Linux HackTool Execution
Detects known hacktool execution based on image name.
Sigma rule
title: Linux HackTool Execution
id: a015e032-146d-4717-8944-7a1884122111
status: experimental
description: Detects known hacktool execution based on image name.
references:
    - https://github.com/Gui774ume/ebpfkit
    - https://github.com/pathtofile/bad-bpf
    - https://github.com/carlospolop/PEASS-ng
    - https://github.com/t3l3machus/hoaxshell
    - https://github.com/t3l3machus/Villain
    - https://github.com/HavocFramework/Havoc
    - https://github.com/1N3/Sn1per
    - https://github.com/Ne0nd0g/merlin
    - https://github.com/Pennyw0rth/NetExec/
author: Nasreddine Bencherchali (Nextron Systems), Georg Lauenstein (sure[secure])
date: 2023/01/03
modified: 2023/10/25
tags:
    - attack.execution
    - attack.resource_development
    - attack.t1587
logsource:
    product: linux
    category: process_creation
detection:
    selection_c2_frameworks:
        Image|endswith:
            - '/crackmapexec'
            - '/havoc'
            - '/merlin-agent'
            - '/merlinServer-Linux-x64'
            - '/msfconsole'
            - '/msfvenom'
            - '/ps-empire server'
            - '/ps-empire'
            - '/sliver-client'
            - '/sliver-server'
            - '/Villain.py'
    selection_c2_framework_cobaltstrike:
        Image|contains:
            - '/cobaltstrike'
            - '/teamserver'
    selection_scanners:
        Image|endswith:
            - '/autorecon'
            - '/httpx'
            - '/legion'
            - '/naabu'
            - '/netdiscover'
            - '/nmap'
            - '/nuclei'
            - '/recon-ng'
            - '/zenmap'
    selection_scanners_sniper:
        Image|contains: '/sniper'
    selection_web_enum:
        Image|endswith:
            - '/dirb'
            - '/dirbuster'
            - '/eyewitness'
            - '/feroxbuster'
            - '/ffuf'
            - '/gobuster'
            - '/wfuzz'
            - '/whatweb'
    selection_web_vuln:
        Image|endswith:
            - '/joomscan'
            - '/nikto'
            - '/wpscan'
    selection_exploit_tools:
        Image|endswith:
            - '/aircrack-ng'
            - '/bloodhound-python'
            - '/bpfdos'
            - '/ebpfki'
            - '/evil-winrm'
            - '/hashcat'
            - '/hoaxshell.py'
            - '/hydra'
            - '/john'
            - '/ncrack'
            # default binary: https://github.com/Pennyw0rth/NetExec/releases/download/v1.0.0/nxc-ubuntu-latest
            - '/nxc-ubuntu-latest'
            - '/pidhide'
            - '/pspy32'
            - '/pspy32s'
            - '/pspy64'
            - '/pspy64s'
            - '/setoolkit'
            - '/sqlmap'
            - '/writeblocker'
    selection_linpeas:
        # covers: all linux versions listed here: https://github.com/carlospolop/PEASS-ng/releases
        Image|contains: '/linpeas'
    condition: 1 of selection_*
falsepositives:
    - Unlikely
level: high
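Added example, not part of the rule above and not SigmaHQ or pySigma code: a small Python evaluator that encodes the rule's Image matchers as data and applies the `1 of selection_*` condition to constructed process_creation events. It follows the Sigma specification's default case-insensitive string matching (the rule uses no `cased` modifier). The sample events are made up, and are chosen to show three things worth checking before the rule goes live: a plain `endswith` hit, a `contains` matcher firing on a directory component rather than on the binary itself, and a script started through its interpreter, where Image holds the interpreter path and the `.py` matchers therefore do not fire.

```python
"""Evaluate the Image matchers of the "Linux HackTool Execution" Sigma rule
against constructed events. Example code only; it is not the rule's own
tooling and does not parse Sigma YAML in general."""

# Selections transcribed from the rule: selection name -> (modifier, values).
# Only the endswith and contains modifiers occur in this rule.
SELECTIONS = {
    "selection_c2_frameworks": ("endswith", [
        "/crackmapexec", "/havoc", "/merlin-agent", "/merlinServer-Linux-x64",
        "/msfconsole", "/msfvenom", "/ps-empire server", "/ps-empire",
        "/sliver-client", "/sliver-server", "/Villain.py",
    ]),
    "selection_c2_framework_cobaltstrike": ("contains", ["/cobaltstrike", "/teamserver"]),
    "selection_scanners": ("endswith", [
        "/autorecon", "/httpx", "/legion", "/naabu", "/netdiscover", "/nmap",
        "/nuclei", "/recon-ng", "/zenmap",
    ]),
    "selection_scanners_sniper": ("contains", ["/sniper"]),
    "selection_web_enum": ("endswith", [
        "/dirb", "/dirbuster", "/eyewitness", "/feroxbuster", "/ffuf",
        "/gobuster", "/wfuzz", "/whatweb",
    ]),
    "selection_web_vuln": ("endswith", ["/joomscan", "/nikto", "/wpscan"]),
    "selection_exploit_tools": ("endswith", [
        "/aircrack-ng", "/bloodhound-python", "/bpfdos", "/ebpfki", "/evil-winrm",
        "/hashcat", "/hoaxshell.py", "/hydra", "/john", "/ncrack",
        "/nxc-ubuntu-latest", "/pidhide", "/pspy32", "/pspy32s", "/pspy64",
        "/pspy64s", "/setoolkit", "/sqlmap", "/writeblocker",
    ]),
    "selection_linpeas": ("contains", ["/linpeas"]),
}


def matching_selections(image: str) -> list[str]:
    """Return the names of every selection the Image value satisfies.

    Sigma string matching is case-insensitive unless the `cased` modifier is
    present, so both sides are lower-cased before comparing.
    """
    img = image.lower()
    hits = []
    for name, (modifier, values) in SELECTIONS.items():
        for value in values:
            v = value.lower()
            if (modifier == "endswith" and img.endswith(v)) or (
                modifier == "contains" and v in img
            ):
                hits.append(name)
                break  # one matching value is enough for this selection
    return hits


def evaluate(events: list[dict]) -> list[tuple[dict, list[str]]]:
    """Apply `condition: 1 of selection_*`: an event alerts when at least one
    selection matches. Returns (event, matched selection names) per alert."""
    alerts = []
    for ev in events:
        hits = matching_selections(ev.get("Image", ""))
        if hits:
            alerts.append((ev, hits))
    return alerts


# Constructed sample events (not real telemetry), using the Sigma field names
# the rule references for linux/process_creation.
SAMPLE_EVENTS = [
    {"Image": "/usr/bin/nmap", "CommandLine": "nmap -sS 10.0.0.0/24"},
    {"Image": "/opt/sliver/sliver-server", "CommandLine": "sliver-server daemon"},
    {"Image": "/tmp/linpeas_linux_amd64", "CommandLine": "./linpeas_linux_amd64 -a"},
    # Script launched through the interpreter: Image is python3, so the
    # '/Villain.py' matcher does not fire although the script is on the
    # command line. A log source that reports the script path in Image,
    # or a separate CommandLine selection, would be needed to catch this.
    {"Image": "/usr/bin/python3", "CommandLine": "python3 /home/u/Villain.py"},
    # Benign binary under a directory whose name contains a matcher value:
    # `contains` fires on any path component, not only on the file name.
    {"Image": "/opt/teamserver-backup/bin/rsync", "CommandLine": "rsync -a /srv /bak"},
    {"Image": "/usr/bin/ls", "CommandLine": "ls -la"},
]

if __name__ == "__main__":
    for ev, hits in evaluate(SAMPLE_EVENTS):
        print(f"{ev['Image']:40s} -> {', '.join(hits)}")
```

For a real deployment the rule is converted with sigma-cli or pySigma into the SIEM's query language; this evaluator only mirrors the matching semantics so the selections can be sanity-checked against a list of paths collected from the environment, which is the quickest way to find `contains` matchers (such as `/teamserver`, `/sniper` and `/linpeas`) that collide with local directory names.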