mirror of
https://github.com/valitydev/SigmaHQ.git
synced 2024-11-07 09:48:58 +00:00
28 lines
707 B
YAML
28 lines
707 B
YAML
title: Detects Suspicious Commands on Linux systems
|
|
status: experimental
|
|
description: Detects relevant commands often related to malware or hacking activity
|
|
references:
|
|
- 'Internal Research - mostly derived from exploit code including code in MSF'
|
|
date: 2017/12/12
|
|
author: Florian Roth
|
|
logsource:
|
|
product: linux
|
|
service: auditd
|
|
detection:
|
|
cmds:
|
|
- type: 'EXECVE'
|
|
a0: 'chmod'
|
|
a1: '777'
|
|
- type: 'EXECVE'
|
|
a0: 'chmod'
|
|
a1: 'u+s'
|
|
- type: 'EXECVE'
|
|
a0: 'cp'
|
|
a1: '/bin/ksh'
|
|
- type: 'EXECVE'
|
|
a0: 'cp'
|
|
a1: '/bin/sh'
|
|
condition: 1 of cmds
|
|
falsepositives:
|
|
- Admin activity
|
|
level: medium |