Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionlowtest

Security Software Discovery - Linux

Detects usage of system utilities (only grep and egrep for now) to discover security software discovery

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Daniil Yugoslavskiy, oscd.communityCreated Mon Oct 19Updated Sun Nov 27c9d8b7fd-78e4-44fe-88f6-599135d46d60linux
Log Source
LinuxProcess Creation
ProductLinux← raw: linux
CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic
Detection Logic1 selector
detection:
    selection:
        Image|endswith:
            # You can add more grep variations such as fgrep, rgrep...etc
            - '/grep'
            - '/egrep'
        CommandLine|contains:
            - 'nessusd'        # nessus vulnerability scanner
            - 'td-agent'       # fluentd log shipper
            - 'packetbeat'     # elastic network logger/shipper
            - 'filebeat'       # elastic log file shipper
            - 'auditbeat'      # elastic auditing agent/log shipper
            - 'osqueryd'       # facebook osquery
            - 'cbagentd'       # carbon black
            - 'falcond'        # crowdstrike falcon
    condition: selection
False Positives

Legitimate activities

References
1
Resolving title…
github.com
MITRE ATT&CK
Rule Metadata
Rule ID
c9d8b7fd-78e4-44fe-88f6-599135d46d60
Status
test
Level
low
Type
Detection
Created
Mon Oct 19
Modified
Sun Nov 27
Author
Daniil Yugoslavskiy, oscd.community
Path
rules/linux/process_creation/proc_creation_lnx_security_software_discovery.yml
Raw Tags
attack.discoveryattack.t1518.001
View on GitHub