title: Detects Suspicious Commands on Linux systems
status: experimental
description: Detects relevant commands often related to malware or hacking activity
references:
    - 'Internal Research - mostly derived from exploit code including code in MSF'
date: 2017/12/12
author: Florian Roth
logsource:
    product: linux
    service: auditd
detection:
    cmd1:
        type: 'EXECVE'
        a0: 'chmod'
        a1: '777'
    cmd2:
        type: 'EXECVE'
        a0: 'chmod'
        a1: 'u+s'
    cmd3:
        type: 'EXECVE'
        a0: 'cp'
        a1: '/bin/ksh'
    cmd4:
        type: 'EXECVE'
        a0: 'cp'
        a1: '/bin/sh'
    condition: 1 of them
falsepositives:
    - Admin activity
level: medium