Suspicious Git Clone - Linux

Detects execution of "git" in order to clone a remote repository that contain suspicious keywords which might be suspicious

Sigma rule (View on GitHub)

 1title: Suspicious Git Clone - Linux
 2id: cfec9d29-64ec-4a0f-9ffe-0fdb856d5446
 3status: test
 4description: Detects execution of "git" in order to clone a remote repository that contain suspicious keywords which might be suspicious
 5references:
 6    - https://gist.githubusercontent.com/MichaelKoczwara/12faba9c061c12b5814b711166de8c2f/raw/e2068486692897b620c25fde1ea258c8218fe3d3/history.txt
 7author: Nasreddine Bencherchali (Nextron Systems)
 8date: 2023/01/03
 9modified: 2023/01/05
10tags:
11    - attack.reconnaissance
12    - attack.t1593.003
13logsource:
14    category: process_creation
15    product: linux
16detection:
17    selection_img:
18        Image|endswith: '/git'
19        CommandLine|contains: ' clone '
20    selection_keyword:
21        CommandLine|contains:
22            # Add more suspicious keywords
23            - 'exploit'
24            - 'Vulns'
25            - 'vulnerability'
26            - 'RCE'
27            - 'RemoteCodeExecution'
28            - 'Invoke-'
29            - 'CVE-'
30            - 'poc-'
31            - 'ProofOfConcept'
32            # Add more vuln names
33            - 'proxyshell'
34            - 'log4shell'
35            - 'eternalblue'
36            - 'eternal-blue'
37            - 'MS17-'
38    condition: all of selection_*
39falsepositives:
40    - Unknown
41level: medium

References

Related rules

to-top