Sigma is the open generic signature format for SIEM systems. Each rule below converts to native syntax for Splunk, Elastic, Sentinel, and other SIEMs. Expand any rule to see its raw YAML.
Detects suspicious use of PCHunter, a tool like Process Hacker to view and manipulate processes, kernel options and other low level stuff
status: test | author: Florian Roth (Nextron Systems), Nasreddine Bencherchali | id: fca949cc-79ca-446e-8064-01aa7e52ece5
title: HackTool - PCHunter Execution
id: fca949cc-79ca-446e-8064-01aa7e52ece5
status: test
description: Detects suspicious use of PCHunter, a tool like Process Hacker to view and manipulate processes, kernel options and other low level stuff
references:
    - https://web.archive.org/web/20231210115125/http://www.xuetr.com/
    - https://www.crowdstrike.com/blog/falcon-overwatch-report-finds-increase-in-ecrime/
    - https://www.hexacorn.com/blog/2018/04/20/kernel-hacking-tool-you-might-have-never-heard-of-xuetr-pchunter/
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali
date: 2022-10-10
modified: 2024-11-23
tags:
    - attack.execution
    - attack.discovery
    - attack.t1082
    - attack.t1057
    - attack.t1012
    - attack.t1083
    - attack.t1007
logsource:
    category: process_creation
    product: windows
detection:
    selection_image:
        Image|endswith:
            - '\PCHunter64.exe'
            - '\PCHunter32.exe'
    selection_pe:
        - OriginalFileName: 'PCHunter.exe'
        - Description: 'Epoolsoft Windows Information View Tools'
    selection_hashes:
        Hashes|contains:
            - 'SHA1=5F1CBC3D99558307BC1250D084FA968521482025'
            - 'MD5=987B65CD9B9F4E9A1AFD8F8B48CF64A7'
            - 'SHA256=2B214BDDAAB130C274DE6204AF6DBA5AEEC7433DA99AA950022FA306421A6D32'
            - 'IMPHASH=444D210CEA1FF8112F256A4997EED7FF'
            - 'SHA1=3FB89787CB97D902780DA080545584D97FB1C2EB'
            - 'MD5=228DD0C2E6287547E26FFBD973A40F14'
            - 'SHA256=55F041BF4E78E9BFA6D4EE68BE40E496CE3A1353E1CA4306598589E19802522C'
            - 'IMPHASH=0479F44DF47CFA2EF1CCC4416A538663'
    condition: 1 of selection_*
falsepositives:
    - Unlikely
level: high
high
PUA - Seatbelt Execution
Detects the execution of the PUA/Recon tool Seatbelt via PE information or command line parameters
status: test | author: Nasreddine Bencherchali (Nextron Systems) | id: 38646daa-e78f-4ace-9de0-55547b2d30da
title: PUA - Seatbelt Execution
id: 38646daa-e78f-4ace-9de0-55547b2d30da
status: test
description: Detects the execution of the PUA/Recon tool Seatbelt via PE information or command line parameters
references:
    - https://github.com/GhostPack/Seatbelt
    - https://www.bluetangle.dev/2022/08/fastening-seatbelt-on-threat-hunting.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-10-18
modified: 2023-02-04
tags:
    - attack.discovery
    - attack.t1526
    - attack.t1087
    - attack.t1083
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\Seatbelt.exe'
        - OriginalFileName: 'Seatbelt.exe'
        - Description: 'Seatbelt'
        - CommandLine|contains:
              # This is just a list of the commands that will produce the least amount of FP in "theory"
              # Comment out/in as needed in your environment
              # To get the full list of commands see reference section
              - ' DpapiMasterKeys'
              - ' InterestingProcesses'
              - ' InterestingFiles'
              - ' CertificateThumbprints'
              - ' ChromiumBookmarks'
              - ' ChromiumHistory'
              - ' ChromiumPresence'
              - ' CloudCredentials'
              - ' CredEnum'
              - ' CredGuard'
              - ' FirefoxHistory'
              - ' ProcessCreationEvents'
              # - ' RDPSessions'
              # - ' PowerShellHistory'
    selection_group_list:
        CommandLine|contains:
            - ' -group=misc'
            - ' -group=remote'
            - ' -group=chromium'
            - ' -group=slack'
            - ' -group=system'
            - ' -group=user'
            - ' -group=all'
    selection_group_output:
        CommandLine|contains: ' -outputfile='
    condition: selection_img or all of selection_group_*
falsepositives:
    - Unlikely
level: high
high
Shell Execution GCC - Linux
Detects the use of the "gcc" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
status: test | author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.) | id: 9b5de532-a757-4d70-946c-1f3e44f48b4d
title: Shell Execution GCC - Linux
id: 9b5de532-a757-4d70-946c-1f3e44f48b4d
status: test
description: |
    Detects the use of the "gcc" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
references:
    - https://gtfobins.github.io/gtfobins/gcc/#shell
    - https://gtfobins.github.io/gtfobins/c89/#shell
    - https://gtfobins.github.io/gtfobins/c99/#shell
    - https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html
author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)
date: 2024-09-02
tags:
    - attack.discovery
    - attack.t1083
logsource:
    category: process_creation
    product: linux
detection:
    selection_img:
        Image|endswith:
            - '/c89'
            - '/c99'
            - '/gcc'
        CommandLine|contains: '-wrapper'
    selection_cli:
        CommandLine|contains:
            - '/bin/bash,-s'
            - '/bin/dash,-s'
            - '/bin/fish,-s'
            - '/bin/sh,-s'
            - '/bin/zsh,-s'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
high
Shell Execution via Find - Linux
Detects the use of the find command to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or exploitation attempt.
status: test | author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.) | id: 6adfbf8f-52be-4444-9bac-81b539624146
title: Shell Execution via Find - Linux
id: 6adfbf8f-52be-4444-9bac-81b539624146
status: test
description: |
    Detects the use of the find command to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or exploitation attempt.
references:
    - https://gtfobins.github.io/gtfobins/find/#shell
    - https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html
author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)
date: 2024-09-02
tags:
    - attack.discovery
    - attack.t1083
logsource:
    category: process_creation
    product: linux
detection:
    selection_img:
        Image|endswith: '/find'
        CommandLine|contains|all:
            - ' . '
            - '-exec'
    selection_cli:
        CommandLine|contains:
            - '/bin/bash'
            - '/bin/dash'
            - '/bin/fish'
            - '/bin/sh'
            - '/bin/zsh'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
high
Shell Execution via Flock - Linux
Detects the use of the "flock" command to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
status: test | author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.) | id: 4b09c71e-4269-4111-9cdd-107d8867f0cc
title: Shell Execution via Flock - Linux
id: 4b09c71e-4269-4111-9cdd-107d8867f0cc
status: test
description: |
    Detects the use of the "flock" command to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
references:
    - https://gtfobins.github.io/gtfobins/flock/#shell
    - https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html
author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)
date: 2024-09-02
tags:
    - attack.discovery
    - attack.t1083
logsource:
    category: process_creation
    product: linux
detection:
    selection_img:
        Image|endswith: '/flock'
        CommandLine|contains: ' -u '
    selection_cli:
        CommandLine|contains:
            - '/bin/bash'
            - '/bin/dash'
            - '/bin/fish'
            - '/bin/sh'
            - '/bin/zsh'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
high
Shell Execution via Nice - Linux
Detects the use of the "nice" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
status: test | author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.) | id: 093d68c7-762a-42f4-9f46-95e79142571a
title: Shell Execution via Nice - Linux
id: 093d68c7-762a-42f4-9f46-95e79142571a
status: test
description: |
    Detects the use of the "nice" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
references:
    - https://gtfobins.github.io/gtfobins/nice/#shell
    - https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html
author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)
date: 2024-09-02
tags:
    - attack.discovery
    - attack.t1083
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        Image|endswith: '/nice'
        CommandLine|endswith:
            - '/bin/bash'
            - '/bin/dash'
            - '/bin/fish'
            - '/bin/sh'
            - '/bin/zsh'
    condition: selection
falsepositives:
    - Unknown
level: high
high
Vim GTFOBin Abuse - Linux
Detects the use of "vim" and its sibling commands to execute a shell or proxy commands.
Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
status: test | author: Nasreddine Bencherchali (Nextron Systems) | id: 7ab8f73a-fcff-428b-84aa-6a5ff7877dea
title: Vim GTFOBin Abuse - Linux
id: 7ab8f73a-fcff-428b-84aa-6a5ff7877dea
status: test
description: |
    Detects the use of "vim" and its sibling commands to execute a shell or proxy commands.
    Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
references:
    - https://gtfobins.github.io/gtfobins/vim/
    - https://gtfobins.github.io/gtfobins/rvim/
    - https://gtfobins.github.io/gtfobins/vimdiff/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-12-28
modified: 2024-09-02
tags:
    - attack.discovery
    - attack.t1083
logsource:
    category: process_creation
    product: linux
detection:
    selection_img:
        Image|endswith:
            - '/rvim'
            - '/vim'
            - '/vimdiff'
        CommandLine|contains:
            - ' --cmd'
            - ' -c '
    selection_cli:
        CommandLine|contains:
            - ':!/'
            - ':lua '
            - ':py '
            - '/bin/bash'
            - '/bin/dash'
            - '/bin/fish'
            - '/bin/sh'
            - '/bin/zsh'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
medium
PUA - TruffleHog Execution
Detects execution of TruffleHog, a tool used to search for secrets in different platforms like Git, Jira, Slack, SharePoint, etc. that could be used maliciously.
While it is a legitimate tool, intended for use in CI pipelines and security assessments,
it was observed in the Shai-Hulud malware campaign targeting npm packages to steal sensitive information.
status: experimental | author: Swachchhanda Shrawan Poudel (Nextron Systems) | id: 44030449-b0df-4c94-aae1-502359ab28ee
title: PUA - TruffleHog Execution
id: 44030449-b0df-4c94-aae1-502359ab28ee
related:
    - id: d7a650c4-226c-451e-948f-cc490db506aa
      type: similar
status: experimental
description: |
    Detects execution of TruffleHog, a tool used to search for secrets in different platforms like Git, Jira, Slack, SharePoint, etc. that could be used maliciously.
    While it is a legitimate tool, intended for use in CI pipelines and security assessments,
    it was observed in the Shai-Hulud malware campaign targeting npm packages to steal sensitive information.
references:
    - https://github.com/trufflesecurity/trufflehog
    - https://www.getsafety.com/blog-posts/shai-hulud-npm-attack
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-09-24
tags:
    - attack.discovery
    - attack.credential-access
    - attack.t1083
    - attack.t1552.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        Image|endswith: '\trufflehog.exe'
    selection_cli_platform:
        CommandLine|contains:
            - ' docker --image '
            - ' Git '
            - ' GitHub '
            - ' Jira '
            - ' Slack '
            - ' Confluence '
            - ' SharePoint '
            - ' s3 '
            - ' gcs '
    selection_cli_verified:
        CommandLine|contains: ' --results=verified'
    condition: selection_img or all of selection_cli_*
falsepositives:
    - Legitimate use of TruffleHog by security teams or developers.
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_pua_trufflehog/info.yml
medium
PUA - TruffleHog Execution - Linux
Detects execution of TruffleHog, a tool used to search for secrets in different platforms like Git, Jira, Slack, SharePoint, etc. that could be used maliciously.
While it is a legitimate tool, intended for use in CI pipelines and security assessments,
it was observed in the Shai-Hulud malware campaign targeting npm packages to steal sensitive information.
status: experimental | author: Swachchhanda Shrawan Poudel (Nextron Systems) | id: d7a650c4-226c-451e-948f-cc490db506aa
title: PUA - TruffleHog Execution - Linux
id: d7a650c4-226c-451e-948f-cc490db506aa
related:
    - id: 44030449-b0df-4c94-aae1-502359ab28ee
      type: similar
status: experimental
description: |
    Detects execution of TruffleHog, a tool used to search for secrets in different platforms like Git, Jira, Slack, SharePoint, etc. that could be used maliciously.
    While it is a legitimate tool, intended for use in CI pipelines and security assessments,
    it was observed in the Shai-Hulud malware campaign targeting npm packages to steal sensitive information.
references:
    - https://github.com/trufflesecurity/trufflehog
    - https://www.getsafety.com/blog-posts/shai-hulud-npm-attack
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-09-24
tags:
    - attack.discovery
    - attack.credential-access
    - attack.t1083
    - attack.t1552.001
logsource:
    category: process_creation
    product: linux
detection:
    selection_img:
        Image|endswith: '/trufflehog'
    selection_cli_platform:
        CommandLine|contains:
            - ' docker --image '
            - ' Git '
            - ' GitHub '
            - ' Jira '
            - ' Slack '
            - ' Confluence '
            - ' SharePoint '
            - ' s3 '
            - ' gcs '
    selection_cli_verified:
        CommandLine|contains: ' --results=verified'
    condition: selection_img or all of selection_cli_*
falsepositives:
    - Legitimate use of TruffleHog by security teams or developers.
level: medium
medium
Potential Discovery Activity Using Find - Linux
Detects usage of "find" binary in a suspicious manner to perform discovery
status: test | author: Nasreddine Bencherchali (Nextron Systems) | id: 8344c0e5-5783-47cc-9cf9-a0f7fd03e6cf
title: Potential Discovery Activity Using Find - Linux
id: 8344c0e5-5783-47cc-9cf9-a0f7fd03e6cf
related:
    - id: 85de3a19-b675-4a51-bfc6-b11a5186c971
      type: similar
status: test
description: Detects usage of "find" binary in a suspicious manner to perform discovery
references:
    - https://github.com/SaiSathvik1/Linux-Privilege-Escalation-Notes
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-12-28
tags:
    - attack.discovery
    - attack.t1083
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        Image|endswith: '/find'
        CommandLine|contains:
            - '-perm -4000'
            - '-perm -2000'
            - '-perm 0777'
            - '-perm -222'
            - '-perm -o w'
            - '-perm -o x'
            - '-perm -u=s'
            - '-perm -g=s'
    condition: selection
falsepositives:
    - Unknown
level: medium
medium
Potential Discovery Activity Using Find - MacOS
Detects usage of "find" binary in a suspicious manner to perform discovery
status: test | author: Nasreddine Bencherchali (Nextron Systems) | id: 85de3a19-b675-4a51-bfc6-b11a5186c971
Detects technique used by MAZE ransomware to enumerate directories using Powershell
status: test | author: frack113 | id: 162e69a7-7981-4344-84a9-0f1c9a217a52
title: Powershell Directory Enumeration
id: 162e69a7-7981-4344-84a9-0f1c9a217a52
status: test
description: Detects technique used by MAZE ransomware to enumerate directories using Powershell
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1083/T1083.md
    - https://www.mandiant.com/resources/tactics-techniques-procedures-associated-with-maze-ransomware-incidents
author: frack113
date: 2022-03-17
tags:
    - attack.discovery
    - attack.t1083
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains|all:
            - foreach
            - Get-ChildItem
            - '-Path '
            - '-ErrorAction '
            - SilentlyContinue
            - 'Out-File '
            - '-append'
    condition: selection
falsepositives:
    - Legitimate PowerShell scripts
level: medium
medium
Powershell Sensitive File Discovery
Detects adversaries enumerating sensitive files
status: test | author: frack113 | id: 7d416556-6502-45b2-9bad-9d2f05f38997
title: Powershell Sensitive File Discovery
id: 7d416556-6502-45b2-9bad-9d2f05f38997
related:
    - id: d23f2ba5-9da0-4463-8908-8ee47f614bb9
      type: derived
status: test
description: Detects adversaries enumerating sensitive files
references:
    - https://twitter.com/malmoeb/status/1570814999370801158
author: frack113
date: 2022-09-16
tags:
    - attack.discovery
    - attack.t1083
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection_action:
        ScriptBlockText|contains:
            - ls
            - get-childitem
            - gci
    selection_recurse:
        ScriptBlockText|contains: '-recurse'
    selection_file:
        ScriptBlockText|contains:
            - '.pass'
            - '.kdbx'
            - '.kdb'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
medium
Shell Invocation via Apt - Linux
Detects the use of the "apt" and "apt-get" commands to execute a shell or proxy commands.
Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
status: test | author: Nasreddine Bencherchali (Nextron Systems) | id: bb382fd5-b454-47ea-a264-1828e4c766d6
title: Shell Invocation via Apt - Linux
id: bb382fd5-b454-47ea-a264-1828e4c766d6
status: test
description: |
    Detects the use of the "apt" and "apt-get" commands to execute a shell or proxy commands.
    Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
references:
    - https://gtfobins.github.io/gtfobins/apt/
    - https://gtfobins.github.io/gtfobins/apt-get/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-12-28
modified: 2024-09-02
tags:
    - attack.discovery
    - attack.t1083
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        Image|endswith:
            - '/apt'
            - '/apt-get'
        CommandLine|contains: 'APT::Update::Pre-Invoke::='
    condition: selection
falsepositives:
    - Unknown
level: medium
medium
Source Code Enumeration Detection by Keyword
Detects source code enumeration that uses GET requests by keyword searches in URL strings
status: test | author: James Ahearn | id: 953d460b-f810-420a-97a2-cfca4c98e602
title: Source Code Enumeration Detection by Keyword
id: 953d460b-f810-420a-97a2-cfca4c98e602
status: test
description: Detects source code enumeration that uses GET requests by keyword searches in URL strings
references:
    - https://pentester.land/tutorials/2018/10/25/source-code-disclosure-via-exposed-git-folder.html
    - https://medium.com/@logicbomb_1/bugbounty-how-i-was-able-to-download-the-source-code-of-indias-largest-telecom-service-52cf5c5640a1
author: James Ahearn
date: 2019-06-08
modified: 2022-10-05
tags:
    - attack.discovery
    - attack.t1083
logsource:
    category: webserver
detection:
    keywords:
        - '.git/'
    condition: keywords
falsepositives:
    - Unknown
level: medium
low
Capabilities Discovery - Linux
Detects usage of "getcap" binary. This is often used during recon activity to determine potential binaries that can be abused as GTFOBins or other.
status: test | author: Nasreddine Bencherchali (Nextron Systems) | id: d8d97d51-122d-4cdd-9e2f-01b4b4933530
title: Capabilities Discovery - Linux
id: d8d97d51-122d-4cdd-9e2f-01b4b4933530
status: test
description: Detects usage of "getcap" binary. This is often used during recon activity to determine potential binaries that can be abused as GTFOBins or other.
references:
    - https://github.com/SaiSathvik1/Linux-Privilege-Escalation-Notes
    - https://github.com/carlospolop/PEASS-ng
    - https://github.com/diego-treitos/linux-smart-enumeration
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-12-28
modified: 2026-01-24
tags:
    - attack.discovery
    - attack.t1083
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        Image|endswith: '/getcap'
        CommandLine|contains: ' -r '
    condition: selection
falsepositives:
    - Unknown
level: low
low
Cisco Discovery
Find information about network devices that is not stored in config files
status: test | author: Austin Clark | id: 9705a6a1-6db6-4a16-a987-15b7151e299b
title: Cisco Discovery
id: 9705a6a1-6db6-4a16-a987-15b7151e299b
status: test
description: Find information about network devices that is not stored in config files
references:
    - https://www.cisco.com/c/en/us/td/docs/server_nw_virtual/2-5_release/command_reference/show.html
author: Austin Clark
date: 2019-08-12
modified: 2023-01-04
tags:
    - attack.discovery
    - attack.t1083
    - attack.t1201
    - attack.t1057
    - attack.t1018
    - attack.t1082
    - attack.t1016
    - attack.t1049
    - attack.t1033
    - attack.t1124
logsource:
    product: cisco
    service: aaa
detection:
    keywords:
        - 'dir'
        - 'show arp'
        - 'show cdp'
        - 'show clock'
        - 'show ip interface'
        - 'show ip route'
        - 'show ip sockets'
        - 'show processes'
        - 'show ssh'
        - 'show users'
        - 'show version'
    condition: keywords
falsepositives:
    - Commonly used by administrators for troubleshooting
level: low
low
DirLister Execution
Detects the usage of "DirLister.exe", a utility for quickly listing folder or drive contents. It was seen used by BlackCat ransomware to create a list of accessible directories and files.
status: test | author: frack113 | id: b4dc61f5-6cce-468e-a608-b48b469feaa2
title: DirLister Execution
id: b4dc61f5-6cce-468e-a608-b48b469feaa2
status: test
description: Detects the usage of "DirLister.exe", a utility for quickly listing folder or drive contents. It was seen used by BlackCat ransomware to create a list of accessible directories and files.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1083/T1083.md
    - https://news.sophos.com/en-us/2022/07/14/blackcat-ransomware-attacks-not-merely-a-byproduct-of-bad-luck/
author: frack113
date: 2022-08-20
modified: 2023-02-04
tags:
    - attack.discovery
    - attack.t1083
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - OriginalFileName: 'DirLister.exe'
        - Image|endswith: '\DirLister.exe'
    condition: selection
falsepositives:
    - Legitimate use by users
level: low
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_dirlister_execution/info.yml
simulation:
    - type: atomic-red-team
      name: Launch DirLister Executable
      technique: T1083
      atomic_guid: c5bec457-43c9-4a18-9a24-fe151d8971b7
low
Linux Capabilities Discovery
Detects attempts to discover the files with setuid/setgid capability on them. That would allow an adversary to escalate their privileges.
status: test | author: Pawel Mazur | id: fe10751f-1995-40a5-aaa2-c97ccb4123fe
title: Linux Capabilities Discovery
id: fe10751f-1995-40a5-aaa2-c97ccb4123fe
status: test
description: Detects attempts to discover the files with setuid/setgid capability on them. That would allow an adversary to escalate their privileges.
references:
    - https://man7.org/linux/man-pages/man8/getcap.8.html
    - https://www.hackingarticles.in/linux-privilege-escalation-using-capabilities/
    - https://mn3m.info/posts/suid-vs-capabilities/
    - https://int0x33.medium.com/day-44-linux-capabilities-privilege-escalation-via-openssl-with-selinux-enabled-and-enforced-74d2bec02099
author: 'Pawel Mazur'
date: 2021-11-28
modified: 2022-12-25
tags:
    - attack.discovery
    - attack.privilege-escalation
    - attack.t1083
    - attack.t1548
logsource:
    product: linux
    service: auditd
detection:
    selection:
        type: EXECVE
        a0: getcap
        a1: '-r'
        a2: '/'
    condition: selection
falsepositives:
    - Unknown
level: low
low
Notepad Password Files Discovery
Detects the execution of Notepad to open a file that has the string "password" which may indicate unauthorized access to credentials or suspicious activity.
status: experimental | author: The DFIR Report | id: 3b4e950b-a3ea-44d3-877e-432071990709
title: Notepad Password Files Discovery
id: 3b4e950b-a3ea-44d3-877e-432071990709
status: experimental
description: Detects the execution of Notepad to open a file that has the string "password" which may indicate unauthorized access to credentials or suspicious activity.
references:
    - https://thedfirreport.com/2025/02/24/confluence-exploit-leads-to-lockbit-ransomware/
    - https://intel.thedfirreport.com/eventReports/view/57 # Private Report
author: 'The DFIR Report'
tags:
    - attack.discovery
    - attack.t1083
date: 2025-02-21
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        ParentImage|endswith: '\explorer.exe'
        Image|endswith: '\notepad.exe'
        CommandLine|endswith:
            # Note: Commandline to contain a file with the string password and a specific extension
            - 'password*.txt'
            - 'password*.csv'
            - 'password*.doc'
            - 'password*.xls'
    condition: selection
falsepositives:
    - Legitimate use of opening files from remote hosts by administrators or users. However, storing passwords in text readable format could potentially be a violation of the organization's policy. Any match should be investigated further.
level: low
informational
File and Directory Discovery - Linux
Detects usage of system utilities such as "find", "tree", "findmnt", etc, to discover files, directories and network shares.
status: test | author: Daniil Yugoslavskiy, oscd.community, CheraghiMilad | id: d3feb4ee-ff1d-4d3d-bd10-5b28a238cc72
title: File and Directory Discovery - Linux
id: d3feb4ee-ff1d-4d3d-bd10-5b28a238cc72
status: test
description: |
    Detects usage of system utilities such as "find", "tree", "findmnt", etc, to discover files, directories and network shares.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1083/T1083.md
author: Daniil Yugoslavskiy, oscd.community, CheraghiMilad
date: 2020-10-19
modified: 2024-12-01
tags:
    - attack.discovery
    - attack.t1083
logsource:
    category: process_creation
    product: linux
detection:
    selection_file_with_asterisk:
        Image|endswith: '/file'
        CommandLine|re: '(.){200,}' # execution of the 'file */* *>> /tmp/output.txt' will produce huge commandline
    selection_recursive_ls:
        Image|endswith: '/ls'
        CommandLine|contains: '-R'
    selection_find_execution:
        Image|endswith: '/find'
    selection_tree_execution:
        Image|endswith: '/tree'
    selection_findmnt_execution:
        Image|endswith: '/findmnt'
    selection_locate_execution:
        Image|endswith: '/mlocate'
    condition: 1 of selection_*
falsepositives:
    - Legitimate activities
level: informational
informational
File and Directory Discovery - MacOS
Detects usage of system utilities to discover files and directories
status: test | author: Daniil Yugoslavskiy, oscd.community | id: 089dbdf6-b960-4bcc-90e3-ffc3480c20f6
title: File and Directory Discovery - MacOS
id: 089dbdf6-b960-4bcc-90e3-ffc3480c20f6
status: test
description: Detects usage of system utilities to discover files and directories
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1083/T1083.md
author: Daniil Yugoslavskiy, oscd.community
date: 2020-10-19
modified: 2022-11-25
tags:
    - attack.discovery
    - attack.t1083
logsource:
    category: process_creation
    product: macos
detection:
    select_file_with_asterisk:
        Image: '/usr/bin/file'
        CommandLine|re: '(.){200,}' # execution of the 'file */* *>> /tmp/output.txt' will produce huge commandline
    select_recursive_ls:
        Image: '/bin/ls'
        CommandLine|contains: '-R'
    select_find_execution:
        Image: '/usr/bin/find'
    select_mdfind_execution:
        Image: '/usr/bin/mdfind'
    select_tree_execution:
        Image|endswith: '/tree'
    condition: 1 of select*
falsepositives:
    - Legitimate activities
level: informational