Type: Detection | Level: low | Status: test

System Information Discovery - Auditd

Detects System Information Discovery commands

Author: Pawel Mazur
Created: Fri Sep 03
Updated: Mon Mar 06
Rule ID: f34047d9-20d3-4e8b-8672-0a35cc50dc71
Product: linux
Log Source
Product: linux
Service: auditd
Detection Logic (4 selectors)
detection:
    selection_1:
        type: PATH
        name:
            - /etc/lsb-release
            - /etc/redhat-release
            - /etc/issue
    selection_2:
        type: EXECVE
        a0:
            - uname
            - uptime
            - lsmod
            - hostname
            - env
    selection_3:
        type: EXECVE
        a0: grep
        a1|contains:
            - vbox
            - vm
            - xen
            - virtio
            - hv
    selection_4:
        type: EXECVE
        a0: kmod
        a1: list
    condition: 1 of selection_*
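As an added illustration, not part of the rule or the Sigma repository, the Python below applies the four selectors above to constructed auditd records, including the hex-encoded argument form auditd emits for values containing spaces. The sample lines, their serial numbers and the helper names are assumptions.

```python
import re
# Constructed auditd records (not from the page); one "type=... msg=audit(ts:serial): k=v ..."
# record per line. auditd hex-encodes a value instead of quoting it when it holds spaces/special bytes.
SAMPLE_LOG = """\
type=EXECVE msg=audit(1630000000.101:201): argc=2 a0="uname" a1="-a"
type=PATH msg=audit(1630000000.102:202): item=0 name="/etc/issue" inode=1234 mode=0100644 nametype=NORMAL
type=EXECVE msg=audit(1630000000.103:203): argc=3 a0="grep" a1="VBox" a2="/proc/cpuinfo"
type=EXECVE msg=audit(1630000000.104:204): argc=2 a0="kmod" a1="list"
type=EXECVE msg=audit(1630000000.106:206): argc=3 a0="grep" a1="-i" a2="virtio"
type=EXECVE msg=audit(1630000000.107:207): argc=2 a0="grep" a1=76626F7820766D
"""
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
HEX_KEYS = re.compile(r"^(a\d+|name)$")  # fields auditd may hex-encode
RELEASE_FILES = {"/etc/lsb-release", "/etc/redhat-release", "/etc/issue"}
DISCOVERY_BINS = {"uname", "uptime", "lsmod", "hostname", "env"}
VM_MARKERS = ("vbox", "vm", "xen", "virtio", "hv")

def parse_record(line):
    """Turn one auditd line into a dict, decoding hex-encoded arg/name values."""
    event = {}
    for key, quoted, bare in FIELD_RE.findall(line):
        value = quoted if quoted else bare
        if not quoted and HEX_KEYS.match(key) and re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", value):
            value = bytes.fromhex(value).decode("utf-8", "replace")
        event[key] = value
    return event

def match_selector(event):
    """Return the first selector the record satisfies, or None (Sigma matching is case-insensitive)."""
    kind = event.get("type")
    a0, a1 = event.get("a0", "").lower(), event.get("a1", "").lower()
    if kind == "PATH" and event.get("name", "").lower() in RELEASE_FILES:
        return "selection_1"
    if kind == "EXECVE":
        if a0 in DISCOVERY_BINS:
            return "selection_2"
        if a0 == "grep" and any(m in a1 for m in VM_MARKERS):  # a1|contains; a2 and later are not checked
            return "selection_3"
        if a0 == "kmod" and a1 == "list":
            return "selection_4"
    return None

def scan(log_text):
    """Apply the rule (condition: 1 of selection_*); return (audit serial, selector) for every hit."""
    hits = []
    for line in log_text.splitlines():
        selector = match_selector(parse_record(line))
        if selector:
            hits.append((re.search(r"audit\([\d.]+:(\d+)\)", line).group(1), selector))
    return hits
```

Record 206 shows a tuning point: the rule tests only a1, so a marker that lands in a2 (as with `grep -i virtio`) produces no hit, while record 207 shows why hex decoding matters before the contains check.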
False Positives

Likely

Rule Metadata
Rule ID
f34047d9-20d3-4e8b-8672-0a35cc50dc71
Status
test
Level
low
Type
Detection
Created
Fri Sep 03
Modified
Mon Mar 06
Path
rules/linux/auditd/lnx_auditd_system_info_discovery.yml
Raw Tags
attack.discovery, attack.t1082