Sigma Rules
241 rules found
Bash Interactive Shell
Detects execution of the bash shell with the interactive flag "-i".
BPFtrace Unsafe Option Usage
Detects the usage of the unsafe bpftrace option
Enable BPF Kprobes Tracing
Detects common command used to enable bpf kprobes tracing
Capabilities Discovery - Linux
Detects usage of "getcap" binary. This is often used during recon activity to determine potential binaries that can be abused as GTFOBins or other.
Capsh Shell Invocation - Linux
Detects the use of the "capsh" utility to invoke a shell.
Linux Setgid Capability Set on a Binary via Setcap Utility
Detects the use of the 'setcap' utility to set the 'setgid' capability (cap_setgid) on a binary file. This capability allows a non privileged process to make arbitrary manipulations of group IDs (GIDs), including setting its current GID to a value that would otherwise be restricted (i.e. GID 0, the root group). This behavior can be used by adversaries to backdoor a binary in order to escalate privileges again in the future if needed.
Linux Setuid Capability Set on a Binary via Setcap Utility
Detects the use of the 'setcap' utility to set the 'setuid' capability (cap_setuid) on a binary file. This capability allows a non privileged process to make arbitrary manipulations of user IDs (UIDs), including setting its current UID to a value that would otherwise be restricted (i.e. UID 0, the root user). This behavior can be used by adversaries to backdoor a binary in order to escalate privileges again in the future if needed.
Remove Immutable File Attribute
Detects usage of the 'chattr' utility to remove immutable file attribute.
Linux Sudo Chroot Execution
Detects the execution of 'sudo' command with '--chroot' option, which is used to change the root directory for command execution. Attackers may use this technique to evade detection and execute commands in a modified environment. This can be part of a privilege escalation strategy, as it allows the execution of commands with elevated privileges in a controlled environment as seen in CVE-2025-32463. While investigating, look out for unusual or unexpected use of 'sudo --chroot' in conjunction with other commands or scripts such as execution from temporary directories or unusual user accounts.
Clear Linux Logs
Detects attempts to clear logs on the system. Adversaries may clear system logs to hide evidence of an intrusion
Syslog Clearing or Removal Via System Utilities
Detects specific commands commonly used to remove or empty the syslog. Which is a technique often used by attacker as a method to hide their tracks
Clipboard Collection with Xclip Tool
Detects attempts to collect data stored in the clipboard from users with the usage of xclip tool. Xclip has to be installed. Highly recommended using rule on servers, due to high usage of clipboard utilities on user workstations.
Copy Passwd Or Shadow From TMP Path
Detects when the file "passwd" or "shadow" is copied from tmp path
Crontab Enumeration
Detects usage of crontab to list the tasks of the user
Remove Scheduled Cron Task/Job
Detects usage of the 'crontab' utility to remove the current crontab. This is a common occurrence where cryptocurrency miners compete against each other by removing traces of other miners to hijack the maximum amount of resources possible
Linux Crypto Mining Indicators
Detects command line parameters or strings often used by crypto miners
Curl Usage on Linux
Detects a curl process start on linux, which indicates a file download from a remote location or a simple web request to a remote server
Suspicious Download and Execute Pattern via Curl/Wget
Detects suspicious use of command-line tools such as curl or wget to download remote content - particularly scripts - into temporary directories (e.g., /dev/shm, /tmp), followed by immediate execution, indicating potential malicious activity. This pattern is commonly used by malicious scripts, stagers, or downloaders in fileless or multi-stage Linux attacks.
DD File Overwrite
Detects potential overwriting and deletion of a file using DD.
Potential Linux Process Code Injection Via DD Utility
Detects the injection of code by overwriting the memory map of a Linux process using the "dd" Linux command.
Ufw Force Stop Using Ufw-Init
Detects attempts to force stop the ufw using ufw-init
Linux Doas Tool Execution
Detects the doas tool execution in linux host platform. This utility tool allow standard users to perform tasks as root, the same way sudo does.
Shell Invocation via Env Command - Linux
Detects the use of the env command to invoke a shell. This may indicate an attempt to bypass restricted environments, escalate privileges, or execute arbitrary commands.
ESXi Network Configuration Discovery Via ESXCLI
Detects execution of the "esxcli" command with the "network" flag in order to retrieve information about the network configuration.
ESXi Admin Permission Assigned To Account Via ESXCLI
Detects execution of the "esxcli" command with the "system" and "permission" flags in order to assign admin permissions to an account.
ESXi Storage Information Discovery Via ESXCLI
Detects execution of the "esxcli" command with the "storage" flag in order to retrieve information about the storage status and other related information. Seen used by malware such as DarkSide and LockBit.
ESXi Syslog Configuration Change Via ESXCLI
Detects changes to the ESXi syslog configuration via "esxcli"
ESXi System Information Discovery Via ESXCLI
Detects execution of the "esxcli" command with the "system" flag in order to retrieve information about the different component of the system. Such as accounts, modules, NTP, etc.
ESXi Account Creation Via ESXCLI
Detects user account creation on ESXi system via esxcli
ESXi VM List Discovery Via ESXCLI
Detects execution of the "esxcli" command with the "vm" flag in order to retrieve information about the installed VMs.
ESXi VM Kill Via ESXCLI
Detects execution of the "esxcli" command with the "vm" and "kill" flag in order to kill/shutdown a specific VM.
ESXi VSAN Information Discovery Via ESXCLI
Detects execution of the "esxcli" command with the "vsan" flag in order to retrieve information about virtual storage. Seen used by malware such as DarkSide.
File and Directory Discovery - Linux
Detects usage of system utilities such as "find", "tree", "findmnt", etc, to discover files, directories and network shares.
File Deletion
Detects file deletion using "rm", "shred" or "unlink" commands which are used often by adversaries to delete files left behind by the actions of their intrusion activity
Shell Execution via Find - Linux
Detects the use of the find command to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or exploitation attempt.
Shell Execution via Flock - Linux
Detects the use of the "flock" command to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
Shell Execution GCC - Linux
Detects the use of the "gcc" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
Shell Execution via Git - Linux
Detects the use of the "git" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
OS Architecture Discovery Via Grep
Detects the use of grep to identify information about the operating system architecture. Often combined beforehand with the execution of "uname" or "cat /proc/cpuinfo"
Group Has Been Deleted Via Groupdel
Detects execution of the "groupdel" binary. Which is used to delete a group. This is sometimes abused by threat actors in order to cover their tracks
Install Root Certificate
Detects installation of new certificate on the system which attackers may use to avoid warnings when connecting to controlled web servers or C2s
Suspicious Package Installed - Linux
Detects installation of suspicious packages using system installation utilities
Flush Iptables Ufw Chain
Detect use of iptables to flush all firewall rules, tables and chains and allow all network traffic
Local System Accounts Discovery - Linux
Detects enumeration of local system accounts. This information can help adversaries determine which local accounts exist on a system to aid in follow-on behavior.
Local Groups Discovery - Linux
Detects enumeration of local system groups. Adversaries may attempt to find local system groups and permission settings
Potential GobRAT File Discovery Via Grep
Detects the use of grep to discover specific files created by the GobRAT malware
Named Pipe Created Via Mkfifo
Detects the creation of a new named pipe using the "mkfifo" utility
Potentially Suspicious Named Pipe Created Via Mkfifo
Detects the creation of a new named pipe using the "mkfifo" utility in a potentially suspicious location