Security Software Discovery - Linux
Detects usage of system utilities (only grep and egrep for now) to discover security software discovery
Sigma rule (View on GitHub)
1title: Security Software Discovery - Linux
2id: c9d8b7fd-78e4-44fe-88f6-599135d46d60
3status: test
4description: Detects usage of system utilities (only grep and egrep for now) to discover security software discovery
5references:
6 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518.001/T1518.001.md
7author: Daniil Yugoslavskiy, oscd.community
8date: 2020-10-19
9modified: 2022-11-27
10tags:
11 - attack.discovery
12 - attack.t1518.001
13logsource:
14 category: process_creation
15 product: linux
16detection:
17 selection:
18 Image|endswith:
19 # You can add more grep variations such as fgrep, rgrep...etc
20 - '/grep'
21 - '/egrep'
22 CommandLine|contains:
23 - 'nessusd' # nessus vulnerability scanner
24 - 'td-agent' # fluentd log shipper
25 - 'packetbeat' # elastic network logger/shipper
26 - 'filebeat' # elastic log file shipper
27 - 'auditbeat' # elastic auditing agent/log shipper
28 - 'osqueryd' # facebook osquery
29 - 'cbagentd' # carbon black
30 - 'falcond' # crowdstrike falcon
31 condition: selection
32falsepositives:
33 - Legitimate activities
34level: low
References
Related rules
- Security Software Discovery - MacOs
- Sysmon Discovery Via Default Driver Altitude Using Findstr.EXE
- System Integrity Protection (SIP) Disabled
- System Integrity Protection (SIP) Enumeration
- AADInternals PowerShell Cmdlets Execution - ProccessCreation