Linux Detections

| Name | Data Source | Technique | Type | Analytic Story | Date |
|---|---|---|---|---|---|
| Linux Account Manipulation Of SSH Config and Keys | Sysmon for Linux EventID 11 | Data Destruction, File Deletion, Indicator Removal | Anomaly | AcidRain | 2024-09-30 |
| Linux Add Files In Known Crontab Directories | Sysmon for Linux EventID 11 | Cron, Scheduled Task/Job | Anomaly | Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks | 2024-09-30 |
| Linux Add User Account | Sysmon for Linux EventID 1 | Local Account, Create Account | Hunting | Linux Persistence Techniques, Linux Privilege Escalation | 2024-10-17 |
| Linux Adding Crontab Using List Parameter | Sysmon for Linux EventID 1 | Cron, Scheduled Task/Job | Hunting | Data Destruction, Gomir, Industroyer2, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks | 2024-10-17 |
| Linux apt-get Privilege Escalation | Sysmon for Linux EventID 1 | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Anomaly | Linux Living Off The Land, Linux Privilege Escalation | 2024-09-30 |
| Linux APT Privilege Escalation | Sysmon for Linux EventID 1 | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Anomaly | Linux Living Off The Land, Linux Privilege Escalation | 2024-09-30 |
| Linux At Allow Config File Creation | Sysmon for Linux EventID 11 | Cron, Scheduled Task/Job | Anomaly | Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks | 2024-09-30 |
| Linux At Application Execution | Sysmon for Linux EventID 1 | At, Scheduled Task/Job | Anomaly | Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks | 2024-09-30 |
| Linux Auditd Add User Account | Linux Auditd Proctitle | Local Account, Create Account | Anomaly | Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-30 |
| Linux Auditd Add User Account Type | Linux Auditd Add User | Create Account, Local Account | Anomaly | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-30 |
| Linux Auditd At Application Execution | Linux Auditd Syscall | At, Scheduled Task/Job | Anomaly | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks | 2024-09-30 |
| Linux Auditd Auditd Service Stop | Linux Auditd Service Stop | Service Stop | Anomaly | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-30 |
| Linux Auditd Base64 Decode Files | Linux Auditd Execve | Deobfuscate/Decode Files or Information | Anomaly | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-30 |
| Linux Auditd Change File Owner To Root | Linux Auditd Proctitle | Linux and Mac File and Directory Permissions Modification, File and Directory Permissions Modification | TTP | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2024-10-17 |
| Linux Auditd Clipboard Data Copy | Linux Auditd Execve | Clipboard Data | Anomaly | Compromised Linux Host, Linux Living Off The Land | 2024-09-30 |
| Linux Auditd Data Destruction Command | Linux Auditd Execve | Data Destruction | TTP | AwfulShred, Compromised Linux Host, Data Destruction | 2024-09-30 |
| Linux Auditd Data Transfer Size Limits Via Split | Linux Auditd Execve | Data Transfer Size Limits | Anomaly | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-30 |
| Linux Auditd Data Transfer Size Limits Via Split Syscall | Linux Auditd Syscall | Data Transfer Size Limits | Anomaly | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-30 |
| Linux Auditd Database File And Directory Discovery | Linux Auditd Execve | File and Directory Discovery | Anomaly | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-30 |
| Linux Auditd Dd File Overwrite | Linux Auditd Proctitle | Data Destruction | TTP | Compromised Linux Host, Data Destruction, Industroyer2 | 2024-09-30 |
| Linux Auditd Disable Or Modify System Firewall | Linux Auditd Service Stop | Disable or Modify System Firewall, Impair Defenses | Anomaly | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-30 |
| Linux Auditd Doas Conf File Creation | Linux Auditd Path | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | TTP | Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-30 |
| Linux Auditd Doas Tool Execution | Linux Auditd Syscall | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Anomaly | Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-30 |
| Linux Auditd Edit Cron Table Parameter | Linux Auditd Syscall | Cron, Scheduled Task/Job | TTP | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks | 2024-09-30 |
| Linux Auditd File And Directory Discovery | Linux Auditd Execve | File and Directory Discovery | Anomaly | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-30 |
| Linux Auditd File Permission Modification Via Chmod | Linux Auditd Proctitle | Linux and Mac File and Directory Permissions Modification, File and Directory Permissions Modification | Anomaly | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-30 |
| Linux Auditd File Permissions Modification Via Chattr | Linux Auditd Execve | Linux and Mac File and Directory Permissions Modification, File and Directory Permissions Modification | TTP | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-30 |
| Linux Auditd Find Credentials From Password Managers | Linux Auditd Execve | Password Managers, Credentials from Password Stores | TTP | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-30 |
| Linux Auditd Find Credentials From Password Stores | Linux Auditd Execve | Password Managers, Credentials from Password Stores | TTP | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-30 |
| Linux Auditd Find Private Keys | Linux Auditd Execve | Private Keys, Unsecured Credentials | TTP | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-30 |
| Linux Auditd Find Ssh Private Keys | Linux Auditd Execve | Private Keys, Unsecured Credentials | Anomaly | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-30 |
| Linux Auditd Hardware Addition Swapoff | Linux Auditd Execve | Hardware Additions | Anomaly | AwfulShred, Compromised Linux Host, Data Destruction | 2024-09-30 |
| Linux Auditd Hidden Files And Directories Creation | Linux Auditd Execve | File and Directory Discovery | TTP | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-30 |
| Linux Auditd Insert Kernel Module Using Insmod Utility | Linux Auditd Syscall | Kernel Modules and Extensions, Boot or Logon Autostart Execution | Anomaly | Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation, Linux Rootkit | 2024-09-30 |
| Linux Auditd Install Kernel Module Using Modprobe Utility | Linux Auditd Syscall | Kernel Modules and Extensions, Boot or Logon Autostart Execution | Anomaly | Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation, Linux Rootkit | 2024-09-30 |
| Linux Auditd Kernel Module Enumeration | Linux Auditd Syscall | System Information Discovery, Rootkit | Anomaly | Compromised Linux Host, Linux Rootkit | 2024-09-30 |
| Linux Auditd Kernel Module Using Rmmod Utility | Linux Auditd Syscall | Kernel Modules and Extensions, Boot or Logon Autostart Execution | TTP | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-30 |
| Linux Auditd Nopasswd Entry In Sudoers File | Linux Auditd Proctitle | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Anomaly | Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-30 |
| Linux Auditd Osquery Service Stop | Linux Auditd Service Stop | Service Stop | TTP | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-30 |
| Linux Auditd Possible Access Or Modification Of Sshd Config File | Linux Auditd Path | SSH Authorized Keys, Account Manipulation | Anomaly | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-30 |
| Linux Auditd Possible Access To Credential Files | Linux Auditd Proctitle | /etc/passwd and /etc/shadow, OS Credential Dumping | Anomaly | Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-30 |
| Linux Auditd Possible Access To Sudoers File | Linux Auditd Path | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Anomaly | Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-30 |
| Linux Auditd Possible Append Cronjob Entry On Existing Cronjob File | Linux Auditd Path | Cron, Scheduled Task/Job | Hunting | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks | 2024-10-17 |
| Linux Auditd Preload Hijack Library Calls | Linux Auditd Execve | Dynamic Linker Hijacking, Hijack Execution Flow | TTP | Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-30 |
| Linux Auditd Preload Hijack Via Preload File | Linux Auditd Path | Dynamic Linker Hijacking, Hijack Execution Flow | TTP | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-30 |
| Linux Auditd Service Restarted | Linux Auditd Proctitle | Systemd Timers, Scheduled Task/Job | Anomaly | AwfulShred, Compromised Linux Host, Data Destruction, Gomir, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks | 2024-09-30 |
| Linux Auditd Service Started | Linux Auditd Proctitle | Service Execution, System Services | TTP | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-30 |
| Linux Auditd Setuid Using Chmod Utility | Linux Auditd Proctitle | Setuid and Setgid, Abuse Elevation Control Mechanism | Anomaly | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-30 |
| Linux Auditd Setuid Using Setcap Utility | Linux Auditd Execve | Setuid and Setgid, Abuse Elevation Control Mechanism | TTP | Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-30 |
| Linux Auditd Shred Overwrite Command | Linux Auditd Proctitle | Data Destruction | TTP | AwfulShred, Compromised Linux Host, Data Destruction, Industroyer2, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-30 |
| Linux Auditd Stop Services | Linux Auditd Service Stop | Service Stop | TTP | AwfulShred, Compromised Linux Host, Data Destruction, Industroyer2 | 2024-09-30 |
| Linux Auditd Sudo Or Su Execution | Linux Auditd Proctitle | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Anomaly | Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-30 |
| Linux Auditd Sysmon Service Stop | Linux Auditd Service Stop | Service Stop | TTP | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-30 |
| Linux Auditd System Network Configuration Discovery | Linux Auditd Syscall | System Network Configuration Discovery | Anomaly | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-30 |
| Linux Auditd Unix Shell Configuration Modification | Linux Auditd Path | Unix Shell Configuration Modification, Event Triggered Execution | TTP | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-30 |
| Linux Auditd Unload Module Via Modprobe | Linux Auditd Execve | Kernel Modules and Extensions, Boot or Logon Autostart Execution | TTP | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-30 |
| Linux Auditd Virtual Disk File And Directory Discovery | Linux Auditd Execve | File and Directory Discovery | Anomaly | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-30 |
| Linux Auditd Whoami User Discovery | Linux Auditd Syscall | System Owner/User Discovery | Anomaly | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-30 |
| Linux AWK Privilege Escalation | Sysmon for Linux EventID 1 | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Anomaly | Linux Living Off The Land, Linux Privilege Escalation | 2024-09-30 |
| Linux Busybox Privilege Escalation | Sysmon for Linux EventID 1 | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Anomaly | Linux Living Off The Land, Linux Privilege Escalation | 2024-09-30 |
| Linux c89 Privilege Escalation | Sysmon for Linux EventID 1 | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Anomaly | Linux Living Off The Land, Linux Privilege Escalation | 2024-09-30 |
| Linux c99 Privilege Escalation | Sysmon for Linux EventID 1 | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Anomaly | Linux Living Off The Land, Linux Privilege Escalation | 2024-09-30 |
| Linux Change File Owner To Root | Sysmon for Linux EventID 1 | Linux and Mac File and Directory Permissions Modification, File and Directory Permissions Modification | Anomaly | Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-30 |
| Linux Clipboard Data Copy | Sysmon for Linux EventID 1 | Clipboard Data | Anomaly | Linux Living Off The Land | 2024-09-30 |
| Linux Common Process For Elevation Control | Sysmon for Linux EventID 1 | Setuid and Setgid, Abuse Elevation Control Mechanism | Hunting | Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2024-10-17 |
| Linux Composer Privilege Escalation | Sysmon for Linux EventID 1 | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Anomaly | Linux Living Off The Land, Linux Privilege Escalation | 2024-09-30 |
| Linux Cpulimit Privilege Escalation | Sysmon for Linux EventID 1 | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Anomaly | Linux Living Off The Land, Linux Privilege Escalation | 2024-09-30 |
| Linux Csvtool Privilege Escalation | Sysmon for Linux EventID 1 | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Anomaly | Linux Living Off The Land, Linux Privilege Escalation | 2024-09-30 |
| Linux Curl Upload File | Sysmon for Linux EventID 1 | Ingress Tool Transfer | TTP | Data Exfiltration, Ingress Tool Transfer, Linux Living Off The Land | 2024-09-30 |
| Linux Data Destruction Command | Sysmon for Linux EventID 1 | Data Destruction | TTP | AwfulShred, Data Destruction | 2024-09-30 |
| Linux DD File Overwrite | Sysmon for Linux EventID 1 | Data Destruction | TTP | Data Destruction, Industroyer2 | 2024-09-30 |
| Linux Decode Base64 to Shell | Sysmon for Linux EventID 1 | Obfuscated Files or Information, Unix Shell | TTP | Linux Living Off The Land | 2024-09-30 |
| Linux Deleting Critical Directory Using RM Command | Sysmon for Linux EventID 1 | Data Destruction | TTP | AwfulShred, Data Destruction, Industroyer2 | 2024-09-30 |
| Linux Deletion Of Cron Jobs | Sysmon for Linux EventID 11 | Data Destruction, File Deletion, Indicator Removal | Anomaly | AcidPour, AcidRain, Data Destruction | 2024-09-30 |
| Linux Deletion Of Init Daemon Script | Sysmon for Linux EventID 11 | Data Destruction, File Deletion, Indicator Removal | TTP | AcidPour, AcidRain, Data Destruction | 2024-09-30 |
| Linux Deletion Of Services | Sysmon for Linux EventID 11 | Data Destruction, File Deletion, Indicator Removal | TTP | AcidPour, AcidRain, AwfulShred, Data Destruction | 2024-09-30 |
| Linux Deletion of SSL Certificate | Sysmon for Linux EventID 11 | Data Destruction, File Deletion, Indicator Removal | Anomaly | AcidPour, AcidRain | 2024-09-30 |
| Linux Disable Services | Sysmon for Linux EventID 1 | Service Stop | TTP | AwfulShred, Data Destruction, Industroyer2 | 2024-09-30 |
| Linux Doas Conf File Creation | Sysmon for Linux EventID 11 | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Anomaly | Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-30 |
| Linux Doas Tool Execution | Sysmon for Linux EventID 1 | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Anomaly | Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-30 |
| Linux Docker Privilege Escalation | Sysmon for Linux EventID 1 | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Anomaly | Linux Living Off The Land, Linux Privilege Escalation | 2024-09-30 |
| Linux Edit Cron Table Parameter | Sysmon for Linux EventID 1 | Cron, Scheduled Task/Job | Hunting | Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks | 2024-10-17 |
| Linux Emacs Privilege Escalation | Sysmon for Linux EventID 1 | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Anomaly | Linux Living Off The Land, Linux Privilege Escalation | 2024-09-30 |
| Linux File Created In Kernel Driver Directory | Sysmon for Linux EventID 11 | Kernel Modules and Extensions, Boot or Logon Autostart Execution | Anomaly | Linux Persistence Techniques, Linux Privilege Escalation, Linux Rootkit | 2024-09-30 |
| Linux File Creation In Init Boot Directory | Sysmon for Linux EventID 11 | RC Scripts, Boot or Logon Initialization Scripts | Anomaly | Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-30 |
| Linux File Creation In Profile Directory | Sysmon for Linux EventID 11 | Unix Shell Configuration Modification, Event Triggered Execution | Anomaly | Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-30 |
| Linux Find Privilege Escalation | Sysmon for Linux EventID 1 | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Anomaly | Linux Living Off The Land, Linux Privilege Escalation | 2024-09-30 |
| Linux GDB Privilege Escalation | Sysmon for Linux EventID 1 | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Anomaly | Linux Living Off The Land, Linux Privilege Escalation | 2024-09-30 |
| Linux Gem Privilege Escalation | Sysmon for Linux EventID 1 | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Anomaly | Linux Living Off The Land, Linux Privilege Escalation | 2024-09-30 |
| Linux GNU Awk Privilege Escalation | Sysmon for Linux EventID 1 | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Anomaly | Linux Living Off The Land, Linux Privilege Escalation | 2024-09-30 |
| Linux Hardware Addition SwapOff | Sysmon for Linux EventID 1 | Hardware Additions | Anomaly | AwfulShred, Data Destruction | 2024-09-30 |
| Linux High Frequency Of File Deletion In Boot Folder | Sysmon for Linux EventID 11 | Data Destruction, File Deletion, Indicator Removal | TTP | AcidPour, Data Destruction, Industroyer2 | 2024-09-30 |
| Linux High Frequency Of File Deletion In Etc Folder | Sysmon for Linux EventID 11 | Data Destruction, File Deletion, Indicator Removal | Anomaly | AcidRain, Data Destruction | 2024-09-30 |
| Linux Impair Defenses Process Kill | Sysmon for Linux EventID 1 | Disable or Modify Tools, Impair Defenses | Hunting | AwfulShred, Data Destruction | 2024-10-17 |
| Linux Indicator Removal Clear Cache | Sysmon for Linux EventID 1 | Indicator Removal | TTP | AwfulShred, Data Destruction | 2024-09-30 |
| Linux Indicator Removal Service File Deletion | Sysmon for Linux EventID 1 | File Deletion, Indicator Removal | Anomaly | AwfulShred, Data Destruction | 2024-09-30 |
| Linux Ingress Tool Transfer Hunting | Sysmon for Linux EventID 1 | Ingress Tool Transfer | Hunting | Ingress Tool Transfer, Linux Living Off The Land | 2024-10-17 |
| Linux Ingress Tool Transfer with Curl | Sysmon for Linux EventID 1 | Ingress Tool Transfer | Anomaly | Ingress Tool Transfer, Linux Living Off The Land | 2024-09-30 |
| Linux Insert Kernel Module Using Insmod Utility | Sysmon for Linux EventID 1 | Kernel Modules and Extensions, Boot or Logon Autostart Execution | Anomaly | Linux Persistence Techniques, Linux Privilege Escalation, Linux Rootkit | 2024-09-30 |
| Linux Install Kernel Module Using Modprobe Utility | Sysmon for Linux EventID 1 | Kernel Modules and Extensions, Boot or Logon Autostart Execution | Anomaly | Linux Persistence Techniques, Linux Privilege Escalation, Linux Rootkit | 2024-09-30 |
| Linux Iptables Firewall Modification | Sysmon for Linux EventID 1 | Disable or Modify System Firewall, Impair Defenses | Anomaly | Cyclops Blink, Sandworm Tools | 2024-09-30 |
| Linux Java Spawning Shell | Sysmon for Linux EventID 1 | Exploit Public-Facing Application, External Remote Services | TTP | Data Destruction, Hermetic Wiper, Log4Shell CVE-2021-44228, Spring4Shell CVE-2022-22965 | 2024-09-30 |
| Linux Kernel Module Enumeration | Sysmon for Linux EventID 1 | System Information Discovery, Rootkit | Anomaly | Linux Rootkit | 2024-09-30 |
| Linux Kworker Process In Writable Process Path | Sysmon for Linux EventID 1 | Masquerade Task or Service, Masquerading | Hunting | Cyclops Blink, Sandworm Tools | 2024-10-17 |
| Linux Make Privilege Escalation | Sysmon for Linux EventID 1 | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Anomaly | Linux Living Off The Land, Linux Privilege Escalation | 2024-09-30 |
| Linux MySQL Privilege Escalation | Sysmon for Linux EventID 1 | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Anomaly | Linux Living Off The Land, Linux Privilege Escalation | 2024-09-30 |
| Linux Ngrok Reverse Proxy Usage | Sysmon for Linux EventID 1 | Protocol Tunneling, Proxy, Web Service | Anomaly | Reverse Network Proxy | 2024-09-30 |
| Linux Node Privilege Escalation | Sysmon for Linux EventID 1 | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Anomaly | Linux Living Off The Land, Linux Privilege Escalation | 2024-09-30 |
| Linux NOPASSWD Entry In Sudoers File | Sysmon for Linux EventID 1 | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Anomaly | Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-30 |
| Linux Obfuscated Files or Information Base64 Decode | Sysmon for Linux EventID 1 | Obfuscated Files or Information | Anomaly | Linux Living Off The Land | 2024-09-30 |
| Linux Octave Privilege Escalation | Sysmon for Linux EventID 1 | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Anomaly | Linux Living Off The Land, Linux Privilege Escalation | 2024-09-30 |
| Linux OpenVPN Privilege Escalation | Sysmon for Linux EventID 1 | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Anomaly | Linux Living Off The Land, Linux Privilege Escalation | 2024-09-30 |
| Linux Persistence and Privilege Escalation Risk Behavior | | Abuse Elevation Control Mechanism | Correlation | Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-30 |
| Linux PHP Privilege Escalation | Sysmon for Linux EventID 1 | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Anomaly | Linux Living Off The Land, Linux Privilege Escalation | 2024-09-30 |
| Linux pkexec Privilege Escalation | Sysmon for Linux EventID 1 | Exploitation for Privilege Escalation | TTP | Linux Living Off The Land, Linux Privilege Escalation | 2024-09-30 |
| Linux Possible Access Or Modification Of sshd Config File | Sysmon for Linux EventID 1 | SSH Authorized Keys, Account Manipulation | Anomaly | Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-30 |
| Linux Possible Access To Credential Files | Sysmon for Linux EventID 1 | /etc/passwd and /etc/shadow, OS Credential Dumping | Anomaly | Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-30 |
| Linux Possible Access To Sudoers File | Sysmon for Linux EventID 1 | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Anomaly | Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-30 |
| Linux Possible Append Command To At Allow Config File | Sysmon for Linux EventID 1 | At, Scheduled Task/Job | Anomaly | Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks | 2024-09-30 |
| Linux Possible Append Command To Profile Config File | Sysmon for Linux EventID 1 | Unix Shell Configuration Modification, Event Triggered Execution | Anomaly | Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-30 |
| Linux Possible Append Cronjob Entry on Existing Cronjob File | Sysmon for Linux EventID 1 | Cron, Scheduled Task/Job | Hunting | Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks | 2024-10-17 |
| Linux Possible Cronjob Modification With Editor | Sysmon for Linux EventID 1 | Cron, Scheduled Task/Job | Hunting | Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks | 2024-10-17 |
| Linux Possible Ssh Key File Creation | Sysmon for Linux EventID 11 | SSH Authorized Keys, Account Manipulation | Anomaly | Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-30 |
| Linux Preload Hijack Library Calls | Sysmon for Linux EventID 1 | Dynamic Linker Hijacking, Hijack Execution Flow | TTP | Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-30 |
| Linux Proxy Socks Curl | Sysmon for Linux EventID 1 | Proxy, Non-Application Layer Protocol | TTP | Ingress Tool Transfer, Linux Living Off The Land | 2024-09-30 |
| Linux Puppet Privilege Escalation | Sysmon for Linux EventID 1 | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Anomaly | Linux Living Off The Land, Linux Privilege Escalation | 2024-09-30 |
| Linux RPM Privilege Escalation | Sysmon for Linux EventID 1 | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Anomaly | Linux Living Off The Land, Linux Privilege Escalation | 2024-09-30 |
| Linux Ruby Privilege Escalation | Sysmon for Linux EventID 1 | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Anomaly | Linux Living Off The Land, Linux Privilege Escalation | 2024-09-30 |
| Linux Service File Created In Systemd Directory | Sysmon for Linux EventID 11 | Systemd Timers, Scheduled Task/Job | Anomaly | Gomir, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks | 2024-09-30 |
| Linux Service Restarted | Sysmon for Linux EventID 1 | Systemd Timers, Scheduled Task/Job | Anomaly | AwfulShred, Data Destruction, Gomir, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks | 2024-09-30 |
| Linux Service Started Or Enabled | Sysmon for Linux EventID 1 | Systemd Timers, Scheduled Task/Job | Anomaly | Gomir, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks | 2024-09-30 |
| Linux Setuid Using Chmod Utility | Sysmon for Linux EventID 1 | Setuid and Setgid, Abuse Elevation Control Mechanism | Anomaly | Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-30 |
| Linux Setuid Using Setcap Utility | Sysmon for Linux EventID 1 | Setuid and Setgid, Abuse Elevation Control Mechanism | Anomaly | Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-30 |
| Linux Shred Overwrite Command | Sysmon for Linux EventID 1 | Data Destruction | TTP | AwfulShred, Data Destruction, Industroyer2, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-30 |
| Linux Sqlite3 Privilege Escalation | Sysmon for Linux EventID 1 | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Anomaly | Linux Living Off The Land, Linux Privilege Escalation | 2024-09-30 |
| Linux SSH Authorized Keys Modification | Sysmon for Linux EventID 1 | SSH Authorized Keys | Anomaly | Linux Living Off The Land | 2024-09-30 |
| Linux SSH Remote Services Script Execute | Sysmon for Linux EventID 1 | SSH | TTP | Linux Living Off The Land | 2024-09-30 |
| Linux Stdout Redirection To Dev Null File | Sysmon for Linux EventID 1 | Disable or Modify System Firewall, Impair Defenses | Anomaly | Cyclops Blink, Data Destruction, Industroyer2 | 2024-10-17 |
| Linux Stop Services | Sysmon for Linux EventID 1 | Service Stop | TTP | AwfulShred, Data Destruction, Industroyer2 | 2024-09-30 |
| Linux Sudo OR Su Execution | Sysmon for Linux EventID 1 | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Hunting | Linux Persistence Techniques, Linux Privilege Escalation | 2024-10-17 |
| Linux Sudoers Tmp File Creation | Sysmon for Linux EventID 11 | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Anomaly | Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-30 |
| Linux System Network Discovery | Sysmon for Linux EventID 1 | System Network Configuration Discovery | Anomaly | Data Destruction, Industroyer2, Network Discovery | 2024-09-30 |
| Linux System Reboot Via System Request Key | Sysmon for Linux EventID 1 | System Shutdown/Reboot | TTP | AwfulShred, Data Destruction | 2024-09-30 |
| Linux Unix Shell Enable All SysRq Functions | Sysmon for Linux EventID 1 | Unix Shell, Command and Scripting Interpreter | Anomaly | AwfulShred, Data Destruction | 2024-09-30 |
| Linux Visudo Utility Execution | Sysmon for Linux EventID 1 | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Anomaly | Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-30 |
| Potential password in username | Linux Secure | Local Accounts, Credentials In Files | Hunting | Credential Dumping, Insider Threat | 2024-10-17 |
| Suspicious Linux Discovery Commands | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Unix Shell | TTP | Linux Post-Exploitation | 2024-09-30 |