auditd-syscall
Audit: SYSCALL Messages grouped.
syscall,
auditd-execve
Audit: EXECVE Messages grouped.
execve,
auditd-path
Audit: PATH Messages grouped.
path,
auditd-config_change
Detects changes to auditd configuration files.
config_change,
auditd-user_and_cred
Audit: USER_AND_CRED Messages grouped.
user_and_cred,
200112
etc/lists/bash_profile
Detects change of user environment. Adversaries can insert code into these files to gain persistence each time a user logs in or opens a new shell.
T1546
path,
200112
.bashrc$|.bash_profile$|.profile$
Detects change of user environment. Adversaries can insert code into these files to gain persistence each time a user logs in or opens a new shell.
T1546
path,
200111
arecord
-vv
-fdat
Detects attempts to record audio with arecord utility.
T1123
execve,
200111
truncate
-s
Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This rule detects use of dd and truncate to append junk data to a file.
T1027
execve,
200111
dd
if=
Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This rule detects use of dd and truncate to append junk data to a file.
T1027
execve,
200112
/var/run/haldrund.pid|/var/run/xinetd.lock|/var/run/kdevrund.pid
Detects access to BPFDoor .lock and .pid files in the temporary file storage facility.
T1059
T1106
path,
200111
iptables$
-t
nat
All TCP traffic on a particular port from the attacker is redirected to a different port, e.g. '/sbin/iptables -t nat -D PREROUTING -p tcp -s 192.168.1.1 --dport 22 -j REDIRECT --to-ports 42392'.
T1562
execve,
200126
--to-ports 42|--to-ports 43
All TCP traffic on a particular port from the attacker is redirected to a different port, e.g. '/sbin/iptables -t nat -D PREROUTING -p tcp -s 192.168.1.1 --dport 22 -j REDIRECT --to-ports 42392'.
T1562
execve,
200111
getcap
-r
/
Detects attempts to discover files with setuid/setgid capabilities set on them, which could allow an adversary to escalate privileges.
T1123
T1548
execve,
200111
touch
-t|-acmr|-d|-r
Detects file timestamp changes used to hide new files or changes to existing files.
T1070
execve,
200111
chattr
-i
Detects removing immutable file attribute.
T1222
execve,
200111
xclip
-selection|-sel
- clipboard|- clip
-o
Detects attempts to collect data stored in the user's clipboard with the xclip tool.
T1115
execve,
200111
^--cpu-priority
Detects a command-line parameter very often used by coin miners.
T1068
execve,
200111
sudoedit$
-s
-s
-s
-s
Detects an exploitation attempt of the vulnerability described in CVE-2021-3156.
T1068
execve,
200111
sudoedit$
^\\$
^\\$
^\\$
^\\$
Detects an exploitation attempt of the vulnerability described in CVE-2021-3156.
T1068
execve,
200111
zip
An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.
T1560
execve,
200111
gzip
-f
An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.
T1560
execve,
200111
tar
-c
An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.
T1560
execve,
200111
wget
^--post-file=
Detects attempts to post a file with the wget utility. An adversary can abuse a misconfigured sudo permission for wget to bypass permission restrictions and read files such as /etc/shadow.
T1048
execve,
200124
dd
if=/dev/null|if=/dev/zero
Detects overwriting (effectively wiping/deleting) of a file.
T1485
execve,
200111
debugfs
Detects access to a raw disk on a host to evade detection by security products.
T1006
execve,
200114
firewalld|iptables|ufw
Detects disabling of system firewalls which could be used by adversaries to bypass controls that limit usage of the network.
T1562
user_and_cred,
200111
chmod|chown
Detects file and folder permission changes.
T1222
execve,
200111
grep
Detects attempts to extract passwords with grep.
T1552
execve,
200149
password
Detects attempts to extract passwords with grep.
T1552
execve,
200111
mkdir|touch|vim|nano|vi
/.|^.
Detects an adversary creating a hidden file or directory, by detecting directories or files whose name starts with a '.' character.
T1564
execve,
200111
cat
.jpg$|.png$
.zip$
Detects appending of a zip file to an image file.
T1027
execve,
200112
/etc/ld.so.preload
Identifies modification of ld.so.preload for shared object injection. This technique is used by attackers to load arbitrary code into processes.
T1574
path,
200110
insmod
/usr/bin/kmod
Detects loading of kernel modules with insmod command.
T1547
syscall,
200112
/etc/syslog.conf|/etc/rsyslog.conf|/etc/syslog-ng/syslog-ng.conf
Detects changes to syslog daemon configuration files.
T1562
path,
200111
cp
-i
/bin/sh
/crond$
Detects masquerading as the Linux crond process.
T1036
execve,
200110
/telnet$|/nmap$|/netcat$|/nc$
Detects enumeration of local or remote network services.
T1046
syscall,
200111
tcpdump|tshark
-c
-i
Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection.
T1040
execve,
200112
/etc/pam.d/common-password|/etc/security/pwquality.conf|/etc/pam.d/system-auth|/etc/login.defs
Detects password policy discovery commands.
T1201
path,
200111
chage|passwd
--list|-l|-S|--status
-i
Detects password policy discovery commands.
T1201
execve,
200111
systemctl
daemon-reload|start
Detects a reload or a start of a service.
T1543
execve,
200111
import
-window
root
.png$|.jpg$|.jpeg$
Detects an adversary creating a screen capture of the desktop with the Import tool.
T1113
execve,
200111
import
.png$|.jpg$|.jpeg$
Detects an adversary creating a screen capture of the desktop with the Import tool.
T1113
execve,
200111
xwd
-root
-out
.xwd$
Detects an adversary creating a screen capture of the full screen with xwd.
T1113
execve,
200111
xwd
-out
.xwd$
Detects an adversary creating a screen capture of the full screen with xwd.
T1113
execve,
200110
split
Detects use of the "split" command to split files into parts for possible transfer.
T1030
syscall,
200111
steghide
embed
-cf|-ef
-cf|-ef
Detects embedding of files with the steghide binary; adversaries may use this technique to prevent the detection of hidden information.
T1027
execve,
200111
steghide
extract
-sf
.jpg$|.png$
Detects extraction of files with the steghide binary; adversaries may use this technique to prevent the detection of hidden information.
T1027
execve,
200110
susp_activity
Detects suspicious activities as declared by Florian Roth in his 'Best Practice Auditd Configuration'. This includes detection of the following commands: wget, curl, base64, nc, netcat, ncat, ssh, socat, wireshark, rawshark, rdesktop, nmap.
syscall,
200111
chmod|cp
777|u\ps|/bin/ksh|/bin/sh
Detects relevant commands often related to malware or hacking activity.
T1059
execve,
200110
^/tmp/|^/var/www/|^/home/\.*/public_html/|^/usr/local/apache2/|^/usr/local/httpd/|^/var/apache/|^/srv/www/|^/home/httpd/html/|^/srv/http/|^/usr/share/nginx/html/|^/var/lib/pgsql/data/|^/usr/local/mysql/data/|^/var/lib/mysql/|^/var/vsftpd/|^/etc/bind/|^/var/named/
Detects program executions in suspicious non-program folders related to malware or hacking activity.
T1587
T1584
syscall,
200111
.bash_history|.zsh_history|.zhistory|.history|.sh_history|fish_history
Detects commandline operations on shell history files.
T1552
execve,
200112
/etc/lsb-release|/etc/redhat-release|/etc/issue|/sys/class/dmi/id/bios_version|/sys/class/dmi/id/product_name|/sys/class/dmi/id/chassis_vendor|/proc/scsi/scsi|/proc/ide/hd0/model|/proc/version
Detects System Information Discovery commands.
T1082
path,
200111
uname|uptime
Detects System Information Discovery commands.
T1082
execve,
200112
CREATE
^/usr/lib/systemd/system/|^/etc/systemd/system/|/.config/systemd/user/
Detects creation of systemd services which could be used by adversaries to execute malicious code.
T1543
path,
200111
unzip
.jpg$|.png$
Detects extraction of a zip file from an image file.
T1027
execve,
200111
users|w|who
Adversaries may use the information from System Owner/User Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
T1033
execve,