title: Detects Suspicious Commands on Linux systems
status: experimental
description: Detects relevant commands often related to malware or hacking activity
references: 'Internal Research - mostly derived from exploit code including code in MSF'
date: 2017/12/12
author: Florian Roth
logsource:
    product: linux
    service: auditd
detection:
    cmds:
        - type: 'EXECVE'
          a0: 'chmod'
          a1: '777'
        - type: 'EXECVE'
          a0: 'chmod'
          a1: 'u+s'
        - type: 'EXECVE'
          a0: 'cp'
          a1: '/bin/ksh'
        - type: 'EXECVE'
          a0: 'cp'
          a1: '/bin/sh'
    condition: 1 of cmds
falsepositives:
    - Admin activity
level: medium