Potential Discovery Activity Using Find - Linux
Detects usage of "find" binary in a suspicious manner to perform discovery
Sigma rule (View on GitHub)
1title: Potential Discovery Activity Using Find - Linux
2id: 8344c0e5-5783-47cc-9cf9-a0f7fd03e6cf
3related:
4 - id: 85de3a19-b675-4a51-bfc6-b11a5186c971
5 type: similar
6status: test
7description: Detects usage of "find" binary in a suspicious manner to perform discovery
8references:
9 - https://github.com/SaiSathvik1/Linux-Privilege-Escalation-Notes
10author: Nasreddine Bencherchali (Nextron Systems)
11date: 2022-12-28
12tags:
13 - attack.discovery
14 - attack.t1083
15logsource:
16 category: process_creation
17 product: linux
18detection:
19 selection:
20 Image|endswith: '/find'
21 CommandLine|contains:
22 - '-perm -4000'
23 - '-perm -2000'
24 - '-perm 0777'
25 - '-perm -222'
26 - '-perm -o w'
27 - '-perm -o x'
28 - '-perm -u=s'
29 - '-perm -g=s'
30 condition: selection
31falsepositives:
32 - Unknown
33level: medium
References
Related rules
- Capabilities Discovery - Linux
- Cisco Discovery
- DirLister Execution
- File and Directory Discovery - MacOS
- PUA - Seatbelt Execution