Deployable detection rules
4 vendor-native detections · ready to paste into your SIEM · cross-linked to ATT&CK
◈
Detections
4 shown of 4Linux Auditd Database File And Directory Discovery
The following analytic detects suspicious database file and directory discovery activities, which may signal an attacker attempt to locate and assess critical database assets on a compromised system. This behavior is often a precursor to data theft, unauthorized access, or privilege escalation, as attackers seek to identify valuable information stored in databases. By monitoring for unusual or unauthorized attempts to locate database files and directories, this analytic aids in early detection of potential reconnaissance or data breach efforts, enabling security teams to respond swiftly and mitigate the risk of further compromise.
Show query
`linux_auditd` execve_command IN ("*find*", "*grep*") AND execve_command IN("*.db*", "*.sql*", "*.sqlite*", "*.mdb*", "*.accdb*", "*.mdf*", "*.ndf*", "*.ldf*", "*.frm*", "*.myd*", "*.myi*", "*.dbf*", "*.db2*", "*.dbc*", "*.fpt*", "*.ora*")
| rename host as dest
| rename comm as process_name
| rename exe as process
| stats count min(_time) as firstTime max(_time) as lastTime
BY argc execve_command dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `linux_auditd_database_file_and_directory_discovery_filter`Linux Auditd File And Directory Discovery
The following analytic detects suspicious file and directory discovery activities, which may indicate an attacker's effort to locate sensitive documents and files on a compromised system. This behavior often precedes data exfiltration, as adversaries seek to identify valuable or confidential information for theft. By identifying unusual or unauthorized attempts to browse or enumerate files and directories, this analytic helps security teams detect potential reconnaissance or preparatory actions by an attacker, enabling timely intervention to prevent data breaches or unauthorized access.
Show query
`linux_auditd` execve_command IN ("*grep*", "*find*") AND execve_command IN ("*.tif*", "*.tiff*", "*.gif*", "*.jpeg*", "*.jpg*", "*.jif*", "*.jfif*", "*.jp2*", "*.jpx*", "*.j2k*", "*.j2c*", "*.fpx*", "*.pcd*", "*.png*", "*.flv*", "*.pdf*", "*.mp4*", "*.mp3*", "*.gifv*", "*.avi*", "*.mov*", "*.mpeg*", "*.wav*", "*.doc*", "*.docx*", "*.xls*", "*.xlsx*", "*.svg*")
| rename host as dest
| rename comm as process_name
| rename exe as process
| stats count min(_time) as firstTime max(_time) as lastTime
BY argc execve_command dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `linux_auditd_file_and_directory_discovery_filter`Linux Auditd Hidden Files And Directories Creation
The following analytic detects suspicious creation of hidden files and directories, which may indicate an attacker's attempt to conceal malicious activities or unauthorized data. Hidden files and directories are often used to evade detection by security tools and administrators, providing a stealthy means for storing malware, logs, or sensitive information. By monitoring for unusual or unauthorized creation of hidden files and directories, this analytic helps identify potential attempts to hide or unauthorized creation of hidden files and directories, this analytic helps identify potential attempts to hide malicious operations, enabling security teams to uncover and address hidden threats effectively.
Show query
`linux_auditd` execve_command IN ("*touch *", "*mkdir *", "*vim *", "*vi *", "*nano *") AND execve_command IN ("* ./.*", "* .*", "*/.*")
| rename host as dest
| rename comm as process_name
| rename exe as process
| stats count min(_time) as firstTime max(_time) as lastTime
BY argc execve_command dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `linux_auditd_hidden_files_and_directories_creation_filter`Linux Auditd Virtual Disk File And Directory Discovery
The following analytic detects suspicious discovery of virtual disk files and directories, which may indicate an attacker's attempt to locate and access virtualized storage environments. Virtual disks can contain sensitive data or critical system configurations, and unauthorized discovery attempts could signify preparatory actions for data exfiltration or further compromise. By monitoring for unusual or unauthorized searches for virtual disk files and directories, this analytic helps identify potential reconnaissance activities, enabling security teams to respond promptly and safeguard against unauthorized access and data breaches.
Show query
`linux_auditd` execve_command IN ("*find*", "*grep*") AND execve_command IN ("*.vhd*", "*.vhdx*", "*.vmdk*")
| rename host as dest
| rename comm as process_name
| rename exe as process
| stats count min(_time) as firstTime max(_time) as lastTime
BY argc execve_command dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `linux_auditd_virtual_disk_file_and_directory_discovery_filter`Showing 1-4 of 4