security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Update lnx_auditd_susp_C2_commands.yml

Browse Source
This commit is contained in:
Florian Roth
2020-05-23 16:49:03 +02:00
committed by GitHub
parent 71c507d8a9
commit e1a05dfc1c
1 changed files with 1 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/linux/auditd/lnx_auditd_susp_C2_commands.yml
+1 -6
View File
@@ -1,12 +1,7 @@
title: Suspicious C2 Activities
id: f7158a64-6204-4d6d-868a-6e6378b467e0
status: experimental
description: Detects suspicious activities as declared by Florian Roth in its 'Best Practice Auditd Configuration'.
This includes the detection of the following commands; wget, curl, base64, nc, netcat, ncat, ssh, socat, wireshark, rawshark, rdesktop, nmap
These commands match a few techniques from the tactics "Command and Control", including not exhaustively the following;
Application Layer Protocol (T1071)
Non-Application Layer Protocol (T1095)
Data Encoding (T1132)
description: Detects suspicious activities as declared by Florian Roth in its 'Best Practice Auditd Configuration'. This includes the detection of the following commands; wget, curl, base64, nc, netcat, ncat, ssh, socat, wireshark, rawshark, rdesktop, nmap. These commands match a few techniques from the tactics "Command and Control", including not exhaustively the following; Application Layer Protocol (T1071), Non-Application Layer Protocol (T1095), Data Encoding (T1132)
references:
- 'https://github.com/Neo23x0/auditd'
date: 2020/05/18