Sigma Rules
1,473 rules found
Suspicious Log Entries
Detects suspicious log entries in Linux log files
Suspicious Use of /dev/tcp
Detects suspicious command with /dev/tcp
Suspicious OpenSSH Daemon Error
Detects suspicious SSH / SSHD error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts
Disabling Security Tools - Builtin
Detects disabling security tools
Suspicious VSFTPD Error Messages
Detects suspicious VSFTPD error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts
Linux Doas Conf File Creation
Detects the creation of doas.conf file in linux host platform.
Persistence Via Cron Files
Detects creation of cron file or files in Cron directories which could indicates potential persistence.
Persistence Via Sudoers Files
Detects creation of sudoers file or files in "sudoers.d" directory which can be used a potential method to persiste privileges for a specific user.
Wget Creating Files in Tmp Directory
Detects the use of wget to download content in a temporary directory such as "/tmp" or "/var/tmp"
Shell Invocation via Apt - Linux
Detects the use of the "apt" and "apt-get" commands to execute a shell or proxy commands. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
Linux Base64 Encoded Pipe to Shell
Detects suspicious process command line that uses base64 encoded input for execution with a shell
Linux Base64 Encoded Shebang In CLI
Detects the presence of a base64 version of the shebang in the commandline, which could indicate a malicious payload about to be decoded
BPFtrace Unsafe Option Usage
Detects the usage of the unsafe bpftrace option
Enable BPF Kprobes Tracing
Detects common command used to enable bpf kprobes tracing
Remove Immutable File Attribute
Detects usage of the 'chattr' utility to remove immutable file attribute.
Clear Linux Logs
Detects attempts to clear logs on the system. Adversaries may clear system logs to hide evidence of an intrusion
Remove Scheduled Cron Task/Job
Detects usage of the 'crontab' utility to remove the current crontab. This is a common occurrence where cryptocurrency miners compete against each other by removing traces of other miners to hijack the maximum amount of resources possible
Potential Linux Process Code Injection Via DD Utility
Detects the injection of code by overwriting the memory map of a Linux process using the "dd" Linux command.
Ufw Force Stop Using Ufw-Init
Detects attempts to force stop the ufw using ufw-init
ESXi Network Configuration Discovery Via ESXCLI
Detects execution of the "esxcli" command with the "network" flag in order to retrieve information about the network configuration.
ESXi Storage Information Discovery Via ESXCLI
Detects execution of the "esxcli" command with the "storage" flag in order to retrieve information about the storage status and other related information. Seen used by malware such as DarkSide and LockBit.
ESXi Syslog Configuration Change Via ESXCLI
Detects changes to the ESXi syslog configuration via "esxcli"
ESXi System Information Discovery Via ESXCLI
Detects execution of the "esxcli" command with the "system" flag in order to retrieve information about the different component of the system. Such as accounts, modules, NTP, etc.
ESXi Account Creation Via ESXCLI
Detects user account creation on ESXi system via esxcli
ESXi VM List Discovery Via ESXCLI
Detects execution of the "esxcli" command with the "vm" flag in order to retrieve information about the installed VMs.
ESXi VM Kill Via ESXCLI
Detects execution of the "esxcli" command with the "vm" and "kill" flag in order to kill/shutdown a specific VM.
ESXi VSAN Information Discovery Via ESXCLI
Detects execution of the "esxcli" command with the "vsan" flag in order to retrieve information about virtual storage. Seen used by malware such as DarkSide.
Group Has Been Deleted Via Groupdel
Detects execution of the "groupdel" binary. Which is used to delete a group. This is sometimes abused by threat actors in order to cover their tracks
Suspicious Package Installed - Linux
Detects installation of suspicious packages using system installation utilities
Flush Iptables Ufw Chain
Detect use of iptables to flush all firewall rules, tables and chains and allow all network traffic
Potentially Suspicious Named Pipe Created Via Mkfifo
Detects the creation of a new named pipe using the "mkfifo" utility in a potentially suspicious location
Mount Execution With Hidepid Parameter
Detects execution of the "mount" command with "hidepid" parameter to make invisible processes to other users from the system
Nohup Execution
Detects usage of nohup which could be leveraged by an attacker to keep a process running or break out from restricted environments
Pnscan Binary Data Transmission Activity
Detects command line patterns associated with the use of Pnscan for sending and receiving binary data across the network. This behavior has been identified in a Linux malware campaign targeting Docker, Apache Hadoop, Redis, and Confluence and was previously used by the threat actor known as TeamTNT
PUA - TruffleHog Execution - Linux
Detects execution of TruffleHog, a tool used to search for secrets in different platforms like Git, Jira, Slack, SharePoint, etc. that could be used maliciously. While it is a legitimate tool, intended for use in CI pipelines and security assessments, It was observed in the Shai-Hulud malware campaign targeting npm packages to steal sensitive information.
Python WebServer Execution - Linux
Detects the execution of Python web servers via command line interface (CLI). After gaining access to target systems, adversaries may use Python's built-in HTTP server modules to quickly establish a web server without requiring additional software. This technique is commonly used in post-exploitation scenarios as it provides a simple method for transferring files between the compromised host and attacker-controlled systems.
Python Spawning Pretty TTY Via PTY Module
Detects a python process calling to the PTY module in order to spawn a pretty tty which could be indicative of potential reverse shell activity.
Potential Ruby Reverse Shell
Detects execution of ruby with the "-e" flag and calls to "socket" related functions. This could be an indication of a potential attempt to setup a reverse shell
Scheduled Cron Task/Job - Linux
Detects abuse of the cron utility to perform task scheduling for initial or recurring execution of malicious code. Detection will focus on crontab jobs uploaded from the tmp folder.
Disabling Security Tools
Detects disabling security tools
Disable Or Stop Services
Detects the usage of utilities such as 'systemctl', 'service'...etc to stop or disable tools and services
Potential Linux Amazon SSM Agent Hijacking
Detects potential Amazon SSM agent hijack attempts as outlined in the Mitiga research report.
Chmod Suspicious Directory
Detects chmod targeting files in abnormal directory paths.
Suspicious Curl File Upload - Linux
Detects a suspicious curl process start the adds a file to a web request
Suspicious Curl Change User Agents - Linux
Detects a suspicious curl process start on linux with set useragent options
Potentially Suspicious Execution From Tmp Folder
Detects a potentially suspicious execution of a process located in the '/tmp/' folder
Potential Discovery Activity Using Find - Linux
Detects usage of "find" binary in a suspicious manner to perform discovery
Suspicious Git Clone - Linux
Detects execution of "git" in order to clone a remote repository that contain suspicious keywords which might be suspicious