title: HackTool Execution
id: a015e032-146d-4717-8944-7a1884122111
status: experimental
description: Detects known hacktool execution based on image name
references:
    - Internal Research
author: Nasreddine Bencherchali
date: 2023/01/03
tags:
    - attack.execution
logsource:
    product: linux
    category: process_creation
detection:
    selection:
        Image|endswith:
            # Add more as you see fit
            - '/sqlmap'
            - '/teamserver'
            - '/aircrack-ng'
            - '/john'
            - '/setoolkit'
            - '/wpscan'
            - '/hydra'
            - '/nikto'
    condition: selection
falsepositives:
    - Unknown
level: high