Sigma Rules
3,116 rules found
ASLR Disabled Via Sysctl or Direct Syscall - Linux
Detects actions that disable Address Space Layout Randomization (ASLR) in Linux, including: - Use of the `personality` syscall with the ADDR_NO_RANDOMIZE flag (0x0040000) - Modification of the /proc/sys/kernel/randomize_va_space file - Execution of the `sysctl` command to set `kernel.randomize_va_space=0` Disabling ASLR is often used by attackers during exploit development or to bypass memory protection mechanisms. A successful use of these methods can reduce the effectiveness of ASLR and make memory corruption attacks more reliable.
Linux Keylogging with Pam.d
Detect attempt to enable auditing of TTY input
Password Policy Discovery - Linux
Detects password policy discovery commands
Suspicious C2 Activities
Detects suspicious activities as declared by Florian Roth in its 'Best Practice Auditd Configuration'. This includes the detection of the following commands; wget, curl, base64, nc, netcat, ncat, ssh, socat, wireshark, rawshark, rdesktop, nmap. These commands match a few techniques from the tactics "Command and Control", including not exhaustively the following; Application Layer Protocol (T1071), Non-Application Layer Protocol (T1095), Data Encoding (T1132)
System Information Discovery - Auditd
Detects System Information Discovery commands
Auditing Configuration Changes on Linux Host
Detect changes in auditd configuration files
BPFDoor Abnormal Process ID or Lock File Accessed
detects BPFDoor .lock and .pid files access in temporary file storage facility
Use Of Hidden Paths Or Files
Detects calls to hidden files or files located in hidden directories in NIX systems.
Modification of ld.so.preload
Identifies modification of ld.so.preload for shared object injection. This technique is used by attackers to load arbitrary code into processes.
Logging Configuration Changes on Linux Host
Detect changes of syslog daemons configuration files
Potential Abuse of Linux Magic System Request Key
Detects the potential abuse of the Linux Magic SysRq (System Request) key by adversaries with root or sufficient privileges to silently manipulate or destabilize a system. By writing to /proc/sysrq-trigger, they can crash the system, kill processes, or disrupt forensic analysis—all while bypassing standard logging. Though intended for recovery and debugging, SysRq can be misused as a stealthy post-exploitation tool. It is controlled via /proc/sys/kernel/sysrq or permanently through /etc/sysctl.conf.
System and Hardware Information Discovery
Detects system information discovery commands
Systemd Service Creation
Detects a creation of systemd services which could be used by adversaries to execute malicious code.
Unix Shell Configuration Modification
Detect unix shell configuration modification. Adversaries may establish persistence through executing malicious commands triggered when a new shell is opened.
Disable System Firewall
Detects disabling of system firewalls which could be used by adversaries to bypass controls that limit usage of the network.
Clear or Disable Kernel Ring Buffer Logs via Syslog Syscall
Detects the use of the `syslog` syscall with action code 5 (SYSLOG_ACTION_CLEAR), (4 is SYSLOG_ACTION_READ_CLEAR and 6 is SYSLOG_ACTION_CONSOLE_OFF) which clears the kernel ring buffer (dmesg logs). This can be used by attackers to hide traces after exploitation or privilege escalation. A common technique is running `dmesg -c`, which triggers this syscall internally.
Creation Of An User Account
Detects the creation of a new user account. Such accounts may be used for persistence that do not require persistent remote access tools to be deployed on the system.
Loading of Kernel Module via Insmod
Detects loading of kernel modules with insmod command. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. Adversaries may use LKMs to obtain persistence within the system or elevate the privileges.
Linux Network Service Scanning - Auditd
Detects enumeration of local or remote network services.
Split A File Into Pieces - Linux
Detection use of the command "split" to split files into parts and possible transfer.
System Info Discovery via Sysinfo Syscall
Detects use of the sysinfo system call in Linux, which provides a snapshot of key system statistics such as uptime, load averages, memory usage, and the number of running processes. Malware or reconnaissance tools might leverage sysinfo to fingerprint the system - gathering data to determine if it's a viable target.
Program Executions in Suspicious Folders
Detects program executions in suspicious non-program folders related to malware or hacking activity
Special File Creation via Mknod Syscall
Detects usage of the `mknod` syscall to create special files (e.g., character or block devices). Attackers or malware might use `mknod` to create fake devices, interact with kernel interfaces, or establish covert channels in Linux systems. Monitoring the use of `mknod` is important because this syscall is rarely used by legitimate applications, and it can be abused to bypass file system restrictions or create backdoors.
Webshell Remote Command Execution
Detects possible command execution by web application/web shell
Relevant ClamAV Message
Detects relevant ClamAV messages
Modifying Crontab
Detects suspicious modification of crontab file.
Guacamole Two Users Sharing Session Anomaly
Detects suspicious session with two users present
Equation Group Indicators
Detects suspicious shell commands used in various Equation Group scripts and tools
Buffer Overflow Attempts
Detects buffer overflow attempts in Unix system log files
Commands to Clear or Remove the Syslog - Builtin
Detects specific commands commonly used to remove or empty the syslog
Remote File Copy
Detects the use of tools that copy files from or to remote systems
Code Injection by ld.so Preload
Detects the ld.so preload persistence file. See `man ld.so` for more information.
Potential Suspicious BPF Activity - Linux
Detects the presence of "bpf_probe_write_user" BPF helper-generated warning messages. Which could be a sign of suspicious eBPF activity on the system.
Privileged User Has Been Created
Detects the addition of a new user to a privileged group such as "root" or "sudo"
Linux Command History Tampering
Detects commands that try to clear or tamper with the Linux command history. This technique is used by threat actors in order to evade defenses and execute commands without them being recorded in files such as "bash_history" or "zsh_history".
Suspicious Activity in Shell Commands
Detects suspicious shell commands used in various exploit codes (see references)
Suspicious Log Entries
Detects suspicious log entries in Linux log files
Suspicious Reverse Shell Command Line
Detects suspicious shell commands or program code that may be executed or used in command line to establish a reverse shell
Shellshock Expression
Detects shellshock expressions in log files
Suspicious Use of /dev/tcp
Detects suspicious command with /dev/tcp
JexBoss Command Sequence
Detects suspicious command sequence that JexBoss
Symlink Etc Passwd
Detects suspicious command lines that look as if they would create symbolic links to /etc/passwd
Suspicious OpenSSH Daemon Error
Detects suspicious SSH / SSHD error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts
Disabling Security Tools - Builtin
Detects disabling security tools
Suspicious Named Error
Detects suspicious DNS error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts
Suspicious VSFTPD Error Messages
Detects suspicious VSFTPD error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts
Linux Doas Conf File Creation
Detects the creation of doas.conf file in linux host platform.
Persistence Via Cron Files
Detects creation of cron file or files in Cron directories which could indicates potential persistence.