references_l.md
Sigma rule references as PDF

lnx_apt_equationgroup_lnx

Title : Equation Group Indicators

Rule id : 41e5c73d-9983-4b69-bd03-e13b67e9623c

Url Pdf
https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1 pdf/fbc23cf7bdb7d8008b1bfee9a092047593ddb804ccd640576a72fd3289725226.pdf

lnx_auditd_audio_capture

Title : Audio Capture

Rule id : a7af2487-9c2f-42e4-9bb9-ff961f0561d5

Url Pdf
https://linux.die.net/man/1/arecord pdf/08280d8b9c445448cf24d92db1d316bc354c91ca2d236738d34d5a0f2736e943.pdf
https://linuxconfig.org/how-to-test-microphone-with-audio-linux-sound-architecture-alsa pdf/b530358678197d97fcaad003085be3a486f87b722d94be821cac6a8b7156e030.pdf

lnx_auditd_auditing_config_change

Title : Auditing Configuration Changes on Linux Host

Rule id : 977ef627-4539-4875-adf4-ed8f780c4922

Url Pdf
https://github.com/Neo23x0/auditd/blob/master/audit.rules pdf/d6593fa1148ff6aed550d6fc70d6949e591c28948e6f95571384a21363675f5a.pdf

lnx_auditd_binary_padding

Title : Binary Padding - Linux

Rule id : c52a914f-3d8b-4b2a-bb75-b3991e75f8ba

Url Pdf
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027.001/T1027.001.md pdf/40b1c78325c90f634c521101467e0fdb02b5a754c69920bc365a08a69d674b3b.pdf

lnx_auditd_bpfdoor_file_accessed

Title : BPFDoor Abnormal Process ID or Lock File Accessed

Rule id : 808146b2-9332-4d78-9416-d7e47012d83d

Url Pdf
https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/ pdf/a55431cef17ba59fccdffba7365dabc9d31d406e6d8ece9a4c66fec5b9f7db25.pdf
https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor pdf/57c3faffddefccb78d1f3032e6eb478ec0411ca53233596cc670e3aba25f0f3f.pdf

lnx_auditd_bpfdoor_port_redirect

Title : Bpfdoor TCP Ports Redirect

Rule id : 70b4156e-50fc-4523-aa50-c9dddf1993fc

Url Pdf
https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/ pdf/a55431cef17ba59fccdffba7365dabc9d31d406e6d8ece9a4c66fec5b9f7db25.pdf
https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor pdf/57c3faffddefccb78d1f3032e6eb478ec0411ca53233596cc670e3aba25f0f3f.pdf

lnx_auditd_capabilities_discovery

Title : Linux Capabilities Discovery

Rule id : fe10751f-1995-40a5-aaa2-c97ccb4123fe

Url Pdf
https://man7.org/linux/man-pages/man8/getcap.8.html pdf/6327b4e68f1c0e6a00c99285570b76d299561ad22a315fb32798c943fd3d7c26.pdf
https://www.hackingarticles.in/linux-privilege-escalation-using-capabilities/ pdf/b697217d7ba021ee6205e7fa40f208e14b86936a13453ff8e626befd75ae4d27.pdf
https://mn3m.info/posts/suid-vs-capabilities/ pdf/2f3b0cef92776916eb42bbc2e6fc9fdf37d1ca8485b28f4524c845755dd0b10e.pdf
https://int0x33.medium.com/day-44-linux-capabilities-privilege-escalation-via-openssl-with-selinux-enabled-and-enforced-74d2bec02099 pdf/5900b6197cccf21abc7e1a613935ea20808bb25fcba12f24d9f0fbdc6fac29da.pdf

lnx_auditd_change_file_time_attr

Title : File Time Attribute Change - Linux

Rule id : b3cec4e7-6901-4b0d-a02d-8ab2d8eb818b

Url Pdf
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.006/T1070.006.md pdf/6e67a5b54ffd3741826e988541b6488515797bf3171d7749a61544d51b9e68c5.pdf

lnx_auditd_chattr_immutable_removal

Title : Remove Immutable File Attribute - Auditd

Rule id : a5b977d6-8a81-4475-91b9-49dbfcd941f7

Url Pdf
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.002/T1222.002.md pdf/c3f501462f0468bc44fbc9239f99b61a7f4b93200f3297a566937e6882153534.pdf

lnx_auditd_clipboard_collection

Title : Clipboard Collection with Xclip Tool - Auditd

Rule id : 214e7e6c-f21b-47ff-bb6f-551b2d143fcf

Url Pdf
https://linux.die.net/man/1/xclip pdf/23be3ac537b25fcde2767b6df6a41027c24f3a49b1aa170447d5cc66a0e1e672.pdf
https://www.cyberciti.biz/faq/xclip-linux-insert-files-command-output-intoclipboard/ pdf/1a44fad7f1b4ff02da343ffa9f9de0a990ec7c1d6e774b2c2ccdc031c58f4940.pdf

lnx_auditd_clipboard_image_collection

Title : Clipboard Collection of Image Data with Xclip Tool

Rule id : f200dc3f-b219-425d-a17e-c38467364816

Url Pdf
https://linux.die.net/man/1/xclip pdf/23be3ac537b25fcde2767b6df6a41027c24f3a49b1aa170447d5cc66a0e1e672.pdf

lnx_auditd_coinminer

Title : Possible Coin Miner CPU Priority Param

Rule id : 071d5e5a-9cef-47ec-bc4e-a42e34d8d0ed

Url Pdf
https://xmrig.com/docs/miner/command-line-options pdf/d3c9b29a4189c35d246a2bc7341789d20040d86743d980f6bcc2d27d34e1321c.pdf

lnx_auditd_create_account

Title : Creation Of An User Account

Rule id : 759d0d51-bc99-4b5e-9add-8f5b2c8e7512

Url Pdf
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-understanding_audit_log_files pdf/c03ffcb6c96965e1bc1e43c8a6fda169ed064dc7f86ac5fe4c10ddff258b1c6b.pdf
https://access.redhat.com/articles/4409591#audit-record-types-2 pdf/2e4806ba36406495f2487b407b1fe7155144a69d30121abad3ccb66e6f198eb1.pdf
https://www.youtube.com/watch?v=VmvY5SQm5-Y&ab_channel=M45C07 pdf/d8f14a2da5c0801250b1446b8b462b861fee20c7f740e4e740f6844a5741645d.pdf

lnx_auditd_data_compressed

Title : Data Compressed

Rule id : a3b5e3e9-1b49-4119-8b8e-0344a01f21ee

Url Pdf
https://github.com/redcanaryco/atomic-red-team/blob/a78b9ed805ab9ea2e422e1aa7741e9407d82d7b1/atomics/T1560.001/T1560.001.md pdf/fefdbf60fa3482478217c8927045be8f6103aedfe44654311008269638795fd2.pdf

lnx_auditd_data_exfil_wget

Title : Data Exfiltration with Wget

Rule id : cb39d16b-b3b6-4a7a-8222-1cf24b686ffc

Url Pdf
https://linux.die.net/man/1/wget pdf/958e0e9e7cd62eba8155e4780d9e27ce70a36805c50f29c246914f6468fb5edf.pdf
https://gtfobins.github.io/gtfobins/wget/ pdf/44cf8d3e3eb53996ed5369f9a50609288ab058f4ea9c316a6257a6925486d02a.pdf

lnx_auditd_dd_delete_file

Title : Overwriting the File with Dev Zero or Null

Rule id : 37222991-11e9-4b6d-8bdf-60fbe48f753e

Url Pdf
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1485/T1485.md pdf/30ba54dacc6c710e5d0139037ac2dc6e616374e17b0318b650d46f0f1365d780.pdf

lnx_auditd_disable_system_firewall

Title : Disable System Firewall

Rule id : 53059bc0-1472-438b-956a-7508a94a91f0

Url Pdf
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md pdf/542853677a5d683b0ae455c7a034789b66b48b63639c1c7a60220c2467ee23f9.pdf
https://firewalld.org/documentation/man-pages/firewall-cmd.html pdf/a1a1385129f116d812d1af2911195563ae54ad987c71245eb2ef7205517bf9a6.pdf

lnx_auditd_file_or_folder_permissions

Title : File or Folder Permissions Change

Rule id : 74c01ace-0152-4094-8ae2-6fd776dd43e5

Url Pdf
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.002/T1222.002.md pdf/c3f501462f0468bc44fbc9239f99b61a7f4b93200f3297a566937e6882153534.pdf

lnx_auditd_find_cred_in_files

Title : Credentials In Files - Linux

Rule id : df3fcaea-2715-4214-99c5-0056ea59eb35

Url Pdf
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.001/T1552.001.md pdf/ff65506377546c9577ed85eb800594ab5a3c5d4b0bc690310875e0a56a8795b9.pdf

lnx_auditd_hidden_binary_execution

Title : Use Of Hidden Paths Or Files

Rule id : 9e1bef8d-0fff-46f6-8465-9aa54e128c1e

Url Pdf
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.001/T1564.001.md pdf/953481fc84663548e6213e601e0b2bdd9b62b911cba1d10a79dc8008c89b12c0.pdf

lnx_auditd_hidden_files_directories

Title : Hidden Files and Directories

Rule id : d08722cd-3d09-449a-80b4-83ea2d9d4616

Url Pdf
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.001/T1564.001.md pdf/953481fc84663548e6213e601e0b2bdd9b62b911cba1d10a79dc8008c89b12c0.pdf

lnx_auditd_hidden_zip_files_steganography

Title : Steganography Hide Zip Information in Picture File

Rule id : 45810b50-7edc-42ca-813b-bdac02fb946b

Url Pdf
https://zerotoroot.me/steganography-hiding-a-zip-in-a-jpeg-file/ pdf/ebd6f5e3db9d03134c97362882acefa982e449fc03ec40d2d177096dd3541201.pdf

lnx_auditd_keylogging_with_pam_d

Title : Linux Keylogging with Pam.d

Rule id : 49aae26c-450e-448b-911d-b3c13d178dfc

Url Pdf
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.001/T1056.001.md pdf/8fff36310e1b3ea29342badc90661523f02af611281f4a764d9d46dcc0c37395.pdf
https://linux.die.net/man/8/pam_tty_audit pdf/d1af021d6b13936cb50fe3c1d24f455ff5c77b1ec41ad7049ec1c1f48d689280.pdf
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sec-configuring_pam_for_auditing pdf/608bace31f86c1cbfdbfcd5d42e66cf6133ece0b7a01d1941a42207b42dd8c40.pdf
https://access.redhat.com/articles/4409591#audit-record-types-2 pdf/2e4806ba36406495f2487b407b1fe7155144a69d30121abad3ccb66e6f198eb1.pdf

lnx_auditd_ld_so_preload_mod

Title : Modification of ld.so.preload

Rule id : 4b3cb710-5e83-4715-8c45-8b2b5b3e5751

Url Pdf
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.006/T1574.006.md pdf/12dec3b558f5877df6f8947706ba2e204758e32903ed73a636c57bdfd484bb3a.pdf
https://eqllib.readthedocs.io/en/latest/analytics/fd9b987a-1101-4ed3-bda6-a70300eaf57e.html pdf/97812a54dba1e1ad4117be7ee03acee5215dc18bda4edbabbcf93a022e000eb6.pdf

lnx_auditd_load_module_insmod

Title : Loading of Kernel Module via Insmod

Rule id : 106d7cbd-80ff-4985-b682-a7043e5acb72

Url Pdf
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.006/T1547.006.md pdf/cd1f0396f4dabbc8239d47bcd092fb846110049dc4b6892386b0344ecbbc44b1.pdf
https://linux.die.net/man/8/insmod pdf/c7034c6fedc1df4d441ea29bc0ef1201657ba7b6f77b77df9dbe44bf1ddfee2c.pdf
https://man7.org/linux/man-pages/man8/kmod.8.html pdf/1657de0ea8452352203b2f7dcaf2d7f2582b9e5a2983fbf0868cc151264134ef.pdf

lnx_auditd_logging_config_change

Title : Logging Configuration Changes on Linux Host

Rule id : c830f15d-6f6e-430f-8074-6f73d6807841

Url Pdf

lnx_auditd_masquerading_crond

Title : Masquerading as Linux Crond Process

Rule id : 9d4548fa-bba0-4e88-bd66-5d5bf516cda0

Url Pdf
https://github.com/redcanaryco/atomic-red-team/blob/8a82e9b66a5b4f4bc5b91089e9f24e0544f20ad7/atomics/T1036.003/T1036.003.md#atomic-test-2---masquerading-as-linux-crond-process pdf/254b483eb9d7949282537c7a68037743b60d775e99938de718cb8613d7ac865d.pdf

lnx_auditd_modify_system_firewall

Title : Modify System Firewall

Rule id : 323ff3f5-0013-4847-bbd4-250b5edb62cc

Url Pdf
https://www.trendmicro.com/en_us/research/22/c/cyclops-blink-sets-sights-on-asus-routers--.html pdf/50ea1f9ffe0aff5f00c8c6b9cff15ddde1cfdd70015fa1d53adff56a4f5f18a7.pdf
https://blog.aquasec.com/container-security-tnt-container-attack pdf/6fa25c4975b02baa072a88483159535fd3e0136e0dd8ac9d67b5e5e04d968533.pdf

lnx_auditd_network_service_scanning

Title : Linux Network Service Scanning - Auditd

Rule id : 3761e026-f259-44e6-8826-719ed8079408

Url Pdf
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md pdf/0e300490f9b9e519900fb52a9a7c25b4cfbda5229df3ed3f93a968fd752cc2d4.pdf

lnx_auditd_network_sniffing

Title : Network Sniffing - Linux

Rule id : f4d3748a-65d1-4806-bd23-e25728081d01

Url Pdf
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1040/T1040.md pdf/d7c15ee67fa9d7580361e733b0e154bffbd6957e43ca231e534a24b98c5c5daf.pdf

lnx_auditd_password_policy_discovery

Title : Password Policy Discovery

Rule id : ca94a6db-8106-4737-9ed2-3e3bb826af0a

Url Pdf
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1201/T1201.md pdf/9d798d3d13619178976dfe36bf696069d15f9ace4f9b2dc9f0512d5bcaa0629d.pdf
https://linux.die.net/man/1/chage pdf/de647f142c96880a85a25cd2945ebd2e4be2f24b63c8d81e3b160a39e27a7e74.pdf
https://man7.org/linux/man-pages/man1/passwd.1.html pdf/d7f8b84b24092dd8845ff29ec503796fd34d6f58cb46a96f1a24cf02f98117b2.pdf
https://superuser.com/questions/150675/how-to-display-password-policy-information-for-a-user-ubuntu pdf/391f74eaad9769fc6154ca129283808bfd2ddc5e5e9a7153dc3a17d0237140bb.pdf

lnx_auditd_pers_systemd_reload

Title : Systemd Service Reload or Start

Rule id : 2625cc59-0634-40d0-821e-cb67382a3dd7

Url Pdf
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.002/T1543.002.md pdf/057adfb7814cc45a77a9d35457330b4f4fd5991cc1681789f04d79a1047301e4.pdf

lnx_auditd_screencapture_import

Title : Screen Capture with Import Tool

Rule id : dbe4b9c5-c254-4258-9688-d6af0b7967fd

Url Pdf
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md pdf/6a9e344bcc30cdecc9a7e7f1a54b79f47fe9cf0b55d37811fc13251bb1b63d80.pdf
https://linux.die.net/man/1/import pdf/ab9039ea21147ea1a2f4c7d815f7d4ad0b57c5545b50b5c60dc868e572a1ca00.pdf
https://imagemagick.org/ pdf/102d43ebb8529001e4d006d838b2a0651f33238553462efae0f3e4337c18c3e3.pdf

lnx_auditd_screencaputre_xwd

Title : Screen Capture with Xwd

Rule id : e2f17c5d-b02a-442b-9052-6eb89c9fec9c

Url Pdf
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md#atomic-test-3---x-windows-capture pdf/082fe378651238b0262b7327a35b6ab02c36f278fcfa00d5195b558fb0b29439.pdf
https://linux.die.net/man/1/xwd pdf/39468db5d7718c1286ff650901b48206d505f00b4260cd2654183c7bc38b317d.pdf

lnx_auditd_split_file_into_pieces

Title : Split A File Into Pieces - Linux

Rule id : 2dad0cba-c62a-4a4f-949f-5f6ecd619769

Url Pdf
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1030/T1030.md pdf/df1251e080b6409bae9e3adec03ae86734d2e7a792b309943c6505c79cc59f2e.pdf

lnx_auditd_steghide_embed_steganography

Title : Steganography Hide Files with Steghide

Rule id : ce446a9e-30b9-4483-8e38-d2c9ad0a2280

Url Pdf
https://vitux.com/how-to-hide-confidential-files-in-images-on-debian-using-steganography/ pdf/966769b10a3ab68fadd1aa80e34bcb0225358b04eb3c5c21b1c78397a6e91647.pdf

lnx_auditd_steghide_extract_steganography

Title : Steganography Extract Files with Steghide

Rule id : a5a827d9-1bbe-4952-9293-c59d897eb41b

Url Pdf
https://vitux.com/how-to-hide-confidential-files-in-images-on-debian-using-steganography/ pdf/966769b10a3ab68fadd1aa80e34bcb0225358b04eb3c5c21b1c78397a6e91647.pdf

lnx_auditd_susp_c2_commands

Title : Suspicious C2 Activities

Rule id : f7158a64-6204-4d6d-868a-6e6378b467e0

Url Pdf
https://github.com/Neo23x0/auditd pdf/f5c1907c75d7afa927a6df6becee7d453d9237f8d2e5c642750fa818f56270be.pdf

lnx_auditd_susp_cmds

Title : Suspicious Commands Linux

Rule id : 1543ae20-cbdf-4ec1-8d12-7664d667a825

Url Pdf

lnx_auditd_susp_exe_folders

Title : Program Executions in Suspicious Folders

Rule id : a39d7fa7-3fbd-4dc2-97e1-d87f546b1bbc

Url Pdf

lnx_auditd_susp_histfile_operations

Title : Suspicious History File Operations - Linux

Rule id : eae8ce9f-bde9-47a6-8e79-f20d18419910

Url Pdf
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.003/T1552.003.md pdf/4e4f1f6405e59b27c2314dee26a852f7b7f41e63a149a1871f3d2c0cb8588ec4.pdf

lnx_auditd_system_info_discovery

Title : System Information Discovery - Auditd

Rule id : f34047d9-20d3-4e8b-8672-0a35cc50dc71

Url Pdf
https://github.com/redcanaryco/atomic-red-team/blob/f296668303c29d3f4c07e42bdd2b28d8dd6625f9/atomics/T1082/T1082.md pdf/de03ff30bbf8bd4d33d32d51baf6ba7f056a6790112680e0c65dffca386cdb2e.pdf

lnx_auditd_system_info_discovery2

Title : System and Hardware Information Discovery

Rule id : 1f358e2e-cb63-43c3-b575-dfb072a6814f

Url Pdf
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md#atomic-test-4---linux-vm-check-via-hardware pdf/28ed269c0bc6eb01ac167284da70dc896bc95c501bbd80598a8725647125dac5.pdf

lnx_auditd_system_shutdown_reboot

Title : System Shutdown/Reboot - Linux

Rule id : 4cb57c2f-1f29-41f8-893d-8bed8e1c1d2f

Url Pdf
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1529/T1529.md pdf/98fa7e30ea06cd75aef7b63534dffb0afea17fbc26d4693250c93052ebec7fc4.pdf

lnx_auditd_systemd_service_creation

Title : Systemd Service Creation

Rule id : 1bac86ba-41aa-4f62-9d6b-405eac99b485

Url Pdf
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.002/T1543.002.md pdf/057adfb7814cc45a77a9d35457330b4f4fd5991cc1681789f04d79a1047301e4.pdf

lnx_auditd_unix_shell_configuration_modification

Title : Unix Shell Configuration Modification

Rule id : a94cdd87-6c54-4678-a6cc-2814ffe5a13d

Url Pdf
https://objective-see.org/blog/blog_0x68.html pdf/2f9cd3025162df33a8954d523e01a8e6c9a5b0bdf2621c841e9193818541318e.pdf
https://web.archive.org/web/20221204161143/https://www.glitch-cat.com/p/green-lambert-and-attack pdf/9a4be26c2c0a416f46d30afb88b284269f38f8da34e450ec6835e6f56c54550e.pdf
https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat pdf/3a6c2573b6b258fccaaa3d4d933ab235773e2fac0ef1ef95bad612c5ae569eb3.pdf

lnx_auditd_unzip_hidden_zip_files_steganography

Title : Steganography Unzip Hidden Information From Picture File

Rule id : edd595d7-7895-4fa7-acb3-85a18a8772ca

Url Pdf
https://zerotoroot.me/steganography-hiding-a-zip-in-a-jpeg-file/ pdf/ebd6f5e3db9d03134c97362882acefa982e449fc03ec40d2d177096dd3541201.pdf

lnx_auditd_user_discovery

Title : System Owner or User Discovery

Rule id : 9a0d8ca0-2385-4020-b6c6-cb6153ca56f3

Url Pdf
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1033/T1033.md pdf/b309f0ce7f7a95fc90176adbed4fda9687f1f478eb5970ca4777207036ff9eea.pdf

lnx_auditd_web_rce

Title : Webshell Remote Command Execution

Rule id : c0d3734d-330f-4a03-aae2-65dacc6a8222

Url Pdf

lnx_auth_pwnkit_local_privilege_escalation

Title : PwnKit Local Privilege Escalation

Rule id : 0506a799-698b-43b4-85a1-ac4c84c720e9

Url Pdf
https://twitter.com/wdormann/status/1486161836961579020 pdf/9af4fc08c3571dc59315bb5468bbaf9f2cfab3f3357c1e876ec09e21707992b9.pdf

lnx_buffer_overflows

Title : Buffer Overflow Attempts

Rule id : 18b042f0-2ecd-4b6e-9f8d-aa7a7e7de781

Url Pdf
https://github.com/ossec/ossec-hids/blob/1ecffb1b884607cb12e619f9ab3c04f530801083/etc/rules/attack_rules.xml pdf/9325232d6354399b7c2f7dd5f8cbcb2069a61c78212612c9558cba27fd0328e3.pdf

lnx_clamav_relevant_message

Title : Relevant ClamAV Message

Rule id : 36aa86ca-fd9d-4456-814e-d3b1b8e1e0bb

Url Pdf
https://github.com/ossec/ossec-hids/blob/1ecffb1b884607cb12e619f9ab3c04f530801083/etc/rules/clam_av_rules.xml pdf/4fb4c04620ce47f9a6adc26b7ccd0e7b42a72d046f6bf3368a2c2610dc11e9f0.pdf

lnx_clear_syslog

Title : Commands to Clear or Remove the Syslog - Builtin

Rule id : e09eb557-96d2-4de9-ba2d-30f712a5afd3

Url Pdf
https://www.virustotal.com/gui/file/fc614fb4bda24ae8ca2c44e812d12c0fab6dd7a097472a35dd12ded053ab8474 pdf/2ce1f45fc21dbe58f76244cf6f1fd4ac0f3741899270fee2bc67f5afa017bf92.pdf

lnx_cron_crontab_file_modification

Title : Modifying Crontab

Rule id : af202fd3-7bff-4212-a25a-fb34606cfcbe

Url Pdf
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.003/T1053.003.md pdf/ad063199accd191f6a3d5b0ddc955e5741da8d0be006a5affacd852cd5e32758.pdf

lnx_file_copy

Title : Remote File Copy

Rule id : 7a14080d-a048-4de8-ae58-604ce58a795b

Url Pdf
https://attack.mitre.org/techniques/T1105/ pdf/222c98238fe419c0318c9110e552407434be067baaf7a6b6bad5b30bfff15bee.pdf

lnx_guacamole_susp_guacamole

Title : Guacamole Two Users Sharing Session Anomaly

Rule id : 1edd77db-0669-4fef-9598-165bda82826d

Url Pdf
https://research.checkpoint.com/2020/apache-guacamole-rce/ pdf/4c50178ddf1fe3675c1aef339ad56620430a9aaf4299e29f850aedb8057329b6.pdf

lnx_ldso_preload_injection

Title : Code Injection by ld.so Preload

Rule id : 7e3c4651-c347-40c4-b1d4-d48590fdf684

Url Pdf
https://man7.org/linux/man-pages/man8/ld.so.8.html pdf/646c1683964273954a58a088137a8c7a5b4ca652b488d8527c6e002acdfbbd54.pdf

lnx_nimbuspwn_privilege_escalation_exploit

Title : Nimbuspwn Exploitation

Rule id : 7ba05b43-adad-4c02-b5e9-c8c35cdf9fa8

Url Pdf
https://www.microsoft.com/security/blog/2022/04/26/microsoft-finds-new-elevation-of-privilege-linux-vulnerability-nimbuspwn/ pdf/8091984a1644cff513110fb49ef6daefefc850bb65f75c1debc85683994550e5.pdf
https://github.com/Immersive-Labs-Sec/nimbuspwn pdf/9c223ab4fdb6912bb3893aef3cd0669844038b454ab8541796c869d4bffb2cc8.pdf

lnx_potential_susp_ebpf_activity

Title : Potential Suspicious BPF Activity - Linux

Rule id : 0fadd880-6af3-4610-b1e5-008dc3a11b8a

Url Pdf
https://redcanary.com/blog/ebpf-malware/ pdf/8802ce3cc183cbd7dabff7825c4583f701998f52907d52c4572b7c44713c2372.pdf
https://man7.org/linux/man-pages/man7/bpf-helpers.7.html pdf/362717ebb5c9a3c32baa0ea09cf993a605e95ffab10b33ce7e9503d64568da27.pdf

lnx_privileged_user_creation

Title : Privileged User Has Been Created

Rule id : 0ac15ec3-d24f-4246-aa2a-3077bb1cf90e

Url Pdf
https://digital.nhs.uk/cyber-alerts/2018/cc-2825 pdf/6694951404c41af98b799400724302136cfd0af20c6e59cc3eb860299577333a.pdf
https://linux.die.net/man/8/useradd pdf/7d317ed1f609c980862fe116ee6331c31d6a46ffba8156b8b13093db1b9be92a.pdf
https://github.com/redcanaryco/atomic-red-team/blob/25acadc0b43a07125a8a5b599b28bbc1a91ffb06/atomics/T1136.001/T1136.001.md#atomic-test-5---create-a-new-user-in-linux-with-root-uid-and-gid pdf/9ca352558f8ab4fe7093ea860d331a30bd4b15799631677b2b3e8fd777a265f0.pdf

lnx_shell_clear_cmd_history

Title : Linux Command History Tampering

Rule id : fdc88d25-96fb-4b7c-9633-c0e417fdbd4e

Url Pdf
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.003/T1070.003.md pdf/90c94873eea0bf88dbedfd04f67594227bf90b1d9d0761ebff2046d3c6accbcb.pdf
https://www.hackers-arise.com/post/2016/06/20/covering-your-bash-shell-tracks-antiforensics pdf/7a90b6dffd42c6dab6da85a36ec315a91d3ba84f0d0b993b580131fa20fa276f.pdf
https://www.cadosecurity.com/spinning-yarn-a-new-linux-malware-campaign-targets-docker-apache-hadoop-redis-and-confluence/ pdf/72afe6f2a0e84295fcf4da21f9ed4297438b8b420dde74f1294eae5089467949.pdf

lnx_shell_susp_commands

Title : Suspicious Activity in Shell Commands

Rule id : 2aa1440c-9ae9-4d92-84a7-a9e5f5e31695

Url Pdf
https://web.archive.org/web/20170319121015/http://www.threatgeek.com/2017/03/widespread-exploitation-attempts-using-cve-2017-5638.html pdf/0f07305c33a04e5ed5a8808bab452bdfc20ef1dc10ea1901aa7fa32bc7e9a53f.pdf
https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/modules/exploits/multi/http/struts_code_exec_exception_delegator.rb pdf/ebf7692a236b2aa3cce1c64ae18bfd15718d67ef858ec18cb4fcd0dfc32e5204.pdf
http://pastebin.com/FtygZ1cg pdf/0276c6128ea663ed9b7757a267767f698a6ef509f543d167cb267d9b2017ba23.pdf
https://artkond.com/2017/03/23/pivoting-guide/ pdf/2ab64127150389492ef03d9c5c35b6ff05ac20cfc8312c633d124605505c297a.pdf

lnx_shell_susp_log_entries

Title : Suspicious Log Entries

Rule id : f64b6e9a-5d9d-48a5-8289-e1dd2b3876e1

Url Pdf
https://github.com/ossec/ossec-hids/blob/master/etc/rules/syslog_rules.xml pdf/dbc9075ad22adc01a46b41e5b9c6c72c3933a0a38b8a3757400a80c9f1873057.pdf

lnx_shell_susp_rev_shells

Title : Suspicious Reverse Shell Command Line

Rule id : 738d9bcf-6999-4fdb-b4ac-3033037db8ab

Url Pdf
https://alamot.github.io/reverse_shells/ pdf/f7626de58c8694b5e22f444f8d2b076bbb7f4042218723f3e935c8fd85148afa.pdf

lnx_shellshock

Title : Shellshock Expression

Rule id : c67e0c98-4d39-46ee-8f6b-437ebf6b950e

Url Pdf

lnx_space_after_filename_

Title : Space After Filename

Rule id : 879c3015-c88b-4782-93d7-07adf92dbcb7

Url Pdf
https://attack.mitre.org/techniques/T1064 pdf/d5e3cdd408876aabc2c224dcabd433cf9e1bc461112130e802c01356a35a83a8.pdf

lnx_sshd_exploit_cve_2023_2283_libssh_authentication_bypass

Title : Potential CVE-2023-2283 Exploitation

Rule id : 8b244735-5833-4517-a45b-28d8c63924c0

Url Pdf
https://twitter.com/kevin_backhouse/status/1666459308941357056?s=20 pdf/6dbe32d3519ddd32e2ebfb1b0bd2a1fe4ead2d0030363e187f117181b23a4922.pdf
https://git.libssh.org/projects/libssh.git/tree/src/curve25519.c#n420 pdf/d4d1ede02c50a47fefd45e34c8190837f34fe6d1cc8aafc3401b7df3d9aa9b67.pdf
https://nvd.nist.gov/vuln/detail/CVE-2023-2283 pdf/753f513ece0a92df2078fe261852d346b2a500d63bf07918659063c76e98f11e.pdf
https://www.blumira.com/cve-2023-2283/ pdf/b92142b996c628d2b2a8e3abe4b63fcfb2c10326cb78514bb6c901ca08961554.pdf
https://github.com/github/securitylab/tree/1786eaae7f90d87ce633c46bbaa0691d2f9bf449/SecurityExploits/libssh/pubkey-auth-bypass-CVE-2023-2283 pdf/23d42d85b3466e9003c45d6f3baf8ef9ab8f66ef1ac6c20d186193bcf8622a3c.pdf

lnx_sshd_ssh_cve_2018_15473

Title : SSHD Error Message CVE-2018-15473

Rule id : 4c9d903d-4939-4094-ade0-3cb748f4d7da

Url Pdf
https://github.com/Rhynorater/CVE-2018-15473-Exploit pdf/424daa7508c2c52e5514e32ab3e395e0eb087dabbcda8ff1285c115292641e35.pdf

lnx_sshd_susp_ssh

Title : Suspicious OpenSSH Daemon Error

Rule id : e76b413a-83d0-4b94-8e4c-85db4a5b8bdc

Url Pdf
https://github.com/openssh/openssh-portable/blob/c483a5c0fb8e8b8915fad85c5f6113386a4341ca/ssherr.c pdf/60b995a2df0b8069fcad0d2ff505daf5805e59628ba6dd0b80ddfe81b2cbcba1.pdf
https://github.com/ossec/ossec-hids/blob/1ecffb1b884607cb12e619f9ab3c04f530801083/etc/rules/sshd_rules.xml pdf/bba03895e9dffda587de8f1ba7b24a9518154b92ebb6d30f479b54c241b6a25e.pdf

lnx_sudo_cve_2019_14287_user

Title : Sudo Privilege Escalation CVE-2019-14287 - Builtin

Rule id : 7fcc54cb-f27d-4684-84b7-436af096f858

Url Pdf
https://www.openwall.com/lists/oss-security/2019/10/14/1 pdf/c68018e452e795264223712a408d6ad494307bdc35059305e548c7eb08578614.pdf
https://access.redhat.com/security/cve/cve-2019-14287 pdf/e2997976de990518aadb9c8c8b1006687c8747477efabe6ce6d8cafb67caf95e.pdf
https://twitter.com/matthieugarin/status/1183970598210412546 pdf/3c75ad5340d66f8c704e65b8a92ce039c21a6d40a8b226f88bf700675a49b603.pdf

lnx_susp_dev_tcp

Title : Suspicious Use of /dev/tcp

Rule id : 6cc5fceb-9a71-4c23-aeeb-963abe0b279c

Url Pdf
https://www.andreafortuna.org/2021/03/06/some-useful-tips-about-dev-tcp/ pdf/e7b97b76a1b69896660c4cb9f7966f975a0c1ab533475677df32d655d39905c0.pdf
https://book.hacktricks.xyz/shells/shells/linux pdf/0638f750706612f5d8415aaa4d6cfde5747a6d4390959a50b11558e8879aa377.pdf
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-1---port-scan pdf/bd2b8405bd7c7077ee84161114fc21d4f46294791f230ae6656bdba4ef7569f4.pdf

lnx_susp_jexboss

Title : JexBoss Command Sequence

Rule id : 8ec2c8b4-557a-4121-b87c-5dfb3a602fae

Url Pdf
https://www.us-cert.gov/ncas/analysis-reports/AR18-312A pdf/0e5b3b0ba446db91a2f950ff326631254c072aa3c9cd7818de58bade53bd727d.pdf

lnx_symlink_etc_passwd

Title : Symlink Etc Passwd

Rule id : c67fc22a-0be5-4b4f-aad5-2b32c4b69523

Url Pdf
https://www.qualys.com/2021/05/04/21nails/21nails.txt pdf/4b68ec2aee571fece036aab06e40a422625e844b7fe32e39d325c04f87fbb0f7.pdf

lnx_syslog_security_tools_disabling_syslog

Title : Disabling Security Tools - Builtin

Rule id : 49f5dfc1-f92e-4d34-96fa-feba3f6acf36

Url Pdf
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md pdf/542853677a5d683b0ae455c7a034789b66b48b63639c1c7a60220c2467ee23f9.pdf

lnx_syslog_susp_named

Title : Suspicious Named Error

Rule id : c8e35e96-19ce-4f16-aeb6-fd5588dc5365

Url Pdf
https://github.com/ossec/ossec-hids/blob/1ecffb1b884607cb12e619f9ab3c04f530801083/etc/rules/named_rules.xml pdf/094485d628a8d0f55f03e5f15d33dcdf36fced45a6c3fa48ca5b87405d7017bc.pdf

lnx_vsftpd_susp_error_messages

Title : Suspicious VSFTPD Error Messages

Rule id : 377f33a1-4b36-4ee1-acee-1dbe4b43cfbe

Url Pdf
https://github.com/dagwieers/vsftpd/ pdf/b0035cd64b62d0414d1835337ed9308463684507c6e4f3d9cb5ad20b2d5e1e2d.pdf