Techniques
Sample rules
Webshell Remote Command Execution
- source: sigma
- technicques:
- t1505
- t1505.003
Description
Detects possible command execution by web application/web shell
Detection logic
condition: selection
selection:
key: detect_execve_www
syscall: execve
type: SYSCALL
Program Executions in Suspicious Folders
- source: sigma
- technicques:
- t1584
- t1587
Description
Detects program executions in suspicious non-program folders related to malware or hacking activity
Detection logic
condition: selection
selection:
exe|startswith:
- /tmp/
- /var/www/
- /home/*/public_html/
- /usr/local/apache2/
- /usr/local/httpd/
- /var/apache/
- /srv/www/
- /home/httpd/html/
- /srv/http/
- /usr/share/nginx/html/
- /var/lib/pgsql/data/
- /usr/local/mysql/data/
- /var/lib/mysql/
- /var/vsftpd/
- /etc/bind/
- /var/named/
type: SYSCALL