Sigma is the open generic signature format for SIEM systems. Each rule below converts to native syntax for Splunk, Elastic, Sentinel, and other SIEMs. Expand any rule to see its raw YAML.
Commands to Clear or Remove the Syslog - Builtin
Detects specific commands commonly used to remove or empty the syslog
status: test | author: Max Altgelt (Nextron Systems) | id: e09eb557-96d2-4de9-ba2d-30f712a5afd3
Sigma YAML:
title: Commands to Clear or Remove the Syslog - Builtin
id: e09eb557-96d2-4de9-ba2d-30f712a5afd3
status: test
description: Detects specific commands commonly used to remove or empty the syslog
references:
    - https://www.virustotal.com/gui/file/fc614fb4bda24ae8ca2c44e812d12c0fab6dd7a097472a35dd12ded053ab8474
author: Max Altgelt (Nextron Systems)
date: 2021-09-10
modified: 2022-11-26
tags:
    - attack.impact
    - attack.t1565.001
logsource:
    product: linux
detection:
    selection:
        - 'rm /var/log/syslog'
        - 'rm -r /var/log/syslog'
        - 'rm -f /var/log/syslog'
        - 'rm -rf /var/log/syslog'
        - 'mv /var/log/syslog'
        - ' >/var/log/syslog'
        - ' > /var/log/syslog'
    falsepositives:
        - '/syslog.'
    condition: selection and not falsepositives
falsepositives:
    - Log rotation
level: high
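To make the matching semantics of this rule concrete, here is an added Python evaluator; it is example code written for this page, not the rule's own or the Sigma project's code. It applies the seven selection substrings and the `/syslog.` exclusion to a handful of constructed command lines (made up here, not real telemetry), case-insensitively as Sigma keyword matching is. The last two samples are spellings the literal list does not cover, which is the price of a keyword rule.

```python
# Added example: the syslog-clearing rule above as plain substring matching.
# A Sigma keyword rule tests every value against the whole log line, case-
# insensitively; the `falsepositives` selection is then subtracted by the
# condition `selection and not falsepositives`.
SELECTION = [
    "rm /var/log/syslog",
    "rm -r /var/log/syslog",
    "rm -f /var/log/syslog",
    "rm -rf /var/log/syslog",
    "mv /var/log/syslog",
    " >/var/log/syslog",
    " > /var/log/syslog",
]
FALSEPOSITIVES = ["/syslog."]   # rotated copies such as /var/log/syslog.1


def clears_syslog(line: str) -> bool:
    """True when the rule would fire on this log line."""
    low = line.lower()
    matched = any(k.lower() in low for k in SELECTION)
    excluded = any(k.lower() in low for k in FALSEPOSITIVES)
    return matched and not excluded


def evaluate(lines):
    """Return the subset of `lines` the rule flags, in the original order."""
    return [line for line in lines if clears_syslog(line)]


# Constructed sample lines (not real telemetry), roughly what a shell-history
# or auditd tty log would hold.
SAMPLE_LINES = [
    "rm -rf /var/log/syslog",                 # fires
    "cat /dev/null > /var/log/syslog",        # fires on ' > /var/log/syslog'
    "rm /var/log/syslog.1",                   # suppressed by '/syslog.'
    "mv /var/log/syslog.2.gz /mnt/archive/",  # suppressed: log rotation
    "less /var/log/syslog",                   # reads are not in the list
    "truncate -s 0 /var/log/syslog",          # empties the file, not in the list
    "rm /var/log/./syslog",                   # same effect, different spelling
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(f"{'ALERT' if clears_syslog(line) else '     '} {line}")
```

Run it directly to see which lines alert. The point to take away is that the condition is a plain subtraction: anything that also names a rotated file (`/var/log/syslog.1`) is suppressed even when the command is `rm`, and anything spelled outside the seven literals is never seen.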
History File Deletion
Detects events in which a history file gets deleted, e.g. ~/.bash_history, to remove traces of malicious activity
status: test | author: Florian Roth (Nextron Systems) | id: 1182f3b3-e716-4efa-99ab-d2685d04360f
Sigma YAML:
title: History File Deletion
id: 1182f3b3-e716-4efa-99ab-d2685d04360f
status: test
description: Detects events in which a history file gets deleted, e.g. ~/.bash_history, to remove traces of malicious activity
references:
    - https://github.com/sleventyeleven/linuxprivchecker/
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.003/T1552.003.md
author: Florian Roth (Nextron Systems)
date: 2022-06-20
modified: 2022-09-15
tags:
    - attack.impact
    - attack.t1565.001
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        Image|endswith:
            - '/rm'
            - '/unlink'
            - '/shred'
    selection_history:
        - CommandLine|contains:
              - '/.bash_history'
              - '/.zsh_history'
        - CommandLine|endswith:
              - '_history'
              - '.history'
              - 'zhistory'
    condition: all of selection*
falsepositives:
    - Legitimate administration activities
level: high
Azure DNS Zone Modified or Deleted
Identifies when a DNS zone is modified or deleted. Sigma string matching is case-insensitive, so the upper-case operationName values below also match the mixed-case operation names (Microsoft.Network/dnsZones/write, Microsoft.Network/dnsZones/delete) used in Azure's resource-provider operations reference.
status: test | author: Austin Songer @austinsonger | id: af6925b0-8826-47f1-9324-337507a0babd
Sigma YAML:
title: Azure DNS Zone Modified or Deleted
id: af6925b0-8826-47f1-9324-337507a0babd
status: test
description: Identifies when a DNS zone is modified or deleted.
references:
    - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
author: Austin Songer @austinsonger
date: 2021-08-08
modified: 2022-08-23
tags:
    - attack.impact
    - attack.t1565.001
logsource:
    product: azure
    service: activitylogs
detection:
    selection:
        operationName|startswith: 'MICROSOFT.NETWORK/DNSZONES'
        operationName|endswith:
            - '/WRITE'
            - '/DELETE'
    condition: selection
falsepositives:
    - DNS zone modification and deletion may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
    - DNS zone modification from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: medium
Azure Device or Configuration Modified or Deleted
Identifies when a device or device configuration in Azure is modified or deleted.
status: test | author: Austin Songer @austinsonger | id: 46530378-f9db-4af9-a9e5-889c177d3881
Sigma YAML:
title: Azure Device or Configuration Modified or Deleted
id: 46530378-f9db-4af9-a9e5-889c177d3881
status: test
description: Identifies when a device or device configuration in Azure is modified or deleted.
references:
    - https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities#core-directory
author: Austin Songer @austinsonger
date: 2021-09-03
modified: 2022-10-09
tags:
    - attack.impact
    - attack.t1485
    - attack.t1565.001
logsource:
    product: azure
    service: activitylogs
detection:
    selection:
        properties.message:
            - Delete device
            - Delete device configuration
            - Update device
            - Update device configuration
    condition: selection
falsepositives:
    - Device or device configuration being modified or deleted may be performed by a system administrator.
    - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
    - Device or device configuration modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: medium
Cisco Denial of Service
Detects a system being shut down or put into a different boot mode. Of the two configuration-register values, 0x2100 boots the device into ROMmon and 0x2142 makes it ignore the startup configuration in NVRAM (the password-recovery setting); either takes the device out of service.
status: test | author: Austin Clark | id: d94a35f0-7a29-45f6-90a0-80df6159967c
Sigma YAML:
title: Cisco Denial of Service
id: d94a35f0-7a29-45f6-90a0-80df6159967c
status: test
description: Detects a system being shut down or put into a different boot mode
author: Austin Clark
date: 2019-08-15
modified: 2023-01-04
tags:
    - attack.impact
    - attack.t1495
    - attack.t1529
    - attack.t1565.001
logsource:
    product: cisco
    service: aaa
detection:
    keywords:
        - 'shutdown'
        - 'config-register 0x2100'
        - 'config-register 0x2142'
    condition: keywords
falsepositives:
    - Legitimate administrators may run these commands, though rarely.
level: medium
Potential Suspicious Change To Sensitive/Critical Files
Detects changes of sensitive and critical files. Monitors files on a Linux system that you don't expect to change without planning.
These files include, but are not limited to, system configuration files, authentication files, and critical application files.
Attackers often target these files to maintain persistence, escalate privileges, or disrupt system operations.
status: test | author: @d4ns4n_ (Wuerth-Phoenix) | id: 86157017-c2b1-4d4a-8c33-93b8e67e4af4
Sigma YAML:
title: Potential Suspicious Change To Sensitive/Critical Files
id: 86157017-c2b1-4d4a-8c33-93b8e67e4af4
status: test
description: |
    Detects changes of sensitive and critical files. Monitors files on a Linux system that you don't expect to change without planning.
    These files include, but are not limited to, system configuration files, authentication files, and critical application files.
    Attackers often target these files to maintain persistence, escalate privileges, or disrupt system operations.
references:
    - https://learn.microsoft.com/en-us/azure/defender-for-cloud/file-integrity-monitoring-overview#which-files-should-i-monitor
author: '@d4ns4n_ (Wuerth-Phoenix)'
date: 2023-05-30
modified: 2026-03-18
tags:
    - attack.impact
    - attack.t1565.001
logsource:
    category: process_creation
    product: linux
detection:
    selection_img_1:
        Image|endswith:
            - '/cat'
            - '/echo'
            - '/grep'
            - '/head'
            - '/more'
            - '/tail'
        CommandLine|contains: '>'
    selection_img_2:
        Image|endswith:
            - '/emacs'
            - '/nano'
            - '/sed'
            - '/vi'
            - '/vim'
    selection_paths:
        CommandLine|contains:
            - '/bin/login'
            - '/bin/passwd'
            - '/boot/'
            - '/etc/*.conf'
            - '/etc/cron.' # Covers different cron config files "daily", "hourly", etc.
            - '/etc/crontab'
            - '/etc/hosts'
            - '/etc/init.d'
            - '/etc/sudoers'
            - '/opt/bin/'
            - '/sbin' # Covers: '/opt/sbin', '/usr/local/sbin/', '/usr/sbin/'
            - '/usr/bin/'
            - '/usr/local/bin/'
    filter_main_mdadm.conf:
        Image|endswith: '/bin/sed'
        CommandLine|startswith:
            - 'sed -i /^*'
            - 'sed -ne s/^'
        CommandLine|endswith: '/etc/mdadm/mdadm.conf'
    condition: 1 of selection_img_* and selection_paths and not 1 of filter_main_*
falsepositives:
    - Some false positives are to be expected on user or administrator machines. Apply additional filters as needed.
level: medium
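The three field-based rules on this page (History File Deletion, Azure DNS Zone Modified or Deleted, and this one) share the same matching semantics, so here is one added Python evaluator for them, written for this page rather than taken from the rules or from the Sigma project. It compiles the `contains`, `startswith` and `endswith` modifiers to case-insensitive regular expressions with `*` as a wildcard, transcribes the three detection sections as data, and evaluates each rule's condition over constructed events (field names follow Sysmon for Linux; the command lines and the Azure operation name are made up for this example). Two samples illustrate caveats a practitioner should know: `/etc/*.conf` is a contains pattern, so the wildcard spans the rest of the command line and `cat /etc/os-release > /tmp/notes.conf` fires although nothing under /etc was written; and a redirect run through `sh -c` is attributed to the shell, whose Image is in neither list (the `>` never appears in the argv of a `cat` or `echo` child, so `selection_img_1` depends on telemetry that records the full shell line).

```python
import re

# Added example (not code from the rules or the Sigma project): a small
# evaluator for the string modifiers the rules above use. Sigma compares
# strings case-insensitively and treats '*' as a wildcard, so every value is
# compiled to an anchored regular expression.
_ANCHORS = {"contains": (".*", ".*"), "startswith": ("", ".*"), "endswith": (".*", "")}


def _compile(modifier, value):
    body = ".*".join(re.escape(part) for part in value.split("*"))
    pre, post = _ANCHORS[modifier]
    return re.compile(f"^{pre}{body}{post}$", re.IGNORECASE | re.DOTALL)


def _field_matches(event, spec, values):
    """`spec` is 'Field|modifier'; a list of values is an OR."""
    field, modifier = spec.split("|")
    values = [values] if isinstance(values, str) else values
    return any(_compile(modifier, v).match(event.get(field, "")) for v in values)


def selection_matches(event, selection):
    """A mapping is an AND of its field conditions; a list of mappings is an OR."""
    if isinstance(selection, list):
        return any(selection_matches(event, item) for item in selection)
    return all(_field_matches(event, spec, vals) for spec, vals in selection.items())


# Detection sections transcribed from the YAML of the rules above.
HISTORY_FILE_DELETION = {
    "selection": {"Image|endswith": ["/rm", "/unlink", "/shred"]},
    "selection_history": [
        {"CommandLine|contains": ["/.bash_history", "/.zsh_history"]},
        {"CommandLine|endswith": ["_history", ".history", "zhistory"]},
    ],
}
SENSITIVE_FILE_CHANGE = {
    "selection_img_1": {"Image|endswith": ["/cat", "/echo", "/grep", "/head", "/more", "/tail"],
                        "CommandLine|contains": ">"},
    "selection_img_2": {"Image|endswith": ["/emacs", "/nano", "/sed", "/vi", "/vim"]},
    "selection_paths": {"CommandLine|contains": [
        "/bin/login", "/bin/passwd", "/boot/", "/etc/*.conf", "/etc/cron.", "/etc/crontab",
        "/etc/hosts", "/etc/init.d", "/etc/sudoers", "/opt/bin/", "/sbin", "/usr/bin/",
        "/usr/local/bin/"]},
    "filter_main_mdadm.conf": {"Image|endswith": "/bin/sed",
                               "CommandLine|startswith": ["sed -i /^*", "sed -ne s/^"],
                               "CommandLine|endswith": "/etc/mdadm/mdadm.conf"},
}
AZURE_DNS_ZONE = {"operationName|startswith": "MICROSOFT.NETWORK/DNSZONES",
                  "operationName|endswith": ["/WRITE", "/DELETE"]}


def history_file_deletion(event):
    s = {k: selection_matches(event, v) for k, v in HISTORY_FILE_DELETION.items()}
    return s["selection"] and s["selection_history"]          # all of selection*


def sensitive_file_change(event):
    s = {k: selection_matches(event, v) for k, v in SENSITIVE_FILE_CHANGE.items()}
    # 1 of selection_img_* and selection_paths and not 1 of filter_main_*
    return ((s["selection_img_1"] or s["selection_img_2"]) and s["selection_paths"]
            and not s["filter_main_mdadm.conf"])


def azure_dns_zone_modified(event):
    return selection_matches(event, AZURE_DNS_ZONE)               # condition: selection


# Constructed events (Sysmon-for-Linux style field names; not real telemetry).
EVENTS = [
    {"Image": "/usr/bin/rm", "CommandLine": "rm -f /home/alice/.bash_history"},         # history
    {"Image": "/usr/bin/shred", "CommandLine": "shred -u /root/.zsh_history"},         # history
    {"Image": "/usr/bin/cat", "CommandLine": "cat /home/alice/.bash_history"},         # read only
    {"Image": "/usr/bin/rm", "CommandLine": "rm /tmp/build_history"},                  # history, benign
    {"Image": "/usr/bin/vim", "CommandLine": "vim /etc/sudoers"},                      # sensitive
    {"Image": "/bin/sed", "CommandLine": "sed -i /^ARRAY/d /etc/mdadm/mdadm.conf"},    # mdadm filter
    {"Image": "/bin/sh", "CommandLine": "sh -c 'echo x >> /etc/sudoers'"},             # Image is sh: miss
    {"Image": "/usr/bin/cat", "CommandLine": "cat /etc/os-release > /tmp/notes.conf"},  # wildcard FP
]
AZURE_EVENT = {"operationName": "Microsoft.Network/dnsZones/write"}   # mixed case, constructed

if __name__ == "__main__":
    for ev in EVENTS:
        print(f"{ev['CommandLine']!r:55} history={history_file_deletion(ev)!s:5} "
              f"sensitive={sensitive_file_change(ev)}")
    print("azure dns zone:", azure_dns_zone_modified(AZURE_EVENT))
```

The evaluator is deliberately minimal (no `all`, `re` or other modifiers, no aggregation), but it is enough to reproduce what a backend does with these three rules and to test a candidate filter against sample events before shipping it.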