security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
77cd0bf6c0a250877244f7a07e1ad2edc19fa196
blue-team-tools/rules/linux/auditd/lnx_auditd_hidden_binary_execution.yml
T
signalblur 73f56c2f0e Hidden Linux Binary Execution (#3108) 
Co-authored-by: Florian Roth <venom14@gmail.com>
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
2022-12-31 08:27:32 +01:00

32 lines
877 B
YAML
Raw Blame History

title: Use Of Hidden Paths Or Files
id: 9e1bef8d-0fff-46f6-8465-9aa54e128c1e
related:
- id: d08722cd-3d09-449a-80b4-83ea2d9d4616
type: similar
status: experimental
description: Detects calls to hidden files or files located in hidden directories in NIX systems.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.001/T1564.001.md
author: David Burkett, @signalblur
date: 2022/12/30
tags:
- attack.defense_evasion
- attack.t1574.001
logsource:
product: linux
service: auditd
detection:
selection:
type: 'PATH'
name|contains: '/.'
filter:
name|contains:
- '/.cache/'
- '/.config/'
- '/.pyenv/'
- '/.rustup/toolchains'
condition: selection and not filter
falsepositives:
- Unknown
level: low
Reference in New Issue View Git Blame Copy Permalink