Sigma Rules
139 rules found
Install Root Certificate
Detects installation of new certificate on the system which attackers may use to avoid warnings when connecting to controlled web servers or C2s
Suspicious Package Installed - Linux
Detects installation of suspicious packages using system installation utilities
Flush Iptables Ufw Chain
Detect use of iptables to flush all firewall rules, tables and chains and allow all network traffic
Local System Accounts Discovery - Linux
Detects enumeration of local system accounts. This information can help adversaries determine which local accounts exist on a system to aid in follow-on behavior.
Local Groups Discovery - Linux
Detects enumeration of local system groups. Adversaries may attempt to find local system groups and permission settings
Potential GobRAT File Discovery Via Grep
Detects the use of grep to discover specific files created by the GobRAT malware
Named Pipe Created Via Mkfifo
Detects the creation of a new named pipe using the "mkfifo" utility
Potentially Suspicious Named Pipe Created Via Mkfifo
Detects the creation of a new named pipe using the "mkfifo" utility in a potentially suspicious location
Mount Execution With Hidepid Parameter
Detects execution of the "mount" command with "hidepid" parameter to make invisible processes to other users from the system
Potential Netcat Reverse Shell Execution
Detects execution of netcat with the "-e" flag followed by common shells. This could be a sign of a potential reverse shell setup.
Shell Execution via Nice - Linux
Detects the use of the "nice" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
Nohup Execution
Detects usage of nohup which could be leveraged by an attacker to keep a process running or break out from restricted environments
Suspicious Nohup Execution
Detects execution of binaries located in potentially suspicious locations via "nohup"
OMIGOD SCX RunAsProvider ExecuteScript
Rule to detect the use of the SCX RunAsProvider ExecuteScript to execute any UNIX/Linux script using the /bin/sh shell. Script being executed gets created as a temp file in /tmp folder with a scx* prefix. Then it is invoked from the following directory /etc/opt/microsoft/scx/conf/tmpdir/. The file in that directory has the same prefix scx*. SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including Microsoft Operations Manager, Microsoft Azure, and Microsoft Operations Management Suite.
OMIGOD SCX RunAsProvider ExecuteShellCommand
Rule to detect the use of the SCX RunAsProvider Invoke_ExecuteShellCommand to execute any UNIX/Linux command using the /bin/sh shell. SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including Microsoft Operations Manager, Microsoft Azure, and Microsoft Operations Management Suite.
Potential Perl Reverse Shell Execution
Detects execution of the perl binary with the "-e" flag and common strings related to potential reverse shell activity
Potential PHP Reverse Shell
Detects usage of the PHP CLI with the "-r" flag which allows it to run inline PHP code. The rule looks for calls to the "fsockopen" function which allows the creation of sockets. Attackers often leverage this in combination with functions such as "exec" or "fopen" to initiate a reverse shell connection.
Pnscan Binary Data Transmission Activity
Detects command line patterns associated with the use of Pnscan for sending and receiving binary data across the network. This behavior has been identified in a Linux malware campaign targeting Docker, Apache Hadoop, Redis, and Confluence and was previously used by the threat actor known as TeamTNT
Connection Proxy
Detects setting proxy configuration
PUA - TruffleHog Execution - Linux
Detects execution of TruffleHog, a tool used to search for secrets in different platforms like Git, Jira, Slack, SharePoint, etc. that could be used maliciously. While it is a legitimate tool, intended for use in CI pipelines and security assessments, It was observed in the Shai-Hulud malware campaign targeting npm packages to steal sensitive information.
Python WebServer Execution - Linux
Detects the execution of Python web servers via command line interface (CLI). After gaining access to target systems, adversaries may use Python's built-in HTTP server modules to quickly establish a web server without requiring additional software. This technique is commonly used in post-exploitation scenarios as it provides a simple method for transferring files between the compromised host and attacker-controlled systems.
Python Spawning Pretty TTY Via PTY Module
Detects a python process calling to the PTY module in order to spawn a pretty tty which could be indicative of potential reverse shell activity.
Python Reverse Shell Execution Via PTY And Socket Modules
Detects the execution of python with calls to the socket and pty module in order to connect and spawn a potential reverse shell.
Inline Python Execution - Spawn Shell Via OS System Library
Detects execution of inline Python code via the "-c" in order to call the "system" function from the "os" library, and spawn a shell.
Remote Access Tool - Team Viewer Session Started On Linux Host
Detects the command line executed when TeamViewer starts a session started by a remote host. Once a connection has been started, an investigator can verify the connection details by viewing the "incoming_connections.txt" log file in the TeamViewer folder.
Linux Remote System Discovery
Detects the enumeration of other remote systems.
Linux Package Uninstall
Detects linux package removal using builtin tools such as "yum", "apt", "apt-get" or "dpkg".
Shell Execution via Rsync - Linux
Detects the use of the "rsync" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
Suspicious Invocation of Shell via Rsync
Detects the execution of a shell as sub process of "rsync" without the expected command line flag "-e" being used, which could be an indication of exploitation as described in CVE-2024-12084. This behavior is commonly associated with attempts to execute arbitrary commands or escalate privileges, potentially leading to unauthorized access or further exploitation.
Potential Ruby Reverse Shell
Detects execution of ruby with the "-e" flag and calls to "socket" related functions. This could be an indication of a potential attempt to setup a reverse shell
Scheduled Cron Task/Job - Linux
Detects abuse of the cron utility to perform task scheduling for initial or recurring execution of malicious code. Detection will focus on crontab jobs uploaded from the tmp folder.
Security Software Discovery - Linux
Detects usage of system utilities (only grep and egrep for now) to discover security software discovery
Disabling Security Tools
Detects disabling security tools
Disable Or Stop Services
Detects the usage of utilities such as 'systemctl', 'service'...etc to stop or disable tools and services
Setuid and Setgid
Detects suspicious change of file privileges with chown and chmod commands
Shell Invocation Via Ssh - Linux
Detects the use of the "ssh" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
Potential Linux Amazon SSM Agent Hijacking
Detects potential Amazon SSM agent hijack attempts as outlined in the Mitiga research report.
Chmod Suspicious Directory
Detects chmod targeting files in abnormal directory paths.
Container Residence Discovery Via Proc Virtual FS
Detects potential container discovery via listing of certain kernel features in the "/proc" virtual filesystem
Suspicious Curl File Upload - Linux
Detects a suspicious curl process start the adds a file to a web request
Suspicious Curl Change User Agents - Linux
Detects a suspicious curl process start on linux with set useragent options
Docker Container Discovery Via Dockerenv Listing
Detects listing or file reading of ".dockerenv" which can be a sing of potential container discovery
Potentially Suspicious Execution From Tmp Folder
Detects a potentially suspicious execution of a process located in the '/tmp/' folder
Potential Discovery Activity Using Find - Linux
Detects usage of "find" binary in a suspicious manner to perform discovery
Suspicious Git Clone - Linux
Detects execution of "git" in order to clone a remote repository that contain suspicious keywords which might be suspicious
History File Deletion
Detects events in which a history file gets deleted, e.g. the ~/bash_history to remove traces of malicious activity
Print History File Contents
Detects events in which someone prints the contents of history files to the commandline or redirects it to a file for reconnaissance
Linux HackTool Execution
Detects known hacktool execution based on image name.