| Rule | Description | Group |
|---|---|---|
| auditd-syscall | Audit: SYSCALL messages grouped. | syscall |
| auditd-execve | Audit: EXECVE messages grouped. | execve |
| auditd-path | Audit: PATH messages grouped. | path |
| auditd-config_change | Detects changes in auditd configuration files. | config_change |
| auditd-user_and_cred | Audit: USER_AND_CRED messages grouped. | user_and_cred |

| Parent rule | Match pattern(s) | Description | MITRE ATT&CK | Group |
|---|---|---|---|---|
| 200112 | `etc/lists/bash_profile` | Detects a change of the user environment. Adversaries can insert code into these files to gain persistence each time a user logs in or opens a new shell. | T1546 | path |
| 200112 | `.bashrc$\|.bash_profile$\|.profile$` | Detects a change of the user environment. Adversaries can insert code into these files to gain persistence each time a user logs in or opens a new shell. | T1546 | path |
| 200111 | `arecord -vv -fdat` | Detects attempts to record audio with the arecord utility. | T1123 | execve |
| 200111 | `truncate -s` | Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This rule detects the use of dd and truncate to add junk data to a file. | T1027 | execve |
| 200111 | `dd if=` | Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This rule detects the use of dd and truncate to add junk data to a file. | T1027 | execve |
| 200112 | `/var/run/haldrund.pid\|/var/run/xinetd.lock\|/var/run/kdevrund.pid` | Detects access to BPFDoor .lock and .pid files in the temporary file storage facility. | T1059 T1106 | path |
| 200111 | `iptables$ -t nat` | All TCP traffic on a particular port from the attacker is routed to a different port, e.g. '/sbin/iptables -t nat -D PREROUTING -p tcp -s 192.168.1.1 --dport 22 -j REDIRECT --to-ports 42392'. | T1562 | execve |
| 200126 | `--to-ports 42\|--to-ports 43` | All TCP traffic on a particular port from the attacker is routed to a different port, e.g. '/sbin/iptables -t nat -D PREROUTING -p tcp -s 192.168.1.1 --dport 22 -j REDIRECT --to-ports 42392'. | T1562 | execve |
| 200111 | `getcap -r /` | Detects attempts to discover files with setuid/setgid capabilities on them, which would allow an adversary to escalate their privileges. | T1123 T1548 | execve |
| 200111 | `touch -t\|-acmr\|-d\|-r` | Detects file time attribute changes used to hide new files or changes to existing files. | T1070 | execve |
| 200111 | `chattr -i` | Detects removal of the immutable file attribute. | T1222 | execve |
| 200111 | `xclip -selection\|-sel - clipboard\|- clip -o` | Detects attempts to collect data stored in the clipboard from users with the xclip tool. | T1115 | execve |
| 200111 | `^--cpu-priority` | Detects a command line parameter very often used with coin miners. | T1068 | execve |
| 200111 | `sudoedit$ -s -s -s -s` | Detects an exploitation attempt of the vulnerability described in CVE-2021-3156. | T1068 | execve |
| 200111 | `sudoedit$ ^\\$ ^\\$ ^\\$ ^\\$` | Detects an exploitation attempt of the vulnerability described in CVE-2021-3156. | T1068 | execve |
| 200111 | `zip` | An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network. | T1560 | execve |
| 200111 | `gzip -f` | An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network. | T1560 | execve |
| 200111 | `tar -c` | An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network. | T1560 | execve |
| 200111 | `wget ^--post-file=` | Detects attempts to post a file with the wget utility. The adversary can bypass permission restrictions through a misconfigured sudo permission for the wget utility, which could allow them to read files like /etc/shadow. | T1048 | execve |
| 200124 | `dd if=/dev/null\|if=/dev/zero` | Detects overwriting (effectively wiping/deleting) of a file. | T1485 | execve |
| 200111 | `debugfs` | Detects access to a raw disk on a host to evade detection by security products. | T1006 | execve |
| 200114 | `firewalld\|iptables\|ufw` | Detects disabling of system firewalls, which could be used by adversaries to bypass controls that limit usage of the network. | T1562 | user_and_cred |
| 200111 | `chmod\|chown` | Detects file and folder permission changes. | T1222 | execve |
| 200111 | `grep` | Detects attempts to extract passwords with grep. | T1552 | execve |
| 200149 | `password` | Detects attempts to extract passwords with grep. | T1552 | execve |
| 200111 | `mkdir\|touch\|vim\|nano\|vi /.\|^.` | Detects an adversary creating a hidden file or directory, by detecting directories or files with . as the first character. | T1564 | execve |
| 200111 | `cat .jpg$\|.png$ .zip$` | Detects appending of a zip file to an image. | T1027 | execve |
| 200112 | `/etc/ld.so.preload` | Identifies modification of ld.so.preload for shared object injection. This technique is used by attackers to load arbitrary code into processes. | T1574 | path |
| 200110 | `insmod /usr/bin/kmod` | Detects loading of kernel modules with the insmod command. | T1547 | syscall |
| 200112 | `/etc/syslog.conf\|/etc/rsyslog.conf\|/etc/syslog-ng/syslog-ng.conf` | Detects changes to syslog daemon configuration files. | T1562 | path |
| 200111 | `cp -i /bin/sh /crond$` | Masquerading as the Linux crond process. | T1036 | execve |
| 200110 | `/telnet$\|/nmap$\|/netcat$\|/nc$` | Detects enumeration of local or remote network services. | T1046 | syscall |
| 200111 | `tcpdump\|tshark -c -i` | Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. | T1040 | execve |
| 200112 | `/etc/pam.d/common-password\|/etc/security/pwquality.conf\|/etc/pam.d/system-auth\|/etc/login.defs` | Detects password policy discovery commands. | T1201 | path |
| 200111 | `chage\|passwd --list\|-l\|-S\|--status -i` | Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. | T1201 | execve |
| 200111 | `systemctl daemon-reload\|start` | Detects a reload or a start of a service. | T1543 | execve |
| 200111 | `import -window root .png$\|.jpg$\|.jpeg$` | Detects an adversary creating a screen capture of the desktop with the Import tool. | T1113 | execve |
| 200111 | `import .png$\|.jpg$\|.jpeg$` | Detects an adversary creating a screen capture of the desktop with the Import tool. | T1113 | execve |
| 200111 | `xwd -root -out .xwd$` | Detects an adversary creating a full-screen capture with xwd. | T1113 | execve |
| 200111 | `xwd -out .xwd$` | Detects an adversary creating a full-screen capture with xwd. | T1113 | execve |
| 200110 | `split` | Detects use of the "split" command to split files into parts for possible transfer. | T1030 | syscall |
| 200111 | `steghide embed -cf\|-ef -cf\|-ef` | Detects embedding of files with the steghide binary; adversaries may use this technique to prevent the detection of hidden information. | T1027 | execve |
| 200111 | `steghide extract -sf .jpg$\|.png$` | Detects extraction of files with the steghide binary; adversaries may use this technique to prevent the detection of hidden information. | T1027 | execve |
| 200110 | `susp_activity` | Detects suspicious activities as declared by Florian Roth in his 'Best Practice Auditd Configuration'. This includes the detection of the following commands: wget, curl, base64, nc, netcat, ncat, ssh, socat, wireshark, rawshark, rdesktop, nmap. | | syscall |
| 200111 | `chmod\|cp 777\|u\ps\|/bin/ksh\|/bin/sh` | Detects relevant commands often related to malware or hacking activity. | T1059 | execve |
| 200110 | `^/tmp/\|^/var/www/\|^/home/\.*/public_html/\|^/usr/local/apache2/\|^/usr/local/httpd/\|^/var/apache/\|^/srv/www/\|^/home/httpd/html/\|^/srv/http/\|^/usr/share/nginx/html/\|^/var/lib/pgsql/data/\|^/usr/local/mysql/data/\|^/var/lib/mysql/\|^/var/vsftpd/\|^/etc/bind/\|^/var/named/` | Detects program executions in suspicious non-program folders related to malware or hacking activity. | T1587 T1584 | syscall |
| 200111 | `.bash_history\|.zsh_history\|.zhistory\|.history\|.sh_history\|fish_history` | Detects command-line operations on shell history files. | T1552 | execve |
| 200112 | `/etc/lsb-release\|/etc/redhat-release\|/etc/issue\|/sys/class/dmi/id/bios_version\|/sys/class/dmi/id/product_name\|/sys/class/dmi/id/chassis_vendor\|/proc/scsi/scsi\|/proc/ide/hd0/model\|/proc/version` | Detects System Information Discovery commands. | T1082 | path |
| 200111 | `uname\|uptime` | Detects System Information Discovery commands. | T1082 | execve |
| 200112 | `CREATE ^/usr/lib/systemd/system/\|^/etc/systemd/system/\|/.config/systemd/user/` | Detects creation of systemd services, which could be used by adversaries to execute malicious code. | T1543 | path |
| 200111 | `unzip .jpg$\|.png$` | Detects extraction of a zip file from an image file. | T1027 | execve |
| 200111 | `users\|w\|who` | Adversaries may use the information from System Owner/User Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. | T1033 | execve |