Linux Recon Indicators
Detects events with patterns found in commands used for reconnaissance on linux systems
Sigma rule (View on GitHub)
1title: Linux Recon Indicators
2id: 0cf7a157-8879-41a2-8f55-388dd23746b7
3status: test
4description: Detects events with patterns found in commands used for reconnaissance on linux systems
5references:
6 - https://github.com/sleventyeleven/linuxprivchecker/blob/0d701080bbf92efd464e97d71a70f97c6f2cd658/linuxprivchecker.py
7author: Florian Roth (Nextron Systems)
8date: 2022/06/20
9tags:
10 - attack.reconnaissance
11 - attack.t1592.004
12 - attack.credential_access
13 - attack.t1552.001
14logsource:
15 category: process_creation
16 product: linux
17detection:
18 selection:
19 CommandLine|contains:
20 - ' -name .htpasswd'
21 - ' -perm -4000 '
22 condition: selection
23falsepositives:
24 - Legitimate administration activities
25level: high
References
-
linuxprivchecker.py -- a Linux Privilege Escalation Check Script - sleventyeleven/linuxprivchecker
Read More
Related rules
- Azure Key Vault Modified or Deleted
- Azure Keyvault Key Modified or Deleted
- Azure Keyvault Secrets Modified or Deleted
- Potential Russian APT Credential Theft Activity
- Credentials In Files - Linux