rules/linux/process_creation/proc_creation_lnx_hack_tools.yml

title: Linux HackTool Execution
id: a015e032-146d-4717-8944-7a1884122111
status: experimental
description: Detects known hacktool execution based on image name
references:
    - Internal Research
    - https://github.com/Gui774ume/ebpfkit
    - https://github.com/pathtofile/bad-bpf
    - https://github.com/carlospolop/PEASS-ng
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023/01/03
modified: 2023/01/31
tags:
    - attack.execution
logsource:
    product: linux
    category: process_creation
detection:
    selection:
        - Image|endswith:
            # Add more as you see fit
            - '/sqlmap'
            - '/teamserver'
            - '/aircrack-ng'
            - '/john'
            - '/setoolkit'
            - '/wpscan'
            - '/hydra'
            - '/nikto'
            # eBPF related malicious tools/poc's
            - '/ebpfkit'
            - '/bpfdos'
            - '/exechijack'
            - '/pidhide'
            - '/writeblocker'
        - Image|contains: '/linpeas'
    condition: selection
falsepositives:
    - Unlikely
level: high
feat: add bpf related rules 2023-01-25 01:14:49 +01:00			`title: Linux HackTool Execution`
feat: updates and enhancements 2023-01-04 17:49:32 +01:00			`id: a015e032-146d-4717-8944-7a1884122111`
			`status: experimental`
			`description: Detects known hacktool execution based on image name`
			`references:`
			`- Internal Research`
feat: add bpf related rules 2023-01-25 01:14:49 +01:00			`- https://github.com/Gui774ume/ebpfkit`
			`- https://github.com/pathtofile/bad-bpf`
fix: update selection 2023-01-31 17:15:49 +01:00			`- https://github.com/carlospolop/PEASS-ng`
chore: add nextron authors tag 2023-02-01 11:14:59 +01:00			`author: Nasreddine Bencherchali (Nextron Systems)`
feat: updates and enhancements 2023-01-04 17:49:32 +01:00			`date: 2023/01/03`
fix: update modified date 2023-01-31 17:12:20 +01:00			`modified: 2023/01/31`
feat: updates and enhancements 2023-01-04 17:49:32 +01:00			`tags:`
			`- attack.execution`
			`logsource:`
			`product: linux`
			`category: process_creation`
			`detection:`
			`selection:`
fix: update selection 2023-01-31 17:15:49 +01:00			`- Image\|endswith:`
feat: updates and enhancements 2023-01-04 17:49:32 +01:00			`# Add more as you see fit`
			`- '/sqlmap'`
			`- '/teamserver'`
			`- '/aircrack-ng'`
			`- '/john'`
			`- '/setoolkit'`
			`- '/wpscan'`
			`- '/hydra'`
			`- '/nikto'`
feat: add bpf related rules 2023-01-25 01:14:49 +01:00			`# eBPF related malicious tools/poc's`
			`- '/ebpfkit'`
			`- '/bpfdos'`
			`- '/exechijack'`
			`- '/pidhide'`
			`- '/writeblocker'`
fix: update selection 2023-01-31 17:15:49 +01:00			`- Image\|contains: '/linpeas'`
feat: updates and enhancements 2023-01-04 17:49:32 +01:00			`condition: selection`
			`falsepositives:`
feat: add bpf related rules 2023-01-25 01:14:49 +01:00			`- Unlikely`
feat: updates and enhancements 2023-01-04 17:49:32 +01:00			`level: high`