From 552cf3cda64a3dc25251275ac88483e6f4dba109 Mon Sep 17 00:00:00 2001
From: taylor_socfortress <111797488+taylorwalton@users.noreply.github.com>
Date: Tue, 29 Jul 2025 07:40:03 -0500
Subject: [PATCH] Update 700000-tetragon.xml

---
 Tetragon/700000-tetragon.xml | 2916 +++++++++++++++++++++++++++++++++-
 1 file changed, 2905 insertions(+), 11 deletions(-)

diff --git a/Tetragon/700000-tetragon.xml b/Tetragon/700000-tetragon.xml
index a805ab2..883af22 100644
--- a/Tetragon/700000-tetragon.xml
+++ b/Tetragon/700000-tetragon.xml
@@ -1,23 +1,2917 @@ - + json \.* no_full_log process_exec, - Process execution detected. + Process Execution detected - - json - \.* - no_full_log - process_exit, - Process exit detected. - - + json \.* no_full_log process_kprobe, - Kernel probe detected. + Kernel probe detected + + json + /usr/sbin/insmod + Potential rootkit activity: insmod command executed + + T1543 + T1205 + + + + + json + (?i)^/usr/bin/systemd-detect-virt$ + Virtualization detection command executed: systemd-detect-virt + + T1497.001 + + + + json + (?i)^/usr/bin/rm$ + (?i)^/root/\.bash_history$ + Command to remove bash history detected: rm /root/.bash_history command = rm /root/.bash_history + + T1070.003 + + + + + json + (?i)^/usr/bin/cat$ + (?i)^/dev/null$ + Command to read or clear data using /dev/null detected: cat /dev/null command = cat /dev/null + + T1070.003 + + + + + json + (?i)^/usr/bin/ln$ + (?i)-sf\s+/dev/null\s+/root/\.bash_history$ + Command to symlink /root/.bash_history to /dev/null detected: ln -sf command = ln -sf /dev/null /root/.bash_history + + T1070.003 + + + + + json + (?i)^/usr/bin/passwd$ + Execution of passwd detected - potential account access modification + + T1531 + + + + + + json + (?i)^/usr/bin/systemctl$ + (?i)--type=service + System service enumeration using systemctl detected + + T1007 + + + + + json + (?i)^/usr/bin/sudo$ + (?i)\b/usr/sbin/useradd\b + User creation attempt via sudo detected (useradd) + + T1136.001 + + + + + json + (?i)\bbase64\s+-d\b + Base64 decode operation detected - possible obfuscation (T1027) + + T1027 + + + + + + json + (?i)^/usr/bin/cp$ + (?i)^/bin/sh\s+/tmp/[^ ]+$ + Copying system shell to /tmp with new name — potential masquerading (T1036.003) + + T1036.003 + + + + + json + (?i)/ping$ + (?i)-c\s+\d+ + Ping command used with -c option — potential sandbox evasion (T1497.003) command= ping -c 3 8.8.8.8 + + T1497.003 + + + + + json + (?i)/(usr/sbin|usr/bin)/tcpdump$ + Execution of tcpdump detected — potential network sniffing (T1040) + + 
T1040 + + + + + json + (?i)/(usr/sbin|usr/bin)/tshark$ + Execution of tshark detected — potential network sniffing (T1040) + + T1040 + + + + + json + (?i)^/usr/sbin/ufw$ + (?i)\bdisable\b + UFW firewall disable attempt detected — potential defense evasion (T1562.004) command = ufw disable + + T1562.004 + + + + + + json + (?i)^/usr/sbin/ufw$ + (?i)\blogging\s+off\b + Attempt to disable UFW firewall logging — potential defense evasion (T1562.004) command= ufw logging off + + T1562.004 + + + + + json + (?i)^/usr/bin/tail$ + (?i)/var/log/ufw\.log + Access to UFW firewall log detected — potential reconnaissance before firewall tampering (T1562.004) command= tail /var/log/ufw.log + + T1562.004 + + + + + json + (?i)^/usr/sbin/iptables-save$ + Execution of iptables-save — possible firewall config enumeration or backup (T1562.004) command = iptables-save + + T1562.004 + + + + + json + (?i)^/usr/sbin/iptables$ + (?i)^-F$ + iptables -F executed — firewall rules flushed (T1562.004) command= iptables -F + + T1562.004 + + + + + + json + (?i)\biptables\b\s+-A\s+INPUT\b.*--dport\s+9999 + iptables INPUT rule added — possible firewall rule injection (T1562.004) still need to be fixed , it's not matching yet with the command = iptables -A INPUT -p tcp --dport 9999 -j ACCEPT and sudo iptables -A INPUT -p tcp --dport 9999 -j ACCEPT + + T1562.004 + + + + + + + json + (?i)\buseradd\b.*\b(G|--groups)\s*(sudo|wheel) + Privileged user account creation detected — possible local account persistence (T1136.001) + + T1136.001 + + + + json + (?i)^/usr/sbin/insmod$ + (?i)\.ko\b + Kernel module insertion detected — possible rootkit activity (T1014) + + T1014 + + + + json + (?i)^/sbin/modprobe$ + Kernel module load via modprobe detected — possible rootkit activity (T1014) + + T1014 + + + + + json + (?i)\b/etc/ld\.so\.preload\b + Potential rootkit behavior — modification of ld.so.preload (T1014) + + T1014 + + + + + json + (?i)^/(usr/bin|bin)/python3$ + 
(?i)/(usr/local|tmp|dev/shm|var/tmp)/.*\.(py|sh|pl)\b + Suspicious script execution from non-standard path — potential user-space rootkit activity (T1014) + + T1014 + + + + + json + (?i)^/usr/bin/(python3|perl|base64|xxd)$ + (?i)(b64decode|base64\.b64decode|base64 -d|xxd -r|-r -p) + Deobfuscation or decoding activity detected — possible adversary behavior (T1140) + + T1140 + + + + + json + (?i)^/usr/bin/(bash|sh)$ + (?i)^/usr/bin/(base64|xxd)$ + Shell launched from decoding utility — suspicious execution chain (T1140) + + T1140 + + + + + json +(?i)^/(usr/bin|bin)/(cp|mv|rsync|tee|echo|sed|cat|rm|shred|unlink)$ + (?i)/var/(spool|mail)/mail/ + Direct mailbox access or tampering attempt (T1070.008) command= sudo cp /var/spool/mail/testuser /var/spool/mail/mail/testuser.bak + + T1070.008 + + + + + json + (?i)^/usr/bin/touch$ + (?i)(\s|^)(-a|-m|-r)\b + Timestamp manipulation detected using 'touch' — possible timestomp activity (T1070.006) + + T1070.006 + + + + + + json + /usr/sbin/insmod + Potential rootkit activity: insmod command executed + + T1543 + T1205 + + + + + json + (?i)^/usr/bin/systemd-detect-virt$ + Virtualization detection command executed: systemd-detect-virt + + T1497.001 + + + + json + (?i)^/usr/bin/rm$ + (?i)^/root/\.bash_history$ + Command to remove bash history detected: rm /root/.bash_history + + T1070.003 + + + + + json + (?i)^/usr/bin/cat$ + (?i)^/dev/null$ + Command to read or clear data using /dev/null detected: cat /dev/null + + T1070.003 + + + + + json + (?i)^/usr/bin/ln$ + (?i)-sf\s+/dev/null\s+/root/\.bash_history$ + Command to symlink /root/.bash_history to /dev/null detected: ln -sf + + T1070.003 + + + + json + (?i)^/usr/sbin/setenforce$ + (?i)^0$ + SELinux disable attempt detected: setenforce 0 command = setenforce 0 + + T1562.001 + + + + + json + (?i)^/usr/bin/systemctl$ + (?i)\bstop\s+(rsyslog|systemd-journald|auditd)\b + Attempt to stop a logging service: systemctl stop rsyslog/systemd-journald/auditd command = systemctl stop 
rsyslog/systemd-journald/auditd + + T1562.001 + + + + + + json + (?i)^/usr/bin/systemctl$ + (?i)\bstop\s+syslogd\.service\b + (?i)^/usr/sbin/service$ + (?i)\bservice\s+syslogd\s+stop\b + Command to stop syslogd detected via 'service' -> 'systemctl' + + T1562.001 + + + + + json + (?i)^/usr/bin/systemctl$ + (?i)^stop cbdaemon.service$ + Command to stop the cbdaemon service detected: systemctl stop cbdaemon.service + + T1071.001 + + + + json + (?i)^/usr/bin/systemctl$ + (?i)^stop falcon-sensor(\.service)?$ + Command to stop the falcon-sensor service detected: systemctl stop falcon-sensor or systemctl stop falcon-sensor.service + + T1071.001 + + + + json + (?i)^/usr/bin/systemctl$ + (?i)^disable falcon-sensor(\.service)?$ + Command to stop the falcon-sensor service detected: systemctl disable falcon-sensor or systemctl disable falcon-sensor.service + + T1071.001 + + + + + json + (?i)^/usr/bin/(gcc|g\+\+|clang\+\+|clang|go)$ + Compilation tool execution detected (gcc, g++, clang, clang++, go) - potential Compile After Delivery + + T1027.004 + + + + + json + (?i)^/usr/bin/(rm|shred)$ + (?i)^.*(-f|-rf|-u)?\s*(/etc/|/var/log/|/usr/bin/|/boot/).*$ + Potential indicator removal: deletion or shredding of critical files in sensitive Linux paths (/etc, /var/log, /usr/bin, /boot) + + T1070.004 + + + + + json + ^/usr/bin/mkdir$ + /\.[^/]+$ + Suspicious use of mkdir to create a hidden directory (starts with a dot) + + T1564.001 + + + + + + json + (?i)^/usr/sbin/useradd$ + (?i).*--password\s+\$1\$.* + Local account creation detected with password hash (useradd) + + T1078.003 + + + + + json + (?i)^/usr/bin/openssl$ + (?i)^passwd\s+-1\s+.*$ + Password hash generation using openssl (passwd -1) detected — possible account creation preparation + + T1078.003 + + + + + json + (?i)^/usr/sbin/atd$ + Scheduled task execution by at daemon detected (atd) command = echo "echo Hello from Atomic Red Team" | at now + 1 minute + + T1053.002 + + + + + json + (?i)^/usr/sbin/useradd$ + 
(?i)^.*-c\s+evil_account.*$ + Local user account creation detected via useradd with comment 'evil_account' + + T1136.001 + + + + + json + (?i)^/usr/sbin/useradd$ + (?i).*-g\s*0.* + Root-level user creation detected via useradd -g 0 — possible privilege escalation + + T1136.001 + + + + + json + (?i)^/usr/bin/ldapadd$ + (?i).*ldap://[a-z0-9\.\-]+:389.*-D\s+\S+@[\w\.-]+\s+-w\s+\S+\s+-f\s+.*admin.*\.ldif.* + LDAP domain admin account creation attempt detected (ldapadd targeting admin-related LDIF) + + T1136.002 + + + + + json + (?i)^/usr/bin/ldapadd$ + (?i).*ldap://[a-z0-9\.\-]+:389.*-D\s+\S+@[\w\.-]+\s+-w\s+\S+\s+-f\s+.*\.ldif.* + LDAP domain user account creation attempt detected (ldapadd with any LDIF file) + + T1136.002 + + + + + json + (?i)^/usr/bin/curl$ + (?i)-XPOST\s+[A-Za-z0-9+/=]+\.[\w\-\.]+ + curl POST with base64-like subdomain detected — possible data exfiltration (T1568.003) + + T1132.001 + + + + + + json + (?i)code\s+tunnel\s+--accept-server-license-terms + VSCode Remote Tunnel usage detected (potential protocol tunneling) + + T1572 + + + + + json + (?i)devtunnel\s+host\s+-p\s+\d+ + Microsoft Dev Tunnel usage detected (potential protocol tunneling) + + T1572 + + + + + json + (?i)cloudflared\s+tunnel\s+--url\s+(localhost|127\.0\.0\.1):\d+ + Cloudflared tunnel usage detected (potential protocol tunneling) + + T1572 + + + + + json + (?i)(code|cloudflared|devtunnel).+tunnel + Generic tunneling command detected (possible protocol tunneling) + + T1572 + + + + + json + (?i)(^|\s)(systemctl|service)\s+start\s+tor(\s|$) + Tor proxy service start detected (potential anonymizing proxy usage) + + T1090.003 + + + + + json + (?i)^/usr/bin/telnet$ + (?i)\b(102[5-9]|10[3-9][0-9]|1[1-9][0-9]{2,}|[2-9][0-9]{3,4}|[1-9][0-9]{5,})\b + Telnet connection to an uncommon/high port (MITRE T1571 - Non-Standard Port) + + T1571 + + + + + json + (?i)^/tmp/icmpdoor/icmpdoor$ + ICMP-based reverse shell client execution detected (MITRE T1095 - Non-Application Layer Protocol) + + T1095 + 
+ icmpdoor,reverse_shell, + + + + json + (?i)^/usr/bin/curl$ + (?i)\s+-A\s+("[^"]*"|'[^']*'|[^"\s]+) + Use of curl with custom User-Agent (MITRE T1071.001 - C2 over HTTP) + + T1071.001 + + tetragon,process_exec,network,curl,suspicious + + + + json + (?i)^/usr/bin/curl$ + (?i)\s+-A\s+("[^"]*"|'[^']*'|[^"\s]+) + Use of curl with custom User-Agent (MITRE T1071.001 - C2 over HTTP) - Exit Event + + T1071.001 + + tetragon,process_exit,network,curl,suspicious + + + + json + (?i)^/(usr|bin|sbin)/.*(curl|wget|scp|sftp|ftp|nc|ncat|telnet|timeout|whois)$ + Suspicious network tool execution detected - Possible Ingress Tool Transfer (T1105) + (?i).*(localhost|127\.0\.0\.1|--output|--data|--post|--preserve-status|:[0-9]+).* + + T1105 + + + + + json + /usr/bin/(xargs|xxd|strings|tail|base64|sh) + Suspicious command used in possible steganographic payload delivery (T1001.002) + + T1001.002 + T1027 + T1059.004 + + no_full_log + + + + 700064 + /usr/bin/sh + Script executed from hidden payload likely appended to image (Stego + Execution) + + T1001.002 + T1059.004 + + no_full_log + + + + + + json + /usr/bin/curl + https?:\/\/[a-zA-Z0-9._-]+(:[0-9]+)? 
+ Possible proxy usage with curl detected (MITRE T1090.001) + + T1090.001 + + + + + json + (http|https|ftp)_proxy= + Proxy environment variable set — possible redirection attempt (T1090.001) + + T1090.001 + + + + + + json + (?i)^/usr/bin/zip$ + Archiving with zip detected (T1560.001 - Archive via Utility) + + T1560.001 + + + + + json + (?i)^/usr/bin/gzip$ + File compression with gzip detected (T1560.001 - Archive via Utility) + + T1560.001 + + + + + json + (?i)^/usr/bin/tar$ + Tar archiving detected (T1560.001 - Archive via Utility) + + T1560.001 + + + + + json + (?i)--password + (?i)^/usr/bin/zip$ + Password-protected zip file detected (T1560.001 - Archive via Utility) + + T1560.001 + + + + + json + (?i)^/usr/bin/gpg$ + (?i)--symmetric|-c + GPG symmetric encryption activity (T1560.001 - Archive via Utility) + + T1560.001 + + + + + json + (?i)^/usr/bin/openssl$ + (?i)enc.*-aes + OpenSSL encryption used for data archiving (T1560.001 - Archive via Utility) + + T1560.001 + + + + + json + (?i)^/usr/bin/base64$ + Base64 encoding used on local file (T1560.001 - Archive via Utility) + + T1560.001 + + + + + + json + (?i)^/usr/bin/xwd$ + Suspicious activity: X11 screen capture detected using xwd + + T1113 + + + + + json + (?i)^/usr/bin/xwud$ + Screen capture viewer (xwud) executed - possible X11 data review + + T1113 + + + + + json + /usr/bin/import + (?i)-window\s+root.* + Potential screen capture using ImageMagick import command (T1113) + + T1113 + + + + + json + (?i)^/usr/bin/(tee|echo)$ + (?i)(/etc/pam\.d/(password-auth|system-auth)) + Suspicious PAM modification attempt — Possible keylogging configuration (T1056.001) + + T1056.001 + + + + + + + json + (?i)^/usr/bin/tee$ + (?i)-a\s+/root/\.bash_history + Keylogging attempt detected via PROMPT_COMMAND (tee to .bash_history) + + T1056.001 + + + + + json + (?i)^/usr/bin/logger$ + (?i)-t\s+\"?\w+\[\d+\].*\"? 
+ Keylogging attempt detected via PROMPT_COMMAND (logger with process ID and session info) + + T1056.001 + + + + + + json + /usr/bin/logger + (?i)-t\s+root\s+-f\s+/root/\.sh_history + Keylogging attempt using PS2 with logger to .sh_history (T1056.001) + + T1056.001 + + + + + json + (?i)/tmp/\.keyboard\.log + (?i)^/usr/bin/(cat|tail|less|more|grep)$ + Access to potential keylogger file /tmp/.keyboard.log (T1056.001) + + T1056.001 + + + + + + json + /usr/bin/systemctl + (?i)\brestart\s+(sshd|auditd)\b + Potential activation of PAM TTY keylogging or auditd manipulation (T1056.001 / T1562.001) + + T1056.001 + + + + + json + /usr/sbin/auditctl + (?i)(-S\s+execve).*?(-k\s+CMDS) + Potential auditd keylogger detected via auditctl execve rule with key CMDS + + T1056.001 + + + + + + + json + /usr/bin/xclip + (?i)(-sel\s+clip|-o) + Clipboard activity detected using xclip (T1115) + + T1115 + + + + + json + /usr/bin/xclip + (?i)(-sel\s+clip|-o) + Clipboard access (xclip) detected on process exit (T1115) + + T1115 + + + + + + json + (?i)/usr/bin/(bash|sh) + (?i)(head\s+-c\s+15.*\|\s*strings.*SQLite\s+format\s+3) + Suspicious file scan: SQLite file header inspection and conditional bash execution + + T1005 + + + + + + + json + (?i)^/usr/bin/python[0-9.]*$ + (?i)(gzip\.GzipFile|import\s+gzip) + Suspicious compression via Python GZip — possible data staging + + T1560.002 + + + + + json + (?i)\.gz + File created or manipulated with .gz extension — possible compression + + T1560.002 + + + + + + json + (?i)^/usr/bin/python[0-9.]*$ + (?i)(import\s+gzip|gzip\.GzipFile|import\s+bz2|bz2\.compress|zipfile\.ZipFile|import\s+tarfile|tarfile\.open) + Python-based file compression detected (gzip, bz2, zipfile, tarfile) — possible data staging + + T1560.002 + + + + + json + (?i)^/usr/bin/sudo$ + (?i)^-S whoami$ + Possible sudo brute-force detected: use of 'sudo -S whoami' + + T1110.001 + + + + + + json + (?i)/usr/bin/python3 + (?i)laZagne\.py\s+browsers(\s+-[\w]+)? 
+ Potential credential dumping with LaZagne targeting browser password stores + + T1555.003 + + + + + json + (?i)^/usr/bin/find$ + (?i)(find\s+)?/.*-name\s+id_rsa.*cp\s+ + Possible credential theft attempt: copying private SSH keys using 'find' and 'cp' + + T1552.004 + + + + + json + (?i)^/bin/cp$|^/usr/bin/cp$ + (?i)id_rsa + Suspicious copy of SSH private key file detected (cp id_rsa) + + T1552.004 + + + + + json + (?i)^/usr/bin/rsync$ + (?i)(rsync\s+-R\s+.*id_rsa|id_rsa.*\s+/tmp) + Possible credential theft: rsync used to copy private SSH keys + + T1552.004 + + + + + json + (?i)^/usr/bin/rsync$ + (?i)(?=.*-R)(?=.*id_rsa)(?=.*\/tmp\/art-staging) + Detected rsync used to stage SSH private keys to /tmp/art-staging (T1552.004) + + T1552.004 + + + + + json + (?i)^/usr/bin/rsync$ + (?i)(?=.*\.gnupg)(?=.*-Rr)(?=.*\/tmp\/GnuPG) + Detected rsync used to exfiltrate GnuPG directory to /tmp/GnuPG (T1552.004) + + T1552.004 + + + + + json + (?i)^/usr/bin/find$ + (?i)(\.oci/sessions.*token) + Possible credential discovery attempt: scanning for Oracle Cloud credentials token file + + T1552.001 + + + + + json + (?i)^/usr/bin/find$ + (?i)\.config/gcloud.*(credentials\.db|access_tokens\.db) + Possible GCP credential discovery attempt using find on .config/gcloud (T1552.001) + + T1552.001 + + + + + json + (?i)(msal_token_cache\.json|accessTokens\.json) + Possible Azure token access (T1552.001) + + T1552.001 + + + + + json + (?i)\.netrc + Suspicious access to .netrc file (possible credential discovery or exfiltration) + + T1552.001 + + + + + json + (?i)/usr/bin/(curl|wget) + (?i)@- + Possible credential exfiltration via curl/wget using stdin + + T1552.001 + + + + + json + /usr/bin/sh + (?i)sshpass\s+-p\s+[`"]?echo.*cut.*f2[`"]?\s+ssh.*@localhost + Credential stuffing attempt using sshpass inside shell script (T1110.004) + + T1110.004 + + + + + + json + (?i)^/usr/bin/sh$ + (?i)sshpass\s+-p\s+\S+\s+ssh\s+-o.*@localhost + Brute-force SSH attempt with sshpass targeting localhost 
(T1110.004 - Credential Stuffing) + + T1110.004 + + + + + + json + (?i)^/usr/bin/(users|w|who|id|logname)$ + System Owner/User Discovery via {{process_exec.process.binary}} (T1033) + + T1033 + + + + + json + (?i)^/usr/bin/ping$ + (?i)(0\.0\.0\.0|8\.8\.8\.8|1\.1\.1\.1|google\.com|localhost) + Internet Connectivity Check using ping (T1016.001) + + T1016.001 + + + + + + + json + (?i)^/usr/bin/ldapsearch$ + LDAP domain account enumeration attempt detected using ldapsearch (T1087.002) + + T1087.002 + + + + + + json + (?i)ldapdomaindump + Possible domain account enumeration using ldapdomaindump + + T1087.002 + + + + + + json + /usr/bin/cat + (?i)^.*\/etc\/passwd.*$ + Account Discovery: Access to /etc/passwd detected (T1087.001) + + T1087.001 + + + + + json + /usr/bin/cat + (?i)/etc/sudoers + Access to sudoers file detected - possible privilege enumeration + + T1087.001 + + + + + + json + /usr/bin/grep + (x:0:|\*:0:) + UID 0 Enumeration Detected in /etc/passwd + + T1087.001 + + + + + + json + /usr/bin/lsof + Enumeration of user open files using lsof + + T1087.001 + + + + + + json + /usr/bin/lastlog + Enumeration of local account login history using lastlog + + T1087.001 + + + + + + json + (?i)^/usr/bin/(id|groups)$ + User account or group enumeration detected (id/groups command) + + T1087.001 + + + + + + json + (?i)^/usr/bin/ldapsearch$ + (?i)objectClass=group + Possible LDAP enumeration of domain groups using ldapsearch + + T1087.002 + + + + + + json + (?i)^/usr/bin/smbstatus$ + (?i)--shares + Network Share Discovery attempt detected via smbstatus + + T1135 + + + + + json + /usr/bin/uname + System information discovered using uname + + T1082 + + + + + json + /usr/bin/uptime + System uptime queried using uptime command + + T1082 + + + + + json + /usr/bin/cat + (?i)/etc/lsb-release + System info file /etc/lsb-release read using cat + + T1082 + + + + + json + /usr/bin/cat + (?i)/etc/os-release + System info file /etc/os-release read using cat + + T1082 + + + + + json + 
/usr/bin/cat + (?i)/etc/issue + System info file /etc/issue read using cat + + T1082 + + + + + json + (?i)^/usr/sbin/dmidecode$ + System info discovery via dmidecode (T1082) + + T1082 + + + + + json + (?i)^/usr/bin/lspci$ + System info discovery via lspci (T1082) + + T1082 + + + + + json + (?i)^/usr/bin/lscpu$ + System info discovery via lscpu (T1082) + + T1082 + + + + + json + (?i)^/usr/bin/cat$ + (?i)/sys/class/dmi/id/|/proc/scsi/scsi|/proc/ide/|/proc/cmdline + System info discovery via cat on hardware-identifying files (T1082) + + T1082 + + + + + + json + (?i)vboxsf\|vboxguest + /usr/bin/grep + Virtual machine detection: VirtualBox modules grep + + T1082 + + + + + json + (?i)vmw_baloon\|vmxnet + /usr/bin/grep + Virtual machine detection: VMware modules grep + + T1082 + + + + + + json + (?i)xen-vbd\|xen-vnif + /usr/bin/grep + Virtual machine detection: Xen modules grep + + T1082 + + + + + + json + (?i)hv_vmbus\|hv_blkvsc\|hv_netvsc\|hv_utils\|hv_storvsc + /usr/bin/grep + Virtual machine detection: Hyper-V modules grep + + T1082 + + + + + json + (?i)vbox|vmxnet|virtio|xen|hv_ + /usr/bin/grep + Potential VM discovery: grep for virtualization kernel modules + + T1082 + + + + + json + /sbin/kldstat + FreeBSD: Kernel module listing (kldstat) - potential virtualization check + + T1082 + + + + + + json + (?i)vmm + /usr/bin/grep + FreeBSD virtualization detection: grep for vmm after kldstat + + T1082 + + + + + + json + (?i)vbox + /usr/bin/grep + FreeBSD virtualization detection: grep for vbox after kldstat + + T1082 + + + + + json + (?i)kldstat.*\|.*grep.*(vmm|vbox) + FreeBSD VM detection activity via kldstat and grep + + T1082 + + + + + + json + /usr/bin/env + FreeBSD: Suspicious use of 'env' (possible virtualization check using sh or script chain) + + T1082 + + + + + json + ^/usr/bin/find$ + (?i).*places\.sqlite.* + Potential Firefox bookmark database discovery using find - T1217 + + T1217 + + + + + json + /usr/bin/find + (?i)\.config/chromium/.*/Bookmarks + Possible 
Chromium bookmark discovery using find command (T1217) + + T1217 + + + + + json + (?i)^/(usr/bin|bin)/(find|locate|ls|cat|which|file|du|stat|tree)$ + Possible File and Directory Discovery (MITRE T1083) + + T1083 + + + + + + json + (?i)^/(usr/bin|bin)/(netstat|ss|lsof)$ + Possible system network connection discovery command executed (MITRE T1049) + + T1049 + + + + + json + /usr/bin/ps + Process Discovery attempt: 'ps' command executed + + T1057 + + + + + json + (?i)^/usr/bin/(id|groups|getent|cat)$ + Permission Groups Discovery - Possible local group enumeration activity detected + + T1069.001 + + + + + + json + (?i)^/usr/bin/cat$ + (?i)/etc/pam\.d/common-password + Access to password complexity policy file detected (/etc/pam.d/common-password) + + T1201 + + + + + json + (?i)^/usr/bin/cat$ + (?i)/etc/pam\.d/passwd + Potential credential policy discovery via /etc/pam.d/passwd + + T1201 + + + + + json + /usr/bin/cat + (?i)/etc/security/pwquality\.conf + Attempt to read password policy: /etc/security/pwquality.conf + + T1201 + + + + + json + /usr/bin/cat + (?i)/etc/security/.*\.conf + Read attempt on /etc/security/*.conf - Possible Discovery + + T1201 + + + + + + json + /usr/bin/cat + (?i)/etc/login\.defs + Access to password expiration policy file /etc/login.defs + + T1201 + + + + + json + /usr/bin/locale + System location discovery using locale command (T1614) + + T1614.001 + + + + + + json + /usr/bin/localectl + (?i)\blocalectl\s+status\b + System locale command executed via localectl (Possible reconnaissance) + + T1614.001 + + + + + json + /usr/bin/cat + (?i)(/etc/(default/locale|locale.conf)) + System locale configuration file accessed (T1614.001 - System Language Discovery) + + T1614.001 + + + + + json + ^/usr/bin/(env|printenv)$ + (?i)\bLANG\b + System language discovery attempt via environment variable query (env or printenv). 
+ + T1614.001 + + + + + json + /usr/bin/curl + (?i)ipinfo\.io + Possible IP geolocation lookup with curl (T1592.002) + + T1614 + + + + + + json + /usr/bin/ping + (?i)\b(?:\d{1,3}\.){3}\d{1,3}\b + Remote system discovery attempt via ping (IPv4 address detected) + + T1018 + + + + + json + /usr/sbin/arp + Remote system discovery attempt using ARP command + + T1018 + + + + + + json + /usr/sbin/ip + (?i)neighbour\s+show + Remote system discovery attempt via 'ip neighbour show'. + + T1018 + + + + + + json + /usr/sbin/ip + (?i)\broute\s+show\b + Remote system discovery attempt using 'ip route show'. + + T1018 + + + + + json + /usr/bin/netstat + (?i)\b-r\b + Remote system discovery attempt using netstat -r + + T1018 + + + + + json + /usr/sbin/ip + (?i)\btcp_metrics\b + Remote system discovery attempt using 'ip tcp_metrics show'. + + T1018 + + + + + json + (?i)^/usr/bin/nmap$ + Potential network service discovery activity using nmap + + T1046 + + + + + json + (?i)^/bin/bash$ + (?i)/dev/tcp/\d{1,3}(\.\d{1,3}){3}/\d{1,5} + Suspicious bash port scan using /dev/tcp (T1046 - Network Service Discovery) + + T1046 + + + + + + json + /usr/bin/systemctl + + (?i)\bstop\b.*\b(ssh|sshd|wazuh|wazuh-agent|firewalld|auditd|cron|rsyslog|suricata|fail2ban|clamav|ufw)\b + + Critical service stop attempt detected via systemctl (Possible defense evasion) + + T1562.001 + + + + + json + /usr/bin/killall + (?i)\-(SIGTERM|SIGKILL|SIGSTOP)\s+\w+ + Potential service stop attempt using killall and signal (e.g., SIGTERM). + + T1489 + + + + + + json + /usr/bin/kill + (?i)-SIGTERM\s+\$\((pgrep|pidof)\s+\w+\) + Potential service stop attempt using kill with pgrep/pidof substitution. + + T1489 + + + + + json + /usr/bin/pkill + (?i)-SIGTERM\s+\^?\w+\$? + Potential service stop attempt using pkill with SIGTERM signal. 
+ + T1489 + + + + + json + /usr/bin/passwd + Password change attempt detected (T1531 - Account Access Removal) + + T1531 + + + + + json + /usr/bin/gpg + Suspicious file encryption detected using gpg (T1027.009) + + T1486 + + + + + json + (?i)/7z$ + (?i)(\s|-)p[^ ]+ + Potential file encryption activity using 7z with password (T1022.001) + + T1486 + + + + + json + (?i)^/usr/bin/ccencrypt$ + Suspicious encryption activity detected: use of ccencrypt binary (possible ransomware behavior). + + T1486 + + + + + json + (?i)^/usr/bin/openssl$ + Suspicious OpenSSL encryption or key generation activity detected (MITRE T1486) + + T1486 + + + + + json + (?i)^/usr/bin/yes$ + High CPU usage process detected: /usr/bin/yes may indicate resource hijacking (T1496). + + T1496 + + + + + + json + (?i)^/(usr/)?sbin/shutdown$ + (?i)\-r\s+now + System restart attempt via shutdown -r now (T1529) + + T1529 + + + + + + json + (?i)^/(usr/)?sbin/reboot$ + System reboot command executed via /sbin/reboot or /usr/sbin/reboot (T1529) + + T1529 + + + + + json + (?i)^/(usr/)?sbin/halt$ + (?i)-p + System shutdown command executed via halt -p (T1529) + + T1529 + + + + + + json + (?i)^/(usr/)?sbin/halt$ + (?i)-r + System reboot command executed via halt -r (T1529) + + T1529 + + + + + + json + (?i)^/(usr/)?sbin/halt$ + (?i)--reboot + System reboot attempt via halt --reboot (MITRE T1529) + + T1529 + + + + + + json + (?i)^/(usr/)?sbin/poweroff$ + System shutdown attempt via poweroff command (MITRE T1529) + + T1529 + + + + + + json + (?i)^/(usr/)?sbin/poweroff$ + (?i)(--reboot|-r) + System reboot attempt via poweroff with reboot flag (MITRE T1529) + + T1529 + + + + + json + (?i)^/usr/bin/curl$ + (?i)(file=@|--data-binary|--upload-file) + Potential exfiltration over HTTPS using curl to file.io (T1048.002) + + T1048.002 + + + + + json + /usr/bin/wget + (?i)--post-file= + Data exfiltration attempt using wget --post-file + + T1048.002 + + + + + + json + /usr/bin/split + Potential data staging or splitting 
operation detected using 'split'. + + T1030 + + + + + json + (?i)^/usr/bin/(sh|bash)$ + (?i)^/usr/bin/(curl|wget)$ + Suspicious script execution via curl or wget piped to shell (Possible T1059.004 or T1074.001) + + T1074.001 + + + + + + json + (?i)virtio_pci\|virtio_net + /usr/bin/grep + Virtual machine detection: VirtIO modules grep + + T1082 + + + + + json + (?i)^/tmp/packed_bin$ + Execution of packed binary from /tmp (Likely obfuscated or staged payload) + + T1027.002 + + + + + json + (?i)(test_upx|test_upx_header_changed)$ + Execution of packed binary (UPX or modified header - software packing detected) + + T1027.002 + + + + + json + (?i)^/usr/bin/(sh|bash)$ + (?i)/tmp/(packed_bin|test_upx|test_upx_header_changed) + Shell executed packed binary from /tmp (Software packing or staging activity) + + T1027.002 + + + + + json + /usr/bin/dd + (?i)(/dev/zero|/dev/random|/dev/urandom).+evil-binary + Binary padding detected via dd on evil-binary (Possible hash evasion) + + T1027.001 + + + + + json + /usr/bin/truncate + (?i)\+1.+evil-binary + Binary padding detected via truncate on evil-binary (Hash modification attempt) + + T1027.001 + + + + + json + /usr/bin/crontab + Modification of crontab detected (Potential persistence mechanism) + + T1053.003 + + + + + json + (?i)/etc/cron\.d/ + (?i)^/usr/bin/(echo|tee|bash|sh)$ + File created or modified in /etc/cron.d using shell or echo/tee + + T1053.003 + + + + + json + (?i)/etc/cron\.(daily|hourly|weekly|monthly)/ + (?i)^/usr/bin/(echo|tee|bash|sh)$ + Script created in /etc/cron.(daily|hourly|weekly|monthly) for persistence + + T1053.003 + + + + + json + (?i)/var/spool/cron/crontabs/ + (?i)^/usr/bin/(echo|tee|bash|sh)$ + Possible persistence: writing cron job to /var/spool/cron/crontabs + + T1053.003 + + + + + json + (?i)^/usr/bin/(sh|bash)$ + (?i)/etc/cron\.(d|daily|hourly|weekly|monthly)/persistevil$ + Suspicious shell execution from cron folder (Possible malicious scheduled task) + + T1053.003 + + + + + json + 
(?i)^/etc/systemd/system/.*\.(service|timer)$ + Creation or modification of persistent systemd timer or service file (T1053.006) + + T1053.006 + + + + + json + /usr/bin/systemctl + (?i)\b(start|enable)\b + (?i)\.timer\b + Systemd timer activation via systemctl start/enable (T1053.006) + + T1053.006 + + + + + json + /usr/bin/systemd-run + (?i)--user + (?i)--on-calendar + User-level transient timer execution using systemd-run (T1053.006) + + T1053.006 + + + + + json + /usr/bin/systemd-run + (?i)--on-calendar + System-level transient timer execution using systemd-run (T1053.006) + + T1053.006 + + + + + json + (?i)/tmp/(log|art-systemd-timer-marker) + (?i)(echo|touch) + Suspicious payload executed from systemd timer (T1053.006) + + T1053.006 + + + + + json + (?i)(curl|wget)[^|]+?\|\s*(bash|sh) + Suspicious use of curl or wget piped to shell (T1059.004) + T1059.004 + + + + json + (AutoSUID\.sh|LinEnum\.sh) + Execution of privilege escalation scripts (AutoSUID, LinEnum) - T1059.004 + T1059.004 + + + json + (?i)/etc/shells + Shell discovery via reading /etc/shells (T1059.004) + T1059.004 + + + + json + (?i)base64\s+-[^\s]+\s*\|\s*/bin/(bash|sh) + Obfuscated base64-encoded payload piped to shell (T1059.004) + T1059.004 + + + + json + (?i)/usr/bin/chsh + (?i)-s\s+/bin/sh + Change of login shell to /bin/sh (T1059.004) + T1059.004 + + + + json + (?i)pipe-to-shell\.sh + Execution of remote script via pipe-to-shell method (T1059.004) + T1059.004 + + + + json + /usr/bin/awk + (?i)BEGIN\s*{.*system\("/bin/sh.*"\)} + Shell creation using awk system call (T1059.004) + T1059.004 + + + + json + /usr/bin/busybox + Shell spawned via busybox (T1059.004) + T1059.004 + + + + json + /usr/bin/emacs + Shell spawned through emacs term (T1059.004) + T1059.004 + + + + json + /usr/bin/ldapsearch + LDAPSearch execution detected - Possible domain enumeration (T1069.002) + + T1069.002 + + + + + json + (?i)(rm|truncate|shred|unlink|cat|dd|journalctl|srm|echo|osascript|log) + 
(?i)/var/(log|audit|spool)/ + Suspicious log deletion or truncation attempt (T1070.002) + + T1070.002 + + + + + json + /usr/bin/rm + (?i)/var/(log|audit)/ + Use of rm to delete system logs (T1070.002) + + T1070.002 + + + + + json + /usr/bin/truncate + -s 0\s+/var/log/ + Log truncation detected using truncate (T1070.002) + T1070.002 + + + + json + (?i)(/usr/bin/cat|/usr/bin/dd) + (?i)(/dev/null|/dev/zero).*/var/log/ + Attempt to overwrite or clear logs using cat/dd and /dev/null or /dev/zero (T1070.002) + + T1070.002 + + + + + json + /usr/bin/shred + (?i)/var/log/ + Log shredding detected (T1070.002) + + T1070.002 + + + + + json + /usr/bin/unlink + /var/log/ + Unlink attempt on system log (T1070.002) + + T1070.002 + + + + + json + /usr/bin/echo + ['"]{0,1}\s{0,1}['"]{0,1}\s*>\s*/var/log/ + Echo used to overwrite log files (T1070.002) + + T1070.002 + + + + + json + /usr/bin/cat + (?i)\.ssh/authorized_keys + Suspicious read access to SSH authorized_keys file (T1098.004) + + T1098.004 + + + + + json + /usr/bin/date + System time discovery using the 'date' command (T1124) + + T1124 + + + + + json + /usr/bin/chmod + ^\d{3}\s+/.* + chmod used to change file/folder permissions (numeric mode) - T1222.002 + + T1222.002 + + + + + json + /usr/bin/chmod + (?i)[ugoa]*[+-=][rwxXsStT]+ + chmod used to change file/folder permissions (symbolic mode) - T1222.002 + + T1222.002 + + + + + json + /usr/bin/chmod + -R\s+[a-z0-9+=,-]+\s+/.* + chmod used recursively on directory - T1222.002 + + T1222.002 + + + + + json + /usr/bin/chown + \b(root|[a-z0-9_]+):?(root|[a-z0-9_]+)?\s+/.* + chown used to change file/folder ownership - T1222.002 + + T1222.002 + + + + + json + /usr/bin/chown + -R\s+\S+ + chown used recursively - T1222.002 + + T1222.002 + + + + + json + /usr/bin/chattr + -i\s+/.* + chattr used to remove immutable attribute - T1222.002 + + T1222.002 + + + + + json + chflags\s+(no)?simmutable + chflags used to modify immutable flag - T1222.002 + + T1222.002 + + + + + + json + 
/usr/bin/dd + (?i)if=\/dev\/(zero|random).*of=\/var\/log\/[^\s]+ + Possible data destruction via dd overwriting log files - T1485 + + T1485 + + + + + json + /usr/bin/dd + (?i)if=\/dev\/(zero|random) + dd command used with /dev/zero or /dev/random (possible wipe) - T1485 + + T1485 + + + + + json + /usr/bin/openssl + (?i)rsautl\s+-encrypt.*-inkey\s+\/tmp\/pub\.pem.*-in\s+\/etc\/passwd.*-out\s+\/tmp\/passwd\.zip + File encryption using OpenSSL rsautl with RSA public key (T1486) + + T1486 + + + + + json + /usr/bin/ccencrypt + (?i)-T\s+-K\s+\S+\s+\/tmp\/passwd + File encryption using ccencrypt and password (T1486) + + T1486 + + + + + json + /usr/bin/7z + (?i)\ba\s+-p\S+\s+\/tmp\/passwd\.zip + File encryption using 7z with password (T1486) + + T1486 + + + + + json + /usr/bin/gpg + (?i)--cipher-algo\s+AES-256.*--passphrase-fd\s+0.*-c\s+\/etc\/passwd + File encryption using GPG and AES-256 (T1486) + + T1486 + + + + + + json + /usr/bin/pgrep + (?i)(bareos-fd|icinga2|cbagentd|wazuh-agent|packetbeat|filebeat|osqueryd) + Attempt to enumerate security software using pgrep (T1518.001) + + T1518.001 + + + + + json + (?i)/usr/bin/(bash|sh) + (?i)(ps\s+aux\s+\|\s+egrep|pgrep\s+-l) + Wrapped shell command for security software discovery (T1518.001) + + T1518.001 + + + + + + json + /usr/bin/sudo + (?i)(-l|cat\s+/etc/sudoers|vim\s+/etc/sudoers) + Privilege escalation via sudo enumeration (T1548.003) + + T1548.003 + + + + + + json + /usr/bin/sudo + (?i)sed.*timestamp_timeout=\-?1 + Sudo configuration change to disable password timeout (T1548.003) + + T1548.003 + + + + + + json + /usr/bin/sudo + (?i)tty_tickets + Sudo configuration modified to disable tty_tickets (T1548.003) + + T1548.003 + + + + + + json + (?i)/usr/sbin/visudo + (?i)(-c\s+-f\s+/etc/sudoers|/usr/local/etc/sudoers) + visudo used to validate modified sudoers file (T1548.003) + + T1548.003 + + + + + json + (?i)/bin/sh + (?i)echo\s+Defaults\s+\!tty_tickets\s*>>\s*(/etc/sudoers|/usr/local/etc/sudoers) + Sudoers file modified 
via echo (tty_tickets disabled) (T1548.003) + + T1548.003 + + + + + json + (?i)/usr/bin/cat + (?i)\.bash_history + Reading bash history file - possible credential harvesting (T1552.003) + + T1552.003 + + + + + json + (?i)/usr/bin/cat + (?i)\.history + Reading sh history file - possible credential harvesting (T1552.003) + + T1552.003 + + + + + json + (?i)/usr/bin/grep + (?i)(pass|ssh|-p) + Grep used to extract credentials - suspicious search terms (T1552.003) + + T1552.003 + + + + + json + (?i)cat\s+\S*history\s*\|\s*grep\s+.*(pass|ssh|-p) + Pipeline to extract sensitive entries from history files (T1552.003) + + T1552.003 + + + + + json + (?i)kubectl + (?i)get\s+secrets\s+--all-namespaces + Kubernetes: List all secrets from all namespaces (T1552.007) + + T1552.007 + + + + + json + (?i)kubectl + (?i)get\s+secrets\s+-n\s+\w+ + Kubernetes: List secrets from a specific namespace (T1552.007) + + T1552.007 + + + + + json + (?i)kubectl + (?i)exec\s+\S+\s+--\s+cat\s+/run/secrets/kubernetes\.io/serviceaccount/token + Kubernetes: Attempt to read service account token via exec (T1552.007) + + T1552.007 + + + + + + json + (?i)/bin/bash$|/usr/bin/bash$ + (?i)trap\s+['"][^'"]+['"]\s+EXIT + Potential persistence via bash trap on EXIT signal (T1546.005) + + T1546.005 + + + + + json + (?i)/bin/bash$|/usr/bin/bash$ + (?i)trap\s+['"][^'"]+['"]\s+SIGINT + Potential persistence via bash trap on SIGINT (CTRL+C) (T1546.005) + + T1546.005 + + + + + json + (?i)/bin/bash$|/usr/bin/bash$ + (?i)trap\s+['"][^'"]+['"]\s+(SIGINT|EXIT|SIGTERM|SIGHUP|SIGUSR1|SIGUSR2) + Generic detection of bash trap command with signal and script (T1546.005) + + T1546.005 + + + + + json + (?i)^/sbin/(insmod|modprobe)$ + Kernel module loading detected via insmod or modprobe (T1547.006) + + T1547.006 + + + + + json + \.ko(\s|$) + Potential malicious kernel module (.ko) being inserted (T1547.006) + + T1547.006 + + + + + json + (?i)^/sbin/(insmod|modprobe)$ + (?i)/tmp/|/var/tmp/|/dev/shm/ + Kernel module loaded from 
suspicious path (tmp, shm) - T1547.006 + + T1547.006 + + + + + json + (?i)^/usr/bin/chmod$ + (?i)(\+s|[0-9]*[4-6]000) + Setuid or Setgid permission set via chmod (T1548.001) + + T1548.001 + + + + + + json + (?i)^/usr/bin/find$ + (?i)-perm\s+-?[42]000 + Reconnaissance for SUID/SGID binaries via find (T1548.001) + + T1548.001 + + + + + json + (?i)^/usr/sbin/setcap$ + (?i)cap_setuid + Setuid capability added to binary using setcap (T1548.001) + + T1548.001 + + + + + + json + (?i)^/usr/bin/chown$ + (?i)\sroot\s+/tmp/ + Ownership of file in /tmp changed to root (T1548.001) + + T1548.001 + + + + + json + (?i)^/usr/bin/openssl$ + (?i)(genrsa|req\s+-x509) + OpenSSL used to generate root certificate and key (T1553.004) + + T1553.004 + + + + + json + (?i)^/usr/bin/cp$ + (?i)/etc/pki/ca-trust/source/anchors/ + Certificate copied to /etc/pki/ca-trust/source/anchors/ (T1553.004) + + T1553.004 + + + + + json + (?i)^/usr/bin/(cp|mv)$ + (?i)/usr/local/share/ca-certificates/ + Certificate moved to /usr/local/share/ca-certificates/ (T1553.004) + + T1553.004 + + + + + json + (?i)/usr/local/share/certs/ + Certificate copied to /usr/local/share/certs (T1553.004) + + T1553.004 + + + + + json + (?i)^/usr/bin/(update-ca-certificates|update-ca-trust|certctl)$ + CA trust database updated (T1553.004) + + T1553.004 + + + + + json + /usr/bin/sed + (?i)/etc/pam\.d/ + (?i)(auth|account|session|password)\s+sufficient\s+.*\.so + Possible PAM backdoor rule inserted (T1556.003) + + T1556.003 + + + + + json + /usr/bin/gcc + -o\s+.*pam.*\.so + Possible compilation of custom PAM module (T1556.003) + + T1556.003 + + + + + + json + (?i)(/tmp/|/dev/shm/|/var/tmp/).+\.so + Suspicious PAM module path used from temp directory (T1556.003) + + T1556.003 + + + + + json + (?i)^/etc/pam\.d/.+ + (?i)write + Write to PAM configuration file (T1556.003) + + T1556.003 + + + + + json + pam_succeed_if\.so + Use of pam_succeed_if.so may indicate PAM rule bypass attempt (T1556.003) + + T1556.003 + + + + + json + 
(?i)export\s+HISTFILE\s*=\s*/dev/null + HISTFILE redirected to /dev/null (T1562.003) + + T1562.003 + + + + + json + (?i)unset\s+HISTFILE + HISTFILE variable unset (T1562.003) + + T1562.003 + + + + + json + (?i)export\s+HIST(FILE)?SIZE\s*=\s*0 + HISTFILESIZE or HISTSIZE set to 0 (T1562.003) + + T1562.003 + + + + + json + (?i)export\s+HISTCONTROL\s*=\s*(ignoreboth|ignorespace|erasedups) + HISTCONTROL set to ignore logging behavior (T1562.003) + + T1562.003 + + + + + json + (?i)export\s+HISTIGNORE\s*=\s*.* + HISTIGNORE variable modified to ignore commands (T1562.003) + + T1562.003 + + + + + json + history -c + Bash history cleared via history -c (T1562.003) + + T1562.003 + + + + + json + (?i)echo\s+.*\s+>\s+\$?HISTFILE + Command history file cleared (T1562.003) + + T1562.003 + + + + + json + /usr/bin/sed + (?i)(auditd\.conf|audispd\.conf|rsyslog\.conf|syslog-ng\.conf) + Possible tampering using sed on log/audit configuration files (T1562.006) + + T1562.006 + + + + + json + (?i)^/usr/bin/(echo|tee)$ + (?i)/etc/(auditd\.conf|audispd\.conf|rsyslog\.conf|syslog-ng\.conf) + Suspicious echo or tee command modifying log configs (T1562.006) + + T1562.006 + + + + + json + (?i)^/usr/bin/(vi|nano)$ + (?i)/etc/(auditd\.conf|audispd\.conf|rsyslog\.conf|syslog-ng\.conf) + Manual editing of logging or audit configuration files (T1562.006) + + T1562.006 + + + + + json + (?i)esxcli system syslog config set + Modification of ESXi syslog configuration (T1562.006) + + T1562.006 + + + + + json + (?i)\.software\.acceptance\.set\.Invoke\s*\(\s*@\{\s*level\s*=\s*"CommunitySupported"\s*\}\s*\) + PowerCLI downgrade attack – Set ESXi VIB acceptance to CommunitySupported (T1562.010) + + T1562.010 + + + + + json + (?i)(/usr)?/sbin/auditctl + (?i)\bauditctl\s+-D\b + Auditd rules deleted using auditctl -D (T1562.012) + + T1562.012 + + + + + + json + (?i)(/usr)?/sbin/auditctl + (?i)\bauditctl\s+-e\s+0\b + Audit system disabled using auditctl -e 0 (T1562.012) + + T1562.012 + + + + + json + 
(?i)^(/usr)?/bin/systemctl$ + (?i)\bsystemctl\s+stop\s+systemd-journald\b + Attempt to disable journal logging using systemctl (T1562) + + T1562 + + + + + json + (?i)^(/usr)?/bin/sed$ + (?i)Storage=none.*journald\.conf + Modification of journald.conf to disable persistent journal logging (T1562) + + T1562 + + + + + + json + (?i)psexec\.py\b + Use of Impacket's psexec.py tool (T1569.002) + + T1569.002 + + + + + json + (?i)\bLD_PRELOAD= + Potential LD_PRELOAD hijack detected (T1574.006) + + T1574.006 + + + + + json + (?i)/etc/ld\.so\.preload + Write attempt to /etc/ld.so.preload (T1574.006) + + T1574.006 + + + + + json + (?i)/stratus$ + (?i)\b(det[o]nate|warmup|cleanup)\s+aws\.discovery\.ec2-enumerate-from-instance\b + Execution of Stratus Red Team EC2 discovery technique (T1580 - Cloud Infrastructure Discovery) + + T1580 + + + + + json + (?i)^.*(dirb|gobuster|ffuf|dirbuster).*$ + Wordlist scanning tool execution detected (T1595.003) + + T1595.003 + + + + + json + (?i)(wordlist|wordlists|common\.txt|dirb\.txt|directories\.txt|directory-list|raft-large-directories) + Possible wordlist scanning based on known filename patterns (T1595.003) + + T1595.003 + + + + + json + (?i)totally_legit + Process name masquerading via prctl - renamed to 'totally_legit' (T1036.004) + + T1036.004 + + + + + json + (?i)mount\s+-B\s+/proc/ + Masquerading via bind mount of /proc (T1036.004) + + T1036.004 + + + + + json + (?i)mount.*-B.*\/proc\/[0-9]+ + Potential process hiding by bind-mounting into another PID's /proc entry (T1036.004) + + T1036.004 + + + + + json + (?i)/\.\.\./ + Execution from a suspicious '...' directory (Masquerading - T1036.005) + + T1036.005 + + + + + json + (?i)/\.\.\./sh + Suspicious shell launched from a masquerading '...' 
directory (T1036.005) + + T1036.005 + + + + + json + (?i)(python3?|python3\.9)(\s+-m)?\s+http\.server\s+(1337|9090) + Python HTTP server launched on suspicious port (T1048.003 - Exfiltration Over Alt Protocol) + + T1048.003 + + + + + json + (?i)http://[0-9\.]+:1337/ + File download from HTTP server on port 1337 (Potential Exfiltration - T1048.003) + + T1048.003 + + + + + json + (?i)dig\s+[a-f0-9]{8,}\.[a-z0-9\-]+\.[a-z]+ + Possible DNS-based data exfiltration using hex-encoded subdomain (T1048.003) + + T1048.003 + + + + + json + (?i)python(\d(\.\d)?)?\s+-c\s+.*(requests|get|os\.system|linpeas|sh) + Suspicious inline Python execution with download or system call (T1059.006) + + T1059.006 + + + + + json + (?i)(https:\/\/github\.com\/.*\/linpeas\.sh|requests\.get\(.*\)) + Python script downloading external payload (e.g., linpeas.sh) – T1059.006 + + T1059.006 + + + + + json + (?i)python(\d(\.\d)?)? + (?i)\.pyc + Execution of compiled Python bytecode file (.pyc) (T1059.006) + + T1059.006 + + + + + json + (?i)pty\.spawn\(['"]\/bin\/(sh|bash)['"]\) + Python pty spawn used to escalate shell (T1059.006) + + T1059.006 + + + + json + /usr/bin/ps + (?i)aux + Discovery of security software using ps aux (T1518.001) + + T1518.001 + + + + + json + /usr/bin/egrep + (?i)(falcond|nessusd|cbagentd|td-agent|packetbeat|filebeat|auditbeat|osqueryd) + Attempt to enumerate security software using egrep (T1518.001) + + T1518.001 + +