Sigma Rules
352 rules found for "oscd.community"
Binary Padding - Linux
Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This rule detects the use of dd and truncate to append junk data to a file.
File Time Attribute Change - Linux
Detects file time attribute changes used to hide new files or changes to existing files.
Remove Immutable File Attribute - Auditd
Detects removing immutable file attribute.
Data Compressed
An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.
Overwriting the File with Dev Zero or Null
Detects overwriting (effectively wiping/deleting) of a file.
File or Folder Permissions Change
Detects file and folder permission changes.
Credentials In Files - Linux
Detects attempts to extract passwords from files with grep.
Masquerading as Linux Crond Process
Masquerading occurs when the name or location of an executable, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. Several different variations of this technique have been observed.
Network Sniffing - Linux
Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
Suspicious History File Operations - Linux
Detects command-line operations on shell history files.
Service Reload or Start - Linux
Detects the start, reload or restart of a service.
System Shutdown/Reboot - Linux
Adversaries may shut down or reboot systems to interrupt access to, or aid in the destruction of, those systems.
System Owner or User Discovery - Linux
Detects the execution of host or user discovery utilities such as "whoami", "hostname", "id", etc. Adversaries may use the information from System Owner/User Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Password Policy Discovery - Linux
Detects password policy discovery commands
Auditing Configuration Changes on Linux Host
Detects changes to auditd configuration files.
Modification of ld.so.preload
Identifies modification of ld.so.preload for shared object injection. This technique is used by attackers to load arbitrary code into processes.
Logging Configuration Changes on Linux Host
Detects changes to syslog daemon configuration files.
System and Hardware Information Discovery
Detects system information discovery commands
Linux Network Service Scanning - Auditd
Detects enumeration of local or remote network services.
Split A File Into Pieces - Linux
Detects use of the "split" command to split files into parts, possibly in preparation for transfer.
Webshell Remote Command Execution
Detects possible command execution by web application/web shell
Disabling Security Tools - Builtin
Detects disabling security tools
Scheduled Task/Job At
Detects the use of at/atd, utilities used to schedule tasks. They are often abused by adversaries to maintain persistence or to schedule initial or recurring execution of malicious code.
Decode Base64 Encoded Text
Detects usage of base64 utility to decode arbitrary base64-encoded text
Clear Linux Logs
Detects attempts to clear logs on the system. Adversaries may clear system logs to hide evidence of an intrusion.
File and Directory Discovery - Linux
Detects usage of system utilities such as "find", "tree", "findmnt", etc., to discover files, directories and network shares.
File Deletion
Detects file deletion using the "rm", "shred" or "unlink" commands, which adversaries often use to delete files left behind by their intrusion activity.
Install Root Certificate
Detects installation of a new certificate on the system, which attackers may use to avoid warnings when connecting to controlled web servers or C2s.
Local System Accounts Discovery - Linux
Detects enumeration of local system accounts. This information can help adversaries determine which local accounts exist on a system to aid in follow-on behavior.
Local Groups Discovery - Linux
Detects enumeration of local system groups. Adversaries may attempt to find local system groups and permission settings.
Linux Remote System Discovery
Detects the enumeration of other remote systems.
Scheduled Cron Task/Job - Linux
Detects abuse of the cron utility to perform task scheduling for initial or recurring execution of malicious code. Detection will focus on crontab jobs uploaded from the tmp folder.
Security Software Discovery - Linux
Detects usage of system utilities (only grep and egrep for now) to discover installed security software.
Disabling Security Tools
Detects disabling security tools
Linux Network Service Scanning Tools Execution
Detects execution of network scanning and reconnaissance tools. These tools can be used, for example, to enumerate local or remote network services.
System Information Discovery
Detects system information discovery commands
System Network Connections Discovery - Linux
Detects usage of system utilities to discover system network connections.
System Network Discovery - Linux
Detects enumeration of the local network configuration.
MacOS Emond Launch Daemon
Detects additions to the Emond Launch Daemon that adversaries may use to gain persistence and elevate privileges.
Startup Item File Created - MacOS
Detects the creation of a startup item plist file, which is automatically executed at boot initialization; adversaries may use such startup items to establish persistence. Startup items execute during the final phase of the boot process and contain shell scripts or other executable files along with configuration information used by the system to determine the execution order for all startup items.
MacOS Scripting Interpreter AppleScript
Detects execution of AppleScript, the macOS scripting language.
Decode Base64 Encoded Text - MacOS
Detects usage of base64 utility to decode arbitrary base64-encoded text
Binary Padding - MacOS
Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This rule detects the use of dd and truncate to append junk data to a file.
File Time Attribute Change
Detects file time attribute changes used to hide new files or changes to existing files.
Indicator Removal on Host - Clear Mac System Logs
Detects deletion of local audit logs
Creation Of A Local User Account
Detects the creation of a new user account. Such accounts may be used for persistence without requiring persistent remote access tools to be deployed on the system.
Hidden User Creation
Detects creation of a hidden user account on macOS (UserID < 500) or one created with the IsHidden option.
Credentials from Password Stores - Keychain
Detects password dumps from Keychain.