LoFP
/
linux
linux rule
Title
Tags
admin activity
t1033
t1059
t1059.004
t1070
t1136
t1136.001
t1485
t1505
t1505.003
t1546
t1546.001
t1685
t1685.001
t1685.005
t1686
linux
windows
sigma
admin activity (especially in /tmp folders)
t1584
t1587
linux
sigma
admin changing date of files.
t1070
t1070.006
linux
sigma
admin or user activity
linux
sigma
admin or user activity are expected to generate some false positives
t1546
t1546.004
linux
sigma
admin work like legit service installs.
t1543
t1543.002
linux
sigma
administrative activity
t1003
t1016
t1021
t1021.001
t1027
t1036
t1053
t1053.005
t1059
t1059.001
t1059.005
t1071
t1071.001
t1087
t1087.001
t1087.002
t1098
t1105
t1133
t1134
t1136
t1136.001
t1137
t1222
t1222.001
t1505
t1505.004
t1552
t1552.006
t1555
t1555.004
t1572
t1615
t1685
linux
windows
sigma
administrative work
t1003
t1056
t1056.001
linux
sigma
administrator interacting with immutable files (e.g. for instance backups).
t1222
t1222.002
linux
sigma
administrator or administrator scripts might delete packages for several reasons (debugging, troubleshooting).
t1070
linux
sigma
administrators or developers may execute kubeletctl during legitimate troubleshooting or incident response to validate kubelet api connectivity or enumerate pods. confirm the user/session and change window before escalating.
t1059
t1609
t1613
linux
elastic
administrators or installed processes that leverage nohup
t1059
t1059.004
linux
sigma
administrators reading kubeconfig or cloud profiles during migration can match; correlate with change tickets and bastion sessions.
t1552
linux
elastic
an administrator troubleshooting. investigate all attempts.
t1685
t1685.004
linux
sigma
any user deleting files that way.
t1485
linux
sigma
appending null bytes to files.
t1485
linux
sigma
automated tools such as jenkins may encode or decode files as part of their normal behavior. these events can be filtered by the process executable or username values.
t1027
t1132
t1140
_deprecated
linux
elastic
backup, configuration management, and image scanners may open the same paths from scripted utilities; baseline trusted agents and narrow exclusions by process executable hash or parent chain.
t1552
linux
elastic
base images, entrypoints, or init wrappers may legitimately invoke curl or wget during container startup (package installs, health checks); baseline trusted images and exclude stable image digests or namespaces when noisy.
t1105
linux
elastic
base64 encoded data in log entries
t1068
linux
sigma
build and packaging images sometimes run chroot against a staged root filesystem inside ci or init containers; correlate with approved pipelines and image build jobs before escalating.
t1611
linux
elastic
certain programs or applications may modify files or change ownership in writable directories. these can be exempted by username.
t1222
linux
elastic
certain tools may create hidden temporary directories upon installation or as part of their normal behavior. these events can be filtered by the process arguments, username, or process name values.
t1564
linux
elastic
certain tools may create hidden temporary files or directories upon installation or as part of their normal behavior. these events can be filtered by the process arguments, username, or process name values.
t1564
linux
elastic
certain tools or automated software may enumerate hardware information. these tools can be exempted via user name or process arguments to eliminate potential noise.
t1082
t1497
cross-platform
linux
elastic
cluster operators and node diagnostics may legitimately probe kubelet endpoints (for example /pods or /metrics) during troubleshooting. validate the initiating user, session, and whether the target node/ip is expected for the host.
t1021
t1059
t1613
linux
elastic
cluster provisioning (kubeadm), configuration management, or administrators editing manifests during maintenance may match. baseline approved automation and interactive admin sessions on control plane nodes.
t1053
t1543
linux
elastic
command line contains daemon-reload.
t1543
t1543.002
linux
sigma
container runtimes or security tools during initialization
t1543
t1543.003
linux
sigma
crazy web applications
t1505
t1505.003
t1584
t1587
linux
sigma
creation of legitimate files in sudoers.d folder as part of administrator work
t1548
t1548.003
linux
sigma
credential reads under non-root home trees are intentionally excluded; clone the rule with explicit per-user file.path values and optional process.executable prefixes if you must cover interactive accounts with matching audit -w lines for those paths.
t1552
linux
elastic
custom administrative wrappers or hardened images that legitimately ship a setuid shell outside /usr/bin or /bin for emergency access may match; document and exclude by executable hash or path when verified.
t1548
linux
elastic
custom container tooling, ci agents, or monitoring may connect to docker.sock or containerd.sock from non-standard paths after relocation or bind mounts. tune by process.executable or user.name when noise is high.
t1550
t1611
t1613
linux
elastic
debugging or legitimate software testing
t1055
t1055.009
t1685
linux
sigma
debugging scripts
t1685
t1685.006
linux
sigma
developer-oriented containers and ci build pods can run curl/wget from pid 1 descendants under runc; correlate with build pipelines and approved registries.
t1105
linux
elastic
device creation by legitimate scripts or init systems (udevadm, makedev)
t1543
t1543.003
linux
sigma
directories /dev/shm and /run/shm are temporary file storage directories in linux. they are intended to appear as a mounted file system, but uses virtual memory instead of a persistent storage device and thus are used for mounting file systems in legitimate purposes.
t1036
t1059
linux
elastic
false positives are expected to be very rare due to the specific nature of this rule. legitimate application deployments typically do not involve multipart form uploads to .action endpoints followed immediately by jsp file creation in webapps directories. however, custom deployment scripts or automated testing tools that simulate file uploads could potentially trigger this alert. review the source ip, user agent, uploaded file content, timing, and deployment schedules to validate if the activity is authorized. standard package manager operations are already excluded from detection.
t1105
t1190
t1505
linux
elastic
false-positives (fp) can appear if the pid file is legitimate and holding a process id as intended. to differentiate, if the pid file is an executable or larger than 10 bytes, it should be ruled suspicious.
t1036
t1106
linux
elastic
false-positives (fp) should be at a minimum with this detection as pid files are meant to hold process ids, not inherently be executables that spawn processes.
t1036
t1059
linux
elastic
field mapping differences between auditd versions can occasionally mis-populate effective versus real user ids; validate raw audit fields when triaging unexpected hits.
t1548
linux
elastic
github operations such as ghe-backup
t1059
t1059.004
linux
sigma
installation of legitimate service.
t1543
t1543.002
linux
sigma
installer scripts or automated provisioning tools
t1059
t1059.004
t1203
linux
sigma
legitimate activities
t1027
t1049
t1083
t1490
t1518
t1518.001
t1553
t1553.001
t1685
macos
linux
sigma
legitimate activity of system administrators
t1219
t1219.002
linux
windows
sigma
legitimate admin activity
t1003
t1003.003
t1018
t1069
t1069.002
t1087
t1087.002
t1482
t1686
linux
windows
sigma
legitimate administration activities
t1007
t1016
t1018
t1033
t1037
t1037.005
t1040
t1046
t1053
t1053.002
t1053.003
t1059
t1059.012
t1069
t1069.001
t1070
t1070.004
t1078
t1078.003
t1082
t1087
t1087.001
t1090
t1098
t1105
t1136
t1136.001
t1140
t1201
t1489
t1518
t1518.001
t1529
t1546
t1546.014
t1548
t1548.001
t1552
t1552.001
t1553
t1553.004
t1555
t1555.001
t1564
t1564.002
t1565
t1565.001
t1592
t1592.004
t1685
t1685.006
t1686
macos
linux
windows
sigma
legitimate administrative activities
t1059
t1059.012
t1082
t1098
t1497
t1497.001
t1685
t1690
macos
gcp
linux
sigma
legitimate administrative tasks or scripts that use 'sudo --chroot' for containerization, testing, or system management.
t1068
linux
sigma
legitimate administrative tasks, package managers, containers, configuration management tools, cloud agents, or system maintenance operations might cause false positives. apply baselining before deployment.
t1053
t1053.003
linux
sigma
legitimate administrator activities
t1531
linux
sigma
legitimate administrator or user uses network sniffing tool for legitimate reasons.
t1040
linux
sigma
legitimate af_alg usage from unprivileged users is uncommon, but some kernel crypto tests, ipsec helpers, disk encryption tooling, hsm integrations, or approved security research systems may exercise this interface. verify the process, user, and host role before adding an exception.
t1068
t1548
linux
elastic
legitimate backup, compliance scanners, or admin scripts that enumerate paths under /home or /var/run/secrets may match. tune by parent process, image, or automation identity.
t1528
t1552
linux
elastic
legitimate cases in which \"rsync\" is used to execute a shell
t1059
linux
sigma
legitimate downloads of files in the tmp folder.
t1105
linux
sigma
legitimate files with similar naming patterns (very unlikely).
t1027
t1059
t1059.004
linux
sigma
legitimate modification of crontab
t1053
t1053.003
linux
sigma
legitimate node health checks, diagnostics, or in-cluster agents may access the kubelet api on port 10250. validate the calling process, command line, and whether the destination is the local node or another node.
t1021
t1613
linux
elastic
legitimate overwrite of files.
t1485
linux
sigma
legitimate ports redirect
t1686
linux
sigma
legitimate pre-commit hooks or ci/cd pipeline jobs that use a script to run a credential scanner as part of a security check.
t1005
t1059
t1059.004
t1059.007
t1552
linux
windows
sigma
legitimate reconfiguration of service.
t1543
t1543.002
linux
sigma
legitimate sandboxing, container tooling, or maintenance scripts may use unshare and spawn privileged helpers under controlled workflows. baseline approved tools and tune by host role, parent process, or user accounts.
t1068
linux
elastic
legitimate shell scripts in the \"profile.d\" directory could be common in your environment. apply additional filter accordingly via \"image\", by adding specific filenames you \"trust\" or by correlating it with other events.
linux
sigma
legitimate software that uses these patterns
t1036
t1059
t1059.004
t1140
linux
sigma
legitimate software, cleaning hist file
t1552
t1552.003
macos
linux
sigma
legitimate system administrator usage of these commands
t1082
linux
sigma
legitimate usage of teamviewer
t1133
macos
linux
windows
sigma
legitimate usage of the unsafe option
t1059
t1059.004
linux
sigma
legitimate usage of wget utility to post a file
t1048
t1048.003
linux
sigma
legitimate usage of xclip tools.
t1115
linux
sigma
legitimate use of archiving tools by legitimate user.
t1560
t1560.001
linux
sigma
legitimate use of crontab
t1007
linux
sigma
legitimate use of crypto miners
t1496
linux
windows
sigma
legitimate use of ngrok
t1090
t1102
t1567
t1568
t1568.002
t1572
linux
sigma
legitimate use of python for decoding data, which is uncommon in typical enterprise environments but possible in development or data analysis contexts.
t1027
t1027.010
t1059
t1059.006
linux
windows
sigma
legitimate use of screenshot utility
t1113
linux
sigma
legitimate use of scx runasprovider executescript.
t1068
t1190
t1203
linux
sigma
legitimate use of scx runasprovider invoke_executeshellcommand.
t1068
t1190
t1203
linux
sigma
legitimate use of the localtonet service.
t1090
t1102
t1572
linux
windows
sigma
legitimate use of trufflehog by security teams or developers.
t1083
t1552
t1552.001
linux
windows
sigma
legitimate user shell modification activity.
t1546
linux
elastic
likely
t1006
t1059
t1059.001
t1082
t1091
t1200
t1217
t1482
t1560
t1560.001
linux
windows
sigma
log rotation.
t1685
t1685.006
linux
sigma
maintenance.
t1685
t1685.006
linux
sigma
netcat is a dual-use tool that can be used for benign or malicious activity. netcat is included in some linux distributions so its presence is not necessarily suspicious. some normal use of this program, while uncommon, may originate from scripts, automation tools, and frameworks.
t1048
t1059
t1095
linux
elastic
network administrators
t1686
linux
sigma
network monitoring or management products may have a web server component that runs shell commands as part of normal behavior.
t1059
t1190
t1505
_deprecated
linux
elastic
normal use of hping is uncommon apart from security testing and research. use by non-security engineers is very uncommon.
t1046
t1082
linux
elastic
other tools that use a --cpu-priority flag
t1068
linux
sigma
platform automation, node bootstrap, and legitimate break-glass admin sessions may use these clis with overlapping arguments. tune by parent process, user, or host role (worker vs bastion).
t1609
t1611
cloud_defend
linux
elastic
platform engineers may nsenter into pid 1 namespaces during deep node debugging; correlate with tickets and bastion sessions before escalating.
t1611
linux
elastic
rare temporary workaround for library misconfiguration
t1574
t1574.006
linux
sigma
regular file creation during system update or software installation by the package manager
linux
sigma
scripts created by developers and admins
t1071
t1071.001
t1105
t1222
t1222.001
t1567
linux
windows
sigma
security tools and device drivers may run these programs in order to enumerate kernel modules. use of these programs by ordinary users is uncommon. these can be exempted by process name or username.
t1082
t1518
linux
rules_building_block
elastic
some automation or break-glass tooling may invoke suid binaries from scripts under /home; validate parent identity and change tickets before escalating.
t1548
linux
elastic
some break-glass workflows or automation may legitimately invoke sudo/su from scripts under user home directories. validate the initiating user, parent context, and change approvals; tune by known admin tooling paths or accounts.
t1548
linux
elastic
some container tools or deployments may use these techniques natively to determine how they proceed with execution, and will need to be filtered
t1082
linux
sigma
some false positives are to be expected on user or administrator machines. apply additional filters as needed.
t1565
t1565.001
linux
sigma
some false positives are to be expected. apply additional filters as needed before pushing to production.
t1222
t1222.002
t1489
t1685
linux
sigma
some normal use of this command may originate from security engineers and network or server administrators, but this is usually not routine or unannounced. use of `nping` by non-engineers or ordinary users is uncommon.
t1046
t1498
linux
elastic
system administrator manually stopping kaspersky services
t1685
linux
sigma
system administrators or scripts that intentionally clear logs
t1685
t1685.006
linux
sigma
system update scripts using temporary files
t1059
t1059.004
t1203
linux
sigma
telnet can be used for both benign or malicious purposes. telnet is included by default in some linux distributions, so its presence is not inherently suspicious. the use of telnet to manage devices remotely has declined in recent years in favor of more secure protocols such as ssh. telnet usage by non-automated tools or frameworks may be suspicious.
t1021
t1071
linux
elastic
testing or development activity
t1048
t1048.003
linux
sigma
there is a potential for false positives if the container is used for legitimate tasks that require the use of network utilities, such as network troubleshooting, testing or system monitoring. it is important to investigate any alerts generated by this rule to determine if they are indicative of malicious activity or part of legitimate container activity.
t1040
t1046
t1105
t1595
cloud_defend
linux
elastic
there is usually no reason to remove modules, but some buggy modules require it. these can be exempted by username. note that some linux distributions are not built to support the removal of modules at all.
t1547
T1562
linux
elastic
this rule may trigger in cases where a user has routine work patterns that result in infrequent authentications.
t1021
t1078
t1133
linux
elastic
trusted openssh executable updates. it's recommended to verify the integrity of openssh binary changes.
t1021
t1543
t1554
t1556
t1563
linux
elastic
trusted system module updates or allowed pluggable authentication module (pam) daemon configuration changes.
t1059
t1105
t1543
t1556
_deprecated
linux
elastic
unknown
t1003
t1003.001
t1003.002
t1003.003
t1003.004
t1003.006
t1005
t1008
t1010
t1012
t1018
t1020
t1021
t1021.001
t1021.002
t1021.003
t1021.005
t1021.006
t1027
t1027.001
t1027.003
t1027.004
t1027.005
t1027.009
t1027.010
t1033
t1036
t1036.003
t1036.005
t1036.007
t1040
t1046
t1047
t1048
t1048.003
t1049
t1053
t1053.002
t1053.005
t1055
t1055.001
t1055.003
t1055.009
t1055.011
t1055.012
t1056
t1056.001
t1057
t1059
t1059.001
t1059.002
t1059.003
t1059.004
t1059.005
t1059.006
t1059.007
t1068
t1069
t1069.001
t1069.002
t1069.003
t1070
t1070.003
t1070.004
t1070.005
t1070.006
t1071
t1071.001
t1071.004
t1072
t1074
t1074.001
t1078
t1078.001
t1078.002
t1078.003
t1078.004
t1082
t1083
t1087
t1087.001
t1087.002
t1087.004
t1090
t1090.001
t1090.003
t1095
t1098
t1102
t1102.001
t1102.003
t1105
t1106
t1110
t1110.001
t1112
t1113
t1114
t1114.001
t1115
t1119
t1123
t1127
t1127.001
t1133
t1134
t1134.001
t1134.002
t1134.003
t1135
t1136
t1136.001
t1136.002
t1137
t1137.002
t1137.006
t1140
t1176
t1176.001
t1185
t1187
t1190
t1195
t1195.001
t1197
t1199
t1200
t1201
t1202
t1203
t1204
t1204.001
t1204.002
t1204.004
t1207
t1210
t1211
t1212
t1216
t1216.001
t1217
t1218
t1218.001
t1218.002
t1218.003
t1218.005
t1218.007
t1218.009
t1218.010
t1218.011
t1218.013
t1219
t1219.002
t1220
t1222
t1222.001
t1482
t1484
t1485
t1486
t1489
t1490
t1491
t1491.001
t1497
t1497.001
t1498
t1499
t1499.004
t1505
t1505.003
t1505.004
t1518
t1518.001
t1526
t1528
t1529
t1531
t1537
t1539
t1543
t1543.001
t1543.003
t1543.004
t1546
t1546.001
t1546.002
t1546.003
t1546.007
t1546.008
t1546.009
t1546.010
t1546.011
t1546.012
t1546.015
t1547
t1547.001
t1547.003
t1547.004
t1547.005
t1547.006
t1547.008
t1547.009
t1547.010
t1548
t1548.002
t1552
t1552.001
t1552.002
t1552.004
t1552.006
t1553
t1553.004
t1554
t1555
t1555.003
t1555.004
t1555.005
t1556
t1556.002
t1557
t1557.001
t1557.003
t1558
t1558.003
t1559
t1559.001
t1559.002
t1560
t1560.001
t1563
t1563.002
t1564
t1564.001
t1564.002
t1564.003
t1564.004
t1565
t1566
t1566.001
t1566.002
t1567
t1567.002
t1569
t1569.002
t1571
t1572
t1573
t1574
t1574.001
t1574.005
t1574.006
t1574.008
t1574.011
t1584
t1587
t1587.001
t1588
t1588.001
t1588.002
t1593
t1593.003
t1595
t1608
t1609
t1611
t1614
t1614.001
t1615
t1621
t1649
t1685
t1685.001
t1686
t1686.003
kubernetes
rpc_firewall
macos
gcp
azure
m365
aws
linux
windows
cisco
zeek
okta
onelogin
sigma
unlikely
t1003
t1003.001
t1003.002
t1003.003
t1003.004
t1003.005
t1003.006
t1005
t1007
t1008
t1012
t1014
t1016
t1018
t1021
t1021.001
t1021.002
t1021.003
t1021.006
t1027
t1027.005
t1027.010
t1033
t1036
t1036.003
t1036.005
t1036.007
t1041
t1046
t1047
t1048
t1048.001
t1053
t1053.003
t1053.005
t1055
t1055.001
t1055.012
t1056
t1057
t1059
t1059.001
t1059.002
t1059.003
t1068
t1070
t1071
t1071.001
t1071.004
t1078
t1078.004
t1082
t1083
t1087
t1090
t1090.001
t1090.003
t1105
t1106
t1112
t1115
t1123
t1127
t1132
t1132.001
t1133
t1134
t1134.001
t1134.002
t1134.004
t1136
t1136.001
t1136.002
t1137
t1137.002
t1140
t1190
t1195
t1195.002
t1202
t1203
t1204
t1204.001
t1204.004
t1213
t1213.003
t1216
t1218
t1218.001
t1218.008
t1218.010
t1218.011
t1218.013
t1219
t1219.002
t1486
t1489
t1490
t1496
t1498
t1499
t1499.001
t1505
t1505.003
t1526
t1528
t1543
t1543.003
t1546
t1546.008
t1546.015
t1548
t1548.002
t1550
t1550.003
t1552
t1552.004
t1553
t1553.004
t1555
t1556
t1556.006
t1557
t1557.001
t1558
t1558.003
t1564
t1564.004
t1566
t1566.001
t1566.002
t1569
t1569.002
t1570
t1574
t1574.001
t1574.007
t1586
t1587
t1587.001
t1588
t1588.002
t1590
t1590.001
t1590.002
t1620
t1649
t1653
t1685
t1685.001
t1689
opencanary
bitbucket
macos
azure
m365
aws
linux
windows
okta
sigma
updates to approved and trusted ssh executables can trigger this rule.
t1074
t1554
t1556
linux
elastic
user interacting with files permissions (normal/daily behaviour).
t1222
t1222.002
linux
sigma
web applications that invoke linux command line tools
t1505
t1505.003
linux
sigma
LoFP
/
linux