Phoenix
Sigma IntelligenceBeta
Back to Rules
Threat Huntlowstable

Process Discovery

Detects process discovery commands. Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Ömer Günal, oscd.community, CheraaghiMiladCreated Tue Oct 06Updated Thu Jul 074e2f5868-08d4-413d-899f-dc2f1508627blinux
Hunting Hypothesis
Log Source
LinuxProcess Creation
ProductLinux← raw: linux
CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic
Detection Logic1 selector
detection:
    selection:
        Image|endswith:
            - '/atop'
            - '/htop'
            - '/pgrep'
            - '/ps'
            - '/pstree'
            - '/top'
    condition: selection
False Positives

Legitimate administration activities

References
1
Resolving title…
github.com
2
Resolving title…
cyberciti.biz
MITRE ATT&CK

Other

detection.threat-hunting
Rule Metadata
Rule ID
4e2f5868-08d4-413d-899f-dc2f1508627b
Status
stable
Level
low
Type
Threat Hunt
Created
Tue Oct 06
Modified
Thu Jul 07
Author
Ömer Günal, oscd.community, CheraaghiMilad
Path
rules-threat-hunting/linux/process_creation/proc_creation_lnx_susp_running_process_discovery.yml
Raw Tags
attack.discoveryattack.t1057detection.threat-hunting
View on GitHub