LoFP LoFP / administrator or network operator can execute this command. please update the filter macros to remove false positives.

Techniques

Sample rules

Linux Common Process For Elevation Control

Description

The following analytic identifies the execution of common Linux processes used for elevation control, such as chmod, chown, and setuid. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant because these processes are often abused by adversaries to gain persistence or escalate privileges on compromised hosts. If confirmed malicious, this behavior could allow attackers to modify file attributes, change file ownership, or set user IDs, potentially leading to unauthorized access and control over critical system resources.

Detection logic


| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN ("chmod", "chown", "fchmod", "fchmodat", "fchown", "fchownat", "fremovexattr", "fsetxattr", "lchown", "lremovexattr", "lsetxattr", "removexattr", "setuid", "setgid", "setreuid", "setregid", "chattr") OR Processes.process IN ("*chmod *", "*chown *", "*fchmod *", "*fchmodat *", "*fchown *", "*fchownat *", "*fremovexattr *", "*fsetxattr *", "*lchown *", "*lremovexattr *", "*lsetxattr *", "*removexattr *", "*setuid *", "*setgid *", "*setreuid *", "*setregid *", "*setcap *", "*chattr *") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid 
| `drop_dm_object_name(Processes)` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `linux_common_process_for_elevation_control_filter`

Linux Setuid Using Setcap Utility

Description

The following analytic detects the execution of the ‘setcap’ utility to enable the SUID bit on Linux systems. It leverages Endpoint Detection and Response (EDR) data, focusing on process names and command-line arguments that indicate the use of ‘setcap’ with specific capabilities. This activity is significant because setting the SUID bit allows a user to temporarily gain root access, posing a substantial security risk. If confirmed malicious, an attacker could escalate privileges, execute arbitrary commands with elevated permissions, and potentially compromise the entire system.

Detection logic


| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name = setcap OR Processes.process = "*setcap *") AND Processes.process IN ("* cap_setuid=ep *", "* cap_setuid+ep *", "* cap_net_bind_service+p *", "* cap_net_raw+ep *", "* cap_dac_read_search+ep *") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid 
| `drop_dm_object_name(Processes)` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `linux_setuid_using_setcap_utility_filter`

Linux Doas Conf File Creation

Description

The following analytic detects the creation of the doas.conf file on a Linux host. This file is used by the doas utility to allow standard users to perform tasks as root, similar to sudo. The detection leverages filesystem data from the Endpoint data model, focusing on the creation of the doas.conf file. This activity is significant because it can indicate an attempt to gain elevated privileges, potentially by an adversary. If confirmed malicious, this could allow an attacker to execute commands with root privileges, leading to full system compromise.

Detection logic


| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN ("*/etc/doas.conf") by Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.process_guid Filesystem.file_path 
| `drop_dm_object_name(Filesystem)` 
| `security_content_ctime(lastTime)` 
| `security_content_ctime(firstTime)` 
| `linux_doas_conf_file_creation_filter`

Linux Auditd Possible Access To Credential Files

Description

The following analytic detects attempts to access or dump the contents of /etc/passwd and /etc/shadow files on Linux systems. It leverages data from Linux Auditd, focusing on processes like ‘cat’, ’nano’, ‘vim’, and ‘vi’ accessing these files. This activity is significant as it may indicate credential dumping, a technique used by adversaries to gain persistence or escalate privileges. If confirmed malicious, privileges. If confirmed malicious, attackers could obtain hashed passwords for offline cracking, leading to unauthorized access and potential system compromise.

Detection logic

`linux_auditd` `linux_auditd_normalized_proctitle_process` 
| rename host as dest 
| where (LIKE (process_exec, "%shadow%") OR LIKE (process_exec, "%passwd%")) AND (LIKE (process_exec, "%cat %") OR LIKE (process_exec, "%nano %")OR LIKE (process_exec, "%vim %") OR LIKE (process_exec, "%vi %")) 
| stats count min(_time) as firstTime max(_time) as lastTime by process_exec proctitle normalized_proctitle_delimiter dest 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`
| `linux_auditd_possible_access_to_credential_files_filter`

Linux Auditd Doas Conf File Creation

Description

The following analytic detects the creation of the doas.conf file on a Linux host. This file is used by the doas utility to allow standard users to perform tasks as root, similar to sudo. The detection leverages Linux Auditd data, focusing on the creation of the doas.conf file. This activity is significant because it can indicate an attempt to gain elevated privileges, potentially by an adversary. If confirmed malicious, this could allow an attacker to execute commands with root commands with root privileges, leading to full system compromise.

Detection logic

`linux_auditd` type=PATH name ="/etc/doas.conf*" 
| rename host as dest 
| stats count min(_time) as firstTime max(_time) as lastTime by name nametype OGID type dest 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `linux_auditd_doas_conf_file_creation_filter`

Linux Install Kernel Module Using Modprobe Utility

Description

The following analytic detects the installation of a Linux kernel module using the modprobe utility. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant because installing a kernel module can indicate an attempt to deploy a rootkit or other malicious kernel-level code, potentially leading to elevated privileges and bypassing security detections. If confirmed malicious, this could allow an attacker to gain persistent, high-level access to the system, compromising its integrity and security.

Detection logic


| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN("kmod", "sudo") AND Processes.process = *modprobe* by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid 
| `drop_dm_object_name(Processes)` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `linux_install_kernel_module_using_modprobe_utility_filter`

Linux Auditd Possible Access To Sudoers File

Description

The following analytic detects potential access or modification of the /etc/sudoers file on a Linux system. It leverages data from Linux Auditd, focusing on processes like “cat,” “nano,” “vim,” and “vi” accessing the /etc/sudoers file. This activity is significant because the sudoers file controls user permissions for executing commands with elevated privileges. If confirmed malicious, an attacker could gain persistence or escalate privileges, compromising the security of the targeted host.

Detection logic

`linux_auditd` type=PATH name="/etc/sudoers*" 
| rename host as dest 
| stats count min(_time) as firstTime max(_time) as lastTime by name nametype OGID type dest 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `linux_auditd_possible_access_to_sudoers_file_filter`

Linux Setuid Using Chmod Utility

Description

The following analytic detects the execution of the chmod utility to set the SUID or SGID bit on files, which can allow users to temporarily gain root or group-level access. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments related to chmod. This activity is significant as it can indicate an attempt to escalate privileges or maintain persistence on a system. If confirmed malicious, an attacker could gain elevated access, potentially compromising sensitive data or critical system functions.

Detection logic


| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes WHERE (Processes.process_name = chmod OR Processes.process = "*chmod *") AND Processes.process IN("* g+s *", "* u+s *", "* 4777 *", "* 4577 *") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid 
| `drop_dm_object_name(Processes)` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `linux_setuid_using_chmod_utility_filter`

Linux System Network Discovery

Description

The following analytic identifies potential enumeration of local network configuration on Linux systems. It detects this activity by monitoring processes such as “arp,” “ifconfig,” “ip,” “netstat,” “firewall-cmd,” “ufw,” “iptables,” “ss,” and “route” within a 30-minute window. This behavior is significant as it often indicates reconnaissance efforts by adversaries to gather network information for subsequent attacks. If confirmed malicious, this activity could enable attackers to map the network, identify vulnerabilities, and plan further exploitation or lateral movement within the environment.

Detection logic


| tstats `security_content_summariesonly` count values(Processes.process_name) as process_name_list values(Processes.process) as process_list values(Processes.process_id) as process_id_list values(Processes.parent_process_id) as parent_process_id_list values(Processes.process_guid) as process_guid_list dc(Processes.process_name) as process_name_count from datamodel=Endpoint.Processes where Processes.process_name IN ("arp", "ifconfig", "ip", "netstat", "firewall-cmd", "ufw", "iptables", "ss", "route") by _time span=30m Processes.dest Processes.user 
| where process_name_count >=4 
| `drop_dm_object_name(Processes)`
| `linux_system_network_discovery_filter`

Linux Doas Tool Execution

Description

The following analytic detects the execution of the ‘doas’ tool on a Linux host. This tool allows standard users to perform tasks with root privileges, similar to ‘sudo’. The detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as ‘doas’ can be exploited by adversaries to gain elevated privileges on a compromised host. If confirmed malicious, this could lead to unauthorized administrative access, potentially compromising the entire system.

Detection logic


| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = "doas" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid 
| `drop_dm_object_name(Processes)` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `linux_doas_tool_execution_filter`

Linux Auditd Doas Tool Execution

Description

The following analytic detects the execution of the ‘doas’ tool on a Linux host. This tool allows standard users to perform tasks with root privileges, similar to ‘sudo’. The detection leverages data from Linux Auditd, focusing on process names and command-line executions. This activity is significant as ‘doas’ can be exploited by adversaries to gain elevated privileges on a compromised host. If confirmed malicious, this could lead to unauthorized administrative access, potentially compromising the entire system.

Detection logic

`linux_auditd` type=SYSCALL comm=doas 
| rename host as dest 
| stats count min(_time) as firstTime max(_time) as lastTime by comm exe  SYSCALL UID ppid pid success dest 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`
| `linux_auditd_doas_tool_execution_filter`

Linux Add User Account

Description

The following analytic detects the creation of new user accounts on Linux systems using commands like “useradd” or “adduser.” It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as adversaries often create new user accounts to establish persistence on compromised hosts. If confirmed malicious, this could allow attackers to maintain access, escalate privileges, and further compromise the system, posing a severe security risk.

Detection logic


| tstats `security_content_summariesonly` count from datamodel=Endpoint.Processes where Processes.process_name IN ("useradd", "adduser") OR Processes.process IN ("*useradd *", "*adduser *") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid 
| `drop_dm_object_name(Processes)` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `linux_add_user_account_filter`

Linux Auditd Setuid Using Chmod Utility

Description

The following analytic detects the execution of the chmod utility to set the SUID or SGID bit on files, which can allow users to temporarily gain root or group-level access. This detection leverages data from Linux Auditd, focusing on process names and command-line arguments related to chmod. This activity is significant as it can indicate an attempt to escalate privileges or maintain persistence on a system. If confirmed malicious, an attacker could gain elevated access, potentially compromising sensitive data or critical system functions.

Detection logic

`linux_auditd` `linux_auditd_normalized_proctitle_process` 
| rename host as dest 
| where LIKE (process_exec, "%chmod %") AND (LIKE (process_exec, "% u+s %") OR LIKE (process_exec, "% g+s %") OR LIKE (process_exec, "% 4777 %") OR LIKE (process_exec, "% 4577 %")) 
| stats count min(_time) as firstTime max(_time) as lastTime by process_exec proctitle normalized_proctitle_delimiter dest 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`
| `linux_auditd_setuid_using_chmod_utility_filter`

Linux Possible Access To Sudoers File

Description

The following analytic detects potential access or modification of the /etc/sudoers file on a Linux system. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on processes like “cat,” “nano,” “vim,” and “vi” accessing the /etc/sudoers file. This activity is significant because the sudoers file controls user permissions for executing commands with elevated privileges. If confirmed malicious, an attacker could gain persistence or escalate privileges, compromising the security of the targeted host.

Detection logic


| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN("cat", "nano*","vim*", "vi*")  AND Processes.process IN("*/etc/sudoers*") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id 
| `drop_dm_object_name(Processes)` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `linux_possible_access_to_sudoers_file_filter`

Linux Auditd Change File Owner To Root

Description

The following analytic detects the use of the ‘chown’ command to change a file owner to ‘root’ on a Linux system. It leverages Linux Auditd telemetry, specifically monitoring command-line executions and process details. This activity is significant as it may indicate an attempt to escalate privileges by adversaries, malware, or red teamers. If confirmed malicious, this action could allow an attacker to gain root-level access, leading to full control over the compromised host and potential persistence within the environment.

Detection logic

`linux_auditd` `linux_auditd_normalized_proctitle_process`
| rename host as dest 
| where LIKE (process_exec, "%chown %root%") 
| stats count min(_time) as firstTime max(_time) as lastTime by process_exec proctitle normalized_proctitle_delimiter dest 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`
| `linux_auditd_change_file_owner_to_root_filter`

Linux Auditd Preload Hijack Library Calls

Description

The following analytic detects the use of the LD_PRELOAD environment variable to hijack or hook library functions on a Linux platform. It leverages data from Linux Auditd, focusing on process execution logs that include command-line details. This activity is significant because adversaries, malware authors, and red teamers commonly use this technique to gain elevated privileges and establish persistence on a compromised machine. If confirmed malicious, this behavior could allow attackers to execute arbitrary code, escalate privileges, and maintain long-term access to the system.

Detection logic

`linux_auditd` `linux_auditd_normalized_execve_process` 
| rename host as dest 
| where LIKE (process_exec, "%LD_PRELOAD%")
| stats count min(_time) as firstTime max(_time) as lastTime by argc process_exec dest 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `linux_auditd_preload_hijack_library_calls_filter`

Linux Account Manipulation Of SSH Config and Keys

Description

The following analytic detects the deletion of SSH keys on a Linux machine. It leverages filesystem event logs to identify when files within “/etc/ssh/” or “~/.ssh/” are deleted. This activity is significant because attackers may delete or modify SSH keys to evade security measures or as part of a destructive payload, similar to the AcidRain malware. If confirmed malicious, this behavior could lead to impaired security features, hindered forensic investigations, or further unauthorized access, necessitating immediate investigation to identify the responsible process and user.

Detection logic


| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.action=deleted AND Filesystem.file_path IN ("/etc/ssh/*", "~/.ssh/*") by _time span=1h Filesystem.file_name Filesystem.file_path Filesystem.dest Filesystem.process_guid Filesystem.action 
| `drop_dm_object_name(Filesystem)` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`
| `linux_account_manipulation_of_ssh_config_and_keys_filter`

Linux Preload Hijack Library Calls

Description

The following analytic detects the use of the LD_PRELOAD environment variable to hijack or hook library functions on a Linux platform. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include command-line details. This activity is significant because adversaries, malware authors, and red teamers commonly use this technique to gain elevated privileges and establish persistence on a compromised machine. If confirmed malicious, this behavior could allow attackers to execute arbitrary code, escalate privileges, and maintain long-term access to the system.

Detection logic


| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = "*LD_PRELOAD*" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid 
| `drop_dm_object_name(Processes)` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `linux_preload_hijack_library_calls_filter`

Linux Deletion Of Services

Description

The following analytic detects the deletion of services on a Linux machine. It leverages filesystem event logs to identify when service files within system directories (e.g., /etc/systemd/, /lib/systemd/, /run/systemd/) are deleted. This activity is significant because attackers may delete or modify services to disable security features or evade defenses. If confirmed malicious, this behavior could indicate an attempt to impair system functionality or execute a destructive payload, potentially leading to system instability or data loss. Immediate investigation is required to determine the responsible process and user.

Detection logic


| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.action=deleted Filesystem.file_path IN ( "/etc/systemd/*", "*/lib/systemd/*", "*/run/systemd/*") Filesystem.file_path = "*.service" by _time span=1h Filesystem.file_name Filesystem.file_path Filesystem.dest Filesystem.process_guid Filesystem.action 
| `drop_dm_object_name(Filesystem)` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`
| `linux_deletion_of_services_filter`

Linux Auditd Setuid Using Setcap Utility

Description

The following analytic detects the execution of the ‘setcap’ utility to enable the SUID bit on Linux systems. It leverages Linux Auditd data, focusing on process names and command-line arguments that indicate the use of ‘setcap’ with specific capabilities. This activity is significant because setting the SUID bit allows a user to temporarily gain root access, posing a substantial security risk. If confirmed malicious, an attacker could escalate privileges, execute arbitrary commands with elevated permissions, and potentially compromise the entire system.

Detection logic

`linux_auditd` `linux_auditd_normalized_execve_process` 
| rename host as dest 
| where LIKE (process_exec, "%setcap %") AND (LIKE (process_exec, "% cap_setuid+ep %") OR LIKE (process_exec, "% cap_setuid=ep %") OR LIKE (process_exec, "% cap_net_bind_service+p %") OR LIKE (process_exec, "% cap_net_raw+ep %") OR LIKE (process_exec, "% cap_dac_read_search+ep %")) 
| stats count min(_time) as firstTime max(_time) as lastTime by argc process_exec dest 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `linux_auditd_setuid_using_setcap_utility_filter`

Linux NOPASSWD Entry In Sudoers File

Description

The following analytic detects the addition of NOPASSWD entries to the /etc/sudoers file on Linux systems. It leverages Endpoint Detection and Response (EDR) telemetry to identify command lines containing “NOPASSWD:”. This activity is significant because it allows users to execute commands with elevated privileges without requiring a password, which can be exploited by adversaries to maintain persistent, privileged access. If confirmed malicious, this could lead to unauthorized privilege escalation, persistent access, and potential compromise of sensitive data and system integrity.

Detection logic


| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = "*NOPASSWD:*" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid 
| `drop_dm_object_name(Processes)` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `linux_nopasswd_entry_in_sudoers_file_filter`

Linux Visudo Utility Execution

Description

The following analytic detects the execution of the ‘visudo’ utility to modify the /etc/sudoers file on a Linux system. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs. This activity is significant because unauthorized changes to the /etc/sudoers file can grant elevated privileges to users, potentially allowing adversaries to execute commands as root. If confirmed malicious, this could lead to full system compromise, privilege escalation, and persistent unauthorized access, severely impacting the security posture of the affected host.

Detection logic


| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = visudo by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid 
| `drop_dm_object_name(Processes)` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `linux_visudo_utility_execution_filter`

Linux Deletion Of Cron Jobs

Description

The following analytic detects the deletion of cron jobs on a Linux machine. It leverages filesystem event logs to identify when files within the “/etc/cron.*” directory are deleted. This activity is significant because attackers or malware may delete cron jobs to disable scheduled security tasks or evade detection mechanisms. If confirmed malicious, this action could allow an attacker to disrupt system operations, evade security measures, or facilitate further malicious activities such as data wiping, as seen with the acidrain malware.

Detection logic


| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.action=deleted Filesystem.file_path="/etc/cron.*" by _time span=1h Filesystem.file_name Filesystem.file_path Filesystem.dest Filesystem.process_guid Filesystem.action 
| `drop_dm_object_name(Filesystem)` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`
| `linux_deletion_of_cron_jobs_filter`

Linux Deletion of SSL Certificate

Description

The following analytic detects the deletion of SSL certificates on a Linux machine. It leverages filesystem event logs to identify when files with extensions .pem or .crt are deleted from the /etc/ssl/certs/ directory. This activity is significant because attackers may delete or modify SSL certificates to disable security features or evade defenses on a compromised system. If confirmed malicious, this behavior could indicate an attempt to disrupt secure communications, evade detection, or execute a destructive payload, potentially leading to significant security breaches and data loss.

Detection logic


| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.action=deleted Filesystem.file_path = "/etc/ssl/certs/*" Filesystem.file_path IN ("*.pem", "*.crt") by _time span=1h Filesystem.file_name Filesystem.file_path Filesystem.dest Filesystem.process_guid Filesystem.action 
| `drop_dm_object_name(Filesystem)` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`
| `linux_deletion_of_ssl_certificate_filter`

Linux Change File Owner To Root

Description

The following analytic detects the use of the ‘chown’ command to change a file owner to ‘root’ on a Linux system. It leverages Endpoint Detection and Response (EDR) telemetry, specifically monitoring command-line executions and process details. This activity is significant as it may indicate an attempt to escalate privileges by adversaries, malware, or red teamers. If confirmed malicious, this action could allow an attacker to gain root-level access, leading to full control over the compromised host and potential persistence within the environment.

Detection logic


| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name = chown OR Processes.process = "*chown *") AND Processes.process = "* root *" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid 
| `drop_dm_object_name(Processes)` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `linux_change_file_owner_to_root_filter`

Linux Insert Kernel Module Using Insmod Utility

Description

The following analytic detects the insertion of a Linux kernel module using the insmod utility. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include process names and command-line details. This activity is significant as it may indicate the installation of a rootkit or malicious kernel module, potentially allowing an attacker to gain elevated privileges and bypass security detections. If confirmed malicious, this could lead to unauthorized code execution, persistent access, and severe compromise of the affected system.

Detection logic


| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN("kmod", "sudo") AND Processes.process = *insmod* by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid 
| `drop_dm_object_name(Processes)` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `linux_insert_kernel_module_using_insmod_utility_filter`

Linux Auditd Dd File Overwrite

Description

The following analytic detects the use of the ‘dd’ command to overwrite files on a Linux system. It leverages data from Linux Auditd telemetry, focusing on process execution logs that include command-line details. This activity is significant because adversaries often use the ‘dd’ command to destroy or irreversibly overwrite files, disrupting system availability and services. If confirmed malicious, this behavior could lead to data destruction, making recovery difficult and potentially causing significant operational disruptions.

Detection logic

`linux_auditd` `linux_auditd_normalized_proctitle_process` 
| rename host as dest 
| where LIKE(process_exec, "%dd %") AND LIKE(process_exec, "% of=%") 
| stats count min(_time) as firstTime max(_time) as lastTime by process_exec proctitle normalized_proctitle_delimiter dest 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `linux_auditd_dd_file_overwrite_filter`

Linux Possible Access To Credential Files

Description

The following analytic detects attempts to access or dump the contents of /etc/passwd and /etc/shadow files on Linux systems. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on processes like ‘cat’, ’nano’, ‘vim’, and ‘vi’ accessing these files. This activity is significant as it may indicate credential dumping, a technique used by adversaries to gain persistence or escalate privileges. If confirmed malicious, attackers could obtain hashed passwords for offline cracking, leading to unauthorized access and potential system compromise.

Detection logic


| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN("cat", "nano*","vim*", "vi*")  AND Processes.process IN("*/etc/shadow*", "*/etc/passwd*") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id 
| `drop_dm_object_name(Processes)` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `linux_possible_access_to_credential_files_filter`

Linux Auditd Sudo Or Su Execution

Description

The following analytic detects the execution of the “sudo” or “su” command on a Linux operating system. It leverages data from Linux Auditd, focusing on process names and parent process names. This activity is significant because “sudo” and “su” commands are commonly used by adversaries to elevate privileges, potentially leading to unauthorized access or control over the system. If confirmed malicious, this activity could allow attackers to execute commands with root privileges, leading to severe security breaches, data exfiltration, or further system compromise.

Detection logic

`linux_auditd` `linux_auditd_normalized_proctitle_process` 
| rename host as dest 
| where LIKE(process_exec, "%sudo %") OR LIKE(process_exec, "%su %") 
| stats count min(_time) as firstTime max(_time) as lastTime by process_exec proctitle normalized_proctitle_delimiter dest 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`
| `linux_auditd_sudo_or_su_execution_filter`

Linux Auditd Nopasswd Entry In Sudoers File

Description

The following analytic detects the addition of NOPASSWD entries to the /etc/sudoers file on Linux systems. It leverages Linux Auditd data to identify command lines containing “NOPASSWD:”. This activity is significant because it allows users to execute commands with elevated privileges without requiring a password, which can be exploited by adversaries to maintain persistent, privileged access. If confirmed malicious, this could lead to unauthorized privilege escalation, persistent access, and potential compromise of sensitive data and system integrity.

Detection logic

`linux_auditd` `linux_auditd_normalized_proctitle_process` 
| rename host as dest 
| where LIKE (process_exec, "%NOPASSWD%") 
| stats count min(_time) as firstTime max(_time) as lastTime by process_exec proctitle normalized_proctitle_delimiter dest 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `linux_auditd_nopasswd_entry_in_sudoers_file_filter`

Linux Auditd Add User Account

Description

The following analytic detects the creation of new user accounts on Linux systems using commands like “useradd” or “adduser.” It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as adversaries often create new user accounts to establish persistence on compromised hosts. If confirmed malicious, this could allow attackers to maintain access, escalate privileges, and further compromise the system, posing a severe security risk.

Detection logic

`linux_auditd` `linux_auditd_normalized_proctitle_process`
| rename host as dest 
| where LIKE (process_exec, "%useradd%") OR LIKE (process_exec, "%adduser%") 
| stats count min(_time) as firstTime max(_time) as lastTime by process_exec proctitle dest  
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `linux_auditd_add_user_account_filter`

Linux Auditd Insert Kernel Module Using Insmod Utility

Description

The following analytic detects the insertion of a Linux kernel module using the insmod utility. It leverages data from Linux Auditd, focusing on process execution logs that include process names and command-line details. This activity is significant as it may indicate the installation of a rootkit or malicious kernel module, potentially allowing an attacker to gain elevated privileges and bypass security detections. If confirmed malicious, this could lead to unauthorized code execution, persistent access, and severe compromise of the affected system.

Detection logic

`linux_auditd` type=SYSCALL comm=insmod 
| rename host as dest 
| stats count min(_time) as firstTime max(_time) as lastTime by comm exe  SYSCALL UID ppid pid success dest 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`
| `linux_auditd_insert_kernel_module_using_insmod_utility_filter`

Linux Sudoers Tmp File Creation

Description

The following analytic detects the creation of the “sudoers.tmp” file, which occurs when editing the /etc/sudoers file using visudo or another editor on a Linux platform. This detection leverages filesystem data to identify the presence of “sudoers.tmp” files. Monitoring this activity is crucial as adversaries may exploit it to gain elevated privileges on a compromised host. If confirmed malicious, this activity could allow attackers to modify sudoers configurations, potentially granting them unauthorized access to execute commands as other users, including root, thereby compromising the system’s security.

Detection logic


| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN ("*sudoers.tmp*") by Filesystem.dest Filesystem.file_name Filesystem.process_guid Filesystem.file_path 
| `drop_dm_object_name(Filesystem)` 
| `security_content_ctime(lastTime)` 
| `security_content_ctime(firstTime)` 
| `linux_sudoers_tmp_file_creation_filter`

Linux DD File Overwrite

Description

The following analytic detects the use of the ‘dd’ command to overwrite files on a Linux system. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include command-line details. This activity is significant because adversaries often use the ‘dd’ command to destroy or irreversibly overwrite files, disrupting system availability and services. If confirmed malicious, this behavior could lead to data destruction, making recovery difficult and potentially causing significant operational disruptions.

Detection logic


| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = "dd" AND Processes.process = "*of=*" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid 
| `drop_dm_object_name(Processes)` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `linux_dd_file_overwrite_filter`

Linux Sudo OR Su Execution

Description

The following analytic detects the execution of the “sudo” or “su” command on a Linux operating system. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and parent process names. This activity is significant because “sudo” and “su” commands are commonly used by adversaries to elevate privileges, potentially leading to unauthorized access or control over the system. If confirmed malicious, this activity could allow attackers to execute commands with root privileges, leading to severe security breaches, data exfiltration, or further system compromise.

Detection logic


| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN ("sudo", "su") OR Processes.parent_process_name IN ("sudo", "su") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid 
| `drop_dm_object_name(Processes)` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `linux_sudo_or_su_execution_filter`

Linux Deletion Of Init Daemon Script

Description

The following analytic detects the deletion of init daemon scripts on a Linux machine. It leverages filesystem event logs to identify when files within the /etc/init.d/ directory are deleted. This activity is significant because init daemon scripts control the start and stop of critical services, and their deletion can indicate an attempt to impair security features or evade defenses. If confirmed malicious, this behavior could allow an attacker to disrupt essential services, execute destructive payloads, or persist undetected in the environment.

Detection logic


| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.action=deleted Filesystem.file_path IN ( "/etc/init.d/*") by _time span=1h Filesystem.file_name Filesystem.file_path Filesystem.dest Filesystem.process_guid Filesystem.action 
| `drop_dm_object_name(Filesystem)` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`
| `linux_deletion_of_init_daemon_script_filter`

Linux Auditd Install Kernel Module Using Modprobe Utility

Description

The following analytic detects the installation of a Linux kernel module using the modprobe utility. It leverages data from Linux Auditd, focusing on process names and command-line executions. This activity is significant because installing a kernel module can indicate an attempt to deploy a rootkit or other malicious kernel-level code, potentially leading to elevated privileges and bypassing security detections. If confirmed malicious, this could allow an attacker to gain persistent, high-level access to the system, compromising its integrity and security.

Detection logic

`linux_auditd` type=SYSCALL comm=modprobe 
| rename host as dest 
| stats count min(_time) as firstTime max(_time) as lastTime by comm exe  SYSCALL UID ppid pid success dest 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `linux_auditd_install_kernel_module_using_modprobe_utility_filter`