unless an administrator is using these commands to troubleshoot or audit a system, the execution of these commands should be monitored.

Techniques

T1059.004

Sample rules

Suspicious Linux Discovery Commands

source: splunk
technicques:
- T1059.004

Description

This search, detects execution of suspicious bash commands from various commonly leveraged bash scripts like (AutoSUID, LinEnum, LinPeas) to perform discovery of possible paths of privilege execution, password files, vulnerable directories, executables and file permissions on a Linux host. The search logic specifically looks for high number of distinct commands run in a short period of time.

Detection logic


| tstats `security_content_summariesonly` count values(Processes.process) values(Processes.process_name) values(Processes.parent_process_name) dc(Processes.process) as distinct_commands dc(Processes.process_name) as distinct_process_names min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where [
|inputlookup linux_tool_discovery_process.csv 
| rename process as Processes.process 
|table Processes.process] by _time span=5m Processes.user Processes.dest 
| `drop_dm_object_name(Processes)` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`
| where distinct_commands > 40 AND distinct_process_names > 3
| `suspicious_linux_discovery_commands_filter`