Improved Linux Shell Activity Rule

This commit is contained in:
Florian Roth 2017-03-15 09:07:59 +01:00
parent 9afa12f4a3
commit 789b3899df


@ -7,12 +7,16 @@ logsource:
product: linux
detection:
keywords:
# Apache Struts in-the-wild exploit codes
- 'stop;service iptables stop;'
- 'stop;SuSEfirewall2 stop;'
# Generic suspicious commands
- 'wget * - http* | perl'
- 'wget * - http* | sh'
- 'wget * - http* | bash'
# Apache Struts in-the-wild exploit codes
- 'stop;service iptables stop;'
- 'stop;SuSEfirewall2 stop;'
- 'chmod 777 2020'
- '">>/etc/rc.local;'
- 'wget -c *;chmod 777'
# Metasploit framework exploit codes
- 'base64 -d /tmp/'
- ' | base64 -d'
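Review bot: the two Apache Struts keywords 'stop;service iptables stop;' and 'stop;SuSEfirewall2 stop;' appear twice in this hunk, once under each '# Apache Struts in-the-wild exploit codes' comment; if the rendering dropped the +/- markers and this is just the block being moved below the generic commands, fine, but if both copies survive in the file one pair should be dropped. The Metasploit entries 'base64 -d /tmp/' and ' | base64 -d' are also broad enough to match routine scripting and packaging activity in a shell log, so it would help to state the expected false positives in the rule's falsepositives field or to tighten them, for example by pairing the decode with the pipe-to-interpreter pattern already used for the wget keywords. Finally, the keywords rely on '*' wildcards ('wget * - http* | perl'), so the rule only works on backends that translate Sigma wildcards; worth a note in the rule description.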