Splunk ESCU
2,101 vendor-native detections · ready to paste into your SIEM · cross-linked to ATT&CK
Detections
Kubernetes Suspicious Image Pulling
The following analytic detects suspicious image pulling in Kubernetes environments. It monitors Kubernetes audit logs for the "Pulling image" events the kubelet records and reports any pull whose image does not match the allowlist defined in the `kube_allowed_images` macro, which has to be maintained for each deployment. This behavior is significant for a SOC as it may indicate an attacker attempting to deploy malicious software or infiltrate the system. If confirmed malicious, the impact could be severe, potentially leading to unauthorized access to sensitive systems or data, and enabling further malicious activities within the cluster. Note that the image name is taken from requestObject.message, which is only present when the audit policy logs request bodies (level Request or RequestResponse) for the events resource; at Metadata level the field is absent and the search returns nothing.
`kube_audit` requestObject.message="Pulling image*"
| search NOT `kube_allowed_images`
| fillnull
| stats count
BY objectRef.name objectRef.namespace objectRef.resource
requestReceivedTimestamp requestURI responseStatus.code
sourceIPs{} stage user.groups{}
user.uid user.username userAgent
verb
| rename sourceIPs{} as src_ip, user.username as user
| `kubernetes_suspicious_image_pulling_filter`
Kubernetes Unauthorized Access
The following analytic detects unauthorized access attempts to Kubernetes by analyzing Kubernetes audit logs. It identifies anomalies in access patterns by examining the source of requests and their response statuses. This activity is significant for a SOC as it may indicate an attacker attempting to infiltrate the Kubernetes environment. If confirmed malicious, such access could lead to unauthorized control over Kubernetes resources, potentially compromising sensitive systems or data within the cluster.
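The two Kubernetes audit-log checks above (Suspicious Image Pulling and Unauthorized Access), re-implemented as an added Python example over constructed kube-apiserver audit events. This is not Splunk's code: the registry allowlist stands in for the `kube_allowed_images` macro, and the cluster, user and address values are made up. It also adds one step the SPL leaves to the macro author, normalizing the image reference before the allowlist comparison.

```python
import json
import re

# Assumed allowlist standing in for the `kube_allowed_images` macro: registry
# prefixes, compared against a normalized image reference.
ALLOWED_REGISTRIES = ("registry.example.internal/",)
IMAGE_RE = re.compile(r'Pulling image "([^"]+)"')


def normalize_image(ref):
    """Make the registry and tag explicit so prefix comparison is like for like:
    "alpine" -> "docker.io/library/alpine:latest"; digests are preserved."""
    name, _, digest = ref.partition("@")
    first = name.split("/", 1)[0]
    if "." not in first and ":" not in first and first != "localhost":
        name = "docker.io/" + (name if "/" in name else "library/" + name)
    if ":" not in name.rsplit("/", 1)[-1] and not digest:
        name += ":latest"
    return name + ("@" + digest if digest else "")


def suspicious_image_pulls(audit_log, allowed=ALLOWED_REGISTRIES):
    """Equivalent of: requestObject.message="Pulling image*" | search NOT `kube_allowed_images`."""
    hits = []
    for line in audit_log.splitlines():
        ev = json.loads(line)
        m = IMAGE_RE.match(ev.get("requestObject", {}).get("message", ""))
        if m is None:
            continue
        image = normalize_image(m.group(1))
        if not image.startswith(allowed):
            hits.append({"image": image, "namespace": ev["objectRef"].get("namespace"),
                         "user": ev["user"]["username"],
                         "src_ip": (ev.get("sourceIPs") or [None])[0]})
    return hits


def forbidden_creates(audit_log):
    """Equivalent of: verb=create responseStatus.reason=Forbidden."""
    hits = []
    for line in audit_log.splitlines():
        ev = json.loads(line)
        status = ev.get("responseStatus", {})
        if ev.get("verb") == "create" and status.get("reason") == "Forbidden":
            hits.append({"user": ev["user"]["username"], "resource": ev["objectRef"].get("resource"),
                         "namespace": ev["objectRef"].get("namespace"), "code": status.get("code"),
                         "src_ip": (ev.get("sourceIPs") or [None])[0]})
    return hits


# Constructed audit events (not from a real cluster). requestObject is only present
# when the audit policy logs request bodies (level Request or RequestResponse).
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(e) for e in [
    {"verb": "create", "user": {"username": "system:node:worker-1", "groups": ["system:nodes"]},
     "sourceIPs": ["10.0.0.5"], "userAgent": "kubelet/v1.29.0",
     "objectRef": {"resource": "events", "namespace": "prod", "name": "web-7c9.17a0"},
     "responseStatus": {"code": 201},
     "requestObject": {"message": 'Pulling image "registry.example.internal/web:1.4.2"'}},
    {"verb": "create", "user": {"username": "system:node:worker-2", "groups": ["system:nodes"]},
     "sourceIPs": ["10.0.0.6"], "userAgent": "kubelet/v1.29.0",
     "objectRef": {"resource": "events", "namespace": "default", "name": "dbg-1.17a1"},
     "responseStatus": {"code": 201},
     "requestObject": {"message": 'Pulling image "alpine"'}},
    {"verb": "create", "user": {"username": "dev-bot", "groups": ["developers"]},
     "sourceIPs": ["198.51.100.7"], "userAgent": "kubectl/v1.29.0",
     "objectRef": {"resource": "pods", "namespace": "kube-system"},
     "requestURI": "/api/v1/namespaces/kube-system/pods",
     "responseStatus": {"code": 403, "reason": "Forbidden",
                        "message": 'pods is forbidden: User "dev-bot" cannot create resource "pods" '
                                   'in API group "" in the namespace "kube-system"'}},
    {"verb": "get", "user": {"username": "dev-bot", "groups": ["developers"]},
     "sourceIPs": ["198.51.100.7"], "objectRef": {"resource": "pods", "namespace": "default"},
     "responseStatus": {"code": 200}},
])
```

The normalization step is the one most allowlist macros get wrong: "alpine", "docker.io/library/alpine" and "alpine:latest" are the same image, while a substring-style allowlist that contains "nginx" would also accept an image named nginx-miner from any registry. Comparing registry prefixes after normalization avoids both problems.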
`kube_audit` verb=create responseStatus.reason=Forbidden
| fillnull
| stats count
BY objectRef.namespace objectRef.resource requestReceivedTimestamp
requestURI responseStatus.code responseStatus.message
sourceIPs{} stage user.groups{}
user.uid user.username userAgent
verb
| rename sourceIPs{} as src_ip, user.username as user
| `kubernetes_unauthorized_access_filter`
Kubernetes newly seen TCP edge
The following analytic identifies newly seen TCP communication between source and destination workload pairs within a Kubernetes cluster. It leverages Network Performance Monitoring metrics collected via an OTEL collector and pulled from Splunk Observability Cloud. The detection compares network activity over the last hour with the past 30 days to spot new inter-workload communications. This is significant as new connections can indicate changes in application behavior or potential security threats. If malicious, unauthorized connections could lead to data breaches, privilege escalation, lateral movement, or disruption of critical services, compromising the application's integrity, availability, and confidentiality.
| mstats count(tcp.packets) as tcp.packets_count where `kubernetes_metrics` AND earliest=-1h
BY k8s.cluster.name source.workload.name dest.workload.name
| eval current="true"
| append [
mstats count(tcp.packets) as tcp.packets_count where `kubernetes_metrics` AND earliest=-30d latest=-1h
BY source.workload.name dest.workload.name
| eval current="false" ]
| eventstats values(current) as current BY source.workload.name dest.workload.name
| search current="true" current!="false"
| rename k8s.cluster.name as host
| `kubernetes_newly_seen_tcp_edge_filter`
Kubernetes newly seen UDP edge
The following analytic detects UDP communication between a newly seen source and destination workload pair within a Kubernetes cluster. It leverages Network Performance Monitoring metrics collected via an OTEL collector and pulled from Splunk Observability Cloud. This detection compares network activity over the last hour with the past 30 days to identify new inter-workload communication. Such changes in network behavior can indicate potential security threats or anomalies. If confirmed malicious, unauthorized connections may enable attackers to infiltrate the application ecosystem, leading to data breaches, privilege escalation, lateral movement, or disruption of critical services.
| mstats count(udp.packets) as udp.packets_count where `kubernetes_metrics` AND earliest=-1h
BY k8s.cluster.name source.workload.name dest.workload.name
| eval current="true"
| append [
mstats count(udp.packets) as udp.packets_count where `kubernetes_metrics` AND earliest=-30d latest=-1h
BY source.workload.name dest.workload.name
| eval current="false" ]
| eventstats values(current) as current BY source.workload.name dest.workload.name
| search current="true" current!="false"
| rename k8s.cluster.name as host
| `kubernetes_newly_seen_udp_edge_filter`
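The hour-versus-30-day comparison used by both "newly seen edge" detections above, as an added Python example (not Splunk's code) run over constructed connection samples in place of the Observability Cloud metrics. The reference time, cluster names and workload names are made up. The key_on_cluster switch is an addition: with it off the function reproduces the SPL, whose append subsearch and eventstats group only by workload names and so ignore k8s.cluster.name when deciding what is new.

```python
from datetime import datetime, timedelta, timezone

# Constructed reference time and connection samples (not Observability Cloud data):
# (timestamp, k8s.cluster.name, source.workload.name, dest.workload.name, transport)
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
SAMPLES = [
    (NOW - timedelta(days=10),    "prod-a", "web",   "api",     "tcp"),  # baseline
    (NOW - timedelta(minutes=30), "prod-a", "web",   "api",     "tcp"),  # same edge, still active
    (NOW - timedelta(minutes=20), "prod-a", "web",   "redis",   "tcp"),  # new: only in the last hour
    (NOW - timedelta(minutes=5),  "prod-b", "web",   "api",     "tcp"),  # new in prod-b, same names as prod-a
    (NOW - timedelta(days=45),    "prod-a", "web",   "legacy",  "tcp"),  # older than the baseline: ignored
    (NOW - timedelta(days=3),     "prod-a", "app",   "coredns", "udp"),  # baseline
    (NOW - timedelta(minutes=2),  "prod-a", "batch", "coredns", "udp"),  # new UDP edge
]


def newly_seen_edges(samples, now, transport, key_on_cluster=True,
                     window=timedelta(hours=1), baseline=timedelta(days=30)):
    """Edges with traffic in the last `window` and none in the `baseline` before it.

    key_on_cluster=False reproduces the SPL above exactly: its subsearch and
    eventstats group only by workload names, so a pair already seen in one
    cluster suppresses the same-named pair appearing in another cluster.
    """
    current, seen_before = {}, set()
    for ts, cluster, src, dst, proto in samples:
        if proto != transport:
            continue
        key = (cluster, src, dst) if key_on_cluster else (src, dst)
        age = now - ts
        if timedelta(0) <= age <= window:
            current[(cluster, src, dst)] = key        # equivalent of current="true"
        elif window < age <= baseline:
            seen_before.add(key)                      # equivalent of current="false"
    return sorted(edge for edge, key in current.items() if key not in seen_before)
```

Run on the samples, the cluster-aware variant reports web to redis in prod-a and web to api in prod-b; the SPL-equivalent variant drops the prod-b edge because prod-a already had a web to api pair in the baseline. If workloads share names across clusters, add k8s.cluster.name to the subsearch and eventstats BY clauses.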
LLM Model File Creation
Detects the creation of Large Language Model (LLM) files on Windows endpoints by monitoring file creation events for specific model file formats and extensions commonly used by local AI frameworks.
This detection identifies potential shadow AI deployments, unauthorized model downloads, and rogue LLM infrastructure by detecting file creation patterns associated with quantized models (.gguf, .ggml), safetensors model format files, and Ollama Modelfiles.
These file types are characteristic of local inference frameworks such as Ollama, llama.cpp, GPT4All, LM Studio, and similar tools that enable running LLMs locally without cloud dependencies.
Organizations can use this detection to identify potential data exfiltration risks, policy violations related to unapproved AI usage, and security blind spots created by decentralized AI deployments that bypass enterprise governance and monitoring.
| tstats `security_content_summariesonly` count
min(_time) as firstTime
max(_time) as lastTime
from datamodel=Endpoint.Filesystem
where Filesystem.file_name IN (
"*.gguf*",
"*ggml*",
"*Modelfile*",
"*safetensors*"
)
by Filesystem.action Filesystem.dest Filesystem.file_access_time Filesystem.file_create_time
Filesystem.file_hash Filesystem.file_modify_time Filesystem.file_name Filesystem.file_path
Filesystem.file_acl Filesystem.file_size Filesystem.process_guid Filesystem.process_id
Filesystem.user Filesystem.vendor_product
| `drop_dm_object_name(Filesystem)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `llm_model_file_creation_filter`
LOLBAS With Network Traffic
The following analytic identifies the use of Living Off the Land Binaries and Scripts (LOLBAS) with network traffic. It leverages the Network Traffic data model to detect when native Windows binaries that adversaries frequently abuse initiate connections to destinations outside private, loopback, link-local, multicast and other special-use IPv4 ranges. It requires a data source that populates All_Traffic.app with the full path of the initiating process, such as Sysmon Event ID 3 (network connection). This activity is significant as LOLBAS are frequently used to download malicious payloads, enabling lateral movement, command-and-control, or data exfiltration. If confirmed malicious, this behavior could allow attackers to execute arbitrary code, escalate privileges, or maintain persistence within the environment. Note that the exclusion list is IPv4-only, so connections to IPv6 link-local or unique-local peers are not filtered out, and that binaries such as cmd.exe, powershell.exe and msiexec.exe make legitimate outbound connections in many environments, so expect to tune with the filter macro.
| tstats `security_content_summariesonly`
count min(_time) as firstTime
max(_time) as lastTime
from datamodel=Network_Traffic.All_Traffic where
All_Traffic.app IN (
"*\\At.exe",
"*\\Atbroker.exe",
"*\\Bash.exe",
"*\\Bitsadmin.exe",
"*\\Certoc.exe",
"*\\certutil.exe",
"*\\cmd.exe",
"*\\Cmstp.exe",
"*\\cscript.exe",
"*\\Diskshadow.exe",
"*\\Dnscmd.exe",
"*\\Extexport.exe",
"*\\Forfiles.exe",
"*\\Ftp.exe",
"*\\Gpscript.exe",
"*\\Hh.exe",
"*\\Ie4uinit.exe",
"*\\Ieexec.exe",
"*\\Infdefaultinstall.exe",
"*\\Installutil.exe",
"*\\makecab.exe",
"*\\Mavinject.exe",
"*\\Microsoft.Workflow.Compiler.exe",
"*\\Msbuild.exe",
"*\\Msconfig.exe",
"*\\Msdt.exe",
"*\\Mshta.exe",
"*\\Msiexec.exe",
"*\\Netsh.exe",
"*\\notepad.exe",
"*\\Odbcconf.exe",
"*\\OfflineScannerShell.exe",
"*\\Pcalua.exe",
"*\\Pcwrun.exe",
"*\\Pnputil.exe",
"*\\powershell_ise.exe",
"*\\powershell.exe",
"*\\Presentationhost.exe",
"*\\pwsh.exe",
"*\\Rasautou.exe",
"*\\Regasm.exe",
"*\\Register-cimprovider.exe",
"*\\Regsvcs.exe",
"*\\Regsvr32.exe",
"*\\Runonce.exe",
"*\\Runscripthelper.exe",
"*\\Schtasks.exe",
"*\\Scriptrunner.exe",
"*\\SettingSyncHost.exe",
"*\\Stordiag.exe",
"*\\Syncappvpublishingserver.exe",
"*\\Ttdinject.exe",
"*\\Tttracer.exe",
"*\\Verclsid.exe",
"*\\Wab.exe",
"*\\Wmic.exe",
"*\\WorkFolders.exe",
"*\\Wuauclt.exe",
"*\\Xwizard.exe"
)
NOT All_Traffic.dest_ip IN (
"10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10",
"127.0.0.0/8", "169.254.0.0/16", "192.0.0.0/24", "192.0.0.0/29", "192.0.0.8/32",
"192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24",
"192.31.196.0/24", "192.52.193.0/24", "192.88.99.0/24", "224.0.0.0/4", "192.175.48.0/24",
"198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4"
)
by All_Traffic.action All_Traffic.app All_Traffic.dest All_Traffic.dest_ip All_Traffic.dest_port
All_Traffic.direction All_Traffic.dvc All_Traffic.protocol All_Traffic.protocol_version
All_Traffic.src All_Traffic.src_ip All_Traffic.src_port All_Traffic.transport All_Traffic.user
All_Traffic.vendor_product
| `drop_dm_object_name(All_Traffic)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| rex field=app ".*\\\(?<process_name>.*)$"
| `lolbas_with_network_traffic_filter`
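The matching logic of the LOLBAS query above, as an added Python example (not Splunk's code) over constructed Network_Traffic-style events. The LOLBAS set is a subset of the query's list, the exclusion list folds the query's nested 192.0.0.x entries into 192.0.0.0/24, and the IPv6 rows are an assumption added to show what the IPv4-only list lets through. The public addresses in the sample are well-known resolvers used as stand-ins for a routable destination.

```python
import ipaddress

# Subset of the query's process list; compared case-insensitively, as Splunk does.
LOLBAS = {"at.exe", "bitsadmin.exe", "certutil.exe", "cmd.exe", "cscript.exe", "mshta.exe",
          "msiexec.exe", "powershell.exe", "pwsh.exe", "regsvr32.exe", "wmic.exe", "notepad.exe"}

# Special-use ranges the query excludes (192.0.0.0/24 covers its /29 and /32 rows).
# The IPv6 rows are an assumption: the query has none, so such peers pass through it.
EXCLUDED = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "192.0.0.0/24", "192.0.2.0/24", "192.31.196.0/24", "192.52.193.0/24",
    "192.88.99.0/24", "192.175.48.0/24", "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24",
    "224.0.0.0/4", "240.0.0.0/4",
    "::1/128", "fe80::/10", "fc00::/7", "2001:db8::/32",
)]


def process_name(app):
    """Same as the query's rex: the text after the last backslash, lower-cased for comparison."""
    return app.rsplit("\\", 1)[-1].lower()


def is_excluded(dest_ip):
    """True when dest_ip falls in one of the special-use ranges."""
    try:
        ip = ipaddress.ip_address(dest_ip)
    except ValueError:      # not an address at all: the query's NOT IN cannot exclude it either
        return False
    return any(ip in net for net in EXCLUDED)


def lolbas_network_events(events):
    """Events where a LOLBAS reached a routable destination; mirrors the tstats WHERE clause."""
    hits = []
    for ev in events:
        name = process_name(ev["app"])
        if name in LOLBAS and not is_excluded(ev["dest_ip"]):
            hits.append((ev["dvc"], name, ev["dest_ip"], ev["dest_port"]))
    return hits


# Constructed events, not captured traffic.
SAMPLE_EVENTS = [
    {"dvc": "ws01", "app": "C:\\Windows\\System32\\certutil.exe", "dest_ip": "8.8.8.8", "dest_port": 80},
    {"dvc": "ws01", "app": "C:\\Windows\\System32\\certutil.exe", "dest_ip": "10.20.30.40", "dest_port": 80},
    {"dvc": "ws02", "app": "c:\\windows\\syswow64\\POWERSHELL.EXE", "dest_ip": "1.1.1.1", "dest_port": 443},
    {"dvc": "ws02", "app": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "dest_ip": "1.1.1.1", "dest_port": 443},
    {"dvc": "ws03", "app": "C:\\Windows\\System32\\mshta.exe", "dest_ip": "fd12:3456::10", "dest_port": 8080},
    {"dvc": "ws03", "app": "C:\\Windows\\System32\\mshta.exe", "dest_ip": "2606:4700::1111", "dest_port": 443},
]
```

With the IPv6 rows removed from EXCLUDED, the mshta.exe connection to the unique-local address fd12:3456::10 would also be reported, which is the gap the query's IPv4-only list leaves on dual-stack hosts.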
Large Volume of DNS ANY Queries
The following analytic identifies a large volume of DNS ANY queries, which may indicate a DNS amplification attack. It leverages the Network_Resolution data model to count DNS queries of type "ANY" per destination server and reports destinations that receive more than 200 of them. This activity is significant because DNS amplification attacks can overwhelm network resources, leading to Denial of Service (DoS) conditions. If confirmed malicious, this activity could disrupt services, degrade network performance, and potentially be part of a larger Distributed Denial of Service (DDoS) attack, impacting the availability of critical infrastructure. The count is taken over the whole search window with no time bucketing, so the threshold only has meaning relative to how often and over what range the search runs. Note also that some diagnostic tools and resolvers send ANY queries legitimately, and that many authoritative servers now answer them minimally (RFC 8482), which reduces their amplification value.
| tstats `security_content_summariesonly` count FROM datamodel=Network_Resolution
WHERE nodename=DNS "DNS.message_type"="QUERY" "DNS.record_type"="ANY"
BY "DNS.dest"
| `drop_dm_object_name("DNS")`
| where count>200
| `large_volume_of_dns_any_queries_filter`
Linux APT Privilege Escalation
The following analytic detects apt or apt-get executed through sudo with an APT::Update::Pre-Invoke:: option on the command line. It leverages Endpoint Detection and Response (EDR) telemetry to inspect the process command line. APT runs the command given by that option as root before it refreshes package lists, so a user allowed to run apt with sudo can obtain a root shell with a single command such as sudo apt-get update -o APT::Update::Pre-Invoke::=/bin/sh (the technique catalogued by GTFOBins). If confirmed malicious, this could allow an attacker to escalate privileges, execute arbitrary commands, and gain full control over the affected system, posing a severe security risk. Legitimate Pre-Invoke hooks live in /etc/apt/apt.conf.d rather than on the command line, so any match warrants review of the user and parent process.
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
WHERE Processes.process="*apt*"
AND
Processes.process="*APT::Update::Pre-Invoke::*"
AND
Processes.process="*sudo*"
BY Processes.action Processes.dest Processes.original_file_name
Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
Processes.process Processes.process_exec Processes.process_guid
Processes.process_hash Processes.process_id Processes.process_integrity_level
Processes.process_name Processes.process_path Processes.user
Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `linux_apt_privilege_escalation_filter`
Linux AWK Privilege Escalation
The following analytic detects the use of the AWK command with elevated privileges to execute system commands. It leverages Endpoint Detection and Response (EDR) telemetry, specifically monitoring processes that include "sudo," "awk," and "BEGIN*system" in their command lines. This activity is significant because it indicates a potential privilege escalation attempt, where a user could gain root access by executing commands as the root user. If confirmed malicious, this could allow an attacker to fully compromise the system, execute arbitrary commands, and maintain persistent control over the affected endpoint.
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
WHERE Processes.process="*sudo*"
AND
Processes.process="*awk*"
AND
Processes.process="*BEGIN*system*"
BY Processes.action Processes.dest Processes.original_file_name
Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
Processes.process Processes.process_exec Processes.process_guid
Processes.process_hash Processes.process_id Processes.process_integrity_level
Processes.process_name Processes.process_path Processes.user
Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `linux_awk_privilege_escalation_filter`
Linux Account Manipulation Of SSH Config and Keys
The following analytic detects the deletion of SSH configuration files and keys on a Linux machine. It leverages filesystem event logs to identify when files within /etc/ssh/ or a user's .ssh directory are deleted. This activity is significant because attackers may delete or modify SSH keys to evade security measures or as part of a destructive payload, similar to the AcidRain malware. If confirmed malicious, this behavior could lead to impaired security features, hindered forensic investigations, or further unauthorized access, necessitating immediate investigation to identify the responsible process and user. Two caveats: filesystem telemetry records absolute paths such as /home/<user>/.ssh/id_rsa, so a literal "~/.ssh/*" pattern never matches and user key directories need the wildcard form "*/.ssh/*"; and despite the title, only deletions (Filesystem.action=deleted) are covered, not modifications.
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem
WHERE Filesystem.action=deleted
AND
Filesystem.file_path IN ("/etc/ssh/*", "*/.ssh/*")
BY Filesystem.action Filesystem.dest Filesystem.file_access_time
Filesystem.file_create_time Filesystem.file_hash Filesystem.file_modify_time
Filesystem.file_name Filesystem.file_path Filesystem.file_acl
Filesystem.file_size Filesystem.process_guid Filesystem.process_id
Filesystem.user Filesystem.vendor_product
| `drop_dm_object_name(Filesystem)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `linux_account_manipulation_of_ssh_config_and_keys_filter`
Linux Add Files In Known Crontab Directories
The following analytic detects file activity in known crontab directories on Unix-based systems. It leverages filesystem data to identify files under /etc/cron* and /var/spool/cron/*. This activity is significant as it may indicate an attempt by threat actors or malware to establish persistence on a compromised host. If confirmed malicious, this could allow attackers to execute arbitrary code at scheduled intervals, potentially leading to further system compromise and unauthorized access to sensitive information. As written, the query does not restrict on Filesystem.action, so it reports modifications and deletions as well as new files; add Filesystem.action=created to the WHERE clause if your data source populates that field and only creations are of interest. Package upgrades and configuration management write to these directories routinely, so tune with the filter macro.
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem
WHERE Filesystem.file_path IN ("*/etc/cron*", "*/var/spool/cron/*")
BY Filesystem.action Filesystem.dest Filesystem.file_access_time
Filesystem.file_create_time Filesystem.file_hash Filesystem.file_modify_time
Filesystem.file_name Filesystem.file_path Filesystem.file_acl
Filesystem.file_size Filesystem.process_guid Filesystem.process_id
Filesystem.user Filesystem.vendor_product
| `drop_dm_object_name(Filesystem)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `linux_add_files_in_known_crontab_directories_filter`
Linux Add User Account
The following analytic detects the creation of new user accounts on Linux systems using commands like "useradd" or "adduser." It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as adversaries often create new user accounts to establish persistence on compromised hosts. If confirmed malicious, this could allow attackers to maintain access, escalate privileges, and further compromise the system, posing a severe security risk.
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
WHERE Processes.process_name IN ("useradd", "adduser")
OR
Processes.process IN ("*useradd *", "*adduser *")
BY Processes.action Processes.dest Processes.original_file_name
Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
Processes.process Processes.process_exec Processes.process_guid
Processes.process_hash Processes.process_id Processes.process_integrity_level
Processes.process_name Processes.process_path Processes.user
Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `linux_add_user_account_filter`
Linux Adding Crontab Using List Parameter
The following analytic detects the crontab command executed with the -l (list) parameter on Linux systems. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. Listing the crontab is on its own reconnaissance, but it is also the first half of the common persistence idiom (crontab -l; echo "<schedule> <command>") | crontab -, which appends a job to the invoking user's crontab without opening an editor. If confirmed malicious, the impact could include unauthorized code execution, data destruction, or other damaging outcomes. Administrators and configuration management run crontab -l legitimately, so further investigation should examine the parent process, the user, and any crontab write that follows, and analyze the added cron job and its command.
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
WHERE Processes.process_name = "crontab" Processes.process= "* -l*"
BY Processes.action Processes.dest Processes.original_file_name
Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
Processes.process Processes.process_exec Processes.process_guid
Processes.process_hash Processes.process_id Processes.process_integrity_level
Processes.process_name Processes.process_path Processes.user
Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `linux_adding_crontab_using_list_parameter_filter`
Linux At Allow Config File Creation
The following analytic detects filesystem activity on the /etc/at.allow or /etc/at.deny configuration files in Linux. It leverages file events from the Endpoint datamodel to identify when these files are written. This activity is significant as these files control which users may use the "at" scheduling application and can be abused by attackers to establish persistence. If confirmed malicious, this could allow unauthorized execution of malicious code, leading to potential data theft or further system compromise. Analysts should review the file path, creation time, and associated processes to assess the threat. The query does not restrict on Filesystem.action, so modifications and deletions of these files are reported as well; add Filesystem.action=created if only new files are of interest and your data source populates that field.
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem
WHERE Filesystem.file_path IN ("*/etc/at.allow", "*/etc/at.deny")
BY Filesystem.action Filesystem.dest Filesystem.file_access_time
Filesystem.file_create_time Filesystem.file_hash Filesystem.file_modify_time
Filesystem.file_name Filesystem.file_path Filesystem.file_acl
Filesystem.file_size Filesystem.process_guid Filesystem.process_id
Filesystem.user Filesystem.vendor_product
| `drop_dm_object_name(Filesystem)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `linux_at_allow_config_file_creation_filter`
Linux At Application Execution
The following analytic detects the execution of the "At" application in Linux, which can be used by attackers to create persistence entries on a compromised host. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and parent process names associated with "at" or "atd". This activity is significant because the "At" application can be exploited to maintain unauthorized access or deliver additional malicious payloads. If confirmed malicious, this behavior could lead to data theft, ransomware attacks, or other severe consequences. Immediate investigation is required to determine the legitimacy of the execution and mitigate potential risks.
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
WHERE Processes.process_name IN ("at", "atd")
OR
Processes.parent_process_name IN ("at", "atd")
BY Processes.action Processes.dest Processes.original_file_name
Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
Processes.process Processes.process_exec Processes.process_guid
Processes.process_hash Processes.process_id Processes.process_integrity_level
Processes.process_name Processes.process_path Processes.user
Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `linux_at_application_execution_filter`
Linux Auditd AI CLI Permission Override Activated
This detection identifies when an AI command-line tool is launched in an unsafe mode that bypasses normal safety checks and user approvals.
For instance, running claude --dangerously-skip-permissions skips all safety restrictions, allowing the tool to operate freely, while gemini --yolo automatically approves all actions without prompting the user.
These modes, often called permission overrides or YOLO mode, let the AI execute commands, modify files, or perform tasks without confirmation.
Detecting their use is important to prevent unintended or potentially harmful operations.
`linux_auditd` (proctitle = "*gemini*" AND proctitle IN ("*--yolo*", "*-y *")) OR
(proctitle = "*claude*" AND proctitle= "*--dangerously-skip-permissions*")
| rename host as dest
| stats count min(_time) as firstTime max(_time) as lastTime
BY proctitle dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `linux_auditd_ai_cli_permission_override_activated_filter`
Linux Auditd Add User Account
The following analytic detects the creation of new user accounts on Linux systems by matching "useradd" or "adduser" in the proctitle field of Linux auditd records. This activity is significant as adversaries often create new user accounts to establish persistence on compromised hosts. If confirmed malicious, this could allow attackers to maintain access, escalate privileges, and further compromise the system, posing a severe security risk. Note that proctitle is a substring match on the whole command line, so it also fires on commands that merely mention these strings (for example a grep through shell history); correlate with the ADD_USER record produced by the account tool itself.
`linux_auditd` proctitle IN ("*useradd*", "*adduser*")
| rename host as dest
| stats count min(_time) as firstTime max(_time) as lastTime
BY proctitle dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `linux_auditd_add_user_account_filter`
Linux Auditd Add User Account Type
The following analytic detects Linux auditd records of type ADD_USER, which account management tools such as useradd emit through the audit subsystem when a user account is added. Unlike a command-line match, this fires on the record written by the tool itself, so it also catches account creation through wrappers or renamed binaries. This behavior is critical for a SOC to monitor because adversaries create accounts to keep access to a host after their initial foothold is removed. If confirmed, this could lead to a compromised system, unauthorized access to sensitive data, or a wider breach affecting the network. Review the exe, pid and res (success or failure) fields, check the raw record for the account name, and reconcile the event with change records before escalating.
`linux_auditd` type=ADD_USER
| rename host as dest
| stats count min(_time) as firstTime max(_time) as lastTime
BY exe pid dest
res type
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `linux_auditd_add_user_account_type_filter`
Linux Auditd At Application Execution
The following analytic detects the execution of the "at" application in Linux, which can be used by attackers to create persistence entries on a compromised host. This detection leverages Linux auditd SYSCALL records, matching the comm or exe field against "at" and "atd" while excluding the daemon user account that the atd service itself runs as on common distributions. This activity is significant because the "at" application can be exploited to maintain unauthorized access or deliver additional malicious payloads. If confirmed malicious, this behavior could lead to data theft, ransomware attacks, or other severe consequences. Immediate investigation is required to determine the legitimacy of the execution and mitigate potential risks. The uid exclusion assumes user IDs are resolved to names in the indexed data; with raw numeric uids it has no effect.
`linux_auditd` type=SYSCALL (comm IN ("at", "atd") OR exe IN ("/usr/bin/at","/usr/bin/atd")) AND NOT (uid IN ("daemon"))
| rename host as dest
| stats count min(_time) as firstTime max(_time) as lastTime
BY comm exe syscall
uid ppid pid
dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `linux_auditd_at_application_execution_filter`
Linux Auditd Auditd Daemon Abort
The following analytic detects the abnormal termination of the Linux audit daemon (auditd) by identifying DAEMON_ABORT events in audit logs. These terminations suggest a serious failure of the auditing subsystem, potentially due to resource exhaustion, corruption, or malicious interference. Unlike a clean shutdown, DAEMON_ABORT implies that audit logging may have been disabled without system administrator intent. Alerts should be generated on detection and correlated with DAEMON_START, DAEMON_END, and system logs to determine root cause. If no DAEMON_START follows soon after, or this pattern repeats, it indicates a high-severity issue that impacts log integrity and should be immediately investigated.
`linux_auditd` type=DAEMON_ABORT
| rename host as dest
| stats count min(_time) as firstTime max(_time) as lastTime
BY type op res
uid dest pid
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `linux_auditd_auditd_daemon_abort_filter`
Linux Auditd Auditd Daemon Shutdown
The following analytic detects the termination of the Linux Audit daemon (auditd) by monitoring for log entries of type DAEMON_END. This event signifies that the audit logging service has stopped, either due to a legitimate system shutdown, manual administrative action, or potentially malicious tampering. Since auditd is responsible for recording critical security events, its sudden stoppage may indicate an attempt to disable security monitoring or evade detection during an attack. This detection should be correlated with system logs to determine whether the shutdown was part of routine maintenance or an anomaly. If confirmed as malicious, this could lead to a compromised system where security events are no longer being logged, allowing attackers to operate undetected. Note that auditd writes the DAEMON_END record itself during an orderly stop; a process killed with SIGKILL leaves no such record, so also alert on hosts whose audit stream goes quiet. Monitoring and alerting on auditd shutdown events is therefore crucial for maintaining the integrity of system security monitoring.
`linux_auditd` type=DAEMON_END
| rename host as dest
| stats count min(_time) as firstTime max(_time) as lastTime
BY type op res
auid dest pid
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `linux_auditd_auditd_daemon_shutdown_filter`
Linux Auditd Auditd Daemon Start
The following analytic detects the (re)initialization of the Linux audit daemon (auditd) by identifying log entries of type DAEMON_START. This event indicates that the audit subsystem has resumed logging after being stopped or has started during system boot. While DAEMON_START may be expected during reboots or legitimate configuration changes, it can also signal attempts to re-enable audit logging after evasion, or restarts with modified or reduced rule sets. Monitoring this event in correlation with DAEMON_END, DAEMON_ABORT, and auditctl activity provides visibility into the continuity and integrity of audit logs. Frequent or unexplained DAEMON_START events should be investigated, especially if they are not accompanied by valid administrative or system activity.
`linux_auditd` type=DAEMON_START
| rename host as dest
| stats count min(_time) as firstTime max(_time) as lastTime
BY type op res
auid dest pid
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `linux_auditd_auditd_daemon_start_filter`
Linux Auditd Auditd Service Stop
The following analytic detects a SERVICE_STOP audit record for the auditd unit, which the service manager emits when the audit service is stopped. Because auditd records the events every other Linux auditd detection depends on, stopping it is a common defense-evasion step before further activity on a host. If confirmed malicious, this could lead to a compromised system whose subsequent activity is not logged, unauthorized access to sensitive data, or a wider breach affecting the network. Correlate with DAEMON_END, with the session and user that issued the stop, and with change records to distinguish maintenance from tampering, and treat a stop without a matching start as high priority.
`linux_auditd` type=SERVICE_STOP unit IN ("auditd")
| rename host as dest
| stats count min(_time) as firstTime max(_time) as lastTime
BY type pid comm
exe unit dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `linux_auditd_auditd_service_stop_filter`
Linux Auditd Base64 Decode Files
The following analytic detects suspicious Base64 decode operations that may indicate malicious activity, such as data exfiltration or execution of encoded commands. Base64 is commonly used to encode data for safe transmission, but attackers may abuse it to conceal malicious payloads. This detection focuses on identifying unusual or unexpected Base64 decoding processes, particularly when associated with critical files or directories. By monitoring these activities, the analytic helps uncover potential threats, enabling security teams to respond promptly and mitigate risks associated with encoded malware or unauthorized data access.
`linux_auditd` execve_command = "*base64*" AND execve_command IN ("*-d*", "* --d*")
| rename host as dest
| rename comm as process_name
| rename exe as process
| stats count min(_time) as firstTime max(_time) as lastTime
BY argc execve_command dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `linux_auditd_base64_decode_files_filter`
Linux Auditd Change File Owner To Root
The following analytic detects the use of the 'chown' command to change a file owner to 'root' on a Linux system. It leverages Linux Auditd telemetry, specifically monitoring command-line executions and process details. This activity is significant as it may indicate an attempt to escalate privileges by adversaries, malware, or red teamers. If confirmed malicious, this action could allow an attacker to gain root-level access, leading to full control over the compromised host and potential persistence within the environment.
`linux_auditd` proctitle = "*chown *root*"
| rename host as dest
| stats count min(_time) as firstTime max(_time) as lastTime
BY proctitle dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `linux_auditd_change_file_owner_to_root_filter`
Linux Auditd Clipboard Data Copy
The following analytic detects the use of the Linux 'xclip' command to copy data from the clipboard. It leverages Linux Auditd telemetry, focusing on process names and command-line arguments related to clipboard operations. This activity is significant because adversaries can exploit clipboard data to capture sensitive information such as passwords or IP addresses. If confirmed malicious, this technique could lead to unauthorized data exfiltration, compromising sensitive information and potentially aiding further attacks within the environment.
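The proctitle and execve_command checks from the Linux auditd detections above (AI CLI Permission Override Activated, Add User Account, At Application Execution, Base64 Decode Files, Change File Owner To Root and Clipboard Data Copy), as an added Python example run over constructed raw auditd records. This is not Splunk's code and it does not reproduce the add-on's field extraction; it shows the one step the SPL hides, namely that auditd hex-encodes proctitle and EXECVE arguments containing spaces, and it applies the at-execution rule with the grouping its SPL needs. The sample records, hosts and uids are made up, and uids appear as names because that is what the queries compare against.

```python
import re
from collections import defaultdict


def hex_argv(argv):
    """Constructed helper: auditd hex-encodes argv with NUL between entries."""
    return "\x00".join(argv).encode().hex().upper()


KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SERIAL_RE = re.compile(r"msg=audit\(([\d.]+):(\d+)\)")
HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")


def decode_value(key, raw):
    """Strip quotes, or hex-decode proctitle / aN values (the only hex-encoded fields used here)."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if (key == "proctitle" or re.fullmatch(r"a\d+", key)) and HEX_RE.match(raw) and len(raw) % 2 == 0:
        return bytes.fromhex(raw).decode("utf-8", "replace").replace("\x00", " ")
    return raw


def parse_auditd(text):
    """Merge the SYSCALL, EXECVE and PROCTITLE records of one audit serial into one event,
    exposing the proctitle and execve_command fields the SPL above searches."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = SERIAL_RE.search(line)
        if not m:
            continue
        ev = events[m.group(2)]
        rec_type = line.split(" ", 1)[0].split("=", 1)[1]
        fields = {k: decode_value(k, v) for k, v in KV_RE.findall(line)}
        if rec_type == "EXECVE":
            ev["execve_command"] = " ".join(fields.get(f"a{i}", "") for i in range(int(fields.get("argc", 0))))
        elif rec_type == "PROCTITLE":
            ev["proctitle"] = fields.get("proctitle", "")
        elif rec_type == "SYSCALL":
            ev["type"] = "SYSCALL"
            ev.update({k: fields.get(k, "") for k in ("comm", "exe", "uid", "syscall", "key")})
    return events


def detect(events):
    """Return {serial: [rule names]} using the same substring tests as the SPL queries."""
    hits = {}
    for serial, ev in events.items():
        pt, cmd = ev.get("proctitle", ""), ev.get("execve_command", "")
        fired = []
        if ("gemini" in pt and ("--yolo" in pt or "-y " in pt)) or \
           ("claude" in pt and "--dangerously-skip-permissions" in pt):
            fired.append("ai_cli_permission_override")
        if "base64" in cmd and ("-d" in cmd or " --d" in cmd):        # "*-d*" also matches --decode
            fired.append("base64_decode")
        if "useradd" in pt or "adduser" in pt:
            fired.append("add_user_account")
        if re.search(r"chown .*root", pt):                              # "*chown *root*"
            fired.append("change_file_owner_to_root")
        if ("xclip" in cmd or "clipboard" in cmd) and any(f in cmd for f in ("-o", "-selection ", "-sel ")):
            fired.append("clipboard_data_copy")
        # At execution, grouped so that NOT uid=daemon applies to both the comm and the exe branch.
        at_proc = ev.get("comm") in ("at", "atd") or ev.get("exe") in ("/usr/bin/at", "/usr/bin/atd")
        if ev.get("type") == "SYSCALL" and at_proc and ev.get("uid") != "daemon":
            fired.append("at_application_execution")
        if fired:
            hits[serial] = fired
    return hits


SYS = ('type=SYSCALL msg=audit(1700000000.{n}:{n}): arch=c000003e syscall=59 success=yes exit=0 '
       'uid={uid} pid=4{n} comm="{comm}" exe="{exe}" key="process_creation"')
# Constructed records, not from a real host.
SAMPLE_LOG = "\n".join([
    SYS.format(n=301, uid="1000", comm="claude", exe="/usr/local/bin/claude"),
    f'type=PROCTITLE msg=audit(1700000000.301:301): proctitle={hex_argv(["claude", "--dangerously-skip-permissions"])}',
    SYS.format(n=302, uid="1000", comm="base64", exe="/usr/bin/base64"),
    'type=EXECVE msg=audit(1700000000.302:302): argc=3 a0="base64" a1="-d" a2="/tmp/payload.b64"',
    f'type=PROCTITLE msg=audit(1700000000.302:302): proctitle={hex_argv(["base64", "-d", "/tmp/payload.b64"])}',
    SYS.format(n=303, uid="daemon", comm="atd", exe="/usr/sbin/atd"),          # the service itself: excluded
    SYS.format(n=304, uid="1000", comm="at", exe="/usr/bin/at"),
    f'type=PROCTITLE msg=audit(1700000000.304:304): proctitle={hex_argv(["at", "now", "+", "1", "minute"])}',
    SYS.format(n=305, uid="0", comm="useradd", exe="/usr/sbin/useradd"),
    f'type=PROCTITLE msg=audit(1700000000.305:305): proctitle={hex_argv(["useradd", "-m", "svc-backup"])}',
    f'type=PROCTITLE msg=audit(1700000000.306:306): proctitle={hex_argv(["chown", "root:root", "/tmp/helper"])}',
    'type=EXECVE msg=audit(1700000000.307:307): argc=4 a0="xclip" a1="-o" a2="-selection" a3="clipboard"',
    f'type=PROCTITLE msg=audit(1700000000.308:308): proctitle={hex_argv(["ls", "-la", "/var/tmp"])}',
])
```

Without the grouping in the at rule, record 303 (atd running as daemon) would still fire through the comm branch, which is the precedence error the parentheses in the corrected SPL remove. The hex decoding is also why a raw-log grep for "--dangerously-skip-permissions" misses these events: the flag only exists in clear text after decoding.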
Show query
`linux_auditd` execve_command IN ("*xclip*", "*clipboard*") AND execve_command IN ("*-o*", "*-selection *", "*-sel *" )
| rename host as dest
| rename comm as process_name
| rename exe as process
| stats count min(_time) as firstTime max(_time) as lastTime
BY argc execve_command dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `linux_auditd_clipboard_data_copy_filter`
Linux Auditd Copy Fail Privilege Escalation
Detects the exploitation pattern associated with Copy Fail.
Copy Fail (CVE-2026-31431) is a logic bug in the Linux kernel's authentication cryptographic template.
It lets an unprivileged local user trigger a deterministic, controlled 4-byte write into the page cache of any readable file on the system.
A single 732-byte Python script can edit a setuid binary and obtain root on essentially all Linux distributions shipped since 2017.
This search relies on the auditd configuration linked in the references section. If you are using a custom configuration, make sure the key names are the same or adapt the search accordingly.
Show query
`linux_auditd`
type=SYSCALL
key IN (
"af_alg",
"process_creation",
"splice_user"
)
| eval setuid_binary = case(
name IN (
"/usr/bin/chfn",
"/usr/bin/chsh",
"/usr/bin/fusermount3",
"/usr/bin/gpasswd",
"/usr/bin/mount",
"/usr/bin/newgrp",
"/usr/bin/passwd",
"/usr/bin/su",
"/usr/bin/sudo",
"/usr/bin/umount",
"/usr/lib/dbus-1.0/dbus-daemon-launch-helper",
"/usr/lib/landscape/apt-update",
"/usr/lib/openssh/ssh-keysign",
"/usr/lib/polkit-1/polkit-agent-helper-1"
), name,
exe IN (
"/usr/bin/chfn",
"/usr/bin/chsh",
"/usr/bin/fusermount3",
"/usr/bin/gpasswd",
"/usr/bin/mount",
"/usr/bin/newgrp",
"/usr/bin/passwd",
"/usr/bin/su",
"/usr/bin/sudo",
"/usr/bin/umount",
"/usr/lib/dbus-1.0/dbus-daemon-launch-helper",
"/usr/lib/landscape/apt-update",
"/usr/lib/openssh/ssh-keysign",
"/usr/lib/polkit-1/polkit-agent-helper-1"
), exe,
true(), null()
)
| eval indicator = case(
key="af_alg", "AF_ALG socket",
key="splice_user", "splice syscall",
isnotnull(setuid_binary), "setuid_exec:" . setuid_binary,
true(), null()
)
| where isnotnull(indicator)
| stats
dc(indicator) as unique_signals
max(_time) as lastTime
min(_time) as firstTime
values(comm) as comm
values(exe) as exe
values(name) as name
values(host) as dest
values(indicator) as signals
values(setuid_binary) as setuid_binaries
values(pid) as pid
values(ppid) as ppid
values(uid) as uid
by auid
| where unique_signals >= 3
| eval risk_score_factor = unique_signals * 25
| sort - risk_score_factor
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `linux_auditd_copy_fail_privilege_escalation_filter`
Linux Auditd Data Destruction Command
The following analytic detects the execution of a Unix shell command designed to wipe root directories on a Linux host. It leverages data from Linux Auditd, focusing on the 'rm' command with force recursive deletion and the '--no-preserve-root' option. This activity is significant as it indicates potential data destruction attempts, often associated with malware like Awfulshred. If confirmed malicious, this behavior could lead to severe data loss, system instability, and compromised integrity of the affected Linux host. Immediate investigation and response are crucial to mitigate potential damage.
Show query
`linux_auditd` (proctitle = "*rm *" AND proctitle = "*-rf *" AND proctitle = "*--no-preserve-root*")
| rename host as dest
| rename comm as process_name
| rename exe as process
| stats count min(_time) as firstTime max(_time) as lastTime
BY proctitle dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `linux_auditd_data_destruction_command_filter`
Linux Auditd Data Transfer Size Limits Via Split
The following analytic detects suspicious data transfer activities that involve the use of the `split` syscall, potentially indicating an attempt to evade detection by breaking large files into smaller parts. Attackers may use this technique to bypass size-based security controls, facilitating the covert exfiltration of sensitive data. By monitoring for unusual or unauthorized use of the `split` syscall, this analytic helps identify potential data exfiltration attempts, allowing security teams to intervene and prevent the unauthorized transfer of critical information from the network.
Show query
`linux_auditd` execve_command = "*split*" AND execve_command = "*-b *"
| rename host as dest
| rename comm as process_name
| rename exe as process
| stats count min(_time) as firstTime max(_time) as lastTime
BY argc execve_command dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `linux_auditd_data_transfer_size_limits_via_split_filter`
Linux Auditd Data Transfer Size Limits Via Split Syscall
The following analytic detects suspicious data transfer activities that involve the use of the `split` syscall, potentially indicating an attempt to evade detection by breaking large files into smaller parts. Attackers may use this technique to bypass size-based security controls, facilitating the covert exfiltration of sensitive data. By monitoring for unusual or unauthorized use of the `split` syscall, this analytic helps identify potential data exfiltration attempts, allowing security teams to intervene and prevent the unauthorized transfer of critical information from the network.
Show query
`linux_auditd` type=SYSCALL (comm=split OR exe="*/split")
| rename host as dest
| stats count min(_time) as firstTime max(_time) as lastTime
BY comm exe syscall
uid ppid pid
success dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `linux_auditd_data_transfer_size_limits_via_split_syscall_filter`
Linux Auditd Database File And Directory Discovery
The following analytic detects suspicious database file and directory discovery activities, which may signal an attacker's attempt to locate and assess critical database assets on a compromised system. This behavior is often a precursor to data theft, unauthorized access, or privilege escalation, as attackers seek to identify valuable information stored in databases. By monitoring for unusual or unauthorized attempts to locate database files and directories, this analytic aids in early detection of potential reconnaissance or data breach efforts, enabling security teams to respond swiftly and mitigate the risk of further compromise.
Show query
`linux_auditd` execve_command IN ("*find*", "*grep*") AND execve_command IN("*.db*", "*.sql*", "*.sqlite*", "*.mdb*", "*.accdb*", "*.mdf*", "*.ndf*", "*.ldf*", "*.frm*", "*.myd*", "*.myi*", "*.dbf*", "*.db2*", "*.dbc*", "*.fpt*", "*.ora*")
| rename host as dest
| rename comm as process_name
| rename exe as process
| stats count min(_time) as firstTime max(_time) as lastTime
BY argc execve_command dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `linux_auditd_database_file_and_directory_discovery_filter`
Linux Auditd Dd File Overwrite
The following analytic detects the use of the 'dd' command to overwrite files on a Linux system. It leverages data from Linux Auditd telemetry, focusing on process execution logs that include command-line details. This activity is significant because adversaries often use the 'dd' command to destroy or irreversibly overwrite files, disrupting system availability and services. If confirmed malicious, this behavior could lead to data destruction, making recovery difficult and potentially causing significant operational disruptions.
Show query
`linux_auditd` proctitle = "*dd *" AND proctitle = "*of=*" AND proctitle = "*if=/dev/zero*"
| rename host as dest
| stats count min(_time) as firstTime max(_time) as lastTime
BY proctitle dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `linux_auditd_dd_file_overwrite_filter`
Linux Auditd Disable Or Modify System Firewall
The following analytic detects suspicious attempts to disable or modify the system firewall. This behavior is critical for a SOC to monitor because it may indicate attempts to gain unauthorized access or maintain control over a system. Such actions could be signs of malicious activity. If confirmed, this could lead to serious consequences, including a compromised system, unauthorized access to sensitive data, or even a wider breach affecting the entire network. Detecting and responding to these signs early is essential to prevent potential security incidents.
Show query
`linux_auditd` type=SERVICE_STOP unit IN ("firewalld", "ufw")
| rename host as dest
| stats count min(_time) as firstTime max(_time) as lastTime
BY type pid comm
exe unit dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `linux_auditd_disable_or_modify_system_firewall_filter`
Linux Auditd Doas Conf File Creation
The following analytic detects the creation of the doas.conf file on a Linux host.
This file is used by the doas utility to allow standard users to perform tasks as root, similar to sudo.
The detection leverages Linux Auditd data, focusing on the creation of the doas.conf file.
This activity is significant because it can indicate an attempt to gain elevated privileges, potentially by an adversary. If confirmed malicious, this could allow an attacker to execute commands with root privileges, leading to full system compromise.
Show query
`linux_auditd`
(
(type=PATH nametype="CREATE")
OR
type=CWD
)
| rex "msg=audit\([^)]*:(?<audit_id>\d+)\)"
| stats
values(type) as types
values(name) as names
values(nametype) as nametype
values(cwd) as cwd_list
values(_time) as event_times
by audit_id host
| eval current_working_directory = coalesce(mvindex(cwd_list, 0), "N/A")
| eval candidate_paths = mvmap(names, if(match(names, "^/"), names, current_working_directory + "/" + names))
| eval matched_paths = mvfilter(match(candidate_paths, "/etc/doas.conf.*"))
| eval match_count = mvcount(matched_paths)
| eval reconstructed_path = mvindex(matched_paths, 0)
| eval e_time = mvindex(event_times, 0)
| where match_count > 0
| rename host as dest
| stats count min(e_time) as firstTime max(e_time) as lastTime
values(nametype) as nametype
by current_working_directory
reconstructed_path
match_count
dest
audit_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| table nametype current_working_directory reconstructed_path dest audit_id match_count firstTime lastTime
| `linux_auditd_doas_conf_file_creation_filter`
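The two correlation-style analytics above, the Copy Fail multi-signal count per auid and the doas.conf path reconstruction from PATH and CWD records, re-implemented in Python over constructed auditd lines as an added example; this is not Splunk ESCU code. The rule keys (af_alg, process_creation, splice_user), the sample records and the setuid subset are assumptions, and path normalization with posixpath goes one step beyond the SPL, which concatenates cwd and name verbatim.

```python
import posixpath
import re
from collections import defaultdict

# Constructed auditd lines (not real telemetry). Rule keys af_alg, process_creation
# and splice_user are assumed to match the auditd configuration the detection expects.
SAMPLE_AUDIT_LINES = [
    # Copy Fail: three distinct signals from one login session (auid=1000)
    'type=SYSCALL msg=audit(1700000000.100:101): syscall=41 success=yes auid=1000 uid=1000 pid=4242 ppid=4000 comm="python3" exe="/usr/bin/python3" key="af_alg"',
    'type=SYSCALL msg=audit(1700000000.200:102): syscall=275 success=yes auid=1000 uid=1000 pid=4242 ppid=4000 comm="python3" exe="/usr/bin/python3" key="splice_user"',
    'type=SYSCALL msg=audit(1700000000.300:103): syscall=59 success=yes auid=1000 uid=0 pid=4243 ppid=4242 comm="su" exe="/usr/bin/su" key="process_creation"',
    # Routine admin session (auid=1001): a single setuid signal stays below the threshold
    'type=SYSCALL msg=audit(1700000000.400:104): syscall=59 success=yes auid=1001 uid=0 pid=5000 ppid=4999 comm="sudo" exe="/usr/bin/sudo" key="process_creation"',
    # doas.conf created through a relative name; the CWD record shares audit id 201
    'type=CWD msg=audit(1700000001.000:201): cwd="/etc"',
    'type=PATH msg=audit(1700000001.000:201): item=1 name="doas.conf" inode=1234 nametype=CREATE',
    # Unrelated file creation (audit id 202) that must not match
    'type=CWD msg=audit(1700000002.000:202): cwd="/home/alice"',
    'type=PATH msg=audit(1700000002.000:202): item=1 name="notes.txt" inode=5678 nametype=CREATE',
]

# Subset of the setuid binaries listed in the Copy Fail search above
SETUID_BINARIES = {"/usr/bin/passwd", "/usr/bin/su", "/usr/bin/sudo",
                   "/usr/bin/mount", "/usr/bin/umount", "/usr/bin/chsh"}
COPY_FAIL_KEYS = {"af_alg", "process_creation", "splice_user"}
MSG_RE = re.compile(r"msg=audit\(([^)]*):(\d+)\)")  # same anchor the SPL rex uses
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Turn one auditd line into a dict of fields, adding audit_id and _time."""
    rec = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    m = MSG_RE.search(line)
    if m:
        rec["_time"], rec["audit_id"] = float(m.group(1)), m.group(2)
    return rec


def copy_fail_indicator(rec):
    """Mirror the SPL case(): one indicator string per qualifying SYSCALL record."""
    if rec.get("type") != "SYSCALL" or rec.get("key") not in COPY_FAIL_KEYS:
        return None
    if rec["key"] == "af_alg":
        return "AF_ALG socket"
    if rec["key"] == "splice_user":
        return "splice syscall"
    for field in ("name", "exe"):  # the search checks name first, then exe
        if rec.get(field) in SETUID_BINARIES:
            return "setuid_exec:" + rec[field]
    return None


def copy_fail_alerts(records, threshold=3):
    """Distinct indicators per auid; keep sessions at or above threshold, like stats/where."""
    per_session = defaultdict(set)
    for rec in records:
        ind = copy_fail_indicator(rec)
        if ind and "auid" in rec:
            per_session[rec["auid"]].add(ind)
    return {auid: {"unique_signals": len(s), "risk_score_factor": 25 * len(s),
                   "signals": sorted(s)}
            for auid, s in per_session.items() if len(s) >= threshold}


def reconstruct_created_paths(records):
    """Join PATH CREATE names with the CWD of the same audit id into absolute paths."""
    cwd_by_id, names_by_id = {}, defaultdict(list)
    for rec in records:
        if rec.get("type") == "CWD" and "cwd" in rec:
            cwd_by_id[rec["audit_id"]] = rec["cwd"]
        elif rec.get("type") == "PATH" and rec.get("nametype") == "CREATE" and "name" in rec:
            names_by_id[rec["audit_id"]].append(rec["name"])
    # posixpath.join keeps absolute names as-is; normpath also folds "./" and "../",
    # which the SPL (plain cwd + "/" + name) does not.
    return {aid: [posixpath.normpath(posixpath.join(cwd_by_id.get(aid, "N/A"), n)) for n in names]
            for aid, names in names_by_id.items()}


def doas_conf_creations(records):
    """(audit_id, path) pairs whose reconstructed path matches /etc/doas.conf.* (unanchored, as in the SPL)."""
    pattern = re.compile(r"/etc/doas\.conf.*")
    return [(aid, p) for aid, paths in reconstruct_created_paths(records).items()
            for p in paths if pattern.search(p)]


if __name__ == "__main__":
    recs = [parse_record(line) for line in SAMPLE_AUDIT_LINES]
    print("Copy Fail sessions:", copy_fail_alerts(recs))
    print("doas.conf creations:", doas_conf_creations(recs))
```

Because the doas match is unanchored, a creation under any path ending in /etc/doas.conf (for example inside a chroot or container image build) also fires, which is the same behaviour the SPL has.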
Linux Auditd Doas Tool Execution
The following analytic detects the execution of the 'doas' tool on a Linux host. This tool allows standard users to perform tasks with root privileges, similar to 'sudo'. The detection leverages data from Linux Auditd, focusing on process names and command-line executions. This activity is significant as 'doas' can be exploited by adversaries to gain elevated privileges on a compromised host. If confirmed malicious, this could lead to unauthorized administrative access, potentially compromising the entire system.
Show query
`linux_auditd` type=SYSCALL comm=doas
| rename host as dest
| stats count min(_time) as firstTime max(_time) as lastTime
BY comm exe syscall
uid ppid pid
success dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `linux_auditd_doas_tool_execution_filter`
Linux Auditd Edit Cron Table Parameter
The following analytic detects the suspicious editing of cron jobs in Linux using the crontab command-line parameter (-e). It identifies this activity by monitoring command-line executions involving 'crontab' and the edit parameter. This behavior is significant for a SOC as cron job manipulations can indicate unauthorized persistence attempts or scheduled malicious actions. If confirmed malicious, this activity could lead to system compromise, unauthorized access, or broader network compromise.
Show query
`linux_auditd` type=SYSCALL syscall IN ("rename", "execve") (comm IN ("crontab") OR exe IN ("*/crontab")) success=yes AND NOT (uid IN ("daemon"))
| rename host as dest
| stats count min(_time) as firstTime max(_time) as lastTime
BY comm exe syscall
uid ppid pid
dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `linux_auditd_edit_cron_table_parameter_filter`
Linux Auditd File And Directory Discovery
The following analytic detects suspicious file and directory discovery activities, which may indicate an attacker's effort to locate sensitive documents and files on a compromised system. This behavior often precedes data exfiltration, as adversaries seek to identify valuable or confidential information for theft. By identifying unusual or unauthorized attempts to browse or enumerate files and directories, this analytic helps security teams detect potential reconnaissance or preparatory actions by an attacker, enabling timely intervention to prevent data breaches or unauthorized access.
Show query
`linux_auditd` execve_command IN ("*grep*", "*find*") AND execve_command IN ("*.tif*", "*.tiff*", "*.gif*", "*.jpeg*", "*.jpg*", "*.jif*", "*.jfif*", "*.jp2*", "*.jpx*", "*.j2k*", "*.j2c*", "*.fpx*", "*.pcd*", "*.png*", "*.flv*", "*.pdf*", "*.mp4*", "*.mp3*", "*.gifv*", "*.avi*", "*.mov*", "*.mpeg*", "*.wav*", "*.doc*", "*.docx*", "*.xls*", "*.xlsx*", "*.svg*")
| rename host as dest
| rename comm as process_name
| rename exe as process
| stats count min(_time) as firstTime max(_time) as lastTime
BY argc execve_command dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `linux_auditd_file_and_directory_discovery_filter`
Linux Auditd File Permission Modification Via Chmod
The following analytic detects suspicious file permission modifications using the `chmod` command, which may indicate an attacker attempting to alter access controls on critical files or directories. Such modifications can be used to grant unauthorized users elevated privileges or to conceal malicious activities by restricting legitimate access. By monitoring for unusual or unauthorized `chmod` usage, this analytic helps identify potential security breaches, allowing security teams to respond promptly to prevent privilege escalation, data tampering, or other unauthorized actions on the system.
Show query
`linux_auditd` proctitle="*chmod*" AND proctitle IN ("* 777 *", "* 755 *", "*+*x*", "* 754 *")
| rename host as dest
| stats count min(_time) as firstTime max(_time) as lastTime
BY proctitle dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `linux_auditd_file_permission_modification_via_chmod_filter`
Linux Auditd File Permissions Modification Via Chattr
The following analytic detects suspicious file permissions modifications using the chattr command, which may indicate an attacker attempting to manipulate file attributes to evade detection or prevent alteration. The chattr command can be used to make files immutable or restrict deletion, which can be leveraged to protect malicious files or disrupt system operations. By monitoring for unusual or unauthorized chattr usage, this analytic helps identify potential tampering with critical files, enabling security teams to quickly respond to and mitigate threats associated with unauthorized file attribute changes.
Show query
`linux_auditd` proctitle = "*chattr *" AND proctitle = "* -i*"
| rename host as dest
| stats count min(_time) as firstTime max(_time) as lastTime
BY proctitle dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `linux_auditd_file_permissions_modification_via_chattr_filter`
Linux Auditd Find Credentials From Password Managers
The following analytic detects suspicious attempts to find credentials stored in password managers, which may indicate an attacker's effort to retrieve sensitive login information. Password managers are often targeted by adversaries seeking to access stored passwords for further compromise or lateral movement within a network. By monitoring for unusual or unauthorized access to password manager files or processes, this analytic helps identify potential credential theft attempts, enabling security teams to respond quickly to protect critical accounts and prevent further unauthorized access.
Show query
`linux_auditd` execve_command IN ("*find*", "*grep*") AND execve_command IN ("*.kdbx*", "*KeePass*", "*.enforced*", "*.lpdb*", "*.opvault*", "*.agilekeychain*", "*.dashlane*", "*.rfx*", "*passbolt*", "*.spdb*", "*StickyPassword*", "*.walletx*", "*enpass*", "*vault*", "*.kdb*")
| rename host as dest
| rename comm as process_name
| rename exe as process
| stats count min(_time) as firstTime max(_time) as lastTime
BY argc execve_command dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `linux_auditd_find_credentials_from_password_managers_filter`
Linux Auditd Find Credentials From Password Stores
The following analytic detects suspicious attempts to find credentials stored in password stores, indicating a potential attacker's effort to access sensitive login information. Password stores are critical repositories that contain valuable credentials, and unauthorized access to them can lead to significant security breaches. By monitoring for unusual or unauthorized activities related to password store access, this analytic helps identify potential credential theft attempts, allowing security teams to respond promptly and prevent unauthorized access to critical systems and data.
Show query
`linux_auditd` execve_command IN ("*find*", "*grep*") AND execve_command IN ("*password*", "*pass *", "*credential*", "*creds*")
| rename host as dest
| rename comm as process_name
| rename exe as process
| stats count min(_time) as firstTime max(_time) as lastTime
BY argc execve_command dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `linux_auditd_find_credentials_from_password_stores_filter`
Linux Auditd Find Ssh Private Keys
The following analytic detects suspicious attempts to find SSH private keys, which may indicate an attacker's effort to compromise secure access to systems. SSH private keys are essential for secure authentication, and unauthorized access to these keys can enable attackers to gain unauthorized access to servers and other critical infrastructure. By monitoring for unusual or unauthorized searches for SSH private keys, this analytic helps identify potential threats to network security, allowing security teams to quickly respond and safeguard against unauthorized access and potential breaches.
Show query
`linux_auditd` execve_command IN ("*find*", "*grep*") AND execve_command IN ("*id_rsa*", "*id_dsa*", "*.key*", "*ssh_key*", "*authorized_keys*")
| rename host as dest
| rename comm as process_name
| rename exe as process
| stats count min(_time) as firstTime max(_time) as lastTime
BY argc execve_command dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `linux_auditd_find_ssh_private_keys_filter`
Linux Auditd Hardware Addition Swapoff
The following analytic detects the execution of the "swapoff" command, which disables the swapping of paging devices on a Linux system. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs. This activity is significant because disabling swap can be a tactic used by malware, such as Awfulshred, to evade detection and hinder forensic analysis. If confirmed malicious, this action could allow an attacker to manipulate system memory management, potentially leading to data corruption, system instability, or evasion of memory-based detection mechanisms.
Show query
`linux_auditd` proctitle = "*swapoff*" AND proctitle = "*-a*"
| rename host as dest
| stats count min(_time) as firstTime max(_time) as lastTime
BY proctitle dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `linux_auditd_hardware_addition_swapoff_filter`
Linux Auditd Hidden Files And Directories Creation
The following analytic detects suspicious creation of hidden files and directories, which may indicate an attacker's attempt to conceal malicious activities or unauthorized data. Hidden files and directories are often used to evade detection by security tools and administrators, providing a stealthy means for storing malware, logs, or sensitive information. By monitoring for unusual or unauthorized creation of hidden files and directories, this analytic helps identify potential attempts to hide malicious operations, enabling security teams to uncover and address hidden threats effectively.
Show query
`linux_auditd` execve_command IN ("*touch *", "*mkdir *", "*vim *", "*vi *", "*nano *") AND execve_command IN ("* ./.*", "* .*", "*/.*")
| rename host as dest
| rename comm as process_name
| rename exe as process
| stats count min(_time) as firstTime max(_time) as lastTime
BY argc execve_command dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `linux_auditd_hidden_files_and_directories_creation_filter`
Linux Auditd Insert Kernel Module Using Insmod Utility
The following analytic detects the insertion of a Linux kernel module using the insmod utility. It leverages data from Linux Auditd, focusing on process execution logs that include process names and command-line details. This activity is significant as it may indicate the installation of a rootkit or malicious kernel module, potentially allowing an attacker to gain elevated privileges and bypass security detections. If confirmed malicious, this could lead to unauthorized code execution, persistent access, and severe compromise of the affected system.
Show query
`linux_auditd` type=SYSCALL comm=insmod
| rename host as dest
| stats count min(_time) as firstTime max(_time) as lastTime
BY comm exe syscall
uid ppid pid
success dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `linux_auditd_insert_kernel_module_using_insmod_utility_filter`
Linux Auditd Install Kernel Module Using Modprobe Utility
The following analytic detects the installation of a Linux kernel module using the modprobe utility. It leverages data from Linux Auditd, focusing on process names and command-line executions. This activity is significant because installing a kernel module can indicate an attempt to deploy a rootkit or other malicious kernel-level code, potentially leading to elevated privileges and bypassing security detections. If confirmed malicious, this could allow an attacker to gain persistent, high-level access to the system, compromising its integrity and security.
Show query
`linux_auditd` type=SYSCALL comm=modprobe
| rename host as dest
| stats count min(_time) as firstTime max(_time) as lastTime
BY comm exe syscall
uid ppid pid
success dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `linux_auditd_install_kernel_module_using_modprobe_utility_filter`
Linux Auditd Kernel Module Enumeration
The following analytic identifies the use of the 'kmod' process to list kernel modules on a Linux system. This detection leverages data from Linux Auditd, focusing on process names and command-line executions. While listing kernel modules is not inherently malicious, it can be a precursor to loading unauthorized modules using 'insmod'. If confirmed malicious, this activity could allow an attacker to load kernel modules, potentially leading to privilege escalation, persistence, or other malicious actions within the system.
Show query
`linux_auditd` type=SYSCALL comm=lsmod
| rename host as dest
| stats count min(_time) as firstTime max(_time) as lastTime
BY comm exe syscall
uid ppid pid
success dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `linux_auditd_kernel_module_enumeration_filter`
Linux Auditd Kernel Module Using Rmmod Utility
The following analytic detects suspicious use of the `rmmod` utility for kernel module removal, which may indicate an attacker's attempt to unload critical or security-related kernel modules. The `rmmod` command is used to remove modules from the Linux kernel, and unauthorized use can be a tactic to disable security features, conceal malicious activities, or disrupt system operations. By monitoring for unusual or unauthorized `rmmod` activity, this analytic helps identify potential tampering with kernel modules, enabling security teams to take proactive measures to protect system integrity and security.
Show query
`linux_auditd` type=SYSCALL comm=rmmod
| rename host as dest
| stats count min(_time) as firstTime max(_time) as lastTime
BY comm exe syscall
uid ppid pid
success dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `linux_auditd_kernel_module_using_rmmod_utility_filter`
Linux Auditd Nopasswd Entry In Sudoers File
The following analytic detects the addition of NOPASSWD entries to the /etc/sudoers file on Linux systems. It leverages Linux Auditd data to identify command lines containing "NOPASSWD:". This activity is significant because it allows users to execute commands with elevated privileges without requiring a password, which can be exploited by adversaries to maintain persistent, privileged access. If confirmed malicious, this could lead to unauthorized privilege escalation, persistent access, and potential compromise of sensitive data and system integrity.
Show query
`linux_auditd` proctitle = "*NOPASSWD*"
| rename host as dest
| stats count min(_time) as firstTime max(_time) as lastTime
BY proctitle dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `linux_auditd_nopasswd_entry_in_sudoers_file_filter`
Linux Auditd Osquery Service Stop
The following analytic detects suspicious stopping of the `osquery` service, which may indicate an attempt to disable monitoring and evade detection. `Osquery` is a powerful tool used for querying system information and detecting anomalies, and stopping its service can be a sign that an attacker is trying to disrupt security monitoring or hide malicious activities. By monitoring for unusual or unauthorized stops of the `osquery` service, this analytic helps identify potential efforts to bypass security controls, enabling security teams to investigate and respond to possible threats effectively.
Show query
`linux_auditd` type=SERVICE_STOP unit IN ("osqueryd")
| rename host as dest
| stats count min(_time) as firstTime max(_time) as lastTime
BY type pid comm
exe unit dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `linux_auditd_osquery_service_stop_filter`