Detectionmediumtest

Suspicious Git Clone - Linux

Detects execution of "git" in order to clone a remote repository that contain suspicious keywords which might be suspicious

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Nasreddine Bencherchali (Nextron Systems)Created Tue Jan 03Updated Thu Jan 05cfec9d29-64ec-4a0f-9ffe-0fdb856d5446linux

Log Source

LinuxProcess Creation

ProductLinux← raw: linux

CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic

detection:
    selection_img:
        Image|endswith: '/git'
        CommandLine|contains: ' clone '
    selection_keyword:
        CommandLine|contains:
            # Add more suspicious keywords
            - 'exploit'
            - 'Vulns'
            - 'vulnerability'
            - 'RCE'
            - 'RemoteCodeExecution'
            - 'Invoke-'
            - 'CVE-'
            - 'poc-'
            - 'ProofOfConcept'
            # Add more vuln names
            - 'proxyshell'
            - 'log4shell'
            - 'eternalblue'
            - 'eternal-blue'
            - 'MS17-'
    condition: all of selection_*

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

Resolving title…

gist.githubusercontent.com

MITRE ATT&CK

Tactics

TA0043 · Reconnaissance

Other

attack.t1593.003

Rule Metadata

Rule ID

cfec9d29-64ec-4a0f-9ffe-0fdb856d5446

Status

test

Level

medium

Type

Detection

Created

Tue Jan 03

Modified

Thu Jan 05

Author

Nasreddine Bencherchali (Nextron Systems)

Path

rules/linux/process_creation/proc_creation_lnx_susp_git_clone.yml

Raw Tags

attack.reconnaissanceattack.t1593.003

View on GitHub