Sigma Rules
515 rules found for "Red Canary"
Binary Padding - Linux
Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This rule detect using dd and truncate to add a junk data to file.
File Time Attribute Change - Linux
Detect file time attribute change to hide new or changes to existing files.
Remove Immutable File Attribute - Auditd
Detects removing immutable file attribute.
Data Compressed
An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.
Overwriting the File with Dev Zero or Null
Detects overwriting (effectively wiping/deleting) of a file.
File or Folder Permissions Change
Detects file and folder permission changes.
Credentials In Files - Linux
Detecting attempts to extract passwords with grep
Hidden Files and Directories
Detects adversary creating hidden file or directory, by detecting directories or files with . as the first character
Masquerading as Linux Crond Process
Masquerading occurs when the name or location of an executable, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. Several different variations of this technique have been observed.
Network Sniffing - Linux
Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
Screen Capture with Import Tool
Detects adversary creating screen capture of a desktop with Import Tool. Highly recommended using rule on servers, due to high usage of screenshot utilities on user workstations. ImageMagick must be installed.
Screen Capture with Xwd
Detects adversary creating screen capture of a full with xwd. Highly recommended using rule on servers, due high usage of screenshot utilities on user workstations
Suspicious History File Operations - Linux
Detects commandline operations on shell history files
Service Reload or Start - Linux
Detects the start, reload or restart of a service.
System Shutdown/Reboot - Linux
Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems.
System Owner or User Discovery - Linux
Detects the execution of host or user discovery utilities such as "whoami", "hostname", "id", etc. Adversaries may use the information from System Owner/User Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Linux Keylogging with Pam.d
Detect attempt to enable auditing of TTY input
Password Policy Discovery - Linux
Detects password policy discovery commands
System Information Discovery - Auditd
Detects System Information Discovery commands
Use Of Hidden Paths Or Files
Detects calls to hidden files or files located in hidden directories in NIX systems.
Modification of ld.so.preload
Identifies modification of ld.so.preload for shared object injection. This technique is used by attackers to load arbitrary code into processes.
Systemd Service Creation
Detects a creation of systemd services which could be used by adversaries to execute malicious code.
System and Hardware Information Discovery
Detects system information discovery commands
Disable System Firewall
Detects disabling of system firewalls which could be used by adversaries to bypass controls that limit usage of the network.
Loading of Kernel Module via Insmod
Detects loading of kernel modules with insmod command. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. Adversaries may use LKMs to obtain persistence within the system or elevate the privileges.
Linux Network Service Scanning - Auditd
Detects enumeration of local or remote network services.
Split A File Into Pieces - Linux
Detection use of the command "split" to split files into parts and possible transfer.
Modifying Crontab
Detects suspicious modification of crontab file.
Potential Suspicious BPF Activity - Linux
Detects the presence of "bpf_probe_write_user" BPF helper-generated warning messages. Which could be a sign of suspicious eBPF activity on the system.
Privileged User Has Been Created
Detects the addition of a new user to a privileged group such as "root" or "sudo"
Linux Command History Tampering
Detects commands that try to clear or tamper with the Linux command history. This technique is used by threat actors in order to evade defenses and execute commands without them being recorded in files such as "bash_history" or "zsh_history".
Suspicious Use of /dev/tcp
Detects suspicious command with /dev/tcp
Disabling Security Tools - Builtin
Detects disabling security tools
Scheduled Task/Job At
Detects the use of at/atd which are utilities that are used to schedule tasks. They are often abused by adversaries to maintain persistence or to perform task scheduling for initial or recurring execution of malicious code
Decode Base64 Encoded Text
Detects usage of base64 utility to decode arbitrary base64-encoded text
Clear Linux Logs
Detects attempts to clear logs on the system. Adversaries may clear system logs to hide evidence of an intrusion
Syslog Clearing or Removal Via System Utilities
Detects specific commands commonly used to remove or empty the syslog. Which is a technique often used by attacker as a method to hide their tracks
DD File Overwrite
Detects potential overwriting and deletion of a file using DD.
File and Directory Discovery - Linux
Detects usage of system utilities such as "find", "tree", "findmnt", etc, to discover files, directories and network shares.
File Deletion
Detects file deletion using "rm", "shred" or "unlink" commands which are used often by adversaries to delete files left behind by the actions of their intrusion activity
Install Root Certificate
Detects installation of new certificate on the system which attackers may use to avoid warnings when connecting to controlled web servers or C2s
Local System Accounts Discovery - Linux
Detects enumeration of local system accounts. This information can help adversaries determine which local accounts exist on a system to aid in follow-on behavior.
Local Groups Discovery - Linux
Detects enumeration of local system groups. Adversaries may attempt to find local system groups and permission settings
Linux Remote System Discovery
Detects the enumeration of other remote systems.
Scheduled Cron Task/Job - Linux
Detects abuse of the cron utility to perform task scheduling for initial or recurring execution of malicious code. Detection will focus on crontab jobs uploaded from the tmp folder.
Security Software Discovery - Linux
Detects usage of system utilities (only grep and egrep for now) to discover security software discovery
Disabling Security Tools
Detects disabling security tools
Setuid and Setgid
Detects suspicious change of file privileges with chown and chmod commands