SigmaHQ/rules/linux/auditd/lnx_auditd_susp_cmds.yml

title: Detects Suspicious Commands on Linux systems
status: experimental
description: Detects relevant commands often related to malware or hacking activity
references:
    - 'Internal Research - mostly derived from exploit code including code in MSF'
date: 2017/12/12
author: Florian Roth
logsource:
    product: linux
    service: auditd
detection:
    cmds:
        - type: 'EXECVE'
          a0: 'chmod'
          a1: '777'
        - type: 'EXECVE'
          a0: 'chmod'
          a1: 'u+s'
        - type: 'EXECVE'
          a0: 'cp'
          a1: '/bin/ksh'
        - type: 'EXECVE'
          a0: 'cp'
          a1: '/bin/sh'
    condition: 1 of cmds
falsepositives:
    - Admin activity
level: medium
Massive Title Cleanup 2018-01-27 09:57:30 +00:00			`title: Detects Suspicious Commands on Linux systems`
Added status 'experimental' to newly created auditd rules 2018-01-23 10:15:02 +00:00			`status: experimental`
Rule: Linux auditd 'suspicious commands' 2018-01-23 10:12:39 +00:00			`description: Detects relevant commands often related to malware or hacking activity`
Change All "str" references to be "list"to mach schema update 2018-01-27 23:24:16 +00:00			`references:`
			`- 'Internal Research - mostly derived from exploit code including code in MSF'`
Rule: Linux auditd 'suspicious commands' 2018-01-23 10:12:39 +00:00			`date: 2017/12/12`
			`author: Florian Roth`
			`logsource:`
			`product: linux`
			`service: auditd`
			`detection:`
			`cmds:`
			`- type: 'EXECVE'`
			`a0: 'chmod'`
			`a1: '777'`
			`- type: 'EXECVE'`
			`a0: 'chmod'`
			`a1: 'u+s'`
			`- type: 'EXECVE'`
			`a0: 'cp'`
			`a1: '/bin/ksh'`
			`- type: 'EXECVE'`
			`a0: 'cp'`
			`a1: '/bin/sh'`
			`condition: 1 of cmds`
			`falsepositives:`
			`- Admin activity`
			`level: medium`