LoFP / administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives.

Techniques

Sample rules

Linux Auditd Hidden Files And Directories Creation

Description

The following analytic detects the creation of hidden files and directories (names beginning with a dot) via touch, mkdir, vi, vim, or nano, which may indicate an attacker's attempt to conceal malicious activity or unauthorized data. Hidden files and directories are often used to evade casual inspection by administrators and security tools, providing a stealthy place to store malware, logs, or collected data. By monitoring for unusual or unauthorized creation of hidden files and directories, this analytic helps identify attempts to hide malicious operations, enabling security teams to uncover and address hidden threats.

Detection logic

`linux_auditd` `linux_auditd_normalized_execve_process` 
| rename host as dest 
| where (LIKE (process_exec,"%touch %") OR LIKE (process_exec,"%mkdir %") OR LIKE (process_exec,"%vim %") OR LIKE (process_exec,"%vi %") OR LIKE (process_exec,"%nano %")) AND (LIKE (process_exec,"% ./.%") OR LIKE (process_exec,"% .%") OR LIKE (process_exec,"% /.%")) 
| stats count min(_time) as firstTime max(_time) as lastTime by argc process_exec dest 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`
| `linux_auditd_hidden_files_and_directories_creation_filter`

Linux Auditd Find Ssh Private Keys

Description

The following analytic detects find or grep invocations that reference id_rsa, id_dsa, .key, ssh_key, or authorized_keys, which may indicate an attacker searching the file system for SSH key material. SSH private keys are essential for secure authentication, and an attacker who obtains them can authenticate to other servers and critical infrastructure without a password. By monitoring for unusual or unauthorized searches for SSH keys, this analytic helps identify potential threats to network security, allowing security teams to respond quickly and safeguard against unauthorized access. The keyword list is broad (".key" also matches TLS private keys and authorized_keys is a public-key file), so some tuning of the filter macro should be expected.

Detection logic

`linux_auditd` `linux_auditd_normalized_execve_process` 
| rename host as dest 
| where  (LIKE (process_exec, "%find%") OR LIKE (process_exec, "%grep%")) AND (LIKE (process_exec, "%id_rsa%") OR LIKE (process_exec, "%id_dsa%")OR LIKE (process_exec, "%.key%") OR LIKE (process_exec, "%ssh_key%")OR LIKE (process_exec, "%authorized_keys%")) 
| stats count min(_time) as firstTime max(_time) as lastTime by argc process_exec dest 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`
| `linux_auditd_find_ssh_private_keys_filter`
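The two execve-based rules above (hidden files and directories creation, find SSH private keys) depend on the normalization macro rebuilding a single command line from the EXECVE record's a0..aN arguments. The following Python is an added example, not code from the page or from Splunk security_content: it reconstructs that command line from raw auditd EXECVE lines, decodes the hex form auditd uses for arguments containing spaces or quotes, and applies both rules' LIKE predicates. It assumes process_exec is the space-joined argv (the page does not show the macro body), and it evaluates the hidden-name patterns as "% ./.%", "% .%" and "% /.%", i.e. anywhere in the command line. The sample records are constructed.

```python
"""Rebuild process_exec from auditd EXECVE records and apply two rules from this page.

Added example, not code from Splunk security_content. It assumes that the
linux_auditd_normalized_execve_process macro yields process_exec as the
space-joined argv (a0 a1 ... aN); the page does not show the macro body.
"""
import re
from collections import Counter

# Constructed sample records, not real log data. auditd emits an argument unquoted
# and hex-encoded when it contains a space, a double quote or a non-printable byte;
# a3 on the grep line is "/home/bob/old keys/backup.key" in that form.
SAMPLE_EXECVE = [
    'type=EXECVE msg=audit(1700000000.101:201): argc=2 a0="mkdir" a1="./.cache-x"',
    'type=EXECVE msg=audit(1700000000.102:202): argc=3 a0="touch" a1="/tmp/.hidden" a2="/tmp/visible"',
    'type=EXECVE msg=audit(1700000000.103:203): argc=2 a0="vim" a1="notes.txt"',
    'type=EXECVE msg=audit(1700000000.104:204): argc=5 a0="find" a1="/home" a2="-name" a3="id_rsa" a4="-print"',
    'type=EXECVE msg=audit(1700000000.105:205): argc=4 a0="grep" a1="-r" a2="BEGIN" '
    'a3=2F686F6D652F626F622F6F6C64206B6579732F6261636B75702E6B6579',
    'type=EXECVE msg=audit(1700000000.106:206): argc=2 a0="ls" a1="-la"',
]

# aN="quoted" or aN=<hex>; long arguments split as aN[0], aN[1] ... are not handled here.
ARG_RE = re.compile(r'\ba(\d+)=(?:"([^"]*)"|(\S+))')


def decode_arg(quoted, raw):
    """Return the argument text, decoding auditd's hex form where it was used."""
    if quoted is not None:
        return quoted
    try:
        return bytes.fromhex(raw).decode("utf-8", "replace")
    except ValueError:  # not hex, e.g. "(null)"
        return raw


def process_exec(record):
    """Join a0..aN in order, mirroring what the normalization macro is assumed to do."""
    args = {int(m.group(1)): decode_arg(m.group(2), m.group(3)) for m in ARG_RE.finditer(record)}
    return " ".join(args[i] for i in sorted(args))


def like(text, pattern):
    """SQL/SPL LIKE: % matches any run of characters, _ exactly one; case-sensitive."""
    regex = "".join(".*" if c == "%" else "." if c == "_" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, text, re.DOTALL) is not None


HIDDEN_VERBS = ("touch", "mkdir", "vim", "vi", "nano")
KEY_TOKENS = ("id_rsa", "id_dsa", ".key", "ssh_key", "authorized_keys")


def hidden_file_creation(p):
    # The three target patterns are applied unanchored (anywhere in the command line).
    return (any(like(p, f"%{v} %") for v in HIDDEN_VERBS)
            and (like(p, "% ./.%") or like(p, "% .%") or like(p, "% /.%")))


def find_ssh_private_keys(p):
    # "%find%" also matches findmnt; "%.key%" matches any .key path, e.g. TLS keys.
    return ((like(p, "%find%") or like(p, "%grep%"))
            and any(like(p, f"%{k}%") for k in KEY_TOKENS))


RULES = {
    "linux_auditd_hidden_files_and_directories_creation": hidden_file_creation,
    "linux_auditd_find_ssh_private_keys": find_ssh_private_keys,
}


def run_rules(records, dest="host1"):
    """Equivalent of `stats count by process_exec dest` per rule: Counter keyed (rule, process_exec, dest)."""
    hits = Counter()
    for record in records:
        p = process_exec(record)
        for name, predicate in RULES.items():
            if predicate(p):
                hits[(name, p, dest)] += 1
    return hits


if __name__ == "__main__":
    for (rule, p, dest), count in sorted(run_rules(SAMPLE_EXECVE).items()):
        print(f"{rule:55} {dest} count={count} {p}")
```

Two things the sample shows that the SPL alone does not: the grep line only matches because the hex-encoded argument is decoded first (a normalization step that leaves hex arguments untouched misses it), and `touch /tmp/.hidden` does not fire at all, because every target pattern requires the dot to follow a space, "./" or " /", so a hidden name nested below a visible directory is outside the rule as written.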

Linux Deleting Critical Directory Using RM Command

Description

The following analytic detects the deletion of critical directories on a Linux machine using the rm command with the -rf arguments. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions targeting directories like /boot, /var/log, /etc, and /dev. This activity is significant because deleting these directories can severely disrupt system operations and is often associated with destructive campaigns like Industroyer2. If confirmed malicious, this action could lead to system instability, data loss, and potential downtime, making it crucial for immediate investigation and response. Note that the pattern matches the literal " -rf " form only; equivalent spellings such as rm -fr or rm -r -f are not covered as written.

Detection logic


| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name =rm AND Processes.process= "* -rf *" AND Processes.process IN ("*/boot/*", "*/var/log/*", "*/etc/*", "*/dev/*") by Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid Processes.dest Processes.user 
| `drop_dm_object_name(Processes)` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `linux_deleting_critical_directory_using_rm_command_filter`

Linux Shred Overwrite Command

Description

The following analytic detects the execution of the ‘shred’ command on a Linux machine, which is used to overwrite files to make them unrecoverable. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant because the ‘shred’ command can be used in destructive attacks, such as those seen in the Industroyer2 malware targeting energy facilities. If confirmed malicious, this activity could lead to the permanent destruction of critical files, severely impacting system integrity and data availability.

Detection logic


| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name =shred AND Processes.process IN ("*-n*", "*-u*", "*-z*", "*-s*") by Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid Processes.dest Processes.user 
| `drop_dm_object_name(Processes)` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `linux_shred_overwrite_command_filter`

Linux Auditd Find Credentials From Password Stores

Description

The following analytic detects find or grep invocations whose command line contains password, "pass ", credential, or creds, indicating a potential attacker's effort to locate stored login information. Password stores are critical repositories that contain valuable credentials, and unauthorized access to them can lead to significant security breaches. By monitoring for unusual or unauthorized searches of this kind, this analytic helps identify potential credential theft attempts, allowing security teams to respond promptly and prevent unauthorized access to critical systems and data. The keyword list is broad and will also match legitimate administration (for example grepping a config for a password setting), so tune the filter macro for known automation.

Detection logic

`linux_auditd` `linux_auditd_normalized_execve_process` 
| rename host as dest 
| where  (LIKE (process_exec, "%find%") OR LIKE (process_exec, "%grep%")) AND (LIKE (process_exec, "%password%") OR LIKE (process_exec, "%pass %") OR LIKE (process_exec, "%credential%")OR LIKE (process_exec, "%creds%")) 
| stats count min(_time) as firstTime max(_time) as lastTime by argc process_exec dest 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`
| `linux_auditd_find_credentials_from_password_stores_filter`

Linux Disable Services

Description

The following analytic detects attempts to disable a service on a Linux system. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on processes like “systemctl,” “service,” and “svcadm” with commands containing “disable.” This activity is significant as adversaries may disable security or critical services to evade detection and facilitate further malicious actions, such as deploying destructive payloads. If confirmed malicious, this could lead to the termination of essential security services, allowing attackers to persist undetected and potentially cause significant damage to the system.

Detection logic


| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN ("systemctl", "service", "svcadm")  Processes.process = "* disable*" by Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid Processes.dest Processes.user 
| `drop_dm_object_name(Processes)` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `linux_disable_services_filter`

Linux Auditd Sysmon Service Stop

Description

The following analytic detects an auditd SERVICE_STOP event for the sysmon unit, that is, the Sysmon for Linux service being stopped. Stopping an endpoint telemetry agent is a common defense-evasion step taken before further activity, so a SOC should treat it as high priority unless it lines up with a known maintenance window or package upgrade. If confirmed malicious, subsequent attacker activity on the host will be invisible to Sysmon, so the host should be triaged using other sources (auditd itself, EDR, network telemetry). Detecting and responding to these signs early is essential to prevent potential security incidents.

Detection logic

`linux_auditd` type=SERVICE_STOP unit IN ("sysmon") 
| rename host as dest 
| stats count min(_time) as firstTime max(_time) as lastTime by type pid UID comm exe unit dest 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`
| `linux_auditd_sysmon_service_stop_filter`

Linux Auditd Data Transfer Size Limits Via Split Syscall

Description

The following analytic detects use of the split command, observed through auditd SYSCALL records in which comm or exe is split, which breaks large files into smaller parts. Attackers may use this technique to stay under size-based transfer thresholds or DLP limits, facilitating the covert exfiltration of sensitive data. By monitoring for unusual or unauthorized use of split, this analytic helps identify potential data exfiltration attempts, allowing security teams to intervene and prevent the unauthorized transfer of critical information from the network. Note that split is not a system call; the rule name refers to the SYSCALL record type in which the command execution is logged.

Detection logic

`linux_auditd` type=SYSCALL (comm=split OR exe="*/split") 
| rename host as dest 
| stats count min(_time) as firstTime max(_time) as lastTime by comm exe  SYSCALL UID ppid pid success dest 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`
| `linux_auditd_data_transfer_size_limits_via_split_syscall_filter`

Linux Auditd Shred Overwrite Command

Description

The following analytic detects the execution of the ‘shred’ command on a Linux machine, which is used to overwrite files to make them unrecoverable. It leverages data from Linux Auditd, focusing on process names and command-line arguments. This activity is significant because the ‘shred’ command can be used in destructive attacks, such as those seen in the Industroyer2 malware targeting energy facilities. If confirmed malicious, this activity could lead to the permanent destruction of critical files, severely impacting system integrity and data availability.

Detection logic

`linux_auditd` `linux_auditd_normalized_proctitle_process` 
| rename host as dest 
| where LIKE (process_exec, "%shred%") AND (LIKE (process_exec, "%-n%") OR LIKE (process_exec, "%-z%") OR LIKE (process_exec, "%-u%") OR LIKE (process_exec, "%-s%")) 
| stats count min(_time) as firstTime max(_time) as lastTime by process_exec proctitle normalized_proctitle_delimiter dest 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `linux_auditd_shred_overwrite_command_filter`

Linux Auditd File Permissions Modification Via Chattr

Description

The following analytic detects suspicious file attribute changes using the chattr command, which may indicate an attacker manipulating file attributes to evade detection or prevent alteration. chattr can set the immutable attribute (+i) so that a file cannot be modified or deleted, which is used to protect malicious files, or clear it (-i) so that a previously protected system file becomes writable. The logic as written matches the " -i" form, i.e. clearing the immutable attribute; setting it with +i does not match this pattern. By monitoring for unusual or unauthorized chattr usage, this analytic helps identify potential tampering with critical files, enabling security teams to quickly respond to and mitigate threats associated with unauthorized file attribute changes.

Detection logic

`linux_auditd` `linux_auditd_normalized_proctitle_process` 
| rename host as dest 
|  where LIKE(process_exec, "%chattr %") AND LIKE(process_exec, "% -i%") 
| stats count min(_time) as firstTime max(_time) as lastTime by process_exec proctitle normalized_proctitle_delimiter dest 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`
| `linux_auditd_file_permissions_modification_via_chattr_filter`

Linux At Application Execution

Description

The following analytic detects the execution of the “At” application in Linux, which can be used by attackers to create persistence entries on a compromised host. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and parent process names associated with “at” or “atd”. This activity is significant because the “At” application can be exploited to maintain unauthorized access or deliver additional malicious payloads. If confirmed malicious, this behavior could lead to data theft, ransomware attacks, or other severe consequences. Immediate investigation is required to determine the legitimacy of the execution and mitigate potential risks.

Detection logic


| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where  Processes.process_name IN ("at", "atd") OR Processes.parent_process_name IN ("at", "atd") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid 
| `drop_dm_object_name(Processes)` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `linux_at_application_execution_filter`

Linux Auditd File Permission Modification Via Chmod

Description

The following analytic detects suspicious file permission modifications using the chmod command, which may indicate an attacker attempting to alter access controls on critical files or directories. The logic matches chmod with a numeric mode of 777, 755, 754, or 700, or a symbolic mode adding execute permission. Such modifications can be used to make a dropped payload executable, grant unauthorized users access, or conceal malicious activities by restricting legitimate access. By monitoring for unusual or unauthorized chmod usage, this analytic helps identify potential security breaches, allowing security teams to respond promptly to prevent privilege escalation, data tampering, or other unauthorized actions on the system. Note that the symbolic pattern is written as "%+%x%", which matches any command line containing a "+" somewhere before an "x" (for example chmod u+w /tmp/example), so it is considerably broader than "+x"; tune the filter macro accordingly.

Detection logic

`linux_auditd` `linux_auditd_normalized_proctitle_process` 
| rename host as dest  
| where LIKE(process_exec, "%chmod%") AND (LIKE(process_exec, "% 777 %") OR LIKE(process_exec, "% 755 %") OR LIKE(process_exec, "%+%x%") OR LIKE(process_exec, "% 754 %") OR LIKE(process_exec, "% 700 %")) 
| stats count min(_time) as firstTime max(_time) as lastTime by process_exec proctitle dest 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`
| `linux_auditd_file_permission_modification_via_chmod_filter`

Linux Auditd Stop Services

Description

The following analytic detects services being stopped on Linux systems. It leverages auditd SERVICE_STOP records, which systemd emits whenever a unit is stopped, regardless of whether it was stopped via systemctl, service, or a unit dependency; it does not look at the stopping process's command line. This activity is significant as adversaries often terminate security or critical services to disable defenses or disrupt operations, as seen in malware like Industroyer2. If confirmed malicious, this could lead to the disabling of security mechanisms, allowing attackers to persist, escalate privileges, or deploy destructive payloads, severely impacting system integrity and availability. Because every unit stop matches, including those during a normal shutdown, the volume is high and the filter macro should exclude expected units.

Detection logic

`linux_auditd` type=SERVICE_STOP 
| rename host as dest 
| stats count min(_time) as firstTime max(_time) as lastTime by type pid UID comm exe dest 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `linux_auditd_stop_services_filter`

Linux Auditd Disable Or Modify System Firewall

Description

The following analytic detects an auditd SERVICE_STOP event for the firewalld or ufw unit, that is, the host firewall service being stopped. Adversaries stop or reconfigure the host firewall to open inbound access, allow command-and-control or lateral-movement traffic, or disable its logging. If confirmed, the host is exposed to unfiltered network access, and whatever followed the stop should be investigated. Note that this logic only observes the systemd unit being stopped; rules flushed or altered directly with iptables, nft, or firewall-cmd produce no SERVICE_STOP record and must be covered by execution-based analytics. Detecting and responding to these signs early is essential to prevent potential security incidents.

Detection logic

`linux_auditd` type=SERVICE_STOP unit IN ("firewalld", "ufw") 
| rename host as dest 
| stats count min(_time) as firstTime max(_time) as lastTime by type pid UID comm exe unit dest 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `linux_auditd_disable_or_modify_system_firewall_filter`
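The three SERVICE_STOP rules above (Sysmon service stop, stop services, disable or modify system firewall) all key on the unit name inside systemd's audit record. The following Python is an added example, not code from the page or from Splunk security_content: it parses raw auditd SERVICE_STOP lines, including the key=value pairs nested inside the quoted msg='...' part, and counts matches per rule the way the rules' stats clauses do. It assumes the Splunk add-on exposes the raw uid field as UID and the host as dest, neither of which the page shows; the sample records are constructed.

```python
"""Evaluate the three SERVICE_STOP rules above over raw auditd lines.

Added example, not code from Splunk security_content. It assumes the Splunk
add-on maps the raw uid field to UID (the rules group by UID) and that the
host field becomes dest; both are assumptions, the page shows neither mapping.
"""
import re
from collections import Counter

# Constructed sample records, not real log data. systemd writes the unit name
# without its .service suffix inside the quoted msg='...' part of the record.
SAMPLE_SERVICE_EVENTS = [
    "type=SERVICE_STOP msg=audit(1700000000.201:301): pid=1 uid=0 auid=4294967295 ses=4294967295 "
    "msg='unit=sysmon comm=\"systemd\" exe=\"/usr/lib/systemd/systemd\" hostname=? addr=? terminal=? res=success'",
    "type=SERVICE_STOP msg=audit(1700000000.202:302): pid=1 uid=0 auid=4294967295 ses=4294967295 "
    "msg='unit=firewalld comm=\"systemd\" exe=\"/usr/lib/systemd/systemd\" hostname=? addr=? terminal=? res=success'",
    "type=SERVICE_START msg=audit(1700000000.203:303): pid=1 uid=0 auid=4294967295 ses=4294967295 "
    "msg='unit=firewalld comm=\"systemd\" exe=\"/usr/lib/systemd/systemd\" hostname=? addr=? terminal=? res=success'",
    "type=SERVICE_STOP msg=audit(1700000000.204:304): pid=1 uid=0 auid=4294967295 ses=4294967295 "
    "msg='unit=cron comm=\"systemd\" exe=\"/usr/lib/systemd/systemd\" hostname=? addr=? terminal=? res=success'",
    "type=SERVICE_STOP msg=audit(1700000000.205:305): pid=1 uid=0 auid=4294967295 ses=4294967295 "
    "msg='unit=ufw comm=\"systemd\" exe=\"/usr/lib/systemd/systemd\" hostname=? addr=? terminal=? res=success'",
]

# key="double quoted", key='single quoted' (the nested msg) or key=bare
KV_RE = re.compile(r"""(\w+)=(?:"([^"]*)"|'([^']*)'|(\S+))""")


def parse_audit(line):
    """Flatten key=value pairs, including those nested inside msg='...'."""
    fields = {}
    for m in KV_RE.finditer(line):
        key = m.group(1)
        value = next(g for g in m.groups()[1:] if g is not None)
        if key == "msg" and not value.startswith("audit("):
            fields.update(parse_audit(value))  # nested unit=... res=...
        else:
            fields[key] = value
    return fields


WATCHED_UNITS = {
    "linux_auditd_sysmon_service_stop": {"sysmon"},
    "linux_auditd_disable_or_modify_system_firewall": {"firewalld", "ufw"},
}


def evaluate_service_stops(lines, dest="host1"):
    """Counter keyed (rule, (pid, UID, comm, exe, unit, dest)), like the rules' stats clauses."""
    hits = Counter()
    for line in lines:
        ev = parse_audit(line)
        if ev.get("type") != "SERVICE_STOP":
            continue
        unit = ev.get("unit", "")
        row = (ev.get("pid"), ev.get("uid"), ev.get("comm"), ev.get("exe"), unit, dest)
        hits[("linux_auditd_stop_services", row)] += 1  # fires on every unit stop
        for rule, units in WATCHED_UNITS.items():
            if unit in units:
                hits[(rule, row)] += 1
    return hits


def count_by_rule(hits):
    """Total matches per rule, for a quick volume comparison."""
    totals = Counter()
    for (rule, _row), count in hits.items():
        totals[rule] += count
    return dict(totals)


if __name__ == "__main__":
    for rule, total in count_by_rule(evaluate_service_stops(SAMPLE_SERVICE_EVENTS)).items():
        print(f"{rule:50} {total}")
```

The unit comparison is exact, so a unit installed under another name is not matched, and a monitoring binary started by hand rather than as a systemd unit never produces a SERVICE_STOP record at all; both gaps need to be covered by the execution-based rules on this page.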

Linux Auditd Edit Cron Table Parameter

Description

The following analytic detects a cron table being installed on Linux, for example after crontab -e. Rather than matching the command-line parameter, it looks for auditd SYSCALL records in which the crontab binary (comm or exe) completes a rename syscall, which is the step by which crontab moves the newly written table from a temporary file into the spool directory; the daemon UID is excluded. This behavior is significant for a SOC as cron job manipulations can indicate unauthorized persistence attempts or scheduled malicious actions. If confirmed malicious, this activity could lead to system compromise, unauthorized access, or broader network compromise.

Detection logic

`linux_auditd` type=SYSCALL SYSCALL=rename (comm IN ("crontab") OR exe IN ("*/crontab")) success=yes AND NOT (UID IN("daemon")) 
| rename host as dest 
| stats count min(_time) as firstTime max(_time) as lastTime by comm exe  SYSCALL UID ppid pid dest 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`
| `linux_auditd_edit_cron_table_parameter_filter`

Linux Auditd Data Transfer Size Limits Via Split

Description

The following analytic detects invocations of the split command with the -b (byte size) option, which breaks a large file into fixed-size parts. Attackers may use this technique to stay under size-based transfer thresholds or DLP limits, facilitating the covert exfiltration of sensitive data. By monitoring for unusual or unauthorized use of split -b, this analytic helps identify potential data exfiltration attempts, allowing security teams to intervene and prevent the unauthorized transfer of critical information from the network. Note that split is a user-space command, not a system call; it is observed here through the normalized execve command line.

Detection logic

`linux_auditd` `linux_auditd_normalized_execve_process` 
| rename host as dest 
| where LIKE(process_exec, "%split %") AND LIKE(process_exec, "% -b %") 
| stats count min(_time) as firstTime max(_time) as lastTime by argc process_exec dest 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`
| `linux_auditd_data_transfer_size_limits_via_split_filter`

Linux Auditd System Network Configuration Discovery

Description

The following analytic detects suspicious system network configuration discovery activities, which may indicate an adversary's attempt to gather information about the network environment. It fires when four or more distinct commands from the list (arp, ifconfig, ip, netstat, firewall-cmd, ufw, iptables, ss, route) are executed on a host within a 15-minute window, rather than on any single command, which keeps routine one-off use of ip or ss below the threshold. Such bursts typically involve identifying network interfaces, routing tables, and active connections. Detecting these activities is crucial, as they often precede more targeted attacks like lateral movement or data exfiltration. By identifying unusual or unauthorized network discovery efforts, this analytic helps security teams to swiftly detect and respond to potential reconnaissance operations, mitigating the risk of further compromise.

Detection logic

`linux_auditd` type=SYSCALL comm IN ("arp", "ifconfig", "ip", "netstat", "firewall-cmd", "ufw", "iptables", "ss", "route") 
| bucket _time span=15m 
| rename host as dest 
| stats dc(comm) as unique_commands, values(comm) as comm, values(exe) as exe, values(SYSCALL) as SYSCALL, values(UID) as UID, values(ppid) as ppid, values(pid) as pid, count, min(_time) as firstTime, max(_time) as lastTime by _time success dest 
| where unique_commands >= 4 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `linux_auditd_system_network_configuration_discovery_filter`
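The threshold logic above is the only rule on this page that counts across events rather than matching one, so it is worth seeing the windowing behave. The following Python is an added example, not code from the page or from Splunk security_content: it applies the 15-minute bucket, the distinct-command count and the threshold of 4 to raw auditd SYSCALL lines, grouping by bucket, success and dest so that the threshold is evaluated within each window. dest is a parameter because the raw lines carry no host; the sample records are constructed and abridged to the fields used.

```python
"""Per-host, per-15-minute distinct-command threshold from the rule above.

Added example, not code from Splunk security_content. Implements
`bucket _time span=15m` plus `stats dc(comm) ... | where unique_commands >= 4`
with the bucket as part of the grouping. dest is passed in, since raw auditd
lines carry no host name.
"""
import re
from collections import defaultdict

# Constructed sample SYSCALL records, not real log data (fields abridged to those used).
# Five records fall into one 15-minute bucket with four distinct commands; three later
# records fall into another bucket with only two distinct commands.
SAMPLE_SYSCALLS = [
    'type=SYSCALL msg=audit(1700000010.000:501): arch=c000003e syscall=59 success=yes exit=0 ppid=2400 pid=2401 uid=1000 comm="ip" exe="/usr/sbin/ip" key="execve"',
    'type=SYSCALL msg=audit(1700000020.000:502): arch=c000003e syscall=59 success=yes exit=0 ppid=2400 pid=2402 uid=1000 comm="ss" exe="/usr/bin/ss" key="execve"',
    'type=SYSCALL msg=audit(1700000030.000:503): arch=c000003e syscall=59 success=yes exit=0 ppid=2400 pid=2403 uid=1000 comm="netstat" exe="/usr/bin/netstat" key="execve"',
    'type=SYSCALL msg=audit(1700000040.000:504): arch=c000003e syscall=59 success=yes exit=0 ppid=2400 pid=2404 uid=1000 comm="arp" exe="/usr/sbin/arp" key="execve"',
    'type=SYSCALL msg=audit(1700000045.000:505): arch=c000003e syscall=59 success=yes exit=0 ppid=2400 pid=2405 uid=1000 comm="ip" exe="/usr/sbin/ip" key="execve"',
    'type=SYSCALL msg=audit(1700000050.000:506): arch=c000003e syscall=59 success=yes exit=0 ppid=2400 pid=2406 uid=1000 comm="ls" exe="/usr/bin/ls" key="execve"',
    'type=SYSCALL msg=audit(1700001010.000:507): arch=c000003e syscall=59 success=yes exit=0 ppid=2400 pid=2407 uid=1000 comm="ifconfig" exe="/usr/sbin/ifconfig" key="execve"',
    'type=SYSCALL msg=audit(1700001020.000:508): arch=c000003e syscall=59 success=yes exit=0 ppid=2400 pid=2408 uid=1000 comm="ifconfig" exe="/usr/sbin/ifconfig" key="execve"',
    'type=SYSCALL msg=audit(1700001030.000:509): arch=c000003e syscall=59 success=yes exit=0 ppid=2400 pid=2409 uid=1000 comm="route" exe="/usr/sbin/route" key="execve"',
]

KV_RE = re.compile(r'(\w+)="?([^"\s]*)"?')
DISCOVERY_COMMANDS = {"arp", "ifconfig", "ip", "netstat", "firewall-cmd", "ufw", "iptables", "ss", "route"}
SPAN_SECONDS = 15 * 60
THRESHOLD = 4


def parse_syscall(line):
    """key=value pairs plus the epoch second taken from msg=audit(<secs>.<ms>:<serial>)."""
    ev = dict(KV_RE.findall(line))
    m = re.match(r"audit\((\d+)\.", ev.get("msg", ""))
    ev["_time"] = int(m.group(1)) if m else 0
    return ev


def network_discovery_alerts(lines, dest="host1"):
    """One alert per (bucket, success, dest) whose distinct discovery commands reach THRESHOLD."""
    buckets = defaultdict(lambda: {"comm": set(), "exe": set(), "uid": set(), "count": 0, "times": []})
    for line in lines:
        ev = parse_syscall(line)
        if ev.get("type") != "SYSCALL" or ev.get("comm") not in DISCOVERY_COMMANDS:
            continue
        bucket = ev["_time"] // SPAN_SECONDS * SPAN_SECONDS  # floor to the 15-minute boundary
        b = buckets[(bucket, ev.get("success"), dest)]
        b["comm"].add(ev["comm"])
        b["exe"].add(ev.get("exe"))
        b["uid"].add(ev.get("uid"))
        b["count"] += 1
        b["times"].append(ev["_time"])
    alerts = []
    for (bucket, success, host), b in sorted(buckets.items()):
        if len(b["comm"]) >= THRESHOLD:
            alerts.append({
                "bucket": bucket, "success": success, "dest": host,
                "unique_commands": len(b["comm"]), "comm": sorted(b["comm"]),
                "exe": sorted(b["exe"]), "UID": sorted(b["uid"]), "count": b["count"],
                "firstTime": min(b["times"]), "lastTime": max(b["times"]),
            })
    return alerts


if __name__ == "__main__":
    for alert in network_discovery_alerts(SAMPLE_SYSCALLS):
        print(alert)
```

Only the first bucket alerts: it holds five executions but four distinct commands (the repeated ip counts once), while the second bucket's ifconfig and route are two distinct commands and stay below the threshold even though, across both buckets, six different commands ran. Without the bucket in the grouping, the distinct count would run over the whole search window instead.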

Linux Auditd Find Credentials From Password Managers

Description

The following analytic detects find or grep invocations that reference password manager database files or product names (KeePass .kdbx/.kdb, LastPass .lpdb, 1Password .opvault/.agilekeychain, Dashlane, RoboForm .rfx, Passbolt, Sticky Password .spdb, Enpass .walletx, and similar), which may indicate an attacker's effort to retrieve stored credentials. Password managers are often targeted by adversaries seeking to access stored passwords for further compromise or lateral movement within a network. By monitoring for unusual or unauthorized searches for password manager files, this analytic helps identify potential credential theft attempts, enabling security teams to respond quickly to protect critical accounts and prevent further unauthorized access. Note that the generic "vault" keyword will also match searches involving HashiCorp Vault tooling or paths, so tune the filter macro where that is in use.

Detection logic

`linux_auditd` `linux_auditd_normalized_execve_process` 
| rename host as dest 
| where  (LIKE (process_exec, "%find%") OR LIKE (process_exec, "%grep%")) AND (LIKE (process_exec, "%.kdbx%") OR LIKE (process_exec, "%KeePass%") OR LIKE (process_exec, "%KeePass\.enforced%") OR LIKE (process_exec, "%.lpdb%")OR LIKE (process_exec, "%.opvault%")OR LIKE (process_exec, "%.agilekeychain%")OR LIKE (process_exec, "%.dashlane%")OR LIKE (process_exec, "%.rfx%")OR LIKE (process_exec, "%passbolt%")OR LIKE (process_exec, "%.spdb%")OR LIKE (process_exec, "%StickyPassword%")OR LIKE (process_exec, "%.walletx%")OR LIKE (process_exec, "%enpass%")OR LIKE (process_exec, "%vault%")OR LIKE (process_exec, "%.kdb%")) 
| stats count min(_time) as firstTime max(_time) as lastTime by argc process_exec dest 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`
| `linux_auditd_find_credentials_from_password_managers_filter`

Linux Auditd Unix Shell Configuration Modification

Description

The following analytic detects suspicious modifications to Unix shell configuration files, which may indicate an attempt to alter system behavior or gain unauthorized access. Unix shell configuration files, such as .bashrc or .profile, control user environment settings and command execution. Unauthorized changes to these files can be used to execute malicious commands, escalate privileges, or hide malicious activities. By monitoring for unusual or unauthorized modifications to shell configuration files, this analytic helps identify potential security threats, allowing security teams to respond quickly and mitigate risks.

Detection logic

`linux_auditd` type=PATH name IN ("/etc/profile", "/etc/shells", "/etc/profile.d", "/etc/bash.bashrc", "/etc/bashrc", "/etc/zsh/zprofile", "/etc/zsh/zshrc", "/etc/zsh/zlogin", "/etc/zsh/zlogout", "/etc/csh.cshrc", "/etc/csh.login", "/root/.bashrc", "/root/.bash_profile", "/root/.profile", "/root/.zshrc", "/root/.zprofile", "/home/*/.bashrc", "/home/*/.zshrc", "/home/*/.bash_profile", "/home/*/.zprofile", "/home/*/.profile", "/home/*/.bash_login", "/home/*/.bash_logout", "/home/*/.zlogin", "/home/*/.zlogout") 
| rename host as dest 
| stats count min(_time) as firstTime max(_time) as lastTime by name nametype OGID type dest 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `linux_auditd_unix_shell_configuration_modification_filter`

Linux Auditd Database File And Directory Discovery

Description

The following analytic detects suspicious database file and directory discovery activities, which may signal an attacker's attempt to locate and assess critical database assets on a compromised system. It matches find or grep invocations that reference common database file extensions (SQLite, MySQL/InnoDB, SQL Server, Access, dBase, DB2, FoxPro, and Oracle files, among others). This behavior is often a precursor to data theft, unauthorized access, or privilege escalation, as attackers seek to identify valuable information stored in databases. By monitoring for unusual or unauthorized attempts to locate database files and directories, this analytic aids in early detection of potential reconnaissance or data breach efforts, enabling security teams to respond swiftly and mitigate the risk of further compromise.

Detection logic

`linux_auditd` `linux_auditd_normalized_execve_process` 
| rename host as dest 
| where  (LIKE (process_exec, "%find%") OR LIKE (process_exec, "%grep%")) AND (LIKE (process_exec, "%.db%") OR LIKE (process_exec, "%.sql%") OR LIKE (process_exec, "%.sqlite%") OR LIKE (process_exec, "%.mdb%")OR LIKE (process_exec, "%.accdb%")OR LIKE (process_exec, "%.mdf%")OR LIKE (process_exec, "%.ndf%")OR LIKE (process_exec, "%.ldf%")OR LIKE (process_exec, "%.frm%")OR LIKE (process_exec, "%.idb%")OR LIKE (process_exec, "%.myd%")OR LIKE (process_exec, "%.myi%")OR LIKE (process_exec, "%.dbf%")OR LIKE (process_exec, "%.db2%")OR LIKE (process_exec, "%.dbc%")OR LIKE (process_exec, "%.fpt%")OR LIKE (process_exec, "%.ora%")) 
| stats count min(_time) as firstTime max(_time) as lastTime by argc process_exec dest 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`
| `linux_auditd_database_file_and_directory_discovery_filter`

Linux Auditd File And Directory Discovery

Description

The following analytic detects suspicious file and directory discovery activities, which may indicate an attacker’s effort to locate sensitive documents and files on a compromised system. This behavior often precedes data exfiltration, as adversaries seek to identify valuable or confidential information for theft. By identifying unusual or unauthorized attempts to browse or enumerate files and directories, this analytic helps security teams detect potential reconnaissance or preparatory actions by an attacker, enabling timely intervention to prevent data breaches or unauthorized access.

Detection logic

`linux_auditd` `linux_auditd_normalized_execve_process` 
| rename host as dest 
| where  (LIKE (process_exec, "%find%") OR LIKE (process_exec, "%grep%")) AND (LIKE (process_exec, "%.tif%") OR LIKE (process_exec, "%.tiff%") OR LIKE (process_exec, "%.gif%") OR LIKE (process_exec, "%.jpeg%")OR LIKE (process_exec, "%.jpg%")OR LIKE (process_exec, "%.jif%")OR LIKE (process_exec, "%.jfif%")OR LIKE (process_exec, "%.jp2%")OR LIKE (process_exec, "%.jpx%")OR LIKE (process_exec, "%.j2k%")OR LIKE (process_exec, "%.j2c%")OR LIKE (process_exec, "%.fpx%")OR LIKE (process_exec, "%.pcd%")OR LIKE (process_exec, "%.png%")OR LIKE (process_exec, "%.flv%") OR LIKE (process_exec, "%.pdf%")OR LIKE (process_exec, "%.mp4%")OR LIKE (process_exec, "%.mp3%")OR LIKE (process_exec, "%.gifv%")OR LIKE (process_exec, "%.avi%")OR LIKE (process_exec, "%.mov%")OR LIKE (process_exec, "%.mpeg%")OR LIKE (process_exec, "%.wav%")OR LIKE (process_exec, "%.doc%")OR LIKE (process_exec, "%.docx%")OR LIKE (process_exec, "%.xls%")OR LIKE (process_exec, "%.xlsx%")OR LIKE (process_exec, "%.svg%")) 
| stats count min(_time) as firstTime max(_time) as lastTime by argc process_exec dest 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`
| `linux_auditd_file_and_directory_discovery_filter`

Linux Auditd At Application Execution

Description

The following analytic detects the execution of the “at” application in Linux, which can be used by attackers to create persistence entries on a compromised host. This detection leverages Linux Auditd SYSCALL records, focusing on executions whose comm or exe is “at” or “atd”, excluding the daemon UID under which atd runs its queued jobs. This activity is significant because the “at” application can be exploited to maintain unauthorized access or deliver additional malicious payloads. If confirmed malicious, this behavior could lead to data theft, ransomware attacks, or other severe consequences. Immediate investigation is required to determine the legitimacy of the execution and mitigate potential risks.

Detection logic

`linux_auditd` type=SYSCALL (comm IN ("at", "atd") OR exe IN ("/usr/bin/at","/usr/bin/atd")) AND NOT (UID IN("daemon")) 
| rename host as dest 
| stats count min(_time) as firstTime max(_time) as lastTime by comm exe  SYSCALL UID ppid pid dest 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`
| `linux_auditd_at_application_execution_filter`

Linux Edit Cron Table Parameter

Description

The following analytic detects the suspicious editing of cron jobs in Linux using the crontab command-line parameter (-e). It identifies this activity by monitoring command-line executions involving ‘crontab’ and the edit parameter. This behavior is significant for a SOC as cron job manipulations can indicate unauthorized persistence attempts or scheduled malicious actions. If confirmed malicious, this activity could lead to system compromise, unauthorized access, or broader network compromise.

Detection logic


| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = crontab Processes.process = "*crontab *" Processes.process = "* -e*" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id 
| `drop_dm_object_name(Processes)` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `linux_edit_cron_table_parameter_filter`

Linux Adding Crontab Using List Parameter

Description

The following analytic detects invocations of the crontab command with the -l (list) parameter on Linux systems. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. Listing the current table is the usual first step when a job is appended non-interactively (for example, piping the output of crontab -l together with a new line back into crontab -), so this activity may indicate an attempt to establish persistence or execute malicious code on a schedule. If confirmed malicious, the impact could include unauthorized code execution, data destruction, or other damaging outcomes. Further investigation should analyze the added cron job, its associated command, and any related processes.

Detection logic


| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = "crontab" Processes.process= "* -l*" by  Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.dest Processes.user 
| `drop_dm_object_name(Processes)` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `linux_adding_crontab_using_list_parameter_filter`

Linux Auditd Preload Hijack Via Preload File

Description

The following analytic detects access to or modification of /etc/ld.so.preload, the file from which the dynamic loader reads shared objects to load into every dynamically linked program before any other library. An attacker who can write to it can inject a shared object into every new process, for example to hook libc functions and hide files, processes, or network connections, a classic user-land rootkit technique. By monitoring auditd PATH records that reference this file, this analytic helps identify attempts to hijack the preload mechanism, enabling security teams to investigate and address potential threats to system integrity and security. Note that auditd only emits PATH records for this file when an audit rule covers it (for example a watch on /etc/ld.so.preload), and that statically linked binaries are unaffected by the preload file.

Detection logic

`linux_auditd` type=PATH name="/etc/ld.so.preload*" 
| rename host as dest 
| stats count min(_time) as firstTime max(_time) as lastTime by name nametype OGID type dest 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `linux_auditd_preload_hijack_via_preload_file_filter`
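The two PATH-record rules above (Unix shell configuration modification and preload hijack via preload file) match the name field of auditd PATH records against fixed paths and "*" wildcards. The following Python is an added example, not code from the page or from Splunk security_content: it evaluates both lists over raw PATH lines, approximating Splunk's wildcard IN (...) with fnmatch, and then shows what the shell-file list does and does not cover. It assumes the raw ogid field is what the rules call OGID and takes dest as a parameter, since raw lines carry no host; the shell-file list is the rule's own with "/root/.profile" written with its leading slash, and the sample records are constructed.

```python
"""Evaluate the two PATH-record rules above (shell configuration files and
/etc/ld.so.preload) over raw auditd lines.

Added example, not code from Splunk security_content. Splunk's IN (...) with
"*" wildcards is approximated with fnmatch; the raw ogid field is assumed to be
what the rules call OGID, and dest is a parameter because the lines carry no host.
"""
import re
from collections import Counter
from fnmatch import fnmatchcase

# The rule's own list, with "/root/.profile" given its leading slash.
SHELL_CONFIG_PATHS = [
    "/etc/profile", "/etc/shells", "/etc/profile.d", "/etc/bash.bashrc", "/etc/bashrc",
    "/etc/zsh/zprofile", "/etc/zsh/zshrc", "/etc/zsh/zlogin", "/etc/zsh/zlogout",
    "/etc/csh.cshrc", "/etc/csh.login",
    "/root/.bashrc", "/root/.bash_profile", "/root/.profile", "/root/.zshrc", "/root/.zprofile",
    "/home/*/.bashrc", "/home/*/.zshrc", "/home/*/.bash_profile", "/home/*/.zprofile",
    "/home/*/.profile", "/home/*/.bash_login", "/home/*/.bash_logout", "/home/*/.zlogin", "/home/*/.zlogout",
]
PRELOAD_PATHS = ["/etc/ld.so.preload*"]

# Constructed sample records, not real log data (fields abridged to those used).
SAMPLE_PATH_RECORDS = [
    'type=PATH msg=audit(1700000000.401:601): item=0 name="/home/alice/.bashrc" inode=1201 dev=08:01 mode=0100644 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL',
    'type=PATH msg=audit(1700000000.402:602): item=0 name="/home/alice/.bash_history" inode=1202 dev=08:01 mode=0100600 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL',
    'type=PATH msg=audit(1700000000.403:603): item=1 name="/etc/ld.so.preload" inode=2201 dev=08:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=CREATE',
    'type=PATH msg=audit(1700000000.404:604): item=1 name="/etc/profile.d/99-evil.sh" inode=2202 dev=08:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=CREATE',
    'type=PATH msg=audit(1700000000.405:605): item=0 name="/root/.profile" inode=2203 dev=08:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL',
    'type=SYSCALL msg=audit(1700000000.405:605): arch=c000003e syscall=257 success=yes exit=3 comm="vim" exe="/usr/bin/vim"',
]

KV_RE = re.compile(r'(\w+)="?([^"\s]*)"?')


def matches(name, patterns):
    """Splunk-style wildcard match: * spans any characters, including '/'."""
    return any(fnmatchcase(name, p) for p in patterns)


def evaluate_path_rules(lines, dest="host1", shell_patterns=SHELL_CONFIG_PATHS):
    """Counter keyed (rule, (name, nametype, OGID, type, dest)), like the rules' stats clauses."""
    hits = Counter()
    for line in lines:
        ev = dict(KV_RE.findall(line))
        if ev.get("type") != "PATH":
            continue
        name = ev.get("name", "")  # auditd hex-encodes names containing spaces; not decoded here
        row = (name, ev.get("nametype"), ev.get("ogid"), "PATH", dest)
        if matches(name, shell_patterns):
            hits[("linux_auditd_unix_shell_configuration_modification", row)] += 1
        if matches(name, PRELOAD_PATHS):
            hits[("linux_auditd_preload_hijack_via_preload_file", row)] += 1
    return hits


def rows_for(hits, rule):
    """The stats rows produced for one rule, sorted by name."""
    return sorted(row for (r, row) in hits if r == rule)


if __name__ == "__main__":
    results = evaluate_path_rules(SAMPLE_PATH_RECORDS)
    for rule in sorted({r for (r, _row) in results}):
        print(rule, rows_for(results, rule))
```

Two caveats the sample makes visible. First, a new drop-in file such as /etc/profile.d/99-evil.sh is not matched, because the list names the directory /etc/profile.d itself and not its contents; adding a "/etc/profile.d/*" entry (my suggestion, not part of the published rule) closes that gap. Second, a PATH record with nametype=NORMAL is produced for reads as well as writes when the audit watch includes read permission, so the rule's output should be read together with the accompanying SYSCALL record to tell an edit from a shell merely sourcing its own rc file.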

Linux Auditd Service Started

Description

The following analytic detects systemctl or service invocations with a start or enable argument, that is, a service being started or configured to start at boot. Adversaries start or enable units to launch a dropped payload, to re-enable a service they intend to abuse, or to install a malicious unit as persistence, so a SOC should correlate these events with recent unit-file changes and the user and parent process involved. If confirmed malicious, this could lead to serious consequences, including a persistent foothold, unauthorized access to sensitive data, or a wider breach affecting the entire network. Because starting and enabling services is routine administration and package-manager activity, expect to tune the filter macro for known automation.

Detection logic

`linux_auditd` `linux_auditd_normalized_proctitle_process` 
| rename host as dest 
| where (LIKE(process_exec, "%systemctl %") OR LIKE(process_exec, "%service %") ) AND(LIKE(process_exec, "% start %") OR LIKE(process_exec, "% enable %")) 
| stats count min(_time) as firstTime max(_time) as lastTime by process_exec proctitle normalized_proctitle_delimiter dest 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`
| `linux_auditd_service_started_filter`

Linux Auditd Whoami User Discovery

Description

The following analytic detects the suspicious use of the whoami command, which may indicate an attacker trying to gather information about the current user account on a compromised system. The whoami command is commonly used to verify user privileges and identity, especially during initial stages of an attack to assess the level of access. By monitoring for unusual or unauthorized executions of whoami, this analytic helps in identifying potential reconnaissance activities, enabling security teams to take action before the attacker escalates privileges or conducts further malicious operations.

Detection logic

`linux_auditd` type=SYSCALL comm=whoami OR exe="*/whoami"
| rename host as dest 
| stats count min(_time) as firstTime max(_time) as lastTime by comm exe SYSCALL UID ppid pid dest success
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`
| `linux_auditd_whoami_user_discovery_filter`

Linux Auditd Unload Module Via Modprobe

Description

The following analytic detects suspicious use of the modprobe command to unload kernel modules, which may indicate an attempt to disable critical system components or evade detection. The modprobe utility manages kernel modules, and unauthorized unloading of modules can disrupt system security features, remove logging capabilities, or conceal malicious activities. By monitoring for unusual or unauthorized modprobe operations involving module unloading, this analytic helps identify potential tampering with kernel functionality, enabling security teams to investigate and address possible threats to system integrity.

Detection logic

`linux_auditd` `linux_auditd_normalized_execve_process` 
| rename host as dest 
| where LIKE (process_exec, "%modprobe%") AND LIKE (process_exec, "%-r %")
| stats count min(_time) as firstTime max(_time) as lastTime by argc process_exec dest 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `linux_auditd_unload_module_via_modprobe_filter`

Linux Auditd Osquery Service Stop

Description

The following analytic detects suspicious stopping of the osquery service, which may indicate an attempt to disable monitoring and evade detection. Osquery is a powerful tool used for querying system information and detecting anomalies, and stopping its service can be a sign that an attacker is trying to disrupt security monitoring or hide malicious activities. By monitoring for unusual or unauthorized stops of the osquery service, this analytic helps identify potential efforts to bypass security controls, enabling security teams to investigate and respond to possible threats effectively.

Detection logic

`linux_auditd` type=SERVICE_STOP unit IN ("osqueryd") 
| rename host as dest 
| stats count min(_time) as firstTime max(_time) as lastTime by type pid UID comm exe unit dest 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`
| `linux_auditd_osquery_service_stop_filter`

Linux Auditd Base64 Decode Files

Description

The following analytic detects suspicious Base64 decode operations that may indicate malicious activity, such as data exfiltration or execution of encoded commands. Base64 is commonly used to encode data for safe transmission, but attackers may abuse it to conceal malicious payloads. This detection focuses on identifying unusual or unexpected Base64 decoding processes, particularly when associated with critical files or directories. By monitoring these activities, the analytic helps uncover potential threats, enabling security teams to respond promptly and mitigate risks associated with encoded malware or unauthorized data access.

Detection logic

`linux_auditd` `linux_auditd_normalized_execve_process` 
| rename host as dest 
| where LIKE(process_exec, "%base64%") AND (LIKE(process_exec, "%-d %") OR LIKE(process_exec, "% --d%")) 
| stats count min(_time) as firstTime max(_time) as lastTime by argc process_exec dest 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `linux_auditd_base64_decode_files_filter`

Linux Auditd Kernel Module Using Rmmod Utility

Description

The following analytic detects suspicious use of the rmmod utility for kernel module removal, which may indicate an attacker's attempt to unload critical or security-related kernel modules. The rmmod command is used to remove modules from the Linux kernel, and unauthorized use can be a tactic to disable security features, conceal malicious activities, or disrupt system operations. By monitoring for unusual or unauthorized rmmod activity, this analytic helps identify potential tampering with kernel modules, enabling security teams to take proactive measures to protect system integrity and security.

Detection logic

`linux_auditd` type=SYSCALL comm=rmmod 
| rename host as dest
| stats count min(_time) as firstTime max(_time) as lastTime by comm exe SYSCALL UID ppid pid success dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `linux_auditd_kernel_module_using_rmmod_utility_filter`

Linux Auditd Find Private Keys

Description

The following analytic detects suspicious attempts to find private keys, which may indicate an attacker’s effort to access sensitive cryptographic information. Private keys are crucial for securing encrypted communications and data, and unauthorized access to them can lead to severe security breaches, including data decryption and identity theft. By monitoring for unusual or unauthorized searches for private keys, this analytic helps identify potential threats to cryptographic security, enabling security teams to take swift action to protect the integrity and confidentiality of encrypted information.

Detection logic

`linux_auditd` `linux_auditd_normalized_execve_process` 
| rename host as dest 
| where (LIKE (process_exec, "%find%") OR LIKE (process_exec, "%grep%")) AND (LIKE (process_exec, "%.pem%") OR LIKE (process_exec, "%.cer%") OR LIKE (process_exec, "%.crt%") OR LIKE (process_exec, "%.pgp%") OR LIKE (process_exec, "%.key%") OR LIKE (process_exec, "%.gpg%") OR LIKE (process_exec, "%.ppk%") OR LIKE (process_exec, "%.p12%") OR LIKE (process_exec, "%.pfx%") OR LIKE (process_exec, "%.p7b%"))
| stats count min(_time) as firstTime max(_time) as lastTime by argc process_exec dest 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`
| `linux_auditd_find_private_keys_filter`

Linux Auditd Virtual Disk File And Directory Discovery

Description

The following analytic detects suspicious discovery of virtual disk files and directories, which may indicate an attacker’s attempt to locate and access virtualized storage environments. Virtual disks can contain sensitive data or critical system configurations, and unauthorized discovery attempts could signify preparatory actions for data exfiltration or further compromise. By monitoring for unusual or unauthorized searches for virtual disk files and directories, this analytic helps identify potential reconnaissance activities, enabling security teams to respond promptly and safeguard against unauthorized access and data breaches.

Detection logic

`linux_auditd` `linux_auditd_normalized_execve_process` 
| rename host as dest 
| where (LIKE (process_exec, "%find%") OR LIKE (process_exec, "%grep%")) AND (LIKE (process_exec, "%.vhd%") OR LIKE (process_exec, "%.vhdx%") OR LIKE (process_exec, "%.vmdk%"))
| stats count min(_time) as firstTime max(_time) as lastTime by argc process_exec dest 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`
| `linux_auditd_virtual_disk_file_and_directory_discovery_filter`
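The execve-based rules above (Unload Module Via Modprobe, Base64 Decode Files, Find Private Keys, and Virtual Disk File And Directory Discovery) share one pipeline: the `linux_auditd_normalized_execve_process` macro joins the EXECVE arguments into `process_exec`, a `where` clause ANDs together groups of `LIKE` patterns, `stats` groups by `argc process_exec dest`, and a per-rule filter macro removes known false positives. The following Python is an added example, not code from the page or from the Splunk security content project, that emulates that pipeline over constructed EXECVE records. How the macro builds `process_exec` from `argc`/`a0..aN`, and the allowlist used as a stand-in for the `_filter` macros, are assumptions.

```python
import re

# Constructed auditd EXECVE records (sample data, not real captures). The argc/a0..aN
# layout follows auditd's EXECVE record; host and _time are the Splunk-side fields the
# page's SPL renames (host -> dest) and aggregates on.
SAMPLE_RECORDS = [
    {"host": "web01", "_time": 1700000000, "argc": 3, "a0": "modprobe", "a1": "-r", "a2": "nf_conntrack"},
    {"host": "web01", "_time": 1700000300, "argc": 3, "a0": "base64", "a1": "-d", "a2": "payload.b64"},
    {"host": "backup01", "_time": 1700000600, "argc": 4, "a0": "find", "a1": "/etc", "a2": "-name", "a3": "*.pem"},
    {"host": "web01", "_time": 1700000900, "argc": 2, "a0": "ls", "a1": "-la"},
    {"host": "web01", "_time": 1700001200, "argc": 3, "a0": "modprobe", "a1": "-r", "a2": "nf_conntrack"},
    {"host": "db01", "_time": 1700001500, "argc": 4, "a0": "grep", "a1": "-rl", "a2": ".vmdk", "a3": "/srv"},
    # Edge case: "-r" with no module name; the page's "%-r %" pattern needs a character after the flag.
    {"host": "web01", "_time": 1700001800, "argc": 2, "a0": "modprobe", "a1": "-r"},
]

# Each rule's where clause as a list of OR-groups that are ANDed together, copied from the page's SPL.
RULES = {
    "Linux Auditd Unload Module Via Modprobe": [["%modprobe%"], ["%-r %"]],
    "Linux Auditd Base64 Decode Files": [["%base64%"], ["%-d %", "% --d%"]],
    "Linux Auditd Find Private Keys": [
        ["%find%", "%grep%"],
        ["%.pem%", "%.cer%", "%.crt%", "%.pgp%", "%.key%", "%.gpg%", "%.ppk%", "%.p12%", "%.pfx%", "%.p7b%"],
    ],
    "Linux Auditd Virtual Disk File And Directory Discovery": [
        ["%find%", "%grep%"],
        ["%.vhd%", "%.vhdx%", "%.vmdk%"],
    ],
}

# Stand-in for the per-rule `<rule>_filter` macros: (dest, process_exec pattern) pairs for
# known automation. Constructed; the real macros are whatever the deployment defines.
FILTERS = {
    "Linux Auditd Find Private Keys": [("backup01", "find /etc -name *.pem")],
}

def spl_like(value, pattern):
    """SPL LIKE(): '%' matches any run of characters, '_' exactly one character; everything
    else is literal. Matched case-sensitively here."""
    regex = "".join(".*" if c == "%" else "." if c == "_" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, re.DOTALL) is not None

def normalize_execve(record):
    """Assumed behaviour of `linux_auditd_normalized_execve_process`: join a0..a(argc-1)
    with single spaces into process_exec, and rename host to dest."""
    argc = int(record["argc"])
    argv = [record[f"a{i}"] for i in range(argc)]
    return {"dest": record["host"], "_time": record["_time"], "argc": argc,
            "process_exec": " ".join(argv)}

def is_filtered(rule, event, filters):
    """True when the event matches an allowlist entry for this rule."""
    return any(event["dest"] == dest and spl_like(event["process_exec"], pattern)
               for dest, pattern in filters.get(rule, []))

def run_rules(records, rules=RULES, filters=FILTERS):
    """Emulate `where` + `stats count min(_time) as firstTime max(_time) as lastTime by
    argc process_exec dest` + the filter macro. The filter keys on dest and process_exec,
    which are also the stats keys, so applying it before or after stats yields the same
    rows. Returns {rule: {(argc, process_exec, dest): {count, firstTime, lastTime}}}."""
    results = {}
    for rule, groups in rules.items():
        rows = {}
        for raw in records:
            ev = normalize_execve(raw)
            matched = all(any(spl_like(ev["process_exec"], p) for p in group) for group in groups)
            if not matched or is_filtered(rule, ev, filters):
                continue
            key = (ev["argc"], ev["process_exec"], ev["dest"])
            row = rows.setdefault(key, {"count": 0, "firstTime": ev["_time"], "lastTime": ev["_time"]})
            row["count"] += 1
            row["firstTime"] = min(row["firstTime"], ev["_time"])
            row["lastTime"] = max(row["lastTime"], ev["_time"])
        results[rule] = rows
    return results

if __name__ == "__main__":
    for rule, rows in run_rules(SAMPLE_RECORDS).items():
        print(rule)
        for (argc, process_exec, dest), row in rows.items():
            print(f"  dest={dest} argc={argc} process_exec={process_exec!r} {row}")
```

Two tuning points fall out of running this. The patterns `%-r %` and `%-d %` carry a trailing space, so a bare `modprobe -r` or `base64 -d` with nothing after the flag is not matched unless the normalization macro appends whitespace; check real macro output before relying on that. Conversely, `%.key%` matches any argument containing `.key` (a `.keyring` path, for instance), which is the kind of match the filter macro exists to tune out on hosts where an operator's automation runs such searches.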

Linux Stop Services

Description

The following analytic detects attempts to stop or clear a service on Linux systems. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on processes like “systemctl,” “service,” and “svcadm” executing stop commands. This activity is significant as adversaries often terminate security or critical services to disable defenses or disrupt operations, as seen in malware like Industroyer2. If confirmed malicious, this could lead to the disabling of security mechanisms, allowing attackers to persist, escalate privileges, or deploy destructive payloads, severely impacting system integrity and availability.

Detection logic

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN ("systemctl", "service", "svcadm") Processes.process="*stop*" by Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid Processes.dest Processes.user
| `drop_dm_object_name(Processes)` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `linux_stop_services_filter`

Linux Auditd Add User Account Type

Description

The following analytic detects a suspicious add user account event (auditd record type ADD_USER). This behavior is critical for a SOC to monitor because it may indicate attempts to gain unauthorized access or maintain control over a system. Such actions could be signs of malicious activity. If confirmed, this could lead to serious consequences, including a compromised system, unauthorized access to sensitive data, or even a wider breach affecting the entire network. Detecting and responding to these signs early is essential to prevent potential security incidents.

Detection logic

`linux_auditd` type=ADD_USER 
| rename hostname as dest
| stats count min(_time) as firstTime max(_time) as lastTime by exe pid dest res UID type 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`
| `linux_auditd_add_user_account_type_filter`

Linux Auditd Auditd Service Stop

Description

The following analytic detects a suspicious stop of the auditd service. This behavior is critical for a SOC to monitor because it may indicate attempts to gain unauthorized access or maintain control over a system. Such actions could be signs of malicious activity. If confirmed, this could lead to serious consequences, including a compromised system, unauthorized access to sensitive data, or even a wider breach affecting the entire network. Detecting and responding to these signs early is essential to prevent potential security incidents.

Detection logic

`linux_auditd` type=SERVICE_STOP unit IN ("auditd") 
| rename host as dest 
| stats count min(_time) as firstTime max(_time) as lastTime by type pid UID comm exe unit dest 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`
| `linux_auditd_auditd_service_stop_filter`
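The remaining auditd rules on this page (Preload Hijack Via Preload File, Whoami User Discovery, Kernel Module Using Rmmod Utility, Osquery Service Stop, Add User Account Type, and this Auditd Service Stop rule) do not need the execve normalization; they filter directly on record `type` and on key=value fields such as `comm`, `exe`, `name` and `unit`. The Python below is an added example, not code from the page or from the Splunk security content project, that parses constructed raw auditd lines into fields and applies each rule's search terms to them. The page's SPL refers to `UID`, `OGID` and `SYSCALL`; those are assumed here to be the Splunk-side names for the raw `uid`, `ogid` and `syscall` keys, and the example keeps the raw names. The `msg='...'` sub-record handling for SERVICE_STOP and ADD_USER follows auditd's usual layout.

```python
import re

# Constructed auditd lines (sample data, not real captures), one record per line.
SAMPLE_LINES = [
    'type=SYSCALL msg=audit(1700000000.101:4501): arch=c000003e syscall=59 success=yes exit=0 ppid=2210 pid=2215 auid=1000 uid=0 gid=0 comm="rmmod" exe="/usr/sbin/rmmod" key=(null)',
    'type=SYSCALL msg=audit(1700000010.102:4502): arch=c000003e syscall=59 success=yes exit=0 ppid=2210 pid=2218 auid=1000 uid=1000 gid=1000 comm="whoami" exe="/usr/bin/whoami" key=(null)',
    'type=SYSCALL msg=audit(1700000020.103:4503): arch=c000003e syscall=59 success=yes exit=0 ppid=2210 pid=2219 auid=1000 uid=1000 gid=1000 comm="bash" exe="/usr/bin/bash" key=(null)',
    'type=PATH msg=audit(1700000030.104:4504): item=0 name="/etc/ld.so.preload" inode=1234 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=CREATE',
    'type=SERVICE_STOP msg=audit(1700000040.105:4505): pid=1 uid=0 auid=4294967295 ses=4294967295 msg=\'unit=auditd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success\'',
    'type=SERVICE_STOP msg=audit(1700000050.106:4506): pid=1 uid=0 auid=4294967295 ses=4294967295 msg=\'unit=osqueryd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success\'',
    'type=SERVICE_STOP msg=audit(1700000060.107:4507): pid=1 uid=0 auid=4294967295 ses=4294967295 msg=\'unit=cron comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success\'',
    'type=ADD_USER msg=audit(1700000070.108:4508): pid=3300 uid=0 auid=1000 ses=3 msg=\'op=adding user id=1001 exe="/usr/sbin/useradd" hostname=? addr=? terminal=pts/0 res=success\'',
]

# key=value tokens; values are double-quoted, single-quoted (nested msg='...'), or bare.
TOKEN = re.compile(r"""(\w+)=("[^"]*"|'[^']*'|\S+)""")
AUDIT_STAMP = re.compile(r"audit\(([\d.]+):(\d+)\):?")

def parse_audit_record(line):
    """Parse one auditd line into a flat dict. Quoted values are unquoted, the
    audit(ts:serial) token becomes _time/serial, and a msg='...' block is parsed
    recursively and merged into the same dict."""
    fields = {}
    for key, raw in TOKEN.findall(line):
        if raw.startswith("'") and raw.endswith("'"):
            fields.update(parse_audit_record(raw[1:-1]))
            continue
        value = raw[1:-1] if raw.startswith('"') and raw.endswith('"') else raw
        stamp = AUDIT_STAMP.fullmatch(value)
        if key == "msg" and stamp:
            fields["_time"] = float(stamp.group(1))
            fields["serial"] = int(stamp.group(2))
            continue
        fields[key] = value
    return fields

def wildcard_match(value, pattern):
    """Splunk search-term wildcard: '*' matches any run of characters."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value or "") is not None

# Each rule's search terms from the page's SPL as a predicate over the parsed record.
RULES = {
    "Linux Auditd Preload Hijack Via Preload File":
        lambda r: r.get("type") == "PATH" and wildcard_match(r.get("name"), "/etc/ld.so.preload*"),
    "Linux Auditd Whoami User Discovery":
        lambda r: r.get("type") == "SYSCALL" and (r.get("comm") == "whoami" or wildcard_match(r.get("exe"), "*/whoami")),
    "Linux Auditd Kernel Module Using Rmmod Utility":
        lambda r: r.get("type") == "SYSCALL" and r.get("comm") == "rmmod",
    "Linux Auditd Osquery Service Stop":
        lambda r: r.get("type") == "SERVICE_STOP" and r.get("unit") in {"osqueryd"},
    "Linux Auditd Auditd Service Stop":
        lambda r: r.get("type") == "SERVICE_STOP" and r.get("unit") in {"auditd"},
    "Linux Auditd Add User Account Type":
        lambda r: r.get("type") == "ADD_USER",
}

def match_rules(lines, rules=RULES):
    """Return {rule: [parsed records that matched]} for a list of raw auditd lines."""
    hits = {name: [] for name in rules}
    for line in lines:
        rec = parse_audit_record(line)
        for name, predicate in rules.items():
            if predicate(rec):
                hits[name].append(rec)
    return hits

def summarize(hits):
    """Mirror the SPL stats clause: count, firstTime and lastTime per rule that fired."""
    return {rule: {"count": len(recs),
                   "firstTime": min(r["_time"] for r in recs),
                   "lastTime": max(r["_time"] for r in recs)}
            for rule, recs in hits.items() if recs}

if __name__ == "__main__":
    for rule, stats in summarize(match_rules(SAMPLE_LINES)).items():
        print(f"{rule}: {stats}")
```

The `cron` SERVICE_STOP line is there to show that the `unit IN (...)` term is what separates a stop of a monitoring service from ordinary unit restarts; widening that list is the right way to cover other agents, while the rule's `_filter` macro is where planned maintenance windows on known hosts get excluded.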