security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Rule: extended suspicious command lines

Browse Source
This commit is contained in:
Florian Roth
2019-02-05 15:58:15 +01:00
parent 8f684ddd06
commit 32c098294f
1 changed files with 28 additions and 18 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/linux/lnx_shell_susp_commands.yml
+28 -18
View File
@@ -6,6 +6,8 @@ references:
- http://pastebin.com/FtygZ1cg
- https://artkond.com/2017/03/23/pivoting-guide/
author: Florian Roth
date: 2017/08/21
modified: 2019/02/05
logsource:
product: linux
detection:
@@ -15,30 +17,38 @@ detection:
- 'wget * - http* | sh'
- 'wget * - http* | bash'
- 'python -m SimpleHTTPServer'
- 'import pty; pty.spawn'
- '-m http.server' # Python 3
- 'import pty; pty.spawn*'
- 'socat exec:*'
- 'socat -O /tmp/*'
- 'socat tcp-connect*'
- '*echo binary >>*'
# Malware
- '*wget *; chmod +x*'
- '*wget *; chmod 777 *'
- '*cd /tmp || cd /var/run || cd /mnt*'
# Apache Struts in-the-wild exploit codes
- 'stop;service iptables stop;'
- 'stop;SuSEfirewall2 stop;'
- 'chmod 777 2020'
- '">>/etc/rc.local;'
- 'wget -c *;chmod 777'
- '*stop;service iptables stop;*'
- '*stop;SuSEfirewall2 stop;*'
- 'chmod 777 2020*'
- '*>>/etc/rc.local'
- '*wget -c *;chmod 777*'
# Metasploit framework exploit codes
- 'base64 -d /tmp/'
- ' | base64 -d'
- '/bin/chmod u+s'
- 'chmod +s /tmp/'
- 'chmod u+s /tmp/'
- '/tmp/haxhax'
- '/tmp/ns_sploit'
- 'nc -l -p '
- 'cp /bin/ksh '
- 'cp /bin/sh '
- ' /tmp/*.b64 '
- '/tmp/ysocereal.jar'
- '*base64 -d /tmp/*'
- '* | base64 -d *'
- '*/chmod u+s *'
- '*chmod +s /tmp/*'
- '*chmod u+s /tmp/*'
- '* /tmp/haxhax*'
- '* /tmp/ns_sploit*'
- 'nc -l -p *'
- 'cp /bin/ksh *'
- 'cp /bin/sh *'
- '* /tmp/*.b64 *'
- '*/tmp/ysocereal.jar*'
- '*/tmp/x *'
- '*; chmod +x /tmp/*'
- '*;chmod +x /tmp/*'
condition: keywords
falsepositives:
- Unknown