SigmaHQ/rules/linux/auditd/lnx_auditd_susp_cmds.yml

36 lines
786 B
YAML
Raw Normal View History

2020-01-30 16:26:09 +00:00
title: Suspicious Commands Linux
2019-11-12 22:12:27 +00:00
id: 1543ae20-cbdf-4ec1-8d12-7664d667a825
status: experimental
description: Detects relevant commands often related to malware or hacking activity
references:
2019-11-12 22:12:27 +00:00
- Internal Research - mostly derived from exploit code including code in MSF
tags:
- attack.execution
2020-08-04 17:00:30 +00:00
- attack.t1059.004
date: 2017/12/12
author: Florian Roth
logsource:
product: linux
service: auditd
detection:
2019-07-02 13:22:26 +00:00
cmd1:
type: 'EXECVE'
a0: 'chmod'
a1: '777'
cmd2:
type: 'EXECVE'
a0: 'chmod'
a1: 'u+s'
2020-01-30 16:26:09 +00:00
cmd3:
2019-07-02 13:22:26 +00:00
type: 'EXECVE'
a0: 'cp'
a1: '/bin/ksh'
cmd4:
type: 'EXECVE'
a0: 'cp'
a1: '/bin/sh'
condition: 1 of them
falsepositives:
- Admin activity
2020-01-30 16:26:09 +00:00
level: medium