Sigma rules for CVE-2010-2729
200 rules · scoped to cve · back to CVE-2010-2729
Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.
title: Too Many Global Admins
id: 7bbc309f-e2b1-4eb1-8369-131a367d67d3
status: test
description: Identifies an event where there are there are too many accounts assigned the Global Administrator role.
references:
- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#there-are-too-many-global-administrators
author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
date: 2023-09-14
tags:
- attack.initial-access
- attack.stealth
- attack.t1078
- attack.persistence
- attack.privilege-escalation
logsource:
product: azure
service: pim
detection:
selection:
riskEventType: 'tooManyGlobalAdminsAssignedToTenantAlertIncident'
condition: selection
falsepositives:
- Investigate if threshold setting in PIM is too low.
level: high
title: Stale Accounts In A Privileged Role
id: e402c26a-267a-45bd-9615-bd9ceda6da85
status: test
description: Identifies when an account hasn't signed in during the past n number of days.
references:
- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#potential-stale-accounts-in-a-privileged-role
author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
date: 2023-09-14
tags:
- attack.initial-access
- attack.stealth
- attack.t1078
- attack.persistence
- attack.privilege-escalation
logsource:
product: azure
service: pim
detection:
selection:
riskEventType: 'staleSignInAlertIncident'
condition: selection
falsepositives:
- Investigate if potential generic account that cannot be removed.
level: high
title: Roles Are Not Being Used
id: 8c6ec464-4ae4-43ac-936a-291da66ed13d
status: test
description: Identifies when a user has been assigned a privilege role and are not using that role.
references:
- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#administrators-arent-using-their-privileged-roles
author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
date: 2023-09-14
tags:
- attack.initial-access
- attack.stealth
- attack.t1078
- attack.persistence
- attack.privilege-escalation
logsource:
product: azure
service: pim
detection:
selection:
riskEventType: 'redundantAssignmentAlertIncident'
condition: selection
falsepositives:
- Investigate if potential generic account that cannot be removed.
level: high
title: Invalid PIM License
id: 58af08eb-f9e1-43c8-9805-3ad9b0482bd8
status: test
description: Identifies when an organization doesn't have the proper license for PIM and is out of compliance.
references:
- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#the-organization-doesnt-have-microsoft-entra-premium-p2-or-microsoft-entra-id-governance
author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
date: 2023-09-14
tags:
- attack.initial-access
- attack.stealth
- attack.t1078
- attack.persistence
- attack.privilege-escalation
logsource:
product: azure
service: pim
detection:
selection:
riskEventType: 'invalidLicenseAlertIncident'
condition: selection
falsepositives:
- Investigate if licenses have expired.
level: high
title: Bulk Deletion Changes To Privileged Account Permissions
id: 102e11e3-2db5-4c9e-bc26-357d42585d21
status: test
description: Detects when a user is removed from a privileged role. Bulk changes should be investigated.
references:
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-identity-management#azure-ad-roles-assignment
author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'
date: 2022-08-05
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1098
logsource:
product: azure
service: auditlogs
detection:
selection:
properties.message:
- Remove eligible member (permanent)
- Remove eligible member (eligible)
condition: selection
falsepositives:
- Legtimate administrator actions of removing members from a role
level: high
title: PIM Alert Setting Changes To Disabled
id: aeaef14c-e5bf-4690-a9c8-835caad458bd
status: test
description: Detects when PIM alerts are set to disabled.
references:
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-identity-management#azure-ad-roles-assignment
author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'
date: 2022-08-09
tags:
- attack.initial-access
- attack.persistence
- attack.privilege-escalation
- attack.stealth
- attack.t1078
logsource:
product: azure
service: auditlogs
detection:
selection:
properties.message: Disable PIM Alert
condition: selection
falsepositives:
- Administrator disabling PIM alerts as an active choice.
level: high
title: Azure Subscription Permission Elevation Via AuditLogs
id: ca9bf243-465e-494a-9e54-bf9fc239057d
status: test
description: |
Detects when a user has been elevated to manage all Azure Subscriptions.
This change should be investigated immediately if it isn't planned.
This setting could allow an attacker access to Azure subscriptions in your environment.
references:
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts#assignment-and-elevation
author: Austin Songer @austinsonger
date: 2021-11-26
modified: 2022-12-25
tags:
- attack.privilege-escalation
- attack.persistence
- attack.initial-access
- attack.stealth
- attack.t1078
logsource:
product: azure
service: auditlogs
detection:
selection:
Category: 'Administrative'
OperationName: 'Assigns the caller to user access admin'
condition: selection
falsepositives:
- If this was approved by System Administrator.
level: high
title: Application AppID Uri Configuration Changes
id: 1b45b0d1-773f-4f23-aedc-814b759563b1
status: test
description: Detects when a configuration change is made to an applications AppID URI.
references:
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#appid-uri-added-modified-or-removed
author: Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik'
date: 2022-06-02
tags:
- attack.initial-access
- attack.persistence
- attack.credential-access
- attack.privilege-escalation
- attack.stealth
- attack.t1552
- attack.t1078.004
logsource:
product: azure
service: auditlogs
detection:
selection:
properties.message:
- Update Application
- Update Service principal
condition: selection
falsepositives:
- When and administrator is making legitimate AppID URI configuration changes to an application. This should be a planned event.
level: high
title: Account Created And Deleted Within A Close Time Frame
id: 6f583da0-3a90-4566-a4ed-83c09fe18bbf
status: test
description: Detects when an account was created and deleted in a short period of time.
references:
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#short-lived-accounts
author: Mark Morowczynski '@markmorow', MikeDuddington, '@dudders1', Tim Shelton
date: 2022-08-11
modified: 2022-08-18
tags:
- attack.privilege-escalation
- attack.persistence
- attack.initial-access
- attack.stealth
- attack.t1078
logsource:
product: azure
service: auditlogs
detection:
selection:
properties.message:
- Add user
- Delete user
Status: Success
condition: selection
falsepositives:
- Legit administrative action
level: high
title: Azure Login Bypassing Conditional Access Policies
id: 13f2d3f5-6497-44a7-bf5f-dc13ffafe5dc
status: experimental
description: |
Detects a successful login to the Microsoft Intune Company Portal which could allow bypassing Conditional Access Policies and InTune device trust using a tool like TokenSmith.
author: Josh Nickels, Marius Rothenbücher
references:
- https://labs.jumpsec.com/tokensmith-bypassing-intune-compliant-device-conditional-access/
- https://github.com/JumpsecLabs/TokenSmith
date: 2025-01-08
tags:
- attack.privilege-escalation
- attack.persistence
- attack.initial-access
- attack.stealth
- attack.t1078
logsource:
service: audit
product: m365
detection:
selection:
Operation: 'UserLoggedIn'
ApplicationId: '9ba1a5c7-f17a-4de9-a1f1-6178c8d51223'
ResultStatus: 'Success'
RequestType: 'Cmsi:Cmsi'
filter_main_bjectid:
ObjectId: '0000000a-0000-0000-c000-000000000000' # Microsoft Intune seen when mobile devices are enrolled
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
title: Antivirus Relevant File Paths Alerts
id: c9a88268-0047-4824-ba6e-4d81ce0b907c
status: test
description: |
Detects an Antivirus alert in a highly relevant file path or with a relevant file name.
This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.
references:
- https://www.nextron-systems.com/?s=antivirus
author: Florian Roth (Nextron Systems), Arnim Rupp
date: 2018-09-09
modified: 2024-11-02
tags:
- attack.resource-development
- attack.t1588
logsource:
category: antivirus
detection:
selection_path:
Filename|contains:
- ':\PerfLogs\'
- ':\Temp\'
- ':\Users\Default\'
- ':\Users\Public\'
- ':\Windows\'
- '/www/'
# - '\Client\'
- '\inetpub\'
- '\tsclient\'
- 'apache'
- 'nginx'
- 'tomcat'
- 'weblogic'
selection_ext:
Filename|endswith:
- '.asax'
- '.ashx'
- '.asmx'
- '.asp'
- '.aspx'
- '.bat'
- '.cfm'
- '.cgi'
- '.chm'
- '.cmd'
- '.dat'
- '.ear'
- '.gif'
- '.hta'
- '.jpeg'
- '.jpg'
- '.jsp'
- '.jspx'
- '.lnk'
- '.msc'
- '.php'
- '.pl'
- '.png'
- '.ps1'
- '.psm1'
- '.py'
- '.pyc'
- '.rb'
- '.scf'
- '.sct'
- '.sh'
- '.svg'
- '.txt'
- '.vbe'
- '.vbs'
- '.war'
- '.wll'
- '.wsf'
- '.wsh'
- '.xll'
- '.xml'
condition: 1 of selection_*
falsepositives:
- Unlikely
level: high
title: Antivirus Hacktool Detection
id: fa0c05b6-8ad3-468d-8231-c1cbccb64fba
status: stable
description: |
Detects a highly relevant Antivirus alert that reports a hack tool or other attack tool.
This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.
references:
- https://www.nextron-systems.com/2021/08/16/antivirus-event-analysis-cheat-sheet-v1-8-2/
- https://www.nextron-systems.com/?s=antivirus
author: Florian Roth (Nextron Systems), Arnim Rupp
date: 2021-08-16
modified: 2024-11-02
tags:
- attack.execution
- attack.t1204
logsource:
category: antivirus
detection:
selection:
- Signature|startswith:
- 'ATK/' # Sophos
- 'Exploit.Script.CVE'
- 'HKTL'
- 'HTOOL'
- 'PWS.'
- 'PWSX'
- 'SecurityTool'
# - 'FRP.'
- Signature|contains:
- 'Adfind'
- 'Brutel'
- 'BruteR'
- 'Cobalt'
- 'COBEACON'
- 'Cometer'
- 'DumpCreds'
- 'FastReverseProxy'
- 'Hacktool'
- 'Havoc'
- 'Impacket'
- 'Keylogger'
- 'Koadic'
- 'Mimikatz'
- 'Nighthawk'
- 'PentestPowerShell'
- 'Potato'
- 'PowerSploit'
- 'PowerSSH'
- 'PshlSpy'
- 'PSWTool'
- 'PWCrack'
- 'PWDump'
- 'Rozena'
- 'Rusthound'
- 'Sbelt'
- 'Seatbelt'
- 'SecurityTool'
- 'SharpDump'
- 'SharpHound'
- 'Shellcode'
- 'Sliver'
- 'Snaffler'
- 'SOAPHound'
- 'Splinter'
- 'Swrort'
- 'TurtleLoader'
condition: selection
falsepositives:
- Unlikely
level: high
title: Communication To LocaltoNet Tunneling Service Initiated - Linux
id: c4568f5d-131f-4e78-83d4-45b2da0ec4f1
status: test
description: |
Detects an executable initiating a network connection to "LocaltoNet" tunneling sub-domains.
LocaltoNet is a reverse proxy that enables localhost services to be exposed to the Internet.
Attackers have been seen to use this service for command-and-control activities to bypass MFA and perimeter controls.
references:
- https://localtonet.com/documents/supported-tunnels
- https://cloud.google.com/blog/topics/threat-intelligence/unc3944-targets-saas-applications
author: Andreas Braathen (mnemonic.io)
date: 2024-06-17
tags:
- attack.command-and-control
- attack.t1572
- attack.t1090
- attack.t1102
logsource:
category: network_connection
product: linux
detection:
selection:
DestinationHostname|endswith:
- '.localto.net'
- '.localtonet.com'
Initiated: 'true'
condition: selection
falsepositives:
- Legitimate use of the LocaltoNet service.
level: high
title: Communication To Ngrok Tunneling Service - Linux
id: 19bf6fdb-7721-4f3d-867f-53467f6a5db6
status: test
description: Detects an executable accessing an ngrok tunneling endpoint, which could be a sign of forbidden exfiltration of data exfiltration by malicious actors
references:
- https://twitter.com/hakluke/status/1587733971814977537/photo/1
- https://ngrok.com/docs/secure-tunnels/tunnels/ssh-reverse-tunnel-agent
author: Florian Roth (Nextron Systems)
date: 2022-11-03
tags:
- attack.exfiltration
- attack.command-and-control
- attack.t1567
- attack.t1568.002
- attack.t1572
- attack.t1090
- attack.t1102
- attack.s0508
logsource:
product: linux
category: network_connection
detection:
selection:
DestinationHostname|contains:
- 'tunnel.us.ngrok.com'
- 'tunnel.eu.ngrok.com'
- 'tunnel.ap.ngrok.com'
- 'tunnel.au.ngrok.com'
- 'tunnel.sa.ngrok.com'
- 'tunnel.jp.ngrok.com'
- 'tunnel.in.ngrok.com'
condition: selection
falsepositives:
- Legitimate use of ngrok
level: high
title: Shell Execution GCC - Linux
id: 9b5de532-a757-4d70-946c-1f3e44f48b4d
status: test
description: |
Detects the use of the "gcc" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
references:
- https://gtfobins.github.io/gtfobins/gcc/#shell
- https://gtfobins.github.io/gtfobins/c89/#shell
- https://gtfobins.github.io/gtfobins/c99/#shell
- https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html
author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)
date: 2024-09-02
tags:
- attack.discovery
- attack.t1083
logsource:
category: process_creation
product: linux
detection:
selection_img:
Image|endswith:
- '/c89'
- '/c99'
- '/gcc'
CommandLine|contains: '-wrapper'
selection_cli:
CommandLine|contains:
- '/bin/bash,-s'
- '/bin/dash,-s'
- '/bin/fish,-s'
- '/bin/sh,-s'
- '/bin/zsh,-s'
condition: all of selection_*
falsepositives:
- Unknown
level: high
title: Shell Execution via Rsync - Linux
id: e2326866-609f-4015-aea9-7ec634e8aa04
status: experimental
description: |
Detects the use of the "rsync" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
references:
- https://gtfobins.github.io/gtfobins/rsync/#shell
author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.), Florian Roth
date: 2024-09-02
modified: 2025-01-18
tags:
- attack.execution
- attack.t1059
logsource:
category: process_creation
product: linux
detection:
selection_img:
Image|endswith:
- '/rsync'
- '/rsyncd'
CommandLine|contains: ' -e '
selection_cli:
CommandLine|contains:
- '/ash '
- '/bash '
- '/dash '
- '/csh '
- '/sh '
- '/zsh '
- '/tcsh '
- '/ksh '
- "'ash "
- "'bash "
- "'dash "
- "'csh "
- "'sh "
- "'zsh "
- "'tcsh "
- "'ksh "
condition: all of selection_*
falsepositives:
- Legitimate cases in which "rsync" is used to execute a shell
level: high
title: Shell Execution via Git - Linux
id: 47b3bbd4-1bf7-48cc-84ab-995362aaa75a
status: test
description: |
Detects the use of the "git" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
references:
- https://gtfobins.github.io/gtfobins/git/#shell
author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)
date: 2024-09-02
tags:
- attack.execution
- attack.t1059
logsource:
category: process_creation
product: linux
detection:
selection:
ParentImage|endswith: '/git'
ParentCommandLine|contains|all:
- ' -p '
- 'help'
CommandLine|contains:
- 'bash 0<&1'
- 'dash 0<&1'
- 'sh 0<&1'
condition: selection
falsepositives:
- Unknown
level: high
title: Suspicious Invocation of Shell via Rsync
id: 297241f3-8108-4b3a-8c15-2dda9f844594
status: experimental
description: |
Detects the execution of a shell as sub process of "rsync" without the expected command line flag "-e" being used, which could be an indication of exploitation as described in CVE-2024-12084. This behavior is commonly associated with attempts to execute arbitrary commands or escalate privileges, potentially leading to unauthorized access or further exploitation.
references:
- https://sysdig.com/blog/detecting-and-mitigating-cve-2024-12084-rsync-remote-code-execution/
- https://gist.github.com/Neo23x0/a20436375a1e26524931dd8ea1a3af10
author: Florian Roth
date: 2025-01-18
tags:
- attack.execution
- attack.t1059
- attack.t1203
logsource:
category: process_creation
product: linux
detection:
selection:
ParentImage|endswith:
- '/rsync'
- '/rsyncd'
Image|endswith:
- '/ash'
- '/bash'
- '/csh'
- '/dash'
- '/ksh'
- '/sh'
- '/tcsh'
- '/zsh'
filter_main_expected:
CommandLine|contains: ' -e '
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
title: ESXi Admin Permission Assigned To Account Via ESXCLI
id: 9691f58d-92c1-4416-8bf3-2edd753ec9cf
status: test
description: Detects execution of the "esxcli" command with the "system" and "permission" flags in order to assign admin permissions to an account.
references:
- https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_system.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-09-04
tags:
- attack.persistence
- attack.execution
- attack.privilege-escalation
- attack.t1059.012
- attack.t1098
logsource:
category: process_creation
product: linux
detection:
selection:
Image|endswith: '/esxcli'
CommandLine|contains: 'system'
CommandLine|contains|all:
- ' permission '
- ' set'
- 'Admin'
condition: selection
falsepositives:
- Legitimate administration activities
level: high
title: Capsh Shell Invocation - Linux
id: db1ac3be-f606-4e3a-89e0-9607cbe6b98a
status: test
description: |
Detects the use of the "capsh" utility to invoke a shell.
references:
- https://gtfobins.github.io/gtfobins/capsh/#shell
- https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html
author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)
date: 2024-09-02
tags:
- attack.execution
- attack.t1059
logsource:
category: process_creation
product: linux
detection:
selection:
Image|endswith: '/capsh'
CommandLine|endswith: ' --'
condition: selection
falsepositives:
- Unknown
level: high
title: Inline Python Execution - Spawn Shell Via OS System Library
id: 2d2f44ff-4611-4778-a8fc-323a0e9850cc
status: test
description: |
Detects execution of inline Python code via the "-c" in order to call the "system" function from the "os" library, and spawn a shell.
references:
- https://gtfobins.github.io/gtfobins/python/#shell
author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)
date: 2024-09-02
tags:
- attack.execution
- attack.t1059
logsource:
category: process_creation
product: linux
detection:
selection_img:
- Image|endswith:
- '/python'
- '/python2'
- '/python3'
- Image|contains:
- '/python2.' # python image is always of the form ../python3.10; ../python is just a symlink
- '/python3.'
selection_cli:
CommandLine|contains|all:
- ' -c '
- 'os.system('
CommandLine|contains:
- '/bin/bash'
- '/bin/dash'
- '/bin/fish'
- '/bin/sh'
- '/bin/zsh'
condition: all of selection_*
falsepositives:
- Unknown
level: high
title: Potential Netcat Reverse Shell Execution
id: 7f734ed0-4f47-46c0-837f-6ee62505abd9
status: test
description: Detects execution of netcat with the "-e" flag followed by common shells. This could be a sign of a potential reverse shell setup.
references:
- https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
- https://www.revshells.com/
- https://www.hackingtutorials.org/networking/hacking-netcat-part-2-bind-reverse-shells/
- https://www.infosecademy.com/netcat-reverse-shells/
- https://man7.org/linux/man-pages/man1/ncat.1.html
author: '@d4ns4n_, Nasreddine Bencherchali (Nextron Systems)'
date: 2023-04-07
tags:
- attack.execution
- attack.t1059
logsource:
category: process_creation
product: linux
detection:
selection_nc:
Image|endswith:
- '/nc'
- '/ncat'
selection_flags:
CommandLine|contains:
- ' -c '
- ' -e '
selection_shell:
CommandLine|contains:
- ' ash'
- ' bash'
- ' bsh'
- ' csh'
- ' ksh'
- ' pdksh'
- ' sh'
- ' tcsh'
- '/bin/ash'
- '/bin/bash'
- '/bin/bsh'
- '/bin/csh'
- '/bin/ksh'
- '/bin/pdksh'
- '/bin/sh'
- '/bin/tcsh'
- '/bin/zsh'
- '$IFSash'
- '$IFSbash'
- '$IFSbsh'
- '$IFScsh'
- '$IFSksh'
- '$IFSpdksh'
- '$IFSsh'
- '$IFStcsh'
- '$IFSzsh'
condition: all of selection_*
falsepositives:
- Unlikely
level: high
title: Shell Execution via Find - Linux
id: 6adfbf8f-52be-4444-9bac-81b539624146
status: test
description: |
Detects the use of the find command to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or exploitation attempt.
references:
- https://gtfobins.github.io/gtfobins/find/#shell
- https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html
author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)
date: 2024-09-02
tags:
- attack.discovery
- attack.t1083
logsource:
category: process_creation
product: linux
detection:
selection_img:
Image|endswith: '/find'
CommandLine|contains|all:
- ' . '
- '-exec'
selection_cli:
CommandLine|contains:
- '/bin/bash'
- '/bin/dash'
- '/bin/fish'
- '/bin/sh'
- '/bin/zsh'
condition: all of selection_*
falsepositives:
- Unknown
level: high
title: History File Deletion
id: 1182f3b3-e716-4efa-99ab-d2685d04360f
status: test
description: Detects events in which a history file gets deleted, e.g. the ~/bash_history to remove traces of malicious activity
references:
- https://github.com/sleventyeleven/linuxprivchecker/
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.003/T1552.003.md
author: Florian Roth (Nextron Systems)
date: 2022-06-20
modified: 2022-09-15
tags:
- attack.impact
- attack.t1565.001
logsource:
category: process_creation
product: linux
detection:
selection:
Image|endswith:
- '/rm'
- '/unlink'
- '/shred'
selection_history:
- CommandLine|contains:
- '/.bash_history'
- '/.zsh_history'
- CommandLine|endswith:
- '_history'
- '.history'
- 'zhistory'
condition: all of selection*
falsepositives:
- Legitimate administration activities
level: high
title: Copy Passwd Or Shadow From TMP Path
id: fa4aaed5-4fe0-498d-bbc0-08e3346387ba
status: test
description: Detects when the file "passwd" or "shadow" is copied from tmp path
references:
- https://blogs.blackberry.com/
- https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2023-01-31
tags:
- attack.credential-access
- attack.t1552.001
logsource:
product: linux
category: process_creation
detection:
selection_img:
Image|endswith: '/cp'
selection_path:
CommandLine|contains: '/tmp/'
selection_file:
CommandLine|contains:
- 'passwd'
- 'shadow'
condition: all of selection_*
falsepositives:
- Unknown
level: high
title: Potential GobRAT File Discovery Via Grep
id: e34cfa0c-0a50-4210-9cb3-5632d08eb041
status: test
description: Detects the use of grep to discover specific files created by the GobRAT malware
references:
- https://blogs.jpcert.or.jp/en/2023/05/gobrat.html
- https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection
- https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2023-06-02
tags:
- attack.discovery
- attack.t1082
logsource:
category: process_creation
product: linux
detection:
selection:
Image|endswith: '/grep'
CommandLine|contains:
- 'apached'
- 'frpc'
- 'sshd.sh'
- 'zone.arm'
condition: selection
falsepositives:
- Unknown
level: high
title: Triple Cross eBPF Rootkit Install Commands
id: 22236d75-d5a0-4287-bf06-c93b1770860f
status: test
description: Detects default install commands of the Triple Cross eBPF rootkit based on the "deployer.sh" script
references:
- https://github.com/h3xduck/TripleCross/blob/1f1c3e0958af8ad9f6ebe10ab442e75de33e91de/apps/deployer.sh
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-05
tags:
- attack.stealth
- attack.t1014
logsource:
category: process_creation
product: linux
detection:
selection:
Image|endswith: '/sudo'
CommandLine|contains|all:
- ' tc '
- ' enp0s3 '
CommandLine|contains:
- ' qdisc '
- ' filter '
condition: selection
falsepositives:
- Unlikely
level: high
title: OMIGOD SCX RunAsProvider ExecuteShellCommand
id: 21541900-27a9-4454-9c4c-3f0a4240344a
status: test
description: |
Rule to detect the use of the SCX RunAsProvider Invoke_ExecuteShellCommand to execute any UNIX/Linux command using the /bin/sh shell.
SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including
Microsoft Operations Manager, Microsoft Azure, and Microsoft Operations Management Suite.
references:
- https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure
- https://github.com/Azure/Azure-Sentinel/pull/3059
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
date: 2021-10-15
modified: 2022-10-05
tags:
- attack.privilege-escalation
- attack.initial-access
- attack.execution
- attack.t1068
- attack.t1190
- attack.t1203
logsource:
product: linux
category: process_creation
detection:
selection:
User: root
LogonId: 0
CurrentDirectory: '/var/opt/microsoft/scx/tmp'
CommandLine|contains: '/bin/sh'
condition: selection
falsepositives:
- Legitimate use of SCX RunAsProvider Invoke_ExecuteShellCommand.
level: high
title: Suspicious Download and Execute Pattern via Curl/Wget
id: a2d9e2f3-0f43-4c7a-bcd9-9acfc0d723aa
status: experimental
description: |
Detects suspicious use of command-line tools such as curl or wget to download remote
content - particularly scripts - into temporary directories (e.g., /dev/shm, /tmp), followed by
immediate execution, indicating potential malicious activity. This pattern is commonly used
by malicious scripts, stagers, or downloaders in fileless or multi-stage Linux attacks.
references:
- https://gtfobins.github.io/gtfobins/wget/
- https://gtfobins.github.io/gtfobins/curl/
author: Aayush Gupta
date: 2025-06-17
tags:
- attack.execution
- attack.t1059.004
- attack.t1203
logsource:
category: process_creation
product: linux
detection:
selection_downloader:
CommandLine|contains:
- '/curl'
- '/wget'
selection_tmp:
CommandLine|contains:
- '/tmp/'
- '/dev/shm/'
selection_executor:
CommandLine|contains: 'sh -c'
condition: all of selection_*
falsepositives:
- System update scripts using temporary files
- Installer scripts or automated provisioning tools
level: high
title: Shell Execution via Flock - Linux
id: 4b09c71e-4269-4111-9cdd-107d8867f0cc
status: test
description: |
Detects the use of the "flock" command to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
references:
- https://gtfobins.github.io/gtfobins/flock/#shell
- https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html
author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)
date: 2024-09-02
tags:
- attack.discovery
- attack.t1083
logsource:
category: process_creation
product: linux
detection:
selection_img:
Image|endswith: '/flock'
CommandLine|contains: ' -u '
selection_cli:
CommandLine|contains:
- '/bin/bash'
- '/bin/dash'
- '/bin/fish'
- '/bin/sh'
- '/bin/zsh'
condition: all of selection_*
falsepositives:
- Unknown
level: high
title: Suspicious Invocation of Shell via AWK - Linux
id: 8c1a5675-cb85-452f-a298-b01b22a51856
status: test
description: |
Detects the execution of "awk" or it's sibling commands, to invoke a shell using the system() function.
This behavior is commonly associated with attempts to execute arbitrary commands or escalate privileges, potentially leading to unauthorized access or further exploitation.
references:
- https://gtfobins.github.io/gtfobins/awk/#shell
- https://gtfobins.github.io/gtfobins/gawk/#shell
- https://gtfobins.github.io/gtfobins/nawk/#shell
- https://gtfobins.github.io/gtfobins/mawk/#shell
author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)
date: 2024-09-02
tags:
- attack.execution
- attack.t1059
logsource:
category: process_creation
product: linux
detection:
selection_img:
Image|endswith:
- '/awk'
- '/gawk'
- '/mawk'
- '/nawk'
CommandLine|contains: 'BEGIN {system'
selection_cli:
CommandLine|contains:
- '/bin/bash'
- '/bin/dash'
- '/bin/fish'
- '/bin/sh'
- '/bin/zsh'
condition: all of selection_*
falsepositives:
- Unknown
level: high
title: Linux Recon Indicators
id: 0cf7a157-8879-41a2-8f55-388dd23746b7
status: test
description: Detects events with patterns found in commands used for reconnaissance on linux systems
references:
- https://github.com/sleventyeleven/linuxprivchecker/blob/0d701080bbf92efd464e97d71a70f97c6f2cd658/linuxprivchecker.py
author: Florian Roth (Nextron Systems)
date: 2022-06-20
tags:
- attack.reconnaissance
- attack.t1592.004
- attack.credential-access
- attack.t1552.001
logsource:
category: process_creation
product: linux
detection:
selection:
CommandLine|contains:
- ' -name .htpasswd'
- ' -perm -4000 '
condition: selection
falsepositives:
- Legitimate administration activities
level: high
title: Script Interpreter Spawning Credential Scanner - Linux
id: f0025a69-e1b7-4dda-a53c-db21fa2d4071
related:
- id: 0f60b28c-64dd-4e2c-9a63-5334d3e3a6e6
type: similar
status: experimental
description: |
Detects a script interpreter process (like node.js or bun) spawning a known credential scanning tool (e.g., trufflehog, gitleaks).
This behavior is indicative of an attempt to find and steal secrets, as seen in the "Shai-Hulud: The Second Coming" campaign.
references:
- https://github.com/asyncapi/cli/blob/2efa4dff59bc3d3cecdf897ccf178f99b115d63d/bun_environment.js
- https://www.stepsecurity.io/blog/sha1-hulud-the-second-coming-zapier-ens-domains-and-other-prominent-npm-packages-compromised
- https://www.endorlabs.com/learn/shai-hulud-2-malware-campaign-targets-github-and-cloud-credentials-using-bun-runtime
- https://semgrep.dev/blog/2025/digging-for-secrets-sha1-hulud-the-second-coming-of-the-npm-worm/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-25
tags:
- attack.credential-access
- attack.t1552
- attack.execution
- attack.collection
- attack.t1005
- attack.t1059.004
logsource:
category: process_creation
product: linux
detection:
selection_parent:
ParentImage|endswith:
# Add more script interpreters as needed
- '/node'
- '/bun'
selection_child:
- Image|endswith:
- '/trufflehog'
- '/gitleaks'
- CommandLine|contains:
- 'trufflehog'
- 'gitleaks'
condition: all of selection_*
falsepositives:
- Legitimate pre-commit hooks or CI/CD pipeline jobs that use a script to run a credential scanner as part of a security check.
level: high
title: Shell Execution via Nice - Linux
id: 093d68c7-762a-42f4-9f46-95e79142571a
status: test
description: |
Detects the use of the "nice" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
references:
- https://gtfobins.github.io/gtfobins/nice/#shell
- https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html
author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)
date: 2024-09-02
tags:
- attack.discovery
- attack.t1083
logsource:
category: process_creation
product: linux
detection:
selection:
Image|endswith: '/nice'
CommandLine|endswith:
- '/bin/bash'
- '/bin/dash'
- '/bin/fish'
- '/bin/sh'
- '/bin/zsh'
condition: selection
falsepositives:
- Unknown
level: high
title: Suspicious Java Children Processes
id: d292e0af-9a18-420c-9525-ec0ac3936892
status: test
description: Detects java process spawning suspicious children
references:
- https://www.tecmint.com/different-types-of-linux-shells/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-03
tags:
- attack.execution
- attack.t1059
logsource:
category: process_creation
product: linux
detection:
selection:
ParentImage|endswith: '/java'
CommandLine|contains:
- '/bin/sh'
- 'bash'
- 'dash'
- 'ksh'
- 'zsh'
- 'csh'
- 'fish'
- 'curl'
- 'wget'
- 'python'
condition: selection
falsepositives:
- Unknown
level: high
title: Vim GTFOBin Abuse - Linux
id: 7ab8f73a-fcff-428b-84aa-6a5ff7877dea
status: test
description: |
Detects the use of "vim" and it's siblings commands to execute a shell or proxy commands.
Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
references:
- https://gtfobins.github.io/gtfobins/vim/
- https://gtfobins.github.io/gtfobins/rvim/
- https://gtfobins.github.io/gtfobins/vimdiff/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-12-28
modified: 2024-09-02
tags:
- attack.discovery
- attack.t1083
logsource:
category: process_creation
product: linux
detection:
selection_img:
Image|endswith:
- '/rvim'
- '/vim'
- '/vimdiff'
CommandLine|contains:
- ' --cmd'
- ' -c '
selection_cli:
CommandLine|contains:
- ':!/'
- ':lua '
- ':py '
- '/bin/bash'
- '/bin/dash'
- '/bin/fish'
- '/bin/sh'
- '/bin/zsh'
condition: all of selection_*
falsepositives:
- Unknown
level: high
title: Shell Invocation Via Ssh - Linux
id: 8737b7f6-8df3-4bb7-b1da-06019b99b687
status: test
description: |
Detects the use of the "ssh" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
references:
- https://gtfobins.github.io/gtfobins/ssh/
- https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html
author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)
date: 2024-08-29
tags:
- attack.execution
- attack.t1059
logsource:
category: process_creation
product: linux
detection:
selection_img:
Image|endswith: '/ssh'
CommandLine|contains:
- 'ProxyCommand=;'
- 'permitlocalcommand=yes'
- 'localhost'
selection_cli:
CommandLine|contains:
- '/bin/bash'
- '/bin/dash'
- '/bin/fish'
- '/bin/sh'
- '/bin/zsh'
- 'sh 0<&2 1>&2'
- 'sh 1>&2 0<&2'
condition: all of selection_*
falsepositives:
- Unknown
level: high
title: OMIGOD SCX RunAsProvider ExecuteScript
id: 6eea1bf6-f8d2-488a-a742-e6ef6c1b67db
status: test
description: |
Rule to detect the use of the SCX RunAsProvider ExecuteScript to execute any UNIX/Linux script using the /bin/sh shell.
Script being executed gets created as a temp file in /tmp folder with a scx* prefix.
Then it is invoked from the following directory /etc/opt/microsoft/scx/conf/tmpdir/.
The file in that directory has the same prefix scx*. SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including
Microsoft Operations Manager, Microsoft Azure, and Microsoft Operations Management Suite.
references:
- https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure
- https://github.com/Azure/Azure-Sentinel/pull/3059
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
date: 2021-10-15
modified: 2022-10-05
tags:
- attack.privilege-escalation
- attack.initial-access
- attack.execution
- attack.t1068
- attack.t1190
- attack.t1203
logsource:
product: linux
category: process_creation
detection:
selection:
User: root
LogonId: 0
CurrentDirectory: '/var/opt/microsoft/scx/tmp'
CommandLine|contains: '/etc/opt/microsoft/scx/conf/tmpdir/scx'
condition: selection
falsepositives:
- Legitimate use of SCX RunAsProvider ExecuteScript.
level: high
title: Linux HackTool Execution
id: a015e032-146d-4717-8944-7a1884122111
status: test
description: Detects known hacktool execution based on image name.
references:
- https://github.com/Gui774ume/ebpfkit
- https://github.com/pathtofile/bad-bpf
- https://github.com/carlospolop/PEASS-ng
- https://github.com/t3l3machus/hoaxshell
- https://github.com/t3l3machus/Villain
- https://github.com/HavocFramework/Havoc
- https://github.com/1N3/Sn1per
- https://github.com/Ne0nd0g/merlin
- https://github.com/Pennyw0rth/NetExec/
author: Nasreddine Bencherchali (Nextron Systems), Georg Lauenstein (sure[secure])
date: 2023-01-03
modified: 2024-09-19
tags:
- attack.execution
- attack.resource-development
- attack.t1587
logsource:
product: linux
category: process_creation
detection:
selection_c2_frameworks:
Image|endswith:
- '/crackmapexec'
- '/havoc'
- '/merlin-agent'
- '/merlinServer-Linux-x64'
- '/msfconsole'
- '/msfvenom'
- '/ps-empire server'
- '/ps-empire'
- '/sliver-client'
- '/sliver-server'
- '/Villain.py'
selection_c2_framework_cobaltstrike:
Image|contains:
- '/cobaltstrike'
- '/teamserver'
selection_scanners:
Image|endswith:
- '/autorecon'
- '/httpx'
- '/legion'
- '/naabu'
- '/netdiscover'
- '/nuclei'
- '/recon-ng'
selection_scanners_sniper:
Image|contains: '/sniper'
selection_web_enum:
Image|endswith:
- '/dirb'
- '/dirbuster'
- '/eyewitness'
- '/feroxbuster'
- '/ffuf'
- '/gobuster'
- '/wfuzz'
- '/whatweb'
selection_web_vuln:
Image|endswith:
- '/joomscan'
- '/nikto'
- '/wpscan'
selection_exploit_tools:
Image|endswith:
- '/aircrack-ng'
- '/bloodhound-python'
- '/bpfdos'
- '/ebpfki'
- '/evil-winrm'
- '/hashcat'
- '/hoaxshell.py'
- '/hydra'
- '/john'
- '/ncrack'
# default binary: https://github.com/Pennyw0rth/NetExec/releases/download/v1.0.0/nxc-ubuntu-latest
- '/nxc-ubuntu-latest'
- '/pidhide'
- '/pspy32'
- '/pspy32s'
- '/pspy64'
- '/pspy64s'
- '/setoolkit'
- '/sqlmap'
- '/writeblocker'
selection_linpeas:
# covers: all linux versions listed here: https://github.com/carlospolop/PEASS-ng/releases
Image|contains: '/linpeas'
condition: 1 of selection_*
falsepositives:
- Unlikely
level: high
title: Linux Keylogging with Pam.d
id: 49aae26c-450e-448b-911d-b3c13d178dfc
status: test
description: Detect attempt to enable auditing of TTY input
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.001/T1056.001.md
- https://linux.die.net/man/8/pam_tty_audit
- https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sec-configuring_pam_for_auditing
- https://access.redhat.com/articles/4409591#audit-record-types-2
author: 'Pawel Mazur'
date: 2021-05-24
modified: 2022-12-18
tags:
- attack.collection
- attack.credential-access
- attack.t1003
- attack.t1056.001
logsource:
product: linux
service: auditd
detection:
selection_path_events:
type: PATH
name:
- '/etc/pam.d/system-auth'
- '/etc/pam.d/password-auth'
selection_tty_events:
type:
- 'TTY'
- 'USER_TTY'
condition: 1 of selection_*
falsepositives:
- Administrative work
level: high
title: BPFDoor Abnormal Process ID or Lock File Accessed
id: 808146b2-9332-4d78-9416-d7e47012d83d
status: test
description: detects BPFDoor .lock and .pid files access in temporary file storage facility
references:
- https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/
- https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor
- https://www.rapid7.com/blog/post/tr-bpfdoor-telecom-networks-sleeper-cells-threat-research-report/
- https://github.com/rapid7/Rapid7-Labs/blob/741c7196ec12a0a56b63463d1fd726ff14d3a97a/BPFDoor/rapid7_detect_bpfdoor.sh
author: Rafal Piasecki
date: 2022-08-10
modified: 2026-03-30
tags:
- attack.execution
- attack.t1106
- attack.t1059
logsource:
product: linux
service: auditd
detection:
selection:
type: 'PATH'
name:
- /var/run/aepmonend.pid
- /var/run/auditd.lock
- /var/run/cma.lock
- /var/run/console-kit.pid
- /var/run/consolekit.pid
- /var/run/daemon.pid
- /var/run/hald-addon.pid
- /var/run/hald-smartd.pid
- /var/run/haldrund.pid
- /var/run/hp-health.pid
- /var/run/hpasmlit.lock
- /var/run/hpasmlited.pid
- /var/run/kdevrund.pid
- /var/run/lldpad.lock
- /var/run/mcelog.pid
- /var/run/system.pid
- /var/run/uvp-srv.pid
- /var/run/vmtoolagt.pid
- /var/run/xinetd.lock
condition: selection
falsepositives:
- Unlikely
level: high
title: Binary Padding - Linux
id: c52a914f-3d8b-4b2a-bb75-b3991e75f8ba
status: test
description: |
Adversaries may use binary padding to add junk data and change the on-disk representation of malware.
This rule detect using dd and truncate to add a junk data to file.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027.001/T1027.001.md
author: Igor Fits, oscd.community
date: 2020-10-13
modified: 2023-05-03
tags:
- attack.stealth
- attack.t1027.001
logsource:
product: linux
service: auditd
detection:
selection_execve:
type: 'EXECVE'
keywords_truncate:
'|all':
- 'truncate'
- '-s'
keywords_dd:
'|all':
- 'dd'
- 'if='
keywords_filter:
- 'of='
condition: selection_execve and (keywords_truncate or (keywords_dd and not keywords_filter))
falsepositives:
- Unknown
level: high
simulation:
- type: atomic-red-team
name: Pad Binary to Change Hash - Linux/macOS dd
technique: T1027.001
atomic_guid: ffe2346c-abd5-4b45-a713-bf5f1ebd573a
title: Credentials In Files - Linux
id: df3fcaea-2715-4214-99c5-0056ea59eb35
status: test
description: 'Detecting attempts to extract passwords with grep'
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.001/T1552.001.md
author: 'Igor Fits, oscd.community'
date: 2020-10-15
modified: 2023-04-30
tags:
- attack.credential-access
- attack.t1552.001
logsource:
product: linux
service: auditd
detection:
selection:
type: 'EXECVE'
keywords:
'|all':
- 'grep'
- 'password'
condition: selection and keywords
falsepositives:
- Unknown
level: high
title: Commands to Clear or Remove the Syslog - Builtin
id: e09eb557-96d2-4de9-ba2d-30f712a5afd3
status: test
description: Detects specific commands commonly used to remove or empty the syslog
references:
- https://www.virustotal.com/gui/file/fc614fb4bda24ae8ca2c44e812d12c0fab6dd7a097472a35dd12ded053ab8474
author: Max Altgelt (Nextron Systems)
date: 2021-09-10
modified: 2022-11-26
tags:
- attack.impact
- attack.t1565.001
logsource:
product: linux
detection:
selection:
- 'rm /var/log/syslog'
- 'rm -r /var/log/syslog'
- 'rm -f /var/log/syslog'
- 'rm -rf /var/log/syslog'
- 'mv /var/log/syslog'
- ' >/var/log/syslog'
- ' > /var/log/syslog'
falsepositives:
- '/syslog.'
condition: selection and not falsepositives
falsepositives:
- Log rotation
level: high
title: Privileged User Has Been Created
id: 0ac15ec3-d24f-4246-aa2a-3077bb1cf90e
status: test
description: Detects the addition of a new user to a privileged group such as "root" or "sudo"
references:
- https://digital.nhs.uk/cyber-alerts/2018/cc-2825
- https://linux.die.net/man/8/useradd
- https://github.com/redcanaryco/atomic-red-team/blob/25acadc0b43a07125a8a5b599b28bbc1a91ffb06/atomics/T1136.001/T1136.001.md#atomic-test-5---create-a-new-user-in-linux-with-root-uid-and-gid
author: Pawel Mazur
date: 2022-12-21
modified: 2025-01-21
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1136.001
- attack.t1098
logsource:
product: linux
definition: '/var/log/secure on REHL systems or /var/log/auth.log on debian like Systems needs to be collected in order for this detection to work'
detection:
# Example of the events that could be observed when matching these would be as follow
# Dec 21 16:42:19 testserver useradd[1337]: new user: name=butter1, UID=1000, GID=0, home=/root, shell=/bin/bash
# Dec 21 17:13:54 testserver useradd[1337]: new user: name=john, UID=0, GID=0, home=/home/john, shell=/bin/bash
# Dec 21 17:24:40 testserver useradd[1337]: new user: name=butter3, UID=1000, GID=10, home=/home/butter3, shell=/bin/bash
# Dec 21 17:30:22 testserver useradd[1337]: new user: name=butter4, UID=1000, GID=27, home=/home/butter4, shell=/bin/bash
selection_new_user:
- 'new user'
selection_uids_gids:
- 'GID=0,' # root group
- 'UID=0,' # root UID
- 'GID=10,' # wheel group
- 'GID=27,' # sudo group
condition: all of selection_*
falsepositives:
- Administrative activity
level: high
title: Buffer Overflow Attempts
id: 18b042f0-2ecd-4b6e-9f8d-aa7a7e7de781
status: test
description: Detects buffer overflow attempts in Unix system log files
references:
- https://github.com/ossec/ossec-hids/blob/1ecffb1b884607cb12e619f9ab3c04f530801083/etc/rules/attack_rules.xml # OSSEC attack detection rules​:contentReference[oaicite:6]{index=6}​:contentReference[oaicite:7]{index=7}
- https://docs.oracle.com/cd/E19683-01/816-4883/6mb2joatd/index.html # Exec stack syslog message (noexec_user_stack)​:contentReference[oaicite:8]{index=8}
- https://www.giac.org/paper/gcih/266/review-ftp-protocol-cyber-defense-initiative/102802 # WU-FTPD exploit "0bin0sh" analysis​:contentReference[oaicite:9]{index=9}
- https://blu.org/mhonarc/discuss/2001/04/msg00285.php # RPC.statd exploit attempt log example​:contentReference[oaicite:10]{index=10}
- https://rapid7.com/blog/post/2019/02/19/stack-based-buffer-overflow-attacks-what-you-need-to-know/ # Stack smashing protector alert example​:contentReference[oaicite:11]{index=11}
author: Florian Roth (Nextron Systems)
date: 2017-03-01
modified: 2025-03-17
tags:
- attack.t1068
- attack.privilege-escalation
logsource:
product: linux
detection:
keywords:
- 'attempt to execute code on stack by'
- '0bin0sh1'
# - 'rpc.statd[\d+]: gethostbyname error for' # it's an expensive regex and produces questionable results
- 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' # this can cause false positives in Base64 encoded data
- 'stack smashing detected'
condition: keywords
falsepositives:
- Base64 encoded data in log entries
level: high
title: Suspicious Named Error
id: c8e35e96-19ce-4f16-aeb6-fd5588dc5365
status: test
description: Detects suspicious DNS error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts
references:
- https://github.com/ossec/ossec-hids/blob/1ecffb1b884607cb12e619f9ab3c04f530801083/etc/rules/named_rules.xml
author: Florian Roth (Nextron Systems)
date: 2018-02-20
modified: 2022-10-05
tags:
- attack.initial-access
- attack.t1190
logsource:
product: linux
service: syslog
detection:
keywords:
- ' dropping source port zero packet from '
- ' denied AXFR from '
- ' exiting (due to fatal error)'
condition: keywords
falsepositives:
- Unknown
level: high
title: Relevant ClamAV Message
id: 36aa86ca-fd9d-4456-814e-d3b1b8e1e0bb
status: stable
description: Detects relevant ClamAV messages
references:
- https://github.com/ossec/ossec-hids/blob/1ecffb1b884607cb12e619f9ab3c04f530801083/etc/rules/clam_av_rules.xml
author: Florian Roth (Nextron Systems)
date: 2017-03-01
tags:
- attack.resource-development
- attack.t1588.001
logsource:
product: linux
service: clamav
detection:
keywords:
- 'Trojan*FOUND'
- 'VirTool*FOUND'
- 'Webshell*FOUND'
- 'Rootkit*FOUND'
- 'Htran*FOUND'
condition: keywords
falsepositives:
- Unknown
level: high
title: Suspicious Filename with Embedded Base64 Commands
id: 179b3686-6271-4d87-807d-17d843a8af73
status: experimental
description: |
Detects files with specially crafted filenames that embed Base64-encoded bash payloads designed to execute when processed by shell scripts.
These filenames exploit shell interpretation quirks to trigger hidden commands, a technique observed in VShell malware campaigns.
references:
- https://www.trellix.com/blogs/research/the-silent-fileless-threat-of-vshell/
author: '@kostastsale'
date: 2025-11-22
tags:
- attack.execution
- attack.stealth
- attack.t1059.004
- attack.t1027
logsource:
product: linux
category: file_event
detection:
selection:
TargetFilename|contains:
- '{echo'
- '{base64,-d}'
condition: selection
falsepositives:
- Legitimate files with similar naming patterns (very unlikely).
level: high
title: Possible Impacket SecretDump Remote Activity - Zeek
id: 92dae1ed-1c9d-4eff-a567-33acbd95b00e
status: test
description: 'Detect AD credential dumping using impacket secretdump HKTL. Based on the SIGMA rules/windows/builtin/win_impacket_secretdump.yml'
references:
- https://web.archive.org/web/20230329153811/https://blog.menasec.net/2019/02/threat-huting-10-impacketsecretdump.html
author: 'Samir Bousseaden, @neu5ron'
date: 2020-03-19
modified: 2021-11-27
tags:
- attack.credential-access
- attack.t1003.002
- attack.t1003.004
- attack.t1003.003
logsource:
product: zeek
service: smb_files
detection:
selection:
path|contains|all:
- '\'
- 'ADMIN$'
name|contains: 'SYSTEM32\'
name|endswith: '.tmp'
condition: selection
falsepositives:
- Unknown
level: high