Linux Detections

Name Data Source Technique Type Analytic Story Date
Linux Account Manipulation Of SSH Config and Keys Sysmon for Linux EventID 11 Data Destruction File Deletion Indicator Removal Anomaly AcidRain 2024-09-30
Linux Add Files In Known Crontab Directories Sysmon for Linux EventID 11 Cron Scheduled Task/Job Anomaly Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks 2024-09-30
Linux Add User Account Sysmon for Linux EventID 1 Local Account Create Account Hunting Linux Persistence Techniques, Linux Privilege Escalation 2024-10-17
Linux Adding Crontab Using List Parameter Sysmon for Linux EventID 1 Cron Scheduled Task/Job Hunting Data Destruction, Gomir, Industroyer2, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks 2024-10-17
Linux apt-get Privilege Escalation Sysmon for Linux EventID 1 Sudo and Sudo Caching Abuse Elevation Control Mechanism Anomaly Linux Living Off The Land, Linux Privilege Escalation 2024-09-30
Linux APT Privilege Escalation Sysmon for Linux EventID 1 Sudo and Sudo Caching Abuse Elevation Control Mechanism Anomaly Linux Living Off The Land, Linux Privilege Escalation 2024-09-30
Linux At Allow Config File Creation Sysmon for Linux EventID 11 Cron Scheduled Task/Job Anomaly Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks 2024-09-30
Linux At Application Execution Sysmon for Linux EventID 1 At Scheduled Task/Job Anomaly Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks 2024-09-30
Linux Auditd Add User Account Linux Auditd Proctitle Local Account Create Account Anomaly Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation 2024-09-30
Linux Auditd Add User Account Type Linux Auditd Add User Create Account Local Account Anomaly Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation 2024-09-30
Linux Auditd At Application Execution Linux Auditd Syscall At Scheduled Task/Job Anomaly Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks 2024-09-30
Linux Auditd Auditd Service Stop Linux Auditd Service Stop Service Stop Anomaly Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation 2024-09-30
Linux Auditd Base64 Decode Files Linux Auditd Execve Deobfuscate/Decode Files or Information Anomaly Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation 2024-09-30
Linux Auditd Change File Owner To Root Linux Auditd Proctitle Linux and Mac File and Directory Permissions Modification File and Directory Permissions Modification TTP Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation 2024-10-17
Linux Auditd Clipboard Data Copy Linux Auditd Execve Clipboard Data Anomaly Compromised Linux Host, Linux Living Off The Land 2024-09-30
Linux Auditd Data Destruction Command Linux Auditd Execve Data Destruction TTP AwfulShred, Compromised Linux Host, Data Destruction 2024-09-30
Linux Auditd Data Transfer Size Limits Via Split Linux Auditd Execve Data Transfer Size Limits Anomaly Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation 2024-09-30
Linux Auditd Data Transfer Size Limits Via Split Syscall Linux Auditd Syscall Data Transfer Size Limits Anomaly Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation 2024-09-30
Linux Auditd Database File And Directory Discovery Linux Auditd Execve File and Directory Discovery Anomaly Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation 2024-09-30
Linux Auditd Dd File Overwrite Linux Auditd Proctitle Data Destruction TTP Compromised Linux Host, Data Destruction, Industroyer2 2024-09-30
Linux Auditd Disable Or Modify System Firewall Linux Auditd Service Stop Disable or Modify System Firewall Impair Defenses Anomaly Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation 2024-09-30
Linux Auditd Doas Conf File Creation Linux Auditd Path Sudo and Sudo Caching Abuse Elevation Control Mechanism TTP Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation 2024-09-30
Linux Auditd Doas Tool Execution Linux Auditd Syscall Sudo and Sudo Caching Abuse Elevation Control Mechanism Anomaly Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation 2024-09-30
Linux Auditd Edit Cron Table Parameter Linux Auditd Syscall Cron Scheduled Task/Job TTP Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks 2024-09-30
Linux Auditd File And Directory Discovery Linux Auditd Execve File and Directory Discovery Anomaly Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation 2024-09-30
Linux Auditd File Permission Modification Via Chmod Linux Auditd Proctitle Linux and Mac File and Directory Permissions Modification File and Directory Permissions Modification Anomaly Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation 2024-12-02
Linux Auditd File Permissions Modification Via Chattr Linux Auditd Execve Linux and Mac File and Directory Permissions Modification File and Directory Permissions Modification TTP Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation 2024-09-30
Linux Auditd Find Credentials From Password Managers Linux Auditd Execve Password Managers Credentials from Password Stores TTP Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation 2024-09-30
Linux Auditd Find Credentials From Password Stores Linux Auditd Execve Password Managers Credentials from Password Stores TTP Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation 2024-09-30
Linux Auditd Find Private Keys Linux Auditd Execve Private Keys Unsecured Credentials TTP Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation 2024-09-30
Linux Auditd Find Ssh Private Keys Linux Auditd Execve Private Keys Unsecured Credentials Anomaly Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation 2024-09-30
Linux Auditd Hardware Addition Swapoff Linux Auditd Execve Hardware Additions Anomaly AwfulShred, Compromised Linux Host, Data Destruction 2024-09-30
Linux Auditd Hidden Files And Directories Creation Linux Auditd Execve File and Directory Discovery TTP Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation 2024-09-30
Linux Auditd Insert Kernel Module Using Insmod Utility Linux Auditd Syscall Kernel Modules and Extensions Boot or Logon Autostart Execution Anomaly Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation, Linux Rootkit 2024-09-30
Linux Auditd Install Kernel Module Using Modprobe Utility Linux Auditd Syscall Kernel Modules and Extensions Boot or Logon Autostart Execution Anomaly Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation, Linux Rootkit 2024-09-30
Linux Auditd Kernel Module Enumeration Linux Auditd Syscall System Information Discovery Rootkit Anomaly Compromised Linux Host, Linux Rootkit 2024-09-30
Linux Auditd Kernel Module Using Rmmod Utility Linux Auditd Syscall Kernel Modules and Extensions Boot or Logon Autostart Execution TTP Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation 2024-09-30
Linux Auditd Nopasswd Entry In Sudoers File Linux Auditd Proctitle Sudo and Sudo Caching Abuse Elevation Control Mechanism Anomaly Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation 2024-09-30
Linux Auditd Osquery Service Stop Linux Auditd Service Stop Service Stop TTP Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation 2024-09-30
Linux Auditd Possible Access Or Modification Of Sshd Config File Linux Auditd Path SSH Authorized Keys Account Manipulation Anomaly Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation 2024-09-30
Linux Auditd Possible Access To Credential Files Linux Auditd Proctitle /etc/passwd and /etc/shadow OS Credential Dumping Anomaly Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation 2024-09-30
Linux Auditd Possible Access To Sudoers File Linux Auditd Path Sudo and Sudo Caching Abuse Elevation Control Mechanism Anomaly Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation 2024-09-30
Linux Auditd Possible Append Cronjob Entry On Existing Cronjob File Linux Auditd Path Cron Scheduled Task/Job Hunting Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks 2024-10-17
Linux Auditd Preload Hijack Library Calls Linux Auditd Execve Dynamic Linker Hijacking Hijack Execution Flow TTP Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation 2024-09-30
Linux Auditd Preload Hijack Via Preload File Linux Auditd Path Dynamic Linker Hijacking Hijack Execution Flow TTP Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation 2024-09-30
Linux Auditd Service Restarted Linux Auditd Proctitle Systemd Timers Scheduled Task/Job Anomaly AwfulShred, Compromised Linux Host, Data Destruction, Gomir, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks 2024-09-30
Linux Auditd Service Started Linux Auditd Proctitle Service Execution System Services TTP Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation 2024-09-30
Linux Auditd Setuid Using Chmod Utility Linux Auditd Proctitle Setuid and Setgid Abuse Elevation Control Mechanism Anomaly Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation 2024-09-30
Linux Auditd Setuid Using Setcap Utility Linux Auditd Execve Setuid and Setgid Abuse Elevation Control Mechanism TTP Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation 2024-09-30
Linux Auditd Shred Overwrite Command Linux Auditd Proctitle Data Destruction TTP AwfulShred, Compromised Linux Host, Data Destruction, Industroyer2, Linux Persistence Techniques, Linux Privilege Escalation 2024-09-30
Linux Auditd Stop Services Linux Auditd Service Stop Service Stop TTP AwfulShred, Compromised Linux Host, Data Destruction, Industroyer2 2024-09-30
Linux Auditd Sudo Or Su Execution Linux Auditd Proctitle Sudo and Sudo Caching Abuse Elevation Control Mechanism Anomaly Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation 2024-09-30
Linux Auditd Sysmon Service Stop Linux Auditd Service Stop Service Stop TTP Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation 2024-09-30
Linux Auditd System Network Configuration Discovery Linux Auditd Syscall System Network Configuration Discovery Anomaly Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation 2024-09-30
Linux Auditd Unix Shell Configuration Modification Linux Auditd Path Unix Shell Configuration Modification Event Triggered Execution TTP Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation 2024-09-30
Linux Auditd Unload Module Via Modprobe Linux Auditd Execve Kernel Modules and Extensions Boot or Logon Autostart Execution TTP Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation 2024-09-30
Linux Auditd Virtual Disk File And Directory Discovery Linux Auditd Execve File and Directory Discovery Anomaly Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation 2024-09-30
Linux Auditd Whoami User Discovery Linux Auditd Syscall System Owner/User Discovery Anomaly Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation 2024-09-30
Linux AWK Privilege Escalation Sysmon for Linux EventID 1 Sudo and Sudo Caching Abuse Elevation Control Mechanism Anomaly Linux Living Off The Land, Linux Privilege Escalation 2024-09-30
Linux Busybox Privilege Escalation Sysmon for Linux EventID 1 Sudo and Sudo Caching Abuse Elevation Control Mechanism Anomaly Linux Living Off The Land, Linux Privilege Escalation 2024-09-30
Linux c89 Privilege Escalation Sysmon for Linux EventID 1 Sudo and Sudo Caching Abuse Elevation Control Mechanism Anomaly Linux Living Off The Land, Linux Privilege Escalation 2024-09-30
Linux c99 Privilege Escalation Sysmon for Linux EventID 1 Sudo and Sudo Caching Abuse Elevation Control Mechanism Anomaly Linux Living Off The Land, Linux Privilege Escalation 2024-09-30
Linux Change File Owner To Root Sysmon for Linux EventID 1 Linux and Mac File and Directory Permissions Modification File and Directory Permissions Modification Anomaly Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation 2024-09-30
Linux Clipboard Data Copy Sysmon for Linux EventID 1 Clipboard Data Anomaly Linux Living Off The Land 2024-09-30
Linux Common Process For Elevation Control Sysmon for Linux EventID 1 Setuid and Setgid Abuse Elevation Control Mechanism Hunting Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation 2024-10-17
Linux Composer Privilege Escalation Sysmon for Linux EventID 1 Sudo and Sudo Caching Abuse Elevation Control Mechanism Anomaly Linux Living Off The Land, Linux Privilege Escalation 2024-09-30
Linux Cpulimit Privilege Escalation Sysmon for Linux EventID 1 Sudo and Sudo Caching Abuse Elevation Control Mechanism Anomaly Linux Living Off The Land, Linux Privilege Escalation 2024-09-30
Linux Csvtool Privilege Escalation Sysmon for Linux EventID 1 Sudo and Sudo Caching Abuse Elevation Control Mechanism Anomaly Linux Living Off The Land, Linux Privilege Escalation 2024-09-30
Linux Curl Upload File Sysmon for Linux EventID 1 Ingress Tool Transfer TTP Data Exfiltration, Ingress Tool Transfer, Linux Living Off The Land 2024-09-30
Linux Data Destruction Command Sysmon for Linux EventID 1 Data Destruction TTP AwfulShred, Data Destruction 2024-09-30
Linux DD File Overwrite Sysmon for Linux EventID 1 Data Destruction TTP Data Destruction, Industroyer2 2024-09-30
Linux Decode Base64 to Shell Sysmon for Linux EventID 1 Obfuscated Files or Information Unix Shell TTP Linux Living Off The Land 2024-09-30
Linux Deleting Critical Directory Using RM Command Sysmon for Linux EventID 1 Data Destruction TTP AwfulShred, Data Destruction, Industroyer2 2024-09-30
Linux Deletion Of Cron Jobs Sysmon for Linux EventID 11 Data Destruction File Deletion Indicator Removal Anomaly AcidPour, AcidRain, Data Destruction 2024-09-30
Linux Deletion Of Init Daemon Script Sysmon for Linux EventID 11 Data Destruction File Deletion Indicator Removal TTP AcidPour, AcidRain, Data Destruction 2024-09-30
Linux Deletion Of Services Sysmon for Linux EventID 11 Data Destruction File Deletion Indicator Removal TTP AcidPour, AcidRain, AwfulShred, Data Destruction 2024-09-30
Linux Deletion of SSL Certificate Sysmon for Linux EventID 11 Data Destruction File Deletion Indicator Removal Anomaly AcidPour, AcidRain 2024-09-30
Linux Disable Services Sysmon for Linux EventID 1 Service Stop TTP AwfulShred, Data Destruction, Industroyer2 2024-09-30
Linux Doas Conf File Creation Sysmon for Linux EventID 11 Sudo and Sudo Caching Abuse Elevation Control Mechanism Anomaly Linux Persistence Techniques, Linux Privilege Escalation 2024-09-30
Linux Doas Tool Execution Sysmon for Linux EventID 1 Sudo and Sudo Caching Abuse Elevation Control Mechanism Anomaly Linux Persistence Techniques, Linux Privilege Escalation 2024-09-30
Linux Docker Privilege Escalation Sysmon for Linux EventID 1 Sudo and Sudo Caching Abuse Elevation Control Mechanism Anomaly Linux Living Off The Land, Linux Privilege Escalation 2024-09-30
Linux Edit Cron Table Parameter Sysmon for Linux EventID 1 Cron Scheduled Task/Job Hunting Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks 2024-10-17
Linux Emacs Privilege Escalation Sysmon for Linux EventID 1 Sudo and Sudo Caching Abuse Elevation Control Mechanism Anomaly Linux Living Off The Land, Linux Privilege Escalation 2024-09-30
Linux File Created In Kernel Driver Directory Sysmon for Linux EventID 11 Kernel Modules and Extensions Boot or Logon Autostart Execution Anomaly Linux Persistence Techniques, Linux Privilege Escalation, Linux Rootkit 2024-09-30
Linux File Creation In Init Boot Directory Sysmon for Linux EventID 11 RC Scripts Boot or Logon Initialization Scripts Anomaly Linux Persistence Techniques, Linux Privilege Escalation 2024-09-30
Linux File Creation In Profile Directory Sysmon for Linux EventID 11 Unix Shell Configuration Modification Event Triggered Execution Anomaly Linux Persistence Techniques, Linux Privilege Escalation 2024-09-30
Linux Find Privilege Escalation Sysmon for Linux EventID 1 Sudo and Sudo Caching Abuse Elevation Control Mechanism Anomaly Linux Living Off The Land, Linux Privilege Escalation 2024-09-30
Linux GDB Privilege Escalation Sysmon for Linux EventID 1 Sudo and Sudo Caching Abuse Elevation Control Mechanism Anomaly Linux Living Off The Land, Linux Privilege Escalation 2024-09-30
Linux Gem Privilege Escalation Sysmon for Linux EventID 1 Sudo and Sudo Caching Abuse Elevation Control Mechanism Anomaly Linux Living Off The Land, Linux Privilege Escalation 2024-09-30
Linux GNU Awk Privilege Escalation Sysmon for Linux EventID 1 Sudo and Sudo Caching Abuse Elevation Control Mechanism Anomaly Linux Living Off The Land, Linux Privilege Escalation 2024-09-30
Linux Hardware Addition SwapOff Sysmon for Linux EventID 1 Hardware Additions Anomaly AwfulShred, Data Destruction 2024-09-30
Linux High Frequency Of File Deletion In Boot Folder Sysmon for Linux EventID 11 Data Destruction File Deletion Indicator Removal TTP AcidPour, Data Destruction, Industroyer2 2024-09-30
Linux High Frequency Of File Deletion In Etc Folder Sysmon for Linux EventID 11 Data Destruction File Deletion Indicator Removal Anomaly AcidRain, Data Destruction 2024-09-30
Linux Impair Defenses Process Kill Sysmon for Linux EventID 1 Disable or Modify Tools Impair Defenses Hunting AwfulShred, Data Destruction 2024-10-17
Linux Indicator Removal Clear Cache Sysmon for Linux EventID 1 Indicator Removal TTP AwfulShred, Data Destruction 2024-09-30
Linux Indicator Removal Service File Deletion Sysmon for Linux EventID 1 File Deletion Indicator Removal Anomaly AwfulShred, Data Destruction 2024-09-30
Linux Ingress Tool Transfer Hunting Sysmon for Linux EventID 1 Ingress Tool Transfer Hunting Ingress Tool Transfer, Linux Living Off The Land 2024-10-17
Linux Ingress Tool Transfer with Curl Sysmon for Linux EventID 1 Ingress Tool Transfer Anomaly Ingress Tool Transfer, Linux Living Off The Land 2024-09-30
Linux Insert Kernel Module Using Insmod Utility Sysmon for Linux EventID 1 Kernel Modules and Extensions Boot or Logon Autostart Execution Anomaly Linux Persistence Techniques, Linux Privilege Escalation, Linux Rootkit 2024-09-30
Linux Install Kernel Module Using Modprobe Utility Sysmon for Linux EventID 1 Kernel Modules and Extensions Boot or Logon Autostart Execution Anomaly Linux Persistence Techniques, Linux Privilege Escalation, Linux Rootkit 2024-09-30
Linux Iptables Firewall Modification Sysmon for Linux EventID 1 Disable or Modify System Firewall Impair Defenses Anomaly Cyclops Blink, Sandworm Tools 2024-09-30
Linux Java Spawning Shell Sysmon for Linux EventID 1 Exploit Public-Facing Application External Remote Services TTP Data Destruction, Hermetic Wiper, Log4Shell CVE-2021-44228, Spring4Shell CVE-2022-22965 2024-09-30
Linux Kernel Module Enumeration Sysmon for Linux EventID 1 System Information Discovery Rootkit Anomaly Linux Rootkit 2024-09-30
Linux Kworker Process In Writable Process Path Sysmon for Linux EventID 1 Masquerade Task or Service Masquerading Hunting Cyclops Blink, Sandworm Tools 2024-10-17
Linux Make Privilege Escalation Sysmon for Linux EventID 1 Sudo and Sudo Caching Abuse Elevation Control Mechanism Anomaly Linux Living Off The Land, Linux Privilege Escalation 2024-09-30
Linux MySQL Privilege Escalation Sysmon for Linux EventID 1 Sudo and Sudo Caching Abuse Elevation Control Mechanism Anomaly Linux Living Off The Land, Linux Privilege Escalation 2024-09-30
Linux Ngrok Reverse Proxy Usage Sysmon for Linux EventID 1 Protocol Tunneling Proxy Web Service Anomaly Reverse Network Proxy 2024-09-30
Linux Node Privilege Escalation Sysmon for Linux EventID 1 Sudo and Sudo Caching Abuse Elevation Control Mechanism Anomaly Linux Living Off The Land, Linux Privilege Escalation 2024-09-30
Linux NOPASSWD Entry In Sudoers File Sysmon for Linux EventID 1 Sudo and Sudo Caching Abuse Elevation Control Mechanism Anomaly Linux Persistence Techniques, Linux Privilege Escalation 2024-09-30
Linux Obfuscated Files or Information Base64 Decode Sysmon for Linux EventID 1 Obfuscated Files or Information Anomaly Linux Living Off The Land 2024-09-30
Linux Octave Privilege Escalation Sysmon for Linux EventID 1 Sudo and Sudo Caching Abuse Elevation Control Mechanism Anomaly Linux Living Off The Land, Linux Privilege Escalation 2024-09-30
Linux OpenVPN Privilege Escalation Sysmon for Linux EventID 1 Sudo and Sudo Caching Abuse Elevation Control Mechanism Anomaly Linux Living Off The Land, Linux Privilege Escalation 2024-09-30
Linux Persistence and Privilege Escalation Risk Behavior Abuse Elevation Control Mechanism Correlation Linux Persistence Techniques, Linux Privilege Escalation 2024-09-30
Linux PHP Privilege Escalation Sysmon for Linux EventID 1 Sudo and Sudo Caching Abuse Elevation Control Mechanism Anomaly Linux Living Off The Land, Linux Privilege Escalation 2024-09-30
Linux pkexec Privilege Escalation Sysmon for Linux EventID 1 Exploitation for Privilege Escalation TTP Linux Living Off The Land, Linux Privilege Escalation 2024-09-30
Linux Possible Access Or Modification Of sshd Config File Sysmon for Linux EventID 1 SSH Authorized Keys Account Manipulation Anomaly Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation 2024-09-30
Linux Possible Access To Credential Files Sysmon for Linux EventID 1 /etc/passwd and /etc/shadow OS Credential Dumping Anomaly Linux Persistence Techniques, Linux Privilege Escalation 2024-09-30
Linux Possible Access To Sudoers File Sysmon for Linux EventID 1 Sudo and Sudo Caching Abuse Elevation Control Mechanism Anomaly Linux Persistence Techniques, Linux Privilege Escalation 2024-09-30
Linux Possible Append Command To At Allow Config File Sysmon for Linux EventID 1 At Scheduled Task/Job Anomaly Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks 2024-09-30
Linux Possible Append Command To Profile Config File Sysmon for Linux EventID 1 Unix Shell Configuration Modification Event Triggered Execution Anomaly Linux Persistence Techniques, Linux Privilege Escalation 2024-09-30
Linux Possible Append Cronjob Entry on Existing Cronjob File Sysmon for Linux EventID 1 Cron Scheduled Task/Job Hunting Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks 2024-10-17
Linux Possible Cronjob Modification With Editor Sysmon for Linux EventID 1 Cron Scheduled Task/Job Hunting Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks 2024-10-17
Linux Possible Ssh Key File Creation Sysmon for Linux EventID 11 SSH Authorized Keys Account Manipulation Anomaly Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation 2024-09-30
Linux Preload Hijack Library Calls Sysmon for Linux EventID 1 Dynamic Linker Hijacking Hijack Execution Flow TTP Linux Persistence Techniques, Linux Privilege Escalation 2024-09-30
Linux Proxy Socks Curl Sysmon for Linux EventID 1 Proxy Non-Application Layer Protocol TTP Ingress Tool Transfer, Linux Living Off The Land 2024-09-30
Linux Puppet Privilege Escalation Sysmon for Linux EventID 1 Sudo and Sudo Caching Abuse Elevation Control Mechanism Anomaly Linux Living Off The Land, Linux Privilege Escalation 2024-09-30
Linux RPM Privilege Escalation Sysmon for Linux EventID 1 Sudo and Sudo Caching Abuse Elevation Control Mechanism Anomaly Linux Living Off The Land, Linux Privilege Escalation 2024-09-30
Linux Ruby Privilege Escalation Sysmon for Linux EventID 1 Sudo and Sudo Caching Abuse Elevation Control Mechanism Anomaly Linux Living Off The Land, Linux Privilege Escalation 2024-09-30
Linux Service File Created In Systemd Directory Sysmon for Linux EventID 11 Systemd Timers Scheduled Task/Job Anomaly Gomir, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks 2024-09-30
Linux Service Restarted Sysmon for Linux EventID 1 Systemd Timers Scheduled Task/Job Anomaly AwfulShred, Data Destruction, Gomir, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks 2024-09-30
Linux Service Started Or Enabled Sysmon for Linux EventID 1 Systemd Timers Scheduled Task/Job Anomaly Gomir, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks 2024-09-30
Linux Setuid Using Chmod Utility Sysmon for Linux EventID 1 Setuid and Setgid Abuse Elevation Control Mechanism Anomaly Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation 2024-09-30
Linux Setuid Using Setcap Utility Sysmon for Linux EventID 1 Setuid and Setgid Abuse Elevation Control Mechanism Anomaly Linux Persistence Techniques, Linux Privilege Escalation 2024-09-30
Linux Shred Overwrite Command Sysmon for Linux EventID 1 Data Destruction TTP AwfulShred, Data Destruction, Industroyer2, Linux Persistence Techniques, Linux Privilege Escalation 2024-09-30
Linux Sqlite3 Privilege Escalation Sysmon for Linux EventID 1 Sudo and Sudo Caching Abuse Elevation Control Mechanism Anomaly Linux Living Off The Land, Linux Privilege Escalation 2024-09-30
Linux SSH Authorized Keys Modification Sysmon for Linux EventID 1 SSH Authorized Keys Anomaly Linux Living Off The Land 2024-09-30
Linux SSH Remote Services Script Execute Sysmon for Linux EventID 1 SSH TTP Linux Living Off The Land 2024-09-30
Linux Stdout Redirection To Dev Null File Sysmon for Linux EventID 1 Disable or Modify System Firewall Impair Defenses Anomaly Cyclops Blink, Data Destruction, Industroyer2 2024-10-17
Linux Stop Services Sysmon for Linux EventID 1 Service Stop TTP AwfulShred, Data Destruction, Industroyer2 2024-09-30
Linux Sudo OR Su Execution Sysmon for Linux EventID 1 Sudo and Sudo Caching Abuse Elevation Control Mechanism Hunting Linux Persistence Techniques, Linux Privilege Escalation 2024-10-17
Linux Sudoers Tmp File Creation Sysmon for Linux EventID 11 Sudo and Sudo Caching Abuse Elevation Control Mechanism Anomaly Linux Persistence Techniques, Linux Privilege Escalation 2024-09-30
Linux System Network Discovery Sysmon for Linux EventID 1 System Network Configuration Discovery Anomaly Data Destruction, Industroyer2, Network Discovery 2024-09-30
Linux System Reboot Via System Request Key Sysmon for Linux EventID 1 System Shutdown/Reboot TTP AwfulShred, Data Destruction 2024-09-30
Linux Unix Shell Enable All SysRq Functions Sysmon for Linux EventID 1 Unix Shell Command and Scripting Interpreter Anomaly AwfulShred, Data Destruction 2024-09-30
Linux Visudo Utility Execution Sysmon for Linux EventID 1 Sudo and Sudo Caching Abuse Elevation Control Mechanism Anomaly Linux Persistence Techniques, Linux Privilege Escalation 2024-09-30
Potential password in username Linux Secure Local Accounts Credentials In Files Hunting Credential Dumping, Insider Threat 2024-10-17
Suspicious Linux Discovery Commands CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Unix Shell TTP Linux Post-Exploitation 2024-09-30