Type: Detection | Level: medium | Status: test

Suspicious Commands Linux

Detects command invocations frequently seen in malware and post-exploitation activity: making a file world-writable and executable (chmod 777), setting the setuid bit (chmod u+s), and copying a system shell (/bin/sh or /bin/ksh) to another location.

Author: Florian Roth (Nextron Systems). Created Tue Dec 12, updated Wed Oct 05. Rule ID 1543ae20-cbdf-4ec1-8d12-7664d667a825 (product: linux).
Log Source
Product: linux
Service: auditd
Detection Logic (4 selectors)
detection:
    cmd1:
        type: 'EXECVE'
        a0: 'chmod'
        a1: 777
    cmd2:
        type: 'EXECVE'
        a0: 'chmod'
        a1: 'u+s'
    cmd3:
        type: 'EXECVE'
        a0: 'cp'
        a1: '/bin/ksh'
    cmd4:
        type: 'EXECVE'
        a0: 'cp'
        a1: '/bin/sh'
    condition: 1 of cmd*
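To make the matching semantics concrete, the following is an added example (not part of the rule or of the SigmaHQ project) that evaluates the four selectors above against raw auditd EXECVE records. It applies auditd's documented record format: argv elements in EXECVE records are double-quoted when printable and written as an unquoted hex string when they contain spaces, quotes or control characters, while a0..a3 in SYSCALL records are raw register values. The sample records are constructed for the example; the rule's integer 777 is compared as a string, which is how a Sigma backend would treat the scalar.

```python
import re

# The four selectors of rule 1543ae20-cbdf-4ec1-8d12-7664d667a825, transcribed
# from the YAML above. 777 is kept as an integer exactly as the rule writes it
# and is normalised to a string at match time.
SELECTORS = {
    "cmd1": {"type": "EXECVE", "a0": "chmod", "a1": 777},
    "cmd2": {"type": "EXECVE", "a0": "chmod", "a1": "u+s"},
    "cmd3": {"type": "EXECVE", "a0": "cp", "a1": "/bin/ksh"},
    "cmd4": {"type": "EXECVE", "a0": "cp", "a1": "/bin/sh"},
}

# key=value pairs; the value is either double-quoted or a run of non-blank chars
_KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')
_HEX = re.compile(r'^(?:[0-9A-Fa-f]{2})+$')
_ARG = re.compile(r'^a\d+$')


def parse_audit_record(line):
    """Parse one auditd record line into a dict of field name -> string value.

    In EXECVE records auditd prints each argv element quoted when it is
    printable, and as an unquoted hex string when it contains spaces, quotes
    or control characters; those are decoded here. In SYSCALL records a0..a3
    are raw register values and are left untouched.
    """
    fields = {}
    for m in _KV.finditer(line):
        key, raw, quoted = m.group(1), m.group(2), m.group(3)
        if quoted is not None:
            fields[key] = quoted
        elif _ARG.match(key) and fields.get("type") == "EXECVE" and _HEX.match(raw):
            fields[key] = bytes.fromhex(raw).decode("utf-8", "replace")
        else:
            fields[key] = raw
    return fields


def selector_matches(selector, fields):
    """Sigma selector semantics: every listed field must be present and equal."""
    return all(key in fields and fields[key] == str(want)
               for key, want in selector.items())


def evaluate(line):
    """Return the names of the selectors that fire for one record.

    The rule's condition is '1 of cmd*', so the record is an alert whenever
    the returned list is non-empty.
    """
    fields = parse_audit_record(line)
    return [name for name, sel in SELECTORS.items() if selector_matches(sel, fields)]


# Constructed sample records (not real logs); timestamps and serials are made up.
SAMPLE_RECORDS = [
    # chmod 777 on a dropped file: fires cmd1
    'type=EXECVE msg=audit(1702389600.101:2001): argc=3 a0="chmod" a1="777" a2="/tmp/.x"',
    # setuid bit on a copied shell: fires cmd2
    'type=EXECVE msg=audit(1702389600.102:2002): argc=3 a0="chmod" a1="u+s" a2="/tmp/sh"',
    # copying /bin/sh to a writable location: fires cmd4
    'type=EXECVE msg=audit(1702389600.103:2003): argc=3 a0="cp" a1="/bin/sh" a2="/tmp/sh"',
    # same intent, but "-R" shifts the mode into a2: no selector fires (blind spot)
    'type=EXECVE msg=audit(1702389600.104:2004): argc=4 a0="chmod" a1="-R" a2="777" a3="/tmp"',
    # hex-encoded argument containing a space, decoded before matching; benign
    'type=EXECVE msg=audit(1702389600.105:2005): argc=2 a0="echo" a1=68656C6C6F20776F726C64',
    # SYSCALL record of the first execve: a0/a1 are register values, type differs, never matches
    'type=SYSCALL msg=audit(1702389600.101:2001): arch=c000003e syscall=59 success=yes '
    'exit=0 a0=55d0c1 a1=55d0c2 comm="chmod" exe="/usr/bin/chmod"',
]


if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        hits = evaluate(rec)
        print(("ALERT " + ",".join(hits)) if hits else "no match", "<-", rec[:60])
```

Two caveats the sample records illustrate. First, EXECVE records only exist when an execve syscall audit rule is loaded (for example `-a always,exit -F arch=b64 -S execve -k exec`); without it the SYSCALL record alone carries no argument strings and nothing here fires. Second, the selectors match positional arguments literally, so `chmod -R 777`, `chmod 0777`, `chmod a+rwx` and `cp -p /bin/sh` all slip past; quoting 777 as '777' in the YAML also avoids backend-dependent type coercion when the rule is converted.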
False Positives

Admin activity

References
Internal Research - mostly derived from exploit code including code in MSF (the Metasploit Framework)
MITRE ATT&CK
Tactic: Execution
Technique: T1059.004 Command and Scripting Interpreter: Unix Shell
Rule Metadata
Rule ID
1543ae20-cbdf-4ec1-8d12-7664d667a825
Status
test
Level
medium
Type
Detection
Created
Tue Dec 12
Modified
Wed Oct 05
Path
rules/linux/auditd/execve/lnx_auditd_susp_cmds.yml
Raw Tags
attack.execution, attack.t1059.004