Product
Potential Persistence via Linux File Modification
3 rules 6 TTPsThis rule detects potential persistence attempts on Linux systems by monitoring file modifications of files commonly used for persistence, such as cron jobs, systemd services, message-of-the-day (MOTD), SSH configurations, shell configurations, runtime control, init daemon, passwd/sudoers/shadow files, Systemd udevd, and XDG/KDE autostart entries.
Potential Credential Discovery via Recursive Grep
2 rules 2 TTPsAdversaries may use recursive grep commands on Linux or macOS to discover credentials, secrets, keys, or tokens within files, indicating potential credential access and data exfiltration attempts.
Potential Data Exfiltration via Wget on Linux Systems
2 rules 1 TTPThis rule detects the use of wget on Linux systems to upload files to an external server, a tactic commonly used for data exfiltration.
Linux Clipboard Activity Monitoring
3 rules 1 TTPThis brief provides detection strategies for monitoring clipboard activity on Linux systems, potentially identifying malicious data exfiltration or command execution attempts.
Linux SSH Persistence via Backdoored System User
3 rules 2 TTPsAttackers can maintain unauthorized access to Linux systems by backdooring system user accounts with SSH keys, allowing persistent access even after password changes.
Linux Shell History Clearing via Environment Variables
2 rules 1 TTPAttackers may clear shell history on Linux systems to evade detection by manipulating environment variables related to shell history, such as HISTSIZE and HISTFILE, to prevent command logging.
Suspicious SUID Binary Execution on Linux
3 rules 2 TTPsThis rule detects the execution of privilege escalation helpers under the root effective user, when initiated by a non-root user with a suspicious parent process, indicating potential privilege escalation attempts.
Suspicious mkfifo Execution on Linux
2 rules 2 TTPsThis brief covers the suspicious execution of commands following the use of 'mkfifo' on Linux systems, often indicating malicious activity such as establishing named pipes for command and control or data exfiltration.
Linux System Network Discovery via Multiple Utilities
2 rules 1 TTPAdversaries may attempt to enumerate local network configurations on Linux systems using common utilities like arp, ifconfig, ip, netstat, firewall-cmd, ufw, iptables, ss, and route to gather information for reconnaissance and subsequent attacks, leading to network mapping and vulnerability identification.
Linux Privilege Escalation via LD_PRELOAD Shared Object Modification
2 rules 1 TTPAttackers can exploit the LD_PRELOAD environment variable on Linux systems to inject malicious shared objects into privileged processes, leading to arbitrary code execution and privilege escalation.
Potential Data Exfiltration Through Curl
2 rules 1 TTPThis rule detects potential data exfiltration attempts on Linux systems using the curl command-line tool to upload files to external servers, potentially indicating unauthorized data transfer.
Linux Credential Access via Sensitive File Monitoring
2 rules 1 TTPThis rule detects potential credential access attempts on Linux systems by monitoring access to sensitive files commonly containing credentials or configuration information.