Sigma Rules
3,332 rules found
Hidden Files and Directories
Detects an adversary creating a hidden file or directory by matching directory or file names that begin with a `.` character.
Steganography Hide Zip Information in Picture File
Detects the appending of a zip file to an image file.
Masquerading as Linux Crond Process
Masquerading occurs when the name or location of an executable, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. Several different variations of this technique have been observed.
Modify System Firewall
Detects the removal of system firewall rules. Adversaries may only delete or modify a specific system firewall rule to bypass controls limiting network usage or access. Detection rules that match only on the disabling of firewalls will miss this.
Network Sniffing - Linux
Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
Screen Capture with Import Tool
Detects an adversary creating a screen capture of a desktop with the ImageMagick import tool. Using this rule on servers is highly recommended, because screenshot utilities are heavily used on user workstations. ImageMagick must be installed.
Screen Capture with Xwd
Detects an adversary creating a full screen capture with xwd. Using this rule on servers is highly recommended, because screenshot utilities are heavily used on user workstations.
Steganography Hide Files with Steghide
Detects the embedding of files using the steghide binary; adversaries may use this technique to prevent the detection of hidden information.
Steganography Extract Files with Steghide
Detects the extraction of files using the steghide binary; adversaries may use this technique to prevent the detection of hidden information.
Suspicious Commands Linux
Detects commands often associated with malware or hacking activity.
Suspicious History File Operations - Linux
Detects command-line operations on shell history files.
Service Reload or Start - Linux
Detects the start, reload or restart of a service.
System Shutdown/Reboot - Linux
Adversaries may shut down or reboot systems to interrupt access to, or aid in the destruction of, those systems.
Steganography Unzip Hidden Information From Picture File
Detects the extraction of a zip file from an image file.
System Owner or User Discovery - Linux
Detects the execution of host or user discovery utilities such as "whoami", "hostname", "id", etc. Adversaries may use the information from System Owner/User Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Audio Capture
Detects attempts to record audio using the arecord and ecasound utilities.
Linux Keylogging with Pam.d
Detects an attempt to enable auditing of TTY input.
Suspicious C2 Activities
Detects suspicious activities as declared by Florian Roth in his 'Best Practice Auditd Configuration'. This includes the detection of the following commands: wget, curl, base64, nc, netcat, ncat, ssh, socat, wireshark, rawshark, rdesktop, nmap. These commands match a few techniques from the "Command and Control" tactic, including, non-exhaustively, the following: Application Layer Protocol (T1071), Non-Application Layer Protocol (T1095), Data Encoding (T1132).
System Information Discovery - Auditd
Detects System Information Discovery commands
Auditing Configuration Changes on Linux Host
Detects changes to the auditd configuration files.
BPFDoor Abnormal Process ID or Lock File Accessed
Detects access to BPFDoor `.lock` and `.pid` files in the temporary file storage directory.
Use Of Hidden Paths Or Files
Detects calls to hidden files or files located in hidden directories on *NIX systems.
Modification of ld.so.preload
Identifies modification of ld.so.preload for shared object injection. This technique is used by attackers to load arbitrary code into processes.
Logging Configuration Changes on Linux Host
Detects changes to syslog daemon configuration files.
Systemd Service Creation
Detects the creation of systemd services, which could be used by adversaries to execute malicious code.
Unix Shell Configuration Modification
Detects modification of Unix shell configuration files. Adversaries may establish persistence by executing malicious commands triggered when a new shell is opened.
Disable System Firewall
Detects the disabling of system firewalls, which could be used by adversaries to bypass controls that limit usage of the network.
Creation Of A User Account
Detects the creation of a new user account. Such accounts may be used for persistence without requiring persistent remote access tools to be deployed on the system.
Loading of Kernel Module via Insmod
Detects loading of kernel modules with the insmod command. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded into and unloaded from the kernel on demand. Adversaries may use LKMs to obtain persistence within the system or to elevate privileges.
Linux Network Service Scanning - Auditd
Detects enumeration of local or remote network services.
Split A File Into Pieces - Linux
Detects use of the "split" command to split files into parts, possibly in preparation for transfer.
Program Executions in Suspicious Folders
Detects program executions from suspicious non-program folders associated with malware or hacking activity.
Webshell Remote Command Execution
Detects possible command execution by web application/web shell
Modifying Crontab
Detects suspicious modification of crontab file.
Guacamole Two Users Sharing Session Anomaly
Detects a suspicious Guacamole session with two users present.
Equation Group Indicators
Detects suspicious shell commands used in various Equation Group scripts and tools
Buffer Overflow Attempts
Detects buffer overflow attempts in Unix system log files
Commands to Clear or Remove the Syslog - Builtin
Detects specific commands commonly used to remove or empty the syslog
Code Injection by ld.so Preload
Detects the ld.so preload persistence file. See `man ld.so` for more information.
Potential Suspicious BPF Activity - Linux
Detects the presence of warning messages generated by the "bpf_probe_write_user" BPF helper, which could be a sign of suspicious eBPF activity on the system.
Privileged User Has Been Created
Detects the addition of a new user to a privileged group such as "root" or "sudo"
Linux Command History Tampering
Detects commands that try to clear or tamper with the Linux command history. This technique is used by threat actors in order to evade defenses and execute commands without them being recorded in files such as "bash_history" or "zsh_history".
Suspicious Activity in Shell Commands
Detects suspicious shell commands used in various exploit codes (see references)
Suspicious Log Entries
Detects suspicious log entries in Linux log files
Suspicious Reverse Shell Command Line
Detects suspicious shell commands or program code that may be executed or used on the command line to establish a reverse shell.
Shellshock Expression
Detects shellshock expressions in log files
Suspicious Use of /dev/tcp
Detects suspicious commands that use /dev/tcp.
JexBoss Command Sequence
Detects suspicious command sequence that JexBoss