
Sigma detection rules

11 rules indexed · SIEM-agnostic detection content
Sigma is the open generic signature format for SIEM systems. Each rule below converts to native syntax for Splunk, Elastic, Sentinel, and other SIEMs. Expand any rule to see its raw YAML.

Detection rules

Commands to Clear or Remove the Syslog - Builtin
Detects specific commands commonly used to remove or empty the syslog
Level: high · Status: test · Author: Max Altgelt (Nextron Systems) · ID: e09eb557-96d2-4de9-ba2d-30f712a5afd3
title: Commands to Clear or Remove the Syslog - Builtin
id: e09eb557-96d2-4de9-ba2d-30f712a5afd3
status: test
description: Detects specific commands commonly used to remove or empty the syslog
references:
    - https://www.virustotal.com/gui/file/fc614fb4bda24ae8ca2c44e812d12c0fab6dd7a097472a35dd12ded053ab8474
author: Max Altgelt (Nextron Systems)
date: 2021-09-10
modified: 2022-11-26
tags:
    - attack.impact
    - attack.t1565.001
logsource:
    product: linux
detection:
    selection:
        - 'rm /var/log/syslog'
        - 'rm -r /var/log/syslog'
        - 'rm -f /var/log/syslog'
        - 'rm -rf /var/log/syslog'
        - 'mv /var/log/syslog'
        - ' >/var/log/syslog'
        - ' > /var/log/syslog'
    falsepositives:
        - '/syslog.'
    condition: selection and not falsepositives
falsepositives:
    - Log rotation
level: high
History File Deletion
Detects events in which a history file is deleted, e.g. ~/.bash_history, to remove traces of malicious activity
Level: high · Status: test · Author: Florian Roth (Nextron Systems) · ID: 1182f3b3-e716-4efa-99ab-d2685d04360f
title: History File Deletion
id: 1182f3b3-e716-4efa-99ab-d2685d04360f
status: test
description: Detects events in which a history file gets deleted, e.g. the ~/bash_history to remove traces of malicious activity
references:
    - https://github.com/sleventyeleven/linuxprivchecker/
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.003/T1552.003.md
author: Florian Roth (Nextron Systems)
date: 2022-06-20
modified: 2022-09-15
tags:
    - attack.impact
    - attack.t1565.001
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        Image|endswith:
            - '/rm'
            - '/unlink'
            - '/shred'
    selection_history:
        - CommandLine|contains:
              - '/.bash_history'
              - '/.zsh_history'
        - CommandLine|endswith:
              - '_history'
              - '.history'
              - 'zhistory'
    condition: all of selection*
falsepositives:
    - Legitimate administration activities
level: high
Powershell Add Name Resolution Policy Table Rule
Detects PowerShell scripts that add a Name Resolution Policy Table (NRPT) rule for the specified namespace. This bypasses the default DNS server and uses a specified server to answer the query.
Level: high · Status: test · Author: Borna Talebi · ID: 4368354e-1797-463c-bc39-a309effbe8d7
title: Powershell Add Name Resolution Policy Table Rule
id: 4368354e-1797-463c-bc39-a309effbe8d7
status: test
description: |
  Detects powershell scripts that adds a Name Resolution Policy Table (NRPT) rule for the specified namespace.
  This will bypass the default DNS server and uses a specified server for answering the query.
references:
    - https://twitter.com/NathanMcNulty/status/1569497348841287681
    - https://learn.microsoft.com/en-us/powershell/module/dnsclient/add-dnsclientnrptrule?view=windowsserver2022-ps
author: Borna Talebi
date: 2021-09-14
modified: 2022-10-09
tags:
    - attack.impact
    - attack.t1565
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains|all:
            - 'Add-DnsClientNrptRule'
            - '-Namesp'
            - '-NameSe'
    condition: selection
falsepositives:
    - Unknown
level: high
AWS EC2 Disable EBS Encryption
Identifies disabling of default Amazon Elastic Block Store (EBS) encryption in the current region. Disabling default encryption does not change the encryption status of your existing volumes.
Level: medium · Status: stable · Author: Sittikorn S · ID: 16124c2d-e40b-4fcc-8f2c-5ab7870a2223
title: AWS EC2 Disable EBS Encryption
id: 16124c2d-e40b-4fcc-8f2c-5ab7870a2223
status: stable
description: |
  Identifies disabling of default Amazon Elastic Block Store (EBS) encryption in the current region.
  Disabling default encryption does not change the encryption status of your existing volumes.
references:
    - https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisableEbsEncryptionByDefault.html
author: Sittikorn S
date: 2021-06-29
modified: 2021-08-20
tags:
    - attack.impact
    - attack.t1486
    - attack.t1565
logsource:
    product: aws
    service: cloudtrail
detection:
    selection:
        eventSource: ec2.amazonaws.com
        eventName: DisableEbsEncryptionByDefault
    condition: selection
falsepositives:
    - System Administrator Activities
    - DEV, UAT, SAT environment. You should apply this rule with PROD account only.
level: medium
Azure DNS Zone Modified or Deleted
Identifies when a DNS zone is modified or deleted.
Level: medium · Status: test · Author: Austin Songer @austinsonger · ID: af6925b0-8826-47f1-9324-337507a0babd
title: Azure DNS Zone Modified or Deleted
id: af6925b0-8826-47f1-9324-337507a0babd
status: test
description: Identifies when DNS zone is modified or deleted.
references:
    - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
author: Austin Songer @austinsonger
date: 2021-08-08
modified: 2022-08-23
tags:
    - attack.impact
    - attack.t1565.001
logsource:
    product: azure
    service: activitylogs
detection:
    selection:
        operationName|startswith: 'MICROSOFT.NETWORK/DNSZONES'
        operationName|endswith:
            - '/WRITE'
            - '/DELETE'
    condition: selection
falsepositives:
    - DNS zone modified and deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
    - DNS zone modification from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: medium
Azure Device or Configuration Modified or Deleted
Identifies when a device or device configuration in Azure is modified or deleted.
Level: medium · Status: test · Author: Austin Songer @austinsonger · ID: 46530378-f9db-4af9-a9e5-889c177d3881
title: Azure Device or Configuration Modified or Deleted
id: 46530378-f9db-4af9-a9e5-889c177d3881
status: test
description: Identifies when a device or device configuration in azure is modified or deleted.
references:
    - https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities#core-directory
author: Austin Songer @austinsonger
date: 2021-09-03
modified: 2022-10-09
tags:
    - attack.impact
    - attack.t1485
    - attack.t1565.001
logsource:
    product: azure
    service: activitylogs
detection:
    selection:
        properties.message:
            - Delete device
            - Delete device configuration
            - Update device
            - Update device configuration
    condition: selection
falsepositives:
    - Device or device configuration being modified or deleted may be performed by a system administrator.
    - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
    - Device or device configuration modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: medium
Cisco Denial of Service
Detects a system being shut down or put into a different boot mode
Level: medium · Status: test · Author: Austin Clark · ID: d94a35f0-7a29-45f6-90a0-80df6159967c
title: Cisco Denial of Service
id: d94a35f0-7a29-45f6-90a0-80df6159967c
status: test
description: Detect a system being shutdown or put into different boot mode
author: Austin Clark
date: 2019-08-15
modified: 2023-01-04
tags:
    - attack.impact
    - attack.t1495
    - attack.t1529
    - attack.t1565.001
logsource:
    product: cisco
    service: aaa
detection:
    keywords:
        - 'shutdown'
        - 'config-register 0x2100'
        - 'config-register 0x2142'
    condition: keywords
falsepositives:
    - Legitimate administrators may run these commands, though rarely.
level: medium
Cisco Modify Configuration
Modifications to a config that will serve an adversary's impacts or persistence
Level: medium · Status: test · Author: Austin Clark · ID: 671ffc77-50a7-464f-9e3d-9ea2b493b26b
title: Cisco Modify Configuration
id: 671ffc77-50a7-464f-9e3d-9ea2b493b26b
status: test
description: Modifications to a config that will serve an adversary's impacts or persistence
author: Austin Clark
date: 2019-08-12
modified: 2025-04-28
tags:
    - attack.privilege-escalation
    - attack.execution
    - attack.persistence
    - attack.impact
    - attack.t1490
    - attack.t1505
    - attack.t1565.002
    - attack.t1053
logsource:
    product: cisco
    service: aaa
detection:
    keywords:
        - 'ip http server'
        - 'ip https server'
        - 'kron policy-list'
        - 'kron occurrence'
        - 'policy-list'
        - 'access-list'
        - 'ip access-group'
        - 'archive maximum'
        - 'ntp server'
    condition: keywords
falsepositives:
    - Legitimate administrators may run these commands
level: medium
Google Cloud Re-identifies Sensitive Information
Identifies when sensitive information is re-identified in Google Cloud.
Level: medium · Status: test · Author: Austin Songer @austinsonger · ID: 234f9f48-904b-4736-a34c-55d23919e4b7
title: Google Cloud Re-identifies Sensitive Information
id: 234f9f48-904b-4736-a34c-55d23919e4b7
status: test
description: Identifies when sensitive information is re-identified in google Cloud.
references:
    - https://cloud.google.com/dlp/docs/reference/rest/v2/projects.content/reidentify
author: Austin Songer @austinsonger
date: 2021-08-15
modified: 2022-10-09
tags:
    - attack.impact
    - attack.t1565
logsource:
    product: gcp
    service: gcp.audit
detection:
    selection:
        gcp.audit.method_name: projects.content.reidentify
    condition: selection
falsepositives:
    - Unknown
level: medium
ISATAP Router Address Was Set
Detects the configuration of a new ISATAP router on a Windows host. While ISATAP is a legitimate Microsoft technology for IPv6 transition, unexpected or unauthorized ISATAP router configurations could indicate a potential IPv6 DNS Takeover attack using tools like mitm6. In such attacks, adversaries advertise themselves as DHCPv6 servers and set malicious ISATAP routers to intercept traffic. This detection should be correlated with network baselines and known legitimate ISATAP deployments in your environment.
Level: medium · Status: experimental · Author: hamid · ID: d22df9cd-2aee-4089-93c7-9dc4eae77f2c
title: ISATAP Router Address Was Set
id: d22df9cd-2aee-4089-93c7-9dc4eae77f2c
status: experimental
description: |
    Detects the configuration of a new ISATAP router on a Windows host. While ISATAP is a legitimate Microsoft technology for IPv6 transition, unexpected or unauthorized ISATAP router configurations could indicate a potential IPv6 DNS Takeover attack using tools like mitm6.
    In such attacks, adversaries advertise themselves as DHCPv6 servers and set malicious ISATAP routers to intercept traffic.
    This detection should be correlated with network baselines and known legitimate ISATAP deployments in your environment.
references:
    - https://www.blackhillsinfosec.com/mitm6-strikes-again-the-dark-side-of-ipv6/
    - https://redfoxsec.com/blog/ipv6-dns-takeover/
    - https://www.securityhq.com/blog/malicious-isatap-tunneling-unearthed-on-windows-server/
    - https://medium.com/@ninnesoturan/detecting-ipv6-dns-takeover-a54a6a88be1f
author: hamid
date: 2025-10-19
tags:
    - attack.impact
    - attack.credential-access
    - attack.collection
    - attack.initial-access
    - attack.privilege-escalation
    - attack.execution
    - attack.t1557
    - attack.t1565.002
logsource:
    product: windows
    service: system
detection:
    selection:
        EventID: 4100
        Provider_Name: 'Microsoft-Windows-Iphlpsvc'
    filter_main_localhost:
        IsatapRouter:
            - '127.0.0.1'
            - '::1'
    filter_optional_null:
        IsatapRouter: null
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Legitimate ISATAP router configuration in enterprise environments
    - IPv6 transition projects and network infrastructure changes
    - Network administrators configuring dual-stack networking
    - Automatic ISATAP configuration in some Windows deployments
level: medium
Potential Suspicious Change To Sensitive/Critical Files
Detects changes to sensitive and critical files. Monitors files that you don't expect to change without planning on a Linux system. These files include, but are not limited to, system configuration files, authentication files, and critical application files. Attackers often target these files to maintain persistence, escalate privileges, or disrupt system operations.
Level: medium · Status: test · Author: @d4ns4n_ (Wuerth-Phoenix) · ID: 86157017-c2b1-4d4a-8c33-93b8e67e4af4
title: Potential Suspicious Change To Sensitive/Critical Files
id: 86157017-c2b1-4d4a-8c33-93b8e67e4af4
status: test
description: |
    Detects changes of sensitive and critical files. Monitors files that you don't expect to change without planning on Linux system.
    These files include, but are not limited to, system configuration files, authentication files, and critical application files.
    Attackers often target these files to maintain persistence, escalate privileges, or disrupt system operations.
references:
    - https://learn.microsoft.com/en-us/azure/defender-for-cloud/file-integrity-monitoring-overview#which-files-should-i-monitor
author: '@d4ns4n_ (Wuerth-Phoenix)'
date: 2023-05-30
modified: 2026-03-18
tags:
    - attack.impact
    - attack.t1565.001
logsource:
    category: process_creation
    product: linux
detection:
    selection_img_1:
        Image|endswith:
            - '/cat'
            - '/echo'
            - '/grep'
            - '/head'
            - '/more'
            - '/tail'
        CommandLine|contains: '>'
    selection_img_2:
        Image|endswith:
            - '/emacs'
            - '/nano'
            - '/sed'
            - '/vi'
            - '/vim'
    selection_paths:
        CommandLine|contains:
            - '/bin/login'
            - '/bin/passwd'
            - '/boot/'
            - '/etc/*.conf'
            - '/etc/cron.' # Covers different cron config files "daily", "hourly", etc.
            - '/etc/crontab'
            - '/etc/hosts'
            - '/etc/init.d'
            - '/etc/sudoers'
            - '/opt/bin/'
            - '/sbin' # Covers: '/opt/sbin', '/usr/local/sbin/', '/usr/sbin/'
            - '/usr/bin/'
            - '/usr/local/bin/'
    filter_main_mdadm.conf:
        Image|endswith: '/bin/sed'
        CommandLine|startswith:
            - 'sed -i /^*'
            - 'sed -ne s/^'
        CommandLine|endswith: '/etc/mdadm/mdadm.conf'
    condition: 1 of selection_img_* and selection_paths and not 1 of filter_main_*
falsepositives:
    - Some false positives are to be expected on user or administrator machines. Apply additional filters as needed.
level: medium
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin