mirror of
https://github.com/valitydev/SigmaHQ.git
synced 2024-11-07 09:48:58 +00:00
41 lines
1.4 KiB
YAML
41 lines
1.4 KiB
YAML
title: Program Executions in Suspicious Folders
|
|
status: experimental
|
|
description: Detects program executions in suspicious non-program folders related to malware or hacking activity
|
|
references:
|
|
- 'Internal Research'
|
|
date: 2018/01/23
|
|
author: Florian Roth
|
|
logsource:
|
|
product: linux
|
|
service: auditd
|
|
detection:
|
|
selection:
|
|
type: 'SYSCALL'
|
|
exe:
|
|
# Temporary folder
|
|
- '/tmp/*'
|
|
# Web server
|
|
- '/var/www/*' # Standard
|
|
- '/home/*/public_html/*' # Per-user
|
|
- '/usr/local/apache2/*' # Classical Apache
|
|
- '/usr/local/httpd/*' # Old SuSE Linux 6.* Apache
|
|
- '/var/apache/*' # Solaris Apache
|
|
- '/srv/www/*' # SuSE Linux 9.*
|
|
- '/home/httpd/html/*' # Redhat 6 or older Apache
|
|
- '/srv/http/*' # ArchLinux standard
|
|
- '/usr/share/nginx/html/*' # ArchLinux nginx
|
|
# Data dirs of typically exploited services (incomplete list)
|
|
- '/var/lib/pgsql/data/*'
|
|
- '/usr/local/mysql/data/*'
|
|
- '/var/lib/mysql/*'
|
|
- '/var/vsftpd/*'
|
|
- '/etc/bind/*'
|
|
- '/var/named/*'
|
|
condition: selection
|
|
falsepositives:
|
|
- Admin activity (especially in /tmp folders)
|
|
- Crazy web applications
|
|
level: medium
|
|
|
|
|