Skip to content
Threat Feed

Product

Linux

12 briefs RSS
medium advisory

Potential Persistence via Linux File Modification

This rule detects potential persistence attempts on Linux systems by monitoring file modifications of files commonly used for persistence, such as cron jobs, systemd services, message-of-the-day (MOTD), SSH configurations, shell configurations, runtime control, init daemon, passwd/sudoers/shadow files, Systemd udevd, and XDG/KDE autostart entries.

Linux persistence file_integrity_monitoring
3r 6t
high advisory

Potential Credential Discovery via Recursive Grep

Adversaries may use recursive grep commands on Linux or macOS to discover credentials, secrets, keys, or tokens within files, indicating potential credential access and data exfiltration attempts.

macOS +1 credential-access discovery linux
2r 2t
medium advisory

Potential Data Exfiltration via Wget on Linux Systems

This rule detects the use of wget on Linux systems to upload files to an external server, a tactic commonly used for data exfiltration.

Linux exfiltration wget data-theft
2r 1t
medium advisory

Linux Clipboard Activity Monitoring

This brief provides detection strategies for monitoring clipboard activity on Linux systems, potentially identifying malicious data exfiltration or command execution attempts.

Linux clipboard data exfiltration collection
3r 1t
high advisory

Linux SSH Persistence via Backdoored System User

Attackers can maintain unauthorized access to Linux systems by backdooring system user accounts with SSH keys, allowing persistent access even after password changes.

Linux +1 persistence ssh
3r 2t
high advisory

Linux Shell History Clearing via Environment Variables

Attackers may clear shell history on Linux systems to evade detection by manipulating environment variables related to shell history, such as HISTSIZE and HISTFILE, to prevent command logging.

Linux defense-evasion shell-history
2r 1t
high advisory

Suspicious SUID Binary Execution on Linux

This rule detects the execution of privilege escalation helpers under the root effective user, when initiated by a non-root user with a suspicious parent process, indicating potential privilege escalation attempts.

Linux privilege-escalation suid
3r 2t
high advisory

Suspicious mkfifo Execution on Linux

This brief covers the suspicious execution of commands following the use of 'mkfifo' on Linux systems, often indicating malicious activity such as establishing named pipes for command and control or data exfiltration.

Linux mkfifo named_pipe command_execution lateral_movement
2r 2t
medium advisory

Linux System Network Discovery via Multiple Utilities

Adversaries may attempt to enumerate local network configurations on Linux systems using common utilities like arp, ifconfig, ip, netstat, firewall-cmd, ufw, iptables, ss, and route to gather information for reconnaissance and subsequent attacks, leading to network mapping and vulnerability identification.

Linux network-discovery reconnaissance
2r 1t
high advisory

Linux Privilege Escalation via LD_PRELOAD Shared Object Modification

Attackers can exploit the LD_PRELOAD environment variable on Linux systems to inject malicious shared objects into privileged processes, leading to arbitrary code execution and privilege escalation.

Linux privilege-escalation ld_preload
2r 1t
medium advisory

Potential Data Exfiltration Through Curl

This rule detects potential data exfiltration attempts on Linux systems using the curl command-line tool to upload files to external servers, potentially indicating unauthorized data transfer.

curl +1 data-exfiltration linux
2r 1t
high advisory

Linux Credential Access via Sensitive File Monitoring

This rule detects potential credential access attempts on Linux systems by monitoring access to sensitive files commonly containing credentials or configuration information.

Linux credential_access file_monitoring
2r 1t