Phoenix
Sigma IntelligenceBeta
Rule Library

Sigma Rules

17 rules found

3,707Total
3,116Detection
451Emerging
137Hunting
Detectionmediumstable

Linux Doas Conf File Creation

Detects the creation of doas.conf file in linux host platform.

LinuxFile Event
TA0005 · Defense EvasionTA0004 · Privilege EscalationT1548 · Abuse Elevation Control Mechanism
Sittikorn S+1Thu Jan 20linux
Detectionmediumtest

Persistence Via Cron Files

Detects creation of cron file or files in Cron directories which could indicates potential persistence.

LinuxFile Event
TA0004 · Privilege EscalationTA0002 · ExecutionTA0003 · PersistenceT1053.003 · Cron
Roberto Rodriguez (Cyb3rWard0g)+2Fri Oct 15linux
Detectionmediumtest

Persistence Via Sudoers Files

Detects creation of sudoers file or files in "sudoers.d" directory which can be used a potential method to persiste privileges for a specific user.

LinuxFile Event
TA0004 · Privilege EscalationTA0002 · ExecutionTA0003 · PersistenceT1053.003 · Cron
Nasreddine Bencherchali (Nextron Systems)Tue Jul 05linux
Detectionhighexperimental

Suspicious Filename with Embedded Base64 Commands

Detects files with specially crafted filenames that embed Base64-encoded bash payloads designed to execute when processed by shell scripts. These filenames exploit shell interpretation quirks to trigger hidden commands, a technique observed in VShell malware campaigns.

LinuxFile Event
TA0002 · ExecutionT1059.004 · Unix ShellTA0005 · Defense EvasionT1027 · Obfuscated Files or Information
kostastsaleSat Nov 22linux
Detectionlowtest

Potentially Suspicious Shell Script Creation in Profile Folder

Detects the creation of shell scripts under the "profile.d" path.

LinuxFile Event
TA0003 · Persistence
Joseliyo SanchezFri Jun 02linux
Detectionhightest

Triple Cross eBPF Rootkit Default LockFile

Detects the creation of the file "rootlog" which is used by the TripleCross rootkit as a way to check if the backdoor is already running.

LinuxFile Event
TA0005 · Defense Evasion
Nasreddine Bencherchali (Nextron Systems)Tue Jul 05linux
Detectionhightest

Triple Cross eBPF Rootkit Default Persistence

Detects the creation of "ebpfbackdoor" files in both "cron.d" and "sudoers.d" directories. Which both are related to the TripleCross persistence method

LinuxFile Event
TA0004 · Privilege EscalationTA0002 · ExecutionTA0003 · PersistenceTA0005 · Defense Evasion+1
Nasreddine Bencherchali (Nextron Systems)Tue Jul 05linux
Detectionmediumtest

Wget Creating Files in Tmp Directory

Detects the use of wget to download content in a temporary directory such as "/tmp" or "/var/tmp"

LinuxFile Event
TA0011 · Command and ControlT1105 · Ingress Tool Transfer
Joseliyo SanchezFri Jun 02linux
Emerging Threathightest

UNC4841 - Email Exfiltration File Pattern

Detects filename pattern of email related data used by UNC4841 for staging and exfiltration

LinuxFile Event
TA0002 · ExecutionTA0003 · PersistenceTA0005 · Defense Evasiondetection.emerging-threats
Nasreddine Bencherchali (Nextron Systems)Fri Jun 162023
Emerging Threathightest

UNC4841 - Barracuda ESG Exploitation Indicators

Detects file indicators as seen used by UNC4841 during their Barracuda ESG zero day exploitation.

LinuxFile Event
TA0002 · ExecutionTA0003 · PersistenceTA0005 · Defense Evasiondetection.emerging-threats
Nasreddine Bencherchali (Nextron Systems)Fri Jun 162023
Emerging Threatmediumexperimental

Potential SAP NetWeaver Webshell Creation - Linux

Detects the creation of suspicious files (jsp, java, class) in SAP NetWeaver directories, which may indicate exploitation attempts of vulnerabilities such as CVE-2025-31324.

LinuxFile Event
TA0002 · ExecutionTA0001 · Initial AccessT1190 · Exploit Public-Facing ApplicationTA0003 · Persistence+3
Elastic Security+1Mon Apr 282025
Emerging Threathighexperimental

Non-Standard Nsswitch.Conf Creation - Potential CVE-2025-32463 Exploitation

Detects the creation of nsswitch.conf files in non-standard directories, which may indicate exploitation of CVE-2025-32463. This vulnerability requires an attacker to create a nsswitch.conf in a directory that will be used during sudo chroot operations. When sudo executes, it loads malicious shared libraries from user-controlled locations within the chroot environment, potentially leading to arbitrary code execution and privilege escalation.

LinuxFile Event
TA0004 · Privilege EscalationT1068 · Exploitation for Privilege Escalationcve.2025-32463detection.emerging-threats
Swachchhanda Shrawn Poudel (Nextron Systems)Thu Oct 022025
Emerging Threathighexperimental

Shai-Hulud Malicious GitHub Workflow Creation

Detects creation of shai-hulud-workflow.yml file associated with Shai Hulud worm targeting NPM supply chain attack that exfiltrates GitHub secrets

LinuxFile Event
TA0003 · PersistenceTA0006 · Credential AccessT1552.001 · Credentials In FilesTA0009 · Collection+2
Swachchhanda Shrawan Poudel (Nextron Systems)Wed Sep 242025
Emerging Threathighexperimental

Axios NPM Compromise File Creation Indicators - Linux

Detects file creation events linked to the Axios NPM supply chain compromise. Axios is a popular JavaScript HTTP client. On March 30, 2026, malicious versions (1.14.1, 0.30.4) were published to npm, injecting a dependency (plain-crypto-js@4.2.1) that executed a postinstall script as a cross-platform RAT dropper.

LinuxFile Event
TA0001 · Initial AccessT1195.002 · Compromise Software Supply ChainTA0011 · Command and ControlT1105 · Ingress Tool Transfer+1
Swachchhanda Shrawan Poudel (Nextron Systems)Wed Apr 012026
Emerging Threathighexperimental

TeamPCP LiteLLM Supply Chain Attack Persistence Indicators

Detects the creation of specific persistence files as observed in the LiteLLM PyPI supply chain attack. In March 2026, a supply chain attack was discovered involving the popular open-source LLM framework LiteLLM by Threat Actor TeamPCP. The malicious package harvests every credential on the system, encrypts and exfiltrates them, and installs a persistent C2 backdoor.

LinuxFile Event
TA0003 · PersistenceTA0004 · Privilege EscalationT1543.002 · Systemd ServiceTA0001 · Initial Access+2
Swachchhanda Shrawan Poudel (Nextron Systems)Mon Mar 302026
Threat Huntmediumtest

Python Path Configuration File Creation - Linux

Detects creation of a Python path configuration file (.pth) in Python library folders, which can be maliciously abused for code execution and persistence. Modules referenced by these files are run at every Python startup (v3.5+), regardless of whether the module is imported by the calling script. Default paths are '\lib\site-packages\*.pth' (Windows) and '/lib/pythonX.Y/site-packages/*.pth' (Unix and macOS).

LinuxFile Event
TA0002 · ExecutionT1059.006 · Pythondetection.threat-hunting
Andreas Braathen (mnemonic.io)Thu Apr 25linux
Threat Huntlowexperimental

Potentially Suspicious Long Filename Pattern - Linux

Detects the creation of files with unusually long filenames (100 or more characters), which may indicate obfuscation techniques used by malware such as VShell. This is a hunting rule to identify potential threats that use long filenames to evade detection. Keep in mind that on a legitimate system, such long filenames can and are common. Run this detection in the context of threat hunting rather than alerting. Adjust the threshold of filename length as needed based on your environment.

LinuxFile Event
TA0002 · ExecutionT1059.004 · Unix ShellTA0005 · Defense EvasionT1027 · Obfuscated Files or Information+1
kostastsaleSat Nov 22linux