process_creation
detection:
    selection_tool_apt:
        Image|endswith:
            - '/apt'
            - '/apt-get'
        CommandLine|contains: 'install'
    selection_tool_yum:
        Image|endswith: '/yum'
        CommandLine|contains:
            - 'localinstall'
            - 'install'
    selection_tool_rpm:
        Image|endswith: '/rpm'
        CommandLine|contains: '-i'
    selection_tool_dpkg:
        Image|endswith: '/dpkg'
        CommandLine|contains:
            - '--install'
            - '-i'
    selection_keyword:
        CommandLine|contains:
            # Add more suspicious packages
            - 'nmap'
            - ' nc'
            - 'netcat'
            - 'wireshark'
            - 'tshark'
            - 'openconnect'
            - 'proxychains'
    condition: 1 of selection_tool_* and selection_keyword
falsepositives:
    - Legitimate administration activities
level: medium
```
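To see exactly which process_creation events this rule fires on, the following added example (not Sigma's code and not the rule author's) re-implements the rule's selections and its `1 of selection_tool_* and selection_keyword` condition in plain Python and runs them over a handful of constructed events. Sigma's `contains` and `endswith` modifiers are case-insensitive by default, so both sides are lower-cased; the sample events, field names `Image` and `CommandLine`, and the helper names are the example's own assumptions. The rsync sample shows why the keyword list carries `' nc'` with a leading space: the bare substring `nc` occurs inside `rsync`, and the space keeps that from triggering.

```python
"""Plain-Python re-implementation of the 'Suspicious Package Installed - Linux'
Sigma logic, written as an added example so the rule can be exercised offline
against constructed process_creation events (field names assumed: Image,
CommandLine). Sigma string modifiers are case-insensitive by default, so every
comparison lower-cases both sides."""
from typing import Dict, List, Tuple

Selection = Dict[str, Tuple[str, List[str]]]

# Tool selections transcribed from the rule: field -> (modifier, values).
# Inside one selection every field must match (AND); inside a value list any
# value may match (OR).
TOOL_SELECTIONS: Dict[str, Selection] = {
    "selection_tool_apt": {
        "Image": ("endswith", ["/apt", "/apt-get"]),
        "CommandLine": ("contains", ["install"]),
    },
    "selection_tool_yum": {
        "Image": ("endswith", ["/yum"]),
        "CommandLine": ("contains", ["localinstall", "install"]),
    },
    "selection_tool_rpm": {
        "Image": ("endswith", ["/rpm"]),
        "CommandLine": ("contains", ["-i"]),
    },
    "selection_tool_dpkg": {
        "Image": ("endswith", ["/dpkg"]),
        "CommandLine": ("contains", ["--install", "-i"]),
    },
}

# selection_keyword from the rule. The leading space in ' nc' stops the
# two-letter needle from matching inside unrelated words such as 'rsync'.
KEYWORDS: List[str] = ["nmap", " nc", "netcat", "wireshark", "tshark",
                       "openconnect", "proxychains"]


def _field_matches(value: str, modifier: str, needles: List[str]) -> bool:
    """Apply one Sigma modifier with list-OR semantics, case-insensitively."""
    v = value.lower()
    if modifier == "endswith":
        return any(v.endswith(n.lower()) for n in needles)
    if modifier == "contains":
        return any(n.lower() in v for n in needles)
    raise ValueError(f"unsupported modifier: {modifier}")


def _selection_matches(event: Dict[str, str], selection: Selection) -> bool:
    """All fields of a selection must match the event (AND)."""
    return all(
        _field_matches(event.get(field, ""), modifier, needles)
        for field, (modifier, needles) in selection.items()
    )


def matched_tools(event: Dict[str, str]) -> List[str]:
    """Names of the selection_tool_* selections that match the event."""
    return [name for name, sel in TOOL_SELECTIONS.items()
            if _selection_matches(event, sel)]


def is_suspicious_install(event: Dict[str, str]) -> bool:
    """condition: 1 of selection_tool_* and selection_keyword"""
    keyword_hit = _field_matches(event.get("CommandLine", ""), "contains", KEYWORDS)
    return bool(matched_tools(event)) and keyword_hit


# Constructed sample events; not real telemetry.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": "/usr/bin/apt-get", "CommandLine": "apt-get install -y nmap"},
    {"Image": "/usr/bin/yum", "CommandLine": "yum localinstall proxychains-4.rpm"},
    {"Image": "/usr/bin/apt", "CommandLine": "apt install -y vim"},
    {"Image": "/usr/bin/rsync", "CommandLine": "rsync -a nmap-data/ backup/"},
    {"Image": "/usr/bin/apt", "CommandLine": "apt install rsync"},
    {"Image": "/usr/bin/dpkg", "CommandLine": "dpkg -i netcat-openbsd.deb"},
]


def run_samples(events: List[Dict[str, str]] = SAMPLE_EVENTS) -> List[bool]:
    """Evaluate the rule over each event; one verdict per event, in order."""
    return [is_suspicious_install(e) for e in events]


if __name__ == "__main__":
    for event, hit in zip(SAMPLE_EVENTS, run_samples()):
        print(("ALERT " if hit else "ok    ") + event["CommandLine"])
```

Two things the run makes visible: the `vim` install and the `rsync` invocations stay quiet (no keyword, or no package-manager image), while `apt install rsync` is a deliberate near-miss that `' nc'` correctly ignores. Because `install` is a substring of `localinstall`, the yum selection would behave identically with only `install` listed; the rule keeps both for readability.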
Related rules
- Cisco Crypto Commands
- Install Root Certificate
- New Root Certificate Installed Via CertMgr.EXE
- New Root Certificate Installed Via Certutil.EXE
- Root Certificate Installed - PowerShell