2020-01-30 17:26:09 +01:00
|
|
|
title: Suspicious Commands Linux
|
2019-11-12 23:12:27 +01:00
|
|
|
id: 1543ae20-cbdf-4ec1-8d12-7664d667a825
|
2021-11-27 11:33:14 +01:00
|
|
|
status: test
|
2018-01-23 11:12:39 +01:00
|
|
|
description: Detects relevant commands often related to malware or hacking activity
|
2020-09-13 22:03:04 -06:00
|
|
|
author: Florian Roth
|
2018-01-28 02:24:16 +03:00
|
|
|
references:
|
2021-11-27 11:33:14 +01:00
|
|
|
- Internal Research - mostly derived from exploit code including code in MSF
|
|
|
|
|
date: 2017/12/12
|
|
|
|
|
modified: 2021/11/27
|
2018-01-23 11:12:39 +01:00
|
|
|
logsource:
|
2021-11-27 11:33:14 +01:00
|
|
|
product: linux
|
|
|
|
|
service: auditd
|
2018-01-23 11:12:39 +01:00
|
|
|
detection:
|
2021-11-27 11:33:14 +01:00
|
|
|
cmd1:
|
|
|
|
|
type: 'EXECVE'
|
|
|
|
|
a0: 'chmod'
|
|
|
|
|
a1: '777'
|
|
|
|
|
cmd2:
|
|
|
|
|
type: 'EXECVE'
|
|
|
|
|
a0: 'chmod'
|
|
|
|
|
a1: 'u+s'
|
|
|
|
|
cmd3:
|
|
|
|
|
type: 'EXECVE'
|
|
|
|
|
a0: 'cp'
|
|
|
|
|
a1: '/bin/ksh'
|
|
|
|
|
cmd4:
|
|
|
|
|
type: 'EXECVE'
|
|
|
|
|
a0: 'cp'
|
|
|
|
|
a1: '/bin/sh'
|
2022-01-11 10:59:57 +01:00
|
|
|
condition: 1 of cmd*
|
2018-01-23 11:12:39 +01:00
|
|
|
falsepositives:
|
2021-11-27 11:33:14 +01:00
|
|
|
- Admin activity
|
2020-01-30 17:26:09 +01:00
|
|
|
level: medium
|
2020-09-13 22:03:04 -06:00
|
|
|
tags:
|
2021-11-27 11:33:14 +01:00
|
|
|
- attack.execution
|
|
|
|
|
- attack.t1059.004
|
