Rule: Linux auditd 'suspicious commands'

2024-11-07 01:45:21 +00:00 · 2018-01-23 11:12:39 +01:00 · 2018-01-23 11:12:39 +01:00 · 228ca1b765
commit 228ca1b765
parent 7708a538f4
1 changed files with 26 additions and 0 deletions
--- a/rules/linux/auditd/lnx_auditd_susp_cmds.yml
+++ b/rules/linux/auditd/lnx_auditd_susp_cmds.yml
@ -0,0 +1,26 @@
+title: Detects suspicious commands on Linux systems
+description: Detects relevant commands often related to malware or hacking activity
+reference: 'Internal Research - mostly derived from exploit code including code in MSF'
+date: 2017/12/12
+author: Florian Roth
+logsource:
+    product: linux
+    service: auditd
+detection:
+    cmds:
+        - type: 'EXECVE'
+          a0: 'chmod'
+          a1: '777'
+        - type: 'EXECVE'
+          a0: 'chmod'
+          a1: 'u+s'
+        - type: 'EXECVE'
+          a0: 'cp'
+          a1: '/bin/ksh'
+        - type: 'EXECVE'
+          a0: 'cp'
+          a1: '/bin/sh'
+    condition: 1 of cmds
+falsepositives:
+    - Admin activity
+level: medium