LoFP / linux

linux rule

admin activity
admin activity (especially in /tmp folders)
admin changing file timestamps.
admin changing file permissions.
admin or user activity
admin or user activity is expected to generate some false positives
admin work like legit service installs.
administrative activity
administrative work
administrator interacting with immutable files (e.g. backups).
administrator or administrator scripts might delete packages for several reasons (debugging, troubleshooting).
administrators or installed processes that leverage nohup
any legitimate cron file.
any user deleting files that way.
appending null bytes to files.
automated tools such as jenkins may encode or decode files as part of their normal behavior. these events can be filtered by the process executable or username values.
certain programs or applications may modify files or change ownership in writable directories. these can be exempted by username.
certain tools may create hidden temporary files or directories upon installation or as part of their normal behavior. these events can be filtered by the process arguments, username, or process name values.
certain tools or automated software may enumerate hardware information. these tools can be exempted via user name or process arguments to eliminate potential noise.
crazy web applications
creation of legitimate files in sudoers.d folder part of administrator work
directories /dev/shm and /run/shm are temporary file storage directories in linux. they are intended to appear as a mounted file system, but use virtual memory instead of a persistent storage device, and are therefore used for mounting file systems for legitimate purposes.
false-positives (fp) can appear if the pid file is legitimate and holds a process id as intended. to differentiate, if the pid file is an executable or larger than 10 bytes, it should be ruled suspicious.
false-positives (fp) should be at a minimum with this detection, as pid files are meant to hold process ids, not to be executables that spawn processes.
installation of legitimate service.
legitimate activities
legitimate activity of system administrators
legitimate admin activity
legitimate administration activities
legitimate administrative activities
legitimate administrator activities
legitimate administrator or user using a network sniffing tool for legitimate reasons.
legitimate downloads of files in the tmp folder.
legitimate modification of crontab
legitimate overwrite of files.
legitimate port redirects
legitimate reconfiguration of service.
legitimate shell scripts in the "profile.d" directory could be common in your environment. apply additional filters accordingly via "image", by adding specific filenames you "trust", or by correlating with other events.
legitimate software that uses these patterns
legitimate software cleaning the history file
legitimate system administrator usage of these commands
legitimate usage of teamviewer
legitimate usage of the unsafe option
legitimate usage of wget utility to post a file
legitimate usage of xclip tools.
legitimate use of archiving tools by legitimate user.
legitimate use of crontab
legitimate use of crypto miners
legitimate use of ngrok
legitimate use of screenshot utility
legitimate use of scx runasprovider executescript.
legitimate use of scx runasprovider invoke_executeshellcommand.
legitimate user shell modification activity.
likely
log rotation.
netcat is a dual-use tool that can be used for benign or malicious activity. netcat is included in some linux distributions so its presence is not necessarily suspicious. some normal use of this program, while uncommon, may originate from scripts, automation tools, and frameworks.
network administrators
network monitoring or management products may have a web server component that runs shell commands as part of normal behavior.
normal use of hping is uncommon apart from security testing and research. use by non-security engineers is very uncommon.
other tools that use a --cpu-priority flag
rare temporary workaround for library misconfiguration
regular file creation during system update or software installation by the package manager
scripts created by developers and admins
security tools and device drivers may run these programs in order to enumerate kernel modules. use of these programs by ordinary users is uncommon. these can be exempted by process name or username.
some container tools or deployments may use these techniques natively to determine how they proceed with execution, and will need to be filtered
some false positives are to be expected on user or administrator machines. apply additional filters as needed.
some normal use of this command may originate from security engineers and network or server administrators, but this is usually not routine or unannounced. use of `nping` by non-engineers or ordinary users is uncommon.
telnet can be used for both benign and malicious purposes. telnet is included by default in some linux distributions, so its presence is not inherently suspicious. the use of telnet to manage devices remotely has declined in recent years in favor of more secure protocols such as ssh. telnet usage by non-automated tools or frameworks may be suspicious.
there is usually no reason to remove modules, but some buggy modules require it. these can be exempted by username. note that some linux distributions are not built to support the removal of modules at all.
trusted openssh executable updates. it's recommended to verify the integrity of openssh binary changes.
typos
unlikely
updates to approved and trusted ssh executables can trigger this rule.
user interacting with file permissions (normal/daily behaviour).
web applications that invoke linux command line tools
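Several entries above (the base64/encoding, hidden-file, hardware-enumeration and kernel-module notes) say the same thing: the rule fires on dual-use activity, and the false positives are tuned out by exempting specific users, executables or process arguments. The script below is an added example, not code from LoFP or from any of the rule sets it indexes. It applies simplified stand-ins for two such rules to constructed sample events and then applies exemptions keyed on the resolved executable path plus user and parent, rather than on the bare process name alone, so a copy of the tool dropped in /tmp under the same name is still alerted on. The rule regexes, the exemption entries, the `vendor-agent` parent and all events are assumptions made for illustration.

```python
import re
from collections import namedtuple

# One process-creation event: the user, the resolved executable path,
# the full command line and the parent executable path.
Event = namedtuple("Event", "user exe cmdline parent")

# Illustrative stand-ins for the detection logic the page's notes refer to
# (assumption: real rules are richer; these only match the obvious commands).
RULES = {
    "encode_decode_activity": re.compile(r"^(base64|xxd)\b|^openssl\s+enc\b"),
    "kernel_module_enumeration": re.compile(r"^(lsmod|modinfo|kmod\s+list)\b"),
}

# Exemptions, as the notes suggest, per rule. Each entry must match on every
# listed field, so user alone or process name alone is never enough.
# The jenkins and vendor-agent entries are hypothetical.
EXEMPTIONS = {
    "encode_decode_activity": [
        {"user": "jenkins", "exe": "/usr/bin/base64", "parent": "/usr/bin/java"},
    ],
    "kernel_module_enumeration": [
        {"user": "root", "exe": "/sbin/lsmod", "parent": "/usr/sbin/vendor-agent"},
    ],
}


def match_rules(ev):
    """Names of rules whose pattern matches the event's command line."""
    return [name for name, rx in RULES.items() if rx.search(ev.cmdline)]


def is_exempt(rule, ev):
    """True if every field of some exemption entry equals the event's field."""
    for ex in EXEMPTIONS.get(rule, []):
        if all(getattr(ev, field) == value for field, value in ex.items()):
            return True
    return False


def triage(events):
    """Return {rule_name: [events that still alert after exemptions]}."""
    alerts = {}
    for ev in events:
        for rule in match_rules(ev):
            if not is_exempt(rule, ev):
                alerts.setdefault(rule, []).append(ev)
    return alerts


# Constructed sample events (not captured from a real host).
SAMPLE_EVENTS = [
    # CI job decoding a build artifact: the documented benign case.
    Event("jenkins", "/usr/bin/base64",
          "base64 -d /var/lib/jenkins/workspace/build.tgz.b64", "/usr/bin/java"),
    # Same binary, but spawned from a web server as an unexpected user.
    Event("www-data", "/usr/bin/base64", "base64 -d /tmp/.x", "/usr/bin/php"),
    # Same user as the exemption, but a copy of the tool living in /tmp.
    Event("jenkins", "/tmp/base64", "base64 -d /tmp/.x", "/bin/sh"),
    # openssl used for encryption, not exempted anywhere.
    Event("root", "/usr/bin/openssl", "openssl enc -aes-256-cbc -in f -out f.enc", "/bin/bash"),
    # Vendor agent enumerating modules as root: the documented benign case.
    Event("root", "/sbin/lsmod", "lsmod", "/usr/sbin/vendor-agent"),
    # An ordinary user enumerating modules from an interactive shell.
    Event("alice", "/sbin/lsmod", "lsmod", "/bin/bash"),
]

if __name__ == "__main__":
    for rule, evs in triage(SAMPLE_EVENTS).items():
        for ev in evs:
            print("%-28s %-9s %s (parent %s)" % (rule, ev.user, ev.cmdline, ev.parent))
```

Running it prints the four events that survive the exemptions: the www-data and /tmp base64 decodes, the openssl encryption, and alice's lsmod. Keep exemption entries this specific; an exemption on `user == jenkins` alone would also have silenced the /tmp copy.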
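The two pid-file notes above give a concrete discriminator: a real pid file holds a process id and nothing else, so a file that is executable or larger than 10 bytes should be treated as suspicious. The following script is an added example that implements that check; it is not code from LoFP or from the rule it annotates. The 10-byte threshold is taken from the note, the extra checks for symlinks and non-numeric content are my additions, and the sample files are constructed in a temporary directory rather than read from /run.

```python
import os
import stat
import tempfile

# Threshold from the rule note: a pid plus a trailing newline is at most
# 8 bytes on Linux (pid_max is 7 digits), so 10 leaves a little slack.
MAX_PID_FILE_BYTES = 10


def classify_pid_file(path):
    """Return (verdict, reason) for a file that claims to be a pid file."""
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        # A symlink lets an attacker redirect the service to a foreign target.
        return ("suspicious", "symlink")
    if not stat.S_ISREG(st.st_mode):
        return ("suspicious", "not a regular file")
    if st.st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        return ("suspicious", "executable bit set")
    if st.st_size > MAX_PID_FILE_BYTES:
        return ("suspicious", "size %d > %d bytes" % (st.st_size, MAX_PID_FILE_BYTES))
    with open(path, "rb") as fh:
        body = fh.read(MAX_PID_FILE_BYTES + 1)
    text = body.strip()
    if not text.isdigit():
        return ("suspicious", "content is not a process id")
    return ("benign", "holds pid %s" % text.decode())


def scan_pid_dir(directory):
    """Classify every *.pid file directly under directory."""
    results = {}
    for name in sorted(os.listdir(directory)):
        if name.endswith(".pid"):
            results[name] = classify_pid_file(os.path.join(directory, name))
    return results


def build_sample_dir():
    """Constructed sample pid files (not real system data) in a temp dir."""
    d = tempfile.mkdtemp(prefix="pidcheck-")
    with open(os.path.join(d, "sshd.pid"), "w") as fh:
        fh.write("1234\n")                       # legitimate: pid and newline
    with open(os.path.join(d, "evil.pid"), "w") as fh:
        fh.write("#!/bin/sh\n/tmp/payload\n")    # a script parked under a .pid name
    os.chmod(os.path.join(d, "evil.pid"), 0o755)
    with open(os.path.join(d, "blob.pid"), "w") as fh:
        fh.write("123456789012345")             # 15 bytes, cannot be a pid
    with open(os.path.join(d, "empty.pid"), "w") as fh:
        pass                                    # zero bytes, nothing to hold
    return d


if __name__ == "__main__":
    sample = build_sample_dir()
    for name, (verdict, reason) in scan_pid_dir(sample).items():
        print("%-10s %-10s %s" % (name, verdict, reason))
```

Point `scan_pid_dir` at /run or /var/run on a real host to reproduce the rule's verdicts; only sshd.pid in the sample comes back benign. The size and executable-bit checks are cheap and never need file content, which is why the note leads with them.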