Sigma Rules
1,701 rules found
Guacamole Two Users Sharing Session Anomaly
Detects suspicious session with two users present
Equation Group Indicators
Detects suspicious shell commands used in various Equation Group scripts and tools
Buffer Overflow Attempts
Detects buffer overflow attempts in Unix system log files
Commands to Clear or Remove the Syslog - Builtin
Detects specific commands commonly used to remove or empty the syslog
Code Injection by ld.so Preload
Detects the ld.so preload persistence file. See `man ld.so` for more information.
Potential Suspicious BPF Activity - Linux
Detects the presence of "bpf_probe_write_user" BPF helper-generated warning messages, which could be a sign of suspicious eBPF activity on the system.
Privileged User Has Been Created
Detects the addition of a new user to a privileged group such as "root" or "sudo"
Shellshock Expression
Detects shellshock expressions in log files
Linux Command History Tampering
Detects commands that try to clear or tamper with the Linux command history. This technique is used by threat actors in order to evade defenses and execute commands without them being recorded in files such as "bash_history" or "zsh_history".
Suspicious Activity in Shell Commands
Detects suspicious shell commands used in various exploit codes (see references)
Suspicious Reverse Shell Command Line
Detects suspicious shell commands or program code that may be executed or used in command line to establish a reverse shell
JexBoss Command Sequence
Detects suspicious command sequence that JexBoss
Symlink Etc Passwd
Detects suspicious command lines that look as if they would create symbolic links to /etc/passwd
Suspicious Named Error
Detects suspicious DNS error messages that indicate a fatal or suspicious error that could be caused by exploitation attempts
Suspicious Filename with Embedded Base64 Commands
Detects files with specially crafted filenames that embed Base64-encoded bash payloads designed to execute when processed by shell scripts. These filenames exploit shell interpretation quirks to trigger hidden commands, a technique observed in VShell malware campaigns.
Triple Cross eBPF Rootkit Default LockFile
Detects the creation of the file "rootlog" which is used by the TripleCross rootkit as a way to check if the backdoor is already running.
Triple Cross eBPF Rootkit Default Persistence
Detects the creation of "ebpfbackdoor" files in both the "cron.d" and "sudoers.d" directories, both of which are related to the TripleCross persistence method.
Linux Crypto Mining Pool Connections
Detects process connections to a Monero crypto mining pool
Communication To LocaltoNet Tunneling Service Initiated - Linux
Detects an executable initiating a network connection to "LocaltoNet" tunneling sub-domains. LocaltoNet is a reverse proxy that enables localhost services to be exposed to the Internet. Attackers have been seen to use this service for command-and-control activities to bypass MFA and perimeter controls.
Communication To Ngrok Tunneling Service - Linux
Detects an executable accessing an ngrok tunneling endpoint, which could be a sign of forbidden data exfiltration by malicious actors
Potentially Suspicious Malware Callback Communication - Linux
Detects programs that connect to known malware callback ports based on threat intelligence reports.
Audit Rules Deleted Via Auditctl
Detects the execution of 'auditctl' with the '-D' command line parameter, which deletes all configured audit rules and watches on Linux systems. This technique is commonly used by attackers to disable audit logging and cover their tracks by removing monitoring capabilities. Removal of audit rules can significantly impair detection of malicious activities on the affected system.
Kaspersky Endpoint Security Stopped Via CommandLine - Linux
Detects execution of the Kaspersky init.d stop script on Linux systems either directly or via systemctl. This activity may indicate a manual interruption of the antivirus service by an administrator, or it could be a sign of potential tampering or evasion attempts by malicious actors.
Suspicious Invocation of Shell via AWK - Linux
Detects the execution of "awk" or its sibling commands to invoke a shell using the system() function. This behavior is commonly associated with attempts to execute arbitrary commands or escalate privileges, potentially leading to unauthorized access or further exploitation.
Capsh Shell Invocation - Linux
Detects the use of the "capsh" utility to invoke a shell.
Syslog Clearing or Removal Via System Utilities
Detects specific commands commonly used to remove or empty the syslog, a technique often used by attackers to hide their tracks.
Copy Passwd Or Shadow From TMP Path
Detects when the file "passwd" or "shadow" is copied from a tmp path
Linux Crypto Mining Indicators
Detects command line parameters or strings often used by crypto miners
Suspicious Download and Execute Pattern via Curl/Wget
Detects suspicious use of command-line tools such as curl or wget to download remote content - particularly scripts - into temporary directories (e.g., /dev/shm, /tmp), followed by immediate execution, indicating potential malicious activity. This pattern is commonly used by malicious scripts, stagers, or downloaders in fileless or multi-stage Linux attacks.
Shell Invocation via Env Command - Linux
Detects the use of the env command to invoke a shell. This may indicate an attempt to bypass restricted environments, escalate privileges, or execute arbitrary commands.
ESXi Admin Permission Assigned To Account Via ESXCLI
Detects execution of the "esxcli" command with the "system" and "permission" flags in order to assign admin permissions to an account.
Shell Execution via Find - Linux
Detects the use of the find command to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or exploitation attempts.
Shell Execution via Flock - Linux
Detects the use of the "flock" command to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
Shell Execution GCC - Linux
Detects the use of the "gcc" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
Shell Execution via Git - Linux
Detects the use of the "git" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
Potential GobRAT File Discovery Via Grep
Detects the use of grep to discover specific files created by the GobRAT malware
Potential Netcat Reverse Shell Execution
Detects execution of netcat with the "-e" flag followed by common shells. This could be a sign of a potential reverse shell setup.
Shell Execution via Nice - Linux
Detects the use of the "nice" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
Suspicious Nohup Execution
Detects execution of binaries located in potentially suspicious locations via "nohup"
OMIGOD SCX RunAsProvider ExecuteScript
Rule to detect the use of the SCX RunAsProvider ExecuteScript to execute any UNIX/Linux script using the /bin/sh shell. The script being executed is created as a temporary file in the /tmp folder with an scx* prefix, and is then invoked from the directory /etc/opt/microsoft/scx/conf/tmpdir/, where the file carries the same scx* prefix. SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including Microsoft Operations Manager, Microsoft Azure, and Microsoft Operations Management Suite.
OMIGOD SCX RunAsProvider ExecuteShellCommand
Rule to detect the use of the SCX RunAsProvider Invoke_ExecuteShellCommand to execute any UNIX/Linux command using the /bin/sh shell. SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including Microsoft Operations Manager, Microsoft Azure, and Microsoft Operations Management Suite.
Potential Perl Reverse Shell Execution
Detects execution of the perl binary with the "-e" flag and common strings related to potential reverse shell activity
Potential PHP Reverse Shell
Detects usage of the PHP CLI with the "-r" flag which allows it to run inline PHP code. The rule looks for calls to the "fsockopen" function which allows the creation of sockets. Attackers often leverage this in combination with functions such as "exec" or "fopen" to initiate a reverse shell connection.
Python Reverse Shell Execution Via PTY And Socket Modules
Detects the execution of python with calls to the socket and pty modules in order to connect and spawn a potential reverse shell.
Inline Python Execution - Spawn Shell Via OS System Library
Detects execution of inline Python code via the "-c" flag in order to call the "system" function from the "os" library and spawn a shell.
Shell Execution via Rsync - Linux
Detects the use of the "rsync" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
Suspicious Invocation of Shell via Rsync
Detects the execution of a shell as a sub-process of "rsync" without the expected command line flag "-e" being used, which could be an indication of exploitation as described in CVE-2024-12084. This behavior is commonly associated with attempts to execute arbitrary commands or escalate privileges, potentially leading to unauthorized access or further exploitation.
Shell Invocation Via Ssh - Linux
Detects the use of the "ssh" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.