Techniques
Sample rules
Suspicious Linux Discovery Commands
- source: splunk
- technicques:
- T1059.004
Description
The following analytic detects the execution of suspicious bash commands commonly used in scripts like AutoSUID, LinEnum, and LinPeas for system discovery on a Linux host. It leverages Endpoint Detection and Response (EDR) data, specifically looking for a high number of distinct commands executed within a short time frame. This activity is significant as it often precedes privilege escalation or other malicious actions. If confirmed malicious, an attacker could gain detailed system information, identify vulnerabilities, and potentially escalate privileges, posing a severe threat to the environment.
Detection logic
| tstats `security_content_summariesonly` count values(Processes.process) values(Processes.process_name) values(Processes.parent_process_name) dc(Processes.process) as distinct_commands dc(Processes.process_name) as distinct_process_names min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where [
|inputlookup linux_tool_discovery_process.csv
| rename process as Processes.process
|table Processes.process] by _time span=5m Processes.user Processes.dest
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| where distinct_commands > 40 AND distinct_process_names > 3
| `suspicious_linux_discovery_commands_filter`