blue-team-tools/rules/linux/process_creation/proc_creation_lnx_hack_tools.yml
Nasreddine Bencherchali 95793d73bd Merge PR #4482 From @nasbench - Add New Automation Workflows
chore: update workflows and add quality of life updates and automation to the repository

---------

Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2023-10-18 11:53:44 +02:00


title: Linux HackTool Execution
id: a015e032-146d-4717-8944-7a1884122111
status: experimental
description: Detects known hacktool execution based on image name
references:
    - Internal Research
    - https://github.com/Gui774ume/ebpfkit
    - https://github.com/pathtofile/bad-bpf
    - https://github.com/carlospolop/PEASS-ng
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023/01/03
modified: 2023/01/31
tags:
    - attack.execution
logsource:
    product: linux
    category: process_creation
detection:
    selection:
        - Image|endswith:
            # Add more as you see fit
            - '/sqlmap'
            - '/teamserver'
            - '/aircrack-ng'
            - '/john'
            - '/setoolkit'
            - '/wpscan'
            - '/hydra'
            - '/nikto'
            # eBPF related malicious tools/poc's
            - '/ebpfkit'
            - '/bpfdos'
            - '/exechijack'
            - '/pidhide'
            - '/writeblocker'
        - Image|contains: '/linpeas'
    condition: selection
falsepositives:
    - Unlikely
level: high
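The detection block above is a list of two maps under `selection`, which Sigma evaluates as an OR: an event matches if `Image` ends with any of the listed suffixes, or if `Image` contains `/linpeas`. Sigma string matching is case-insensitive by default, and `endswith` is anchored, so `/usr/bin/sqlmap-helper` does not match `/sqlmap`. The evaluator below is an added example written for this page, not the rule's own code and not Sigma's reference tooling (pySigma or a backend); it transcribes the selection into plain Python structures instead of parsing the YAML, and the sample events are constructed, not real telemetry. It also makes the rule's main coverage limit visible: because the match is on the image path, a tool executed under a different file name produces no alert, which is why this rule belongs beside behaviour- and hash-based detections rather than replacing them.

```python
"""Minimal evaluator for the detection block of the Linux HackTool Execution rule.

Added example (not part of the rule or of Sigma's tooling). It applies Sigma's
default matching semantics to a list of process_creation events:
  - the list of maps under `selection` is OR-ed,
  - the keys inside one map are AND-ed,
  - a list of values for one field is OR-ed,
  - string comparison is case-insensitive,
  - only the modifiers used by this rule (endswith, contains) plus the
    trivial startswith / exact forms are implemented.
"""
from __future__ import annotations

# Selection transcribed from the rule on this page.
SELECTION = [
    {"Image|endswith": [
        "/sqlmap", "/teamserver", "/aircrack-ng", "/john", "/setoolkit",
        "/wpscan", "/hydra", "/nikto",
        # eBPF related tools / PoCs
        "/ebpfkit", "/bpfdos", "/exechijack", "/pidhide", "/writeblocker",
    ]},
    {"Image|contains": "/linpeas"},
]


def _field_matches(event: dict, key: str, expected) -> bool:
    """Evaluate one 'Field|modifier: value(s)' pair against an event."""
    field, _, modifier = key.partition("|")
    actual = event.get(field)
    if actual is None:            # missing field never matches
        return False
    actual = str(actual).lower()  # Sigma default: case-insensitive
    values = expected if isinstance(expected, list) else [expected]
    for value in values:          # list of values for one field = OR
        value = str(value).lower()
        if modifier == "endswith" and actual.endswith(value):
            return True
        if modifier == "contains" and value in actual:
            return True
        if modifier == "startswith" and actual.startswith(value):
            return True
        if modifier == "" and actual == value:
            return True
    return False


def _map_matches(event: dict, mapping: dict) -> bool:
    """All keys inside one map must hold (AND)."""
    return all(_field_matches(event, k, v) for k, v in mapping.items())


def selection_matches(event: dict, selection=SELECTION) -> bool:
    """True if any map in the selection list matches (list of maps = OR)."""
    return any(_map_matches(event, m) for m in selection)


def evaluate(events) -> list:
    """Return the Image of every event the rule would alert on, in order."""
    return [e["Image"] for e in events if selection_matches(e)]


# Constructed sample process_creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": "/usr/bin/sqlmap", "CommandLine": "sqlmap --help"},
    {"Image": "/opt/cs/teamserver", "CommandLine": "./teamserver"},
    {"Image": "/tmp/linpeas.sh", "CommandLine": "/tmp/linpeas.sh -a"},   # contains
    {"Image": "/usr/bin/SQLMAP", "CommandLine": "SQLMAP"},              # case-insensitive
    {"Image": "/usr/bin/sqlmap-helper", "CommandLine": "sqlmap-helper"},  # endswith is anchored
    {"Image": "/home/john/run.sh", "CommandLine": "run.sh"},            # user dir, not the tool
    {"Image": "/tmp/.cache/scan", "CommandLine": "scan"},               # renamed binary: no alert
]

if __name__ == "__main__":
    for image in evaluate(SAMPLE_EVENTS):
        print("ALERT:", image)
```

Running the block prints four alerts (the two exact-suffix hits, the `linpeas` contains hit, and the upper-case variant) and stays silent on the last three events; the final one is the case a defender should keep in mind when setting expectations for a name-based rule.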