Rule Library
Sigma Rules
2 rules found for "Rafal Piasecki"
Library totals: 3,707 rules (3,116 Detection, 451 Emerging, 137 Hunting)
Detection · medium · test
Bpfdoor TCP Ports Redirect
All TCP traffic arriving on a particular port from the attacker's host is redirected to a different port, e.g. '/sbin/iptables -t nat -D PREROUTING -p tcp -s 192.168.1.1 --dport 22 -j REDIRECT --to-ports 42392'. The traffic looks like encrypted SSH going to TCP port 22, but once it hits the iptables NAT rule it is redirected to the shell port. Because the rule matches on the attacker's source address, only that host is redirected.
Linux · auditd
TA0005 · Defense Evasion / T1562.004 · Disable or Modify System Firewall
Rafal Piasecki · Wed Aug 10 · linux
Detection · high · test
BPFDoor Abnormal Process ID or Lock File Accessed
Detects access to the .lock and .pid files that BPFDoor drops in the system's temporary file storage.
Linux · auditd
TA0002 · Execution / T1106 · Native API, T1059 · Command and Scripting Interpreter
Rafal Piasecki · Wed Aug 10 · linux
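The two rules above both consume auditd records: the first looks for an iptables execve that installs a NAT PREROUTING REDIRECT, the second for PATH records touching BPFDoor's .pid/.lock files. The following is an added example, not code from this rule library or from the Sigma rules' own YAML, that parses auditd lines and applies both checks. It assumes: order-independent matching of the iptables tokens (the rules' exact field matching is not reproduced on this page); a set of indicator paths taken from public BPFDoor reporting, since the page lists none; and constructed sample records rather than real captures.

```python
"""Added example (not from the rule library page nor the Sigma rules' own
YAML): a small auditd record scanner that mirrors the intent of the two
BPFDoor rules above. The sample records are constructed, not captured."""
import re
from typing import Dict, List, Tuple

# auditd fields are key=value; values are either quoted strings or bare tokens.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
HEX_RE = re.compile(r'[0-9A-Fa-f]+')


def parse_record(line: str) -> Dict[str, str]:
    """Parse one auditd line into a field dict. EXECVE args (a0, a1, ...)
    that auditd hex-encoded (bare, even-length hex) are decoded."""
    rec: Dict[str, str] = {}
    for key, val in FIELD_RE.findall(line):
        if val.startswith('"') and val.endswith('"'):
            val = val[1:-1]
        elif re.fullmatch(r'a\d+', key) and len(val) % 2 == 0 and HEX_RE.fullmatch(val):
            val = bytes.fromhex(val).decode("utf-8", errors="replace")
        rec[key] = val
    return rec


def execve_argv(rec: Dict[str, str]) -> List[str]:
    """Rebuild argv from a0..aN of an EXECVE record, in order."""
    argv, i = [], 0
    while f"a{i}" in rec:
        argv.append(rec[f"a{i}"])
        i += 1
    return argv


# Rule 1 (T1562.004): iptables installing a NAT PREROUTING REDIRECT rule.
# Tokens are matched order-independently here (assumption; the Sigma rule's
# own field matching is not shown on the page).
REDIRECT_TOKENS = {"-t", "nat", "PREROUTING", "REDIRECT", "--to-ports"}


def is_port_redirect(rec: Dict[str, str]) -> bool:
    if rec.get("type") != "EXECVE":
        return False
    argv = execve_argv(rec)
    return bool(argv) and argv[0].endswith("iptables") and REDIRECT_TOKENS <= set(argv)


# Rule 2 (T1106/T1059): access to BPFDoor's .pid/.lock files under /var/run.
# Paths assumed from public BPFDoor reporting; the page itself lists none.
BPFDOOR_FILES = {
    "/var/run/haldrund.pid",
    "/var/run/xinetd.lock",
    "/var/run/kdevrund.pid",
}


def is_bpfdoor_file_access(rec: Dict[str, str]) -> bool:
    return rec.get("type") == "PATH" and rec.get("name") in BPFDOOR_FILES


def scan(lines) -> List[Tuple[str, str]]:
    """Return (rule name, audit msg id) for every record that fires a rule."""
    hits = []
    for line in lines:
        rec = parse_record(line)
        if is_port_redirect(rec):
            hits.append(("Bpfdoor TCP Ports Redirect", rec.get("msg", "?")))
        if is_bpfdoor_file_access(rec):
            hits.append(("BPFDoor Abnormal Process ID or Lock File Accessed", rec.get("msg", "?")))
    return hits


# Constructed sample records: one hit per rule plus a benign neighbour for each.
SAMPLE_LINES = [
    'type=EXECVE msg=audit(1660000000.101:201): argc=15 a0="/sbin/iptables" a1="-t" a2="nat" '
    'a3="-A" a4="PREROUTING" a5="-p" a6="tcp" a7="-s" a8="192.168.1.1" a9="--dport" a10="22" '
    'a11="-j" a12="REDIRECT" a13="--to-ports" a14="42392"',
    'type=EXECVE msg=audit(1660000000.102:202): argc=9 a0="/sbin/iptables" a1="-A" a2="INPUT" '
    'a3="-p" a4="tcp" a5="--dport" a6="22" a7="-j" a8="ACCEPT"',
    'type=PATH msg=audit(1660000000.103:203): item=0 name="/var/run/haldrund.pid" inode=4242 '
    'dev=00:18 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL',
    'type=PATH msg=audit(1660000000.104:204): item=0 name="/var/run/sshd.pid" inode=4243 '
    'dev=00:18 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL',
]

if __name__ == "__main__":
    for rule, msg in scan(SAMPLE_LINES):
        print(f"{rule}: {msg}")
```

Two practical caveats the listing does not spell out: auditd hex-encodes any execve argument containing whitespace or non-printables, so a detector that reads `aN` fields raw will miss those (the parser above decodes them), and the benign `iptables -A INPUT ... -j ACCEPT` record shows why matching on the full token set rather than on the binary name alone keeps the redirect rule from firing on routine firewall administration.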