Sigma Rules
22 rules found for "Pawel Mazur"
Linux Capabilities Discovery
Detects attempts to discover files with setuid/setgid capabilities set on them, which would allow an adversary to escalate their privileges.
Clipboard Collection with Xclip Tool - Auditd
Detects attempts to collect data stored in the clipboard of users using the xclip tool. Xclip has to be installed. Using this rule on servers is highly recommended, due to the high usage of clipboard utilities on user workstations.
Clipboard Collection of Image Data with Xclip Tool
Detects attempts to collect image data stored in the clipboard of users using the xclip tool. Xclip has to be installed. Using this rule on servers is highly recommended, due to the high usage of clipboard utilities on user workstations.
Data Exfiltration with Wget
Detects attempts to post a file using the wget utility. An adversary can bypass permission restrictions through a misconfigured sudo permission for the wget utility, which could allow them to read files like /etc/shadow.
Hidden Files and Directories
Detects an adversary creating a hidden file or directory, by detecting directories or files with "." as the first character of their name.
Steganography Hide Zip Information in Picture File
Detects appending of a zip file to an image file.
Screen Capture with Import Tool
Detects an adversary creating a screen capture of a desktop with the Import tool. Using this rule on servers is highly recommended, due to the high usage of screenshot utilities on user workstations. ImageMagick must be installed.
Screen Capture with Xwd
Detects an adversary creating a screen capture of a full screen with xwd. Using this rule on servers is highly recommended, due to the high usage of screenshot utilities on user workstations.
Steganography Hide Files with Steghide
Detects embedding of files using the steghide binary. Adversaries may use this technique to prevent the detection of hidden information.
Steganography Extract Files with Steghide
Detects extraction of files using the steghide binary. Adversaries may use this technique to prevent the detection of hidden information.
Steganography Unzip Hidden Information From Picture File
Detects extraction of a zip file from an image file.
Audio Capture
Detects attempts to record audio using the arecord and ecasound utilities.
Linux Keylogging with Pam.d
Detects attempts to enable auditing of TTY input.
Password Policy Discovery - Linux
Detects password policy discovery commands
System Information Discovery - Auditd
Detects System Information Discovery commands
Systemd Service Creation
Detects the creation of systemd services, which could be used by adversaries to execute malicious code.
Disable System Firewall
Detects disabling of system firewalls which could be used by adversaries to bypass controls that limit usage of the network.
Creation Of An User Account
Detects the creation of a new user account. Such accounts may be used to establish persistence without requiring persistent remote access tools to be deployed on the system.
Loading of Kernel Module via Insmod
Detects loading of kernel modules with the insmod command. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded into and unloaded from the kernel on demand. Adversaries may use LKMs to obtain persistence within the system or elevate their privileges.
Modifying Crontab
Detects suspicious modification of crontab file.
Privileged User Has Been Created
Detects the addition of a new user to a privileged group such as "root" or "sudo".
Clipboard Collection with Xclip Tool
Detects attempts to collect data stored in the clipboard of users using the xclip tool. Xclip has to be installed. Using this rule on servers is highly recommended, due to the high usage of clipboard utilities on user workstations.