| Name | Data Source | Technique | Type | Analytic Story | Date |
|---|---|---|---|---|---|
| Linux Account Manipulation Of SSH Config and Keys | Sysmon for Linux EventID 11 | Data Destruction, File Deletion, Indicator Removal | Anomaly | AcidRain | 2024-09-30 |
| Linux Add Files In Known Crontab Directories | Sysmon for Linux EventID 11 | Cron, Scheduled Task/Job | Anomaly | Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks | 2024-09-30 |
| Linux Add User Account | Sysmon for Linux EventID 1 | Local Account, Create Account | Hunting | Linux Persistence Techniques, Linux Privilege Escalation | 2024-10-17 |
| Linux Adding Crontab Using List Parameter | Sysmon for Linux EventID 1 | Cron, Scheduled Task/Job | Hunting | Data Destruction, Gomir, Industroyer2, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks | 2024-10-17 |
| Linux apt-get Privilege Escalation | Sysmon for Linux EventID 1 | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Anomaly | Linux Living Off The Land, Linux Privilege Escalation | 2024-09-30 |
| Linux APT Privilege Escalation | Sysmon for Linux EventID 1 | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Anomaly | Linux Living Off The Land, Linux Privilege Escalation | 2024-09-30 |
| Linux At Allow Config File Creation | Sysmon for Linux EventID 11 | Cron, Scheduled Task/Job | Anomaly | Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks | 2024-09-30 |
| Linux At Application Execution | Sysmon for Linux EventID 1 | At, Scheduled Task/Job | Anomaly | Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks | 2024-09-30 |
| Linux Auditd Add User Account | Linux Auditd Proctitle | Local Account, Create Account | Anomaly | Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-30 |
| Linux Auditd Add User Account Type | Linux Auditd Add User | Create Account, Local Account | Anomaly | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-30 |
| Linux Auditd At Application Execution | Linux Auditd Syscall | At, Scheduled Task/Job | Anomaly | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks | 2024-09-30 |
| Linux Auditd Auditd Service Stop | Linux Auditd Service Stop | Service Stop | Anomaly | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-30 |
| Linux Auditd Base64 Decode Files | Linux Auditd Execve | Deobfuscate/Decode Files or Information | Anomaly | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-30 |
| Linux Auditd Change File Owner To Root | Linux Auditd Proctitle | Linux and Mac File and Directory Permissions Modification, File and Directory Permissions Modification | TTP | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2024-10-17 |
| Linux Auditd Clipboard Data Copy | Linux Auditd Execve | Clipboard Data | Anomaly | Compromised Linux Host, Linux Living Off The Land | 2024-09-30 |
| Linux Auditd Data Destruction Command | Linux Auditd Execve | Data Destruction | TTP | AwfulShred, Compromised Linux Host, Data Destruction | 2024-09-30 |
| Linux Auditd Data Transfer Size Limits Via Split | Linux Auditd Execve | Data Transfer Size Limits | Anomaly | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-30 |
| Linux Auditd Data Transfer Size Limits Via Split Syscall | Linux Auditd Syscall | Data Transfer Size Limits | Anomaly | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-30 |
| Linux Auditd Database File And Directory Discovery | Linux Auditd Execve | File and Directory Discovery | Anomaly | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-30 |
| Linux Auditd Dd File Overwrite | Linux Auditd Proctitle | Data Destruction | TTP | Compromised Linux Host, Data Destruction, Industroyer2 | 2024-09-30 |
| Linux Auditd Disable Or Modify System Firewall | Linux Auditd Service Stop | Disable or Modify System Firewall, Impair Defenses | Anomaly | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-30 |
| Linux Auditd Doas Conf File Creation | Linux Auditd Path | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | TTP | Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-30 |
| Linux Auditd Doas Tool Execution | Linux Auditd Syscall | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Anomaly | Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-30 |
| Linux Auditd Edit Cron Table Parameter | Linux Auditd Syscall | Cron, Scheduled Task/Job | TTP | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks | 2024-09-30 |
| Linux Auditd File And Directory Discovery | Linux Auditd Execve | File and Directory Discovery | Anomaly | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-30 |
| Linux Auditd File Permission Modification Via Chmod | Linux Auditd Proctitle | Linux and Mac File and Directory Permissions Modification, File and Directory Permissions Modification | Anomaly | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-30 |
| Linux Auditd File Permissions Modification Via Chattr | Linux Auditd Execve | Linux and Mac File and Directory Permissions Modification, File and Directory Permissions Modification | TTP | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-30 |
| Linux Auditd Find Credentials From Password Managers | Linux Auditd Execve | Password Managers, Credentials from Password Stores | TTP | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-30 |
| Linux Auditd Find Credentials From Password Stores | Linux Auditd Execve | Password Managers, Credentials from Password Stores | TTP | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-30 |
| Linux Auditd Find Private Keys | Linux Auditd Execve | Private Keys, Unsecured Credentials | TTP | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-30 |
| Linux Auditd Find Ssh Private Keys | Linux Auditd Execve | Private Keys, Unsecured Credentials | Anomaly | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-30 |
| Linux Auditd Hardware Addition Swapoff | Linux Auditd Execve | Hardware Additions | Anomaly | AwfulShred, Compromised Linux Host, Data Destruction | 2024-09-30 |
| Linux Auditd Hidden Files And Directories Creation | Linux Auditd Execve | File and Directory Discovery | TTP | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-30 |
| Linux Auditd Insert Kernel Module Using Insmod Utility | Linux Auditd Syscall | Kernel Modules and Extensions, Boot or Logon Autostart Execution | Anomaly | Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation, Linux Rootkit | 2024-09-30 |
| Linux Auditd Install Kernel Module Using Modprobe Utility | Linux Auditd Syscall | Kernel Modules and Extensions, Boot or Logon Autostart Execution | Anomaly | Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation, Linux Rootkit | 2024-09-30 |
| Linux Auditd Kernel Module Enumeration | Linux Auditd Syscall | System Information Discovery, Rootkit | Anomaly | Compromised Linux Host, Linux Rootkit | 2024-09-30 |
| Linux Auditd Kernel Module Using Rmmod Utility | Linux Auditd Syscall | Kernel Modules and Extensions, Boot or Logon Autostart Execution | TTP | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-30 |
| Linux Auditd Nopasswd Entry In Sudoers File | Linux Auditd Proctitle | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Anomaly | Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-30 |
| Linux Auditd Osquery Service Stop | Linux Auditd Service Stop | Service Stop | TTP | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-30 |
| Linux Auditd Possible Access Or Modification Of Sshd Config File | Linux Auditd Path | SSH Authorized Keys, Account Manipulation | Anomaly | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-30 |
| Linux Auditd Possible Access To Credential Files | Linux Auditd Proctitle | /etc/passwd and /etc/shadow, OS Credential Dumping | Anomaly | Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-30 |
| Linux Auditd Possible Access To Sudoers File | Linux Auditd Path | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Anomaly | Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-30 |
| Linux Auditd Possible Append Cronjob Entry On Existing Cronjob File | Linux Auditd Path | Cron, Scheduled Task/Job | Hunting | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks | 2024-10-17 |
| Linux Auditd Preload Hijack Library Calls | Linux Auditd Execve | Dynamic Linker Hijacking, Hijack Execution Flow | TTP | Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-30 |
| Linux Auditd Preload Hijack Via Preload File | Linux Auditd Path | Dynamic Linker Hijacking, Hijack Execution Flow | TTP | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-30 |
| Linux Auditd Service Restarted | Linux Auditd Proctitle | Systemd Timers, Scheduled Task/Job | Anomaly | AwfulShred, Compromised Linux Host, Data Destruction, Gomir, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks | 2024-09-30 |
| Linux Auditd Service Started | Linux Auditd Proctitle | Service Execution, System Services | TTP | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-30 |
| Linux Auditd Setuid Using Chmod Utility | Linux Auditd Proctitle | Setuid and Setgid, Abuse Elevation Control Mechanism | Anomaly | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-30 |
| Linux Auditd Setuid Using Setcap Utility | Linux Auditd Execve | Setuid and Setgid, Abuse Elevation Control Mechanism | TTP | Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-30 |
| Linux Auditd Shred Overwrite Command | Linux Auditd Proctitle | Data Destruction | TTP | AwfulShred, Compromised Linux Host, Data Destruction, Industroyer2, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-30 |
| Linux Auditd Stop Services | Linux Auditd Service Stop | Service Stop | TTP | AwfulShred, Compromised Linux Host, Data Destruction, Industroyer2 | 2024-09-30 |
| Linux Auditd Sudo Or Su Execution | Linux Auditd Proctitle | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Anomaly | Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-30 |
| Linux Auditd Sysmon Service Stop | Linux Auditd Service Stop | Service Stop | TTP | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-30 |
| Linux Auditd System Network Configuration Discovery | Linux Auditd Syscall | System Network Configuration Discovery | Anomaly | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-30 |
| Linux Auditd Unix Shell Configuration Modification | Linux Auditd Path | Unix Shell Configuration Modification, Event Triggered Execution | TTP | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-30 |
| Linux Auditd Unload Module Via Modprobe | Linux Auditd Execve | Kernel Modules and Extensions, Boot or Logon Autostart Execution | TTP | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-30 |
| Linux Auditd Virtual Disk File And Directory Discovery | Linux Auditd Execve | File and Directory Discovery | Anomaly | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-30 |
| Linux Auditd Whoami User Discovery | Linux Auditd Syscall | System Owner/User Discovery | Anomaly | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-30 |
| Linux AWK Privilege Escalation | Sysmon for Linux EventID 1 | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Anomaly | Linux Living Off The Land, Linux Privilege Escalation | 2024-09-30 |
| Linux Busybox Privilege Escalation | Sysmon for Linux EventID 1 | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Anomaly | Linux Living Off The Land, Linux Privilege Escalation | 2024-09-30 |
| Linux c89 Privilege Escalation | Sysmon for Linux EventID 1 | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Anomaly | Linux Living Off The Land, Linux Privilege Escalation | 2024-09-30 |
| Linux c99 Privilege Escalation | Sysmon for Linux EventID 1 | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Anomaly | Linux Living Off The Land, Linux Privilege Escalation | 2024-09-30 |
| Linux Change File Owner To Root | Sysmon for Linux EventID 1 | Linux and Mac File and Directory Permissions Modification, File and Directory Permissions Modification | Anomaly | Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-30 |
| Linux Clipboard Data Copy | Sysmon for Linux EventID 1 | Clipboard Data | Anomaly | Linux Living Off The Land | 2024-09-30 |
| Linux Common Process For Elevation Control | Sysmon for Linux EventID 1 | Setuid and Setgid, Abuse Elevation Control Mechanism | Hunting | Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2024-10-17 |
| Linux Composer Privilege Escalation | Sysmon for Linux EventID 1 | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Anomaly | Linux Living Off The Land, Linux Privilege Escalation | 2024-09-30 |
| Linux Cpulimit Privilege Escalation | Sysmon for Linux EventID 1 | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Anomaly | Linux Living Off The Land, Linux Privilege Escalation | 2024-09-30 |
| Linux Csvtool Privilege Escalation | Sysmon for Linux EventID 1 | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Anomaly | Linux Living Off The Land, Linux Privilege Escalation | 2024-09-30 |
| Linux Curl Upload File | Sysmon for Linux EventID 1 | Ingress Tool Transfer | TTP | Data Exfiltration, Ingress Tool Transfer, Linux Living Off The Land | 2024-09-30 |
| Linux Data Destruction Command | Sysmon for Linux EventID 1 | Data Destruction | TTP | AwfulShred, Data Destruction | 2024-09-30 |
| Linux DD File Overwrite | Sysmon for Linux EventID 1 | Data Destruction | TTP | Data Destruction, Industroyer2 | 2024-09-30 |
| Linux Decode Base64 to Shell | Sysmon for Linux EventID 1 | Obfuscated Files or Information, Unix Shell | TTP | Linux Living Off The Land | 2024-09-30 |
| Linux Deleting Critical Directory Using RM Command | Sysmon for Linux EventID 1 | Data Destruction | TTP | AwfulShred, Data Destruction, Industroyer2 | 2024-09-30 |
| Linux Deletion Of Cron Jobs | Sysmon for Linux EventID 11 | Data Destruction, File Deletion, Indicator Removal | Anomaly | AcidPour, AcidRain, Data Destruction | 2024-09-30 |
| Linux Deletion Of Init Daemon Script | Sysmon for Linux EventID 11 | Data Destruction, File Deletion, Indicator Removal | TTP | AcidPour, AcidRain, Data Destruction | 2024-09-30 |
| Linux Deletion Of Services | Sysmon for Linux EventID 11 | Data Destruction, File Deletion, Indicator Removal | TTP | AcidPour, AcidRain, AwfulShred, Data Destruction | 2024-09-30 |
| Linux Deletion of SSL Certificate | Sysmon for Linux EventID 11 | Data Destruction, File Deletion, Indicator Removal | Anomaly | AcidPour, AcidRain | 2024-09-30 |
| Linux Disable Services | Sysmon for Linux EventID 1 | Service Stop | TTP | AwfulShred, Data Destruction, Industroyer2 | 2024-09-30 |
| Linux Doas Conf File Creation | Sysmon for Linux EventID 11 | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Anomaly | Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-30 |
| Linux Doas Tool Execution | Sysmon for Linux EventID 1 | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Anomaly | Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-30 |
| Linux Docker Privilege Escalation | Sysmon for Linux EventID 1 | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Anomaly | Linux Living Off The Land, Linux Privilege Escalation | 2024-09-30 |
| Linux Edit Cron Table Parameter | Sysmon for Linux EventID 1 | Cron, Scheduled Task/Job | Hunting | Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks | 2024-10-17 |
| Linux Emacs Privilege Escalation | Sysmon for Linux EventID 1 | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Anomaly | Linux Living Off The Land, Linux Privilege Escalation | 2024-09-30 |
| Linux File Created In Kernel Driver Directory | Sysmon for Linux EventID 11 | Kernel Modules and Extensions, Boot or Logon Autostart Execution | Anomaly | Linux Persistence Techniques, Linux Privilege Escalation, Linux Rootkit | 2024-09-30 |
| Linux File Creation In Init Boot Directory | Sysmon for Linux EventID 11 | RC Scripts, Boot or Logon Initialization Scripts | Anomaly | Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-30 |
| Linux File Creation In Profile Directory | Sysmon for Linux EventID 11 | Unix Shell Configuration Modification, Event Triggered Execution | Anomaly | Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-30 |
| Linux Find Privilege Escalation | Sysmon for Linux EventID 1 | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Anomaly | Linux Living Off The Land, Linux Privilege Escalation | 2024-09-30 |
| Linux GDB Privilege Escalation | Sysmon for Linux EventID 1 | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Anomaly | Linux Living Off The Land, Linux Privilege Escalation | 2024-09-30 |
| Linux Gem Privilege Escalation | Sysmon for Linux EventID 1 | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Anomaly | Linux Living Off The Land, Linux Privilege Escalation | 2024-09-30 |
| Linux GNU Awk Privilege Escalation | Sysmon for Linux EventID 1 | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Anomaly | Linux Living Off The Land, Linux Privilege Escalation | 2024-09-30 |
| Linux Hardware Addition SwapOff | Sysmon for Linux EventID 1 | Hardware Additions | Anomaly | AwfulShred, Data Destruction | 2024-09-30 |
| Linux High Frequency Of File Deletion In Boot Folder | Sysmon for Linux EventID 11 | Data Destruction, File Deletion, Indicator Removal | TTP | AcidPour, Data Destruction, Industroyer2 | 2024-09-30 |
| Linux High Frequency Of File Deletion In Etc Folder | Sysmon for Linux EventID 11 | Data Destruction, File Deletion, Indicator Removal | Anomaly | AcidRain, Data Destruction | 2024-09-30 |
| Linux Impair Defenses Process Kill | Sysmon for Linux EventID 1 | Disable or Modify Tools, Impair Defenses | Hunting | AwfulShred, Data Destruction | 2024-10-17 |
| Linux Indicator Removal Clear Cache | Sysmon for Linux EventID 1 | Indicator Removal | TTP | AwfulShred, Data Destruction | 2024-09-30 |
| Linux Indicator Removal Service File Deletion | Sysmon for Linux EventID 1 | File Deletion, Indicator Removal | Anomaly | AwfulShred, Data Destruction | 2024-09-30 |
| Linux Ingress Tool Transfer Hunting | Sysmon for Linux EventID 1 | Ingress Tool Transfer | Hunting | Ingress Tool Transfer, Linux Living Off The Land | 2024-10-17 |
| Linux Ingress Tool Transfer with Curl | Sysmon for Linux EventID 1 | Ingress Tool Transfer | Anomaly | Ingress Tool Transfer, Linux Living Off The Land | 2024-09-30 |
| Linux Insert Kernel Module Using Insmod Utility | Sysmon for Linux EventID 1 | Kernel Modules and Extensions, Boot or Logon Autostart Execution | Anomaly | Linux Persistence Techniques, Linux Privilege Escalation, Linux Rootkit | 2024-09-30 |
| Linux Install Kernel Module Using Modprobe Utility | Sysmon for Linux EventID 1 | Kernel Modules and Extensions, Boot or Logon Autostart Execution | Anomaly | Linux Persistence Techniques, Linux Privilege Escalation, Linux Rootkit | 2024-09-30 |
| Linux Iptables Firewall Modification | Sysmon for Linux EventID 1 | Disable or Modify System Firewall, Impair Defenses | Anomaly | Cyclops Blink, Sandworm Tools | 2024-09-30 |
| Linux Java Spawning Shell | Sysmon for Linux EventID 1 | Exploit Public-Facing Application, External Remote Services | TTP | Data Destruction, Hermetic Wiper, Log4Shell CVE-2021-44228, Spring4Shell CVE-2022-22965 | 2024-09-30 |
| Linux Kernel Module Enumeration | Sysmon for Linux EventID 1 | System Information Discovery, Rootkit | Anomaly | Linux Rootkit | 2024-09-30 |
| Linux Kworker Process In Writable Process Path | Sysmon for Linux EventID 1 | Masquerade Task or Service, Masquerading | Hunting | Cyclops Blink, Sandworm Tools | 2024-10-17 |
| Linux Make Privilege Escalation | Sysmon for Linux EventID 1 | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Anomaly | Linux Living Off The Land, Linux Privilege Escalation | 2024-09-30 |
| Linux MySQL Privilege Escalation | Sysmon for Linux EventID 1 | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Anomaly | Linux Living Off The Land, Linux Privilege Escalation | 2024-09-30 |
| Linux Ngrok Reverse Proxy Usage | Sysmon for Linux EventID 1 | Protocol Tunneling, Proxy, Web Service | Anomaly | Reverse Network Proxy | 2024-09-30 |
| Linux Node Privilege Escalation | Sysmon for Linux EventID 1 | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Anomaly | Linux Living Off The Land, Linux Privilege Escalation | 2024-09-30 |
| Linux NOPASSWD Entry In Sudoers File | Sysmon for Linux EventID 1 | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Anomaly | Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-30 |
| Linux Obfuscated Files or Information Base64 Decode | Sysmon for Linux EventID 1 | Obfuscated Files or Information | Anomaly | Linux Living Off The Land | 2024-09-30 |
| Linux Octave Privilege Escalation | Sysmon for Linux EventID 1 | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Anomaly | Linux Living Off The Land, Linux Privilege Escalation | 2024-09-30 |
| Linux OpenVPN Privilege Escalation | Sysmon for Linux EventID 1 | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Anomaly | Linux Living Off The Land, Linux Privilege Escalation | 2024-09-30 |
| Linux Persistence and Privilege Escalation Risk Behavior |  | Abuse Elevation Control Mechanism | Correlation | Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-30 |
| Linux PHP Privilege Escalation | Sysmon for Linux EventID 1 | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Anomaly | Linux Living Off The Land, Linux Privilege Escalation | 2024-09-30 |
| Linux pkexec Privilege Escalation | Sysmon for Linux EventID 1 | Exploitation for Privilege Escalation | TTP | Linux Living Off The Land, Linux Privilege Escalation | 2024-09-30 |
| Linux Possible Access Or Modification Of sshd Config File | Sysmon for Linux EventID 1 | SSH Authorized Keys, Account Manipulation | Anomaly | Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-30 |
| Linux Possible Access To Credential Files | Sysmon for Linux EventID 1 | /etc/passwd and /etc/shadow, OS Credential Dumping | Anomaly | Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-30 |
| Linux Possible Access To Sudoers File | Sysmon for Linux EventID 1 | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Anomaly | Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-30 |
| Linux Possible Append Command To At Allow Config File | Sysmon for Linux EventID 1 | At, Scheduled Task/Job | Anomaly | Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks | 2024-09-30 |
| Linux Possible Append Command To Profile Config File | Sysmon for Linux EventID 1 | Unix Shell Configuration Modification, Event Triggered Execution | Anomaly | Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-30 |
| Linux Possible Append Cronjob Entry on Existing Cronjob File | Sysmon for Linux EventID 1 | Cron, Scheduled Task/Job | Hunting | Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks | 2024-10-17 |
| Linux Possible Cronjob Modification With Editor | Sysmon for Linux EventID 1 | Cron, Scheduled Task/Job | Hunting | Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks | 2024-10-17 |
| Linux Possible Ssh Key File Creation | Sysmon for Linux EventID 11 | SSH Authorized Keys, Account Manipulation | Anomaly | Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-30 |
| Linux Preload Hijack Library Calls | Sysmon for Linux EventID 1 | Dynamic Linker Hijacking, Hijack Execution Flow | TTP | Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-30 |
| Linux Proxy Socks Curl | Sysmon for Linux EventID 1 | Proxy, Non-Application Layer Protocol | TTP | Ingress Tool Transfer, Linux Living Off The Land | 2024-09-30 |
| Linux Puppet Privilege Escalation | Sysmon for Linux EventID 1 | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Anomaly | Linux Living Off The Land, Linux Privilege Escalation | 2024-09-30 |
| Linux RPM Privilege Escalation | Sysmon for Linux EventID 1 | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Anomaly | Linux Living Off The Land, Linux Privilege Escalation | 2024-09-30 |
| Linux Ruby Privilege Escalation | Sysmon for Linux EventID 1 | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Anomaly | Linux Living Off The Land, Linux Privilege Escalation | 2024-09-30 |
| Linux Service File Created In Systemd Directory | Sysmon for Linux EventID 11 | Systemd Timers, Scheduled Task/Job | Anomaly | Gomir, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks | 2024-09-30 |
| Linux Service Restarted | Sysmon for Linux EventID 1 | Systemd Timers, Scheduled Task/Job | Anomaly | AwfulShred, Data Destruction, Gomir, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks | 2024-09-30 |
| Linux Service Started Or Enabled | Sysmon for Linux EventID 1 | Systemd Timers, Scheduled Task/Job | Anomaly | Gomir, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks | 2024-09-30 |
| Linux Setuid Using Chmod Utility | Sysmon for Linux EventID 1 | Setuid and Setgid, Abuse Elevation Control Mechanism | Anomaly | Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-30 |
| Linux Setuid Using Setcap Utility | Sysmon for Linux EventID 1 | Setuid and Setgid, Abuse Elevation Control Mechanism | Anomaly | Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-30 |
| Linux Shred Overwrite Command | Sysmon for Linux EventID 1 | Data Destruction | TTP | AwfulShred, Data Destruction, Industroyer2, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-30 |
| Linux Sqlite3 Privilege Escalation | Sysmon for Linux EventID 1 | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Anomaly | Linux Living Off The Land, Linux Privilege Escalation | 2024-09-30 |
| Linux SSH Authorized Keys Modification | Sysmon for Linux EventID 1 | SSH Authorized Keys | Anomaly | Linux Living Off The Land | 2024-09-30 |
| Linux SSH Remote Services Script Execute | Sysmon for Linux EventID 1 | SSH | TTP | Linux Living Off The Land | 2024-09-30 |
| Linux Stdout Redirection To Dev Null File | Sysmon for Linux EventID 1 | Disable or Modify System Firewall, Impair Defenses | Anomaly | Cyclops Blink, Data Destruction, Industroyer2 | 2024-10-17 |
| Linux Stop Services | Sysmon for Linux EventID 1 | Service Stop | TTP | AwfulShred, Data Destruction, Industroyer2 | 2024-09-30 |
| Linux Sudo OR Su Execution | Sysmon for Linux EventID 1 | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Hunting | Linux Persistence Techniques, Linux Privilege Escalation | 2024-10-17 |
| Linux Sudoers Tmp File Creation | Sysmon for Linux EventID 11 | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Anomaly | Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-30 |
| Linux System Network Discovery | Sysmon for Linux EventID 1 | System Network Configuration Discovery | Anomaly | Data Destruction, Industroyer2, Network Discovery | 2024-09-30 |
| Linux System Reboot Via System Request Key | Sysmon for Linux EventID 1 | System Shutdown/Reboot | TTP | AwfulShred, Data Destruction | 2024-09-30 |
| Linux Unix Shell Enable All SysRq Functions | Sysmon for Linux EventID 1 | Unix Shell, Command and Scripting Interpreter | Anomaly | AwfulShred, Data Destruction | 2024-09-30 |
| Linux Visudo Utility Execution | Sysmon for Linux EventID 1 | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Anomaly | Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-30 |
| Potential password in username | Linux Secure | Local Accounts, Credentials In Files | Hunting | Credential Dumping, Insider Threat | 2024-10-17 |
| Suspicious Linux Discovery Commands | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Unix Shell | TTP | Linux Post-Exploitation | 2024-09-30 |