Linux Detections

| Name | Data Source | Technique | Type | Analytic Story | Date |
|---|---|---|---|---|---|
| Java Writing JSP File | Sysmon for Linux EventID 1, Sysmon for Linux EventID 11 | T1133, T1190 | TTP | SAP NetWeaver Exploitation, Spring4Shell CVE-2022-22965, Atlassian Confluence Server and Data Center CVE-2022-26134, SysAid On-Prem Software CVE-2023-47246 Vulnerability | 2026-05-13 |
| Linux Auditd Service Restarted | Linux Auditd Proctitle | T1053.006 | Anomaly | Scheduled Tasks, AwfulShred, Linux Persistence Techniques, Compromised Linux Host, Linux Living Off The Land, Linux Privilege Escalation, Data Destruction, Gomir | 2026-05-13 |
| Linux Auditd File Permission Modification Via Chmod | Linux Auditd Proctitle | T1222.002 | Anomaly | Linux Persistence Techniques, XorDDos, Linux Living Off The Land, Linux Privilege Escalation, Salt Typhoon, China-Nexus Threat Activity, Axios Supply Chain Post Compromise, Compromised Linux Host | 2026-05-13 |
| Linux Auditd Find Credentials From Password Stores | Linux Auditd Execve | T1555.005 | TTP | Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation, Hellcat Ransomware, Scattered Lapsus$ Hunters, Compromised Linux Host | 2026-05-13 |
| Linux Auditd Add User Account | Linux Auditd Proctitle | T1136.001 | Anomaly | Linux Persistence Techniques, Linux Privilege Escalation, Compromised Linux Host | 2026-05-13 |
| Linux Auditd Unload Module Via Modprobe | Linux Auditd Execve | T1547.006 | TTP | Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation, Compromised Linux Host | 2026-05-13 |
| Linux Preload Hijack Library Calls | Sysmon for Linux EventID 1 | T1574.006 | TTP | Linux Persistence Techniques, VoidLink Cloud-Native Linux Malware, Linux Privilege Escalation, Salt Typhoon, China-Nexus Threat Activity | 2026-05-13 |
| Linux Obfuscated Files or Information Base64 Decode | Sysmon for Linux EventID 1 | T1027 | Anomaly | Linux Living Off The Land | 2026-05-13 |
| Linux Sudo OR Su Execution | Sysmon for Linux EventID 1 | T1548.003 | Hunting | Linux Persistence Techniques, VoidLink Cloud-Native Linux Malware, Linux Privilege Escalation | 2026-05-13 |
| Linux Auditd Base64 Decode Files | Linux Auditd Execve | T1140 | Anomaly | Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation, Compromised Linux Host | 2026-05-13 |
| Linux RPM Privilege Escalation | Sysmon for Linux EventID 1 | T1548.003 | Anomaly | Linux Living Off The Land, Linux Privilege Escalation | 2026-05-13 |
| Linux Visudo Utility Execution | Sysmon for Linux EventID 1 | T1548.003 | Anomaly | Linux Persistence Techniques, Linux Privilege Escalation | 2026-05-13 |
| Linux Possible Access Or Modification Of sshd Config File | Sysmon for Linux EventID 1 | T1098.004 | Anomaly | Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation | 2026-05-13 |
| Linux DD File Overwrite | Sysmon for Linux EventID 1 | T1485 | TTP | Data Destruction, Industroyer2 | 2026-05-13 |
| Linux PHP Privilege Escalation | Sysmon for Linux EventID 1 | T1548.003 | Anomaly | Linux Living Off The Land, Linux Privilege Escalation | 2026-05-13 |
| Linux Account Manipulation Of SSH Config and Keys | Sysmon for Linux EventID 11 | T1070.004, T1485 | Anomaly | AcidRain, Hellcat Ransomware | 2026-05-13 |
| Linux Auditd Possible Access To Credential Files | Linux Auditd Proctitle | T1003.008 | Anomaly | Linux Persistence Techniques, Linux Privilege Escalation, Salt Typhoon, China-Nexus Threat Activity, Axios Supply Chain Post Compromise, Compromised Linux Host | 2026-05-13 |
| Linux Doas Tool Execution | Sysmon for Linux EventID 1 | T1548.003 | Anomaly | Linux Persistence Techniques, Linux Privilege Escalation | 2026-05-13 |
| Curl Execution with Percent Encoded URL | CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon for Linux EventID 1, Windows Event Log Security 4688 | T1027, T1105 | Anomaly | Living Off The Land, Compromised Windows Host, Ingress Tool Transfer | 2026-05-13 |
| Linux Auditd Preload Hijack Library Calls | Linux Auditd Execve | T1574.006 | TTP | Linux Persistence Techniques, Linux Privilege Escalation, Salt Typhoon, China-Nexus Threat Activity, Compromised Linux Host | 2026-05-13 |
| Linux Possible Append Command To Profile Config File | Sysmon for Linux EventID 1 | T1546.004 | Anomaly | Linux Persistence Techniques, Linux Privilege Escalation | 2026-05-13 |
| Linux Busybox Privilege Escalation | Sysmon for Linux EventID 1 | T1548.003 | Anomaly | Linux Living Off The Land, Linux Privilege Escalation | 2026-05-13 |
| Linux Auditd At Application Execution | Linux Auditd Syscall | T1053.002 | Anomaly | Scheduled Tasks, Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation, Compromised Linux Host | 2026-05-13 |
| Linux Cpulimit Privilege Escalation | Sysmon for Linux EventID 1 | T1548.003 | Anomaly | Linux Living Off The Land, Linux Privilege Escalation | 2026-05-13 |
| Linux Auditd Data Transfer Size Limits Via Split | Linux Auditd Execve | T1030 | Anomaly | Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation, Hellcat Ransomware, Compromised Linux Host | 2026-05-13 |
| Linux Service File Created In Systemd Directory | Sysmon for Linux EventID 11 | T1053.006 | Anomaly | Scheduled Tasks, Linux Persistence Techniques, VoidLink Cloud-Native Linux Malware, Linux Living Off The Land, Linux Privilege Escalation, China-Nexus Threat Activity, Gomir | 2026-05-13 |
| Linux Auditd Sysmon Service Stop | Linux Auditd Service Stop | T1489 | Anomaly | Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation, Compromised Linux Host | 2026-05-13 |
| Potential password in username | Linux Secure | T1078.003, T1552.001 | Hunting | Insider Threat, Credential Dumping | 2026-05-13 |
| Linux Service Started Or Enabled | Sysmon for Linux EventID 1 | T1053.006 | Anomaly | Scheduled Tasks, Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation, Gomir | 2026-05-13 |
| Linux Docker Root Directory Mount | Sysmon for Linux EventID 1 | T1611 | TTP | Linux Living Off The Land, Linux Privilege Escalation | 2026-05-13 |
| Linux Auditd Hardware Addition Swapoff | Linux Auditd Execve | T1200 | Anomaly | Scattered Lapsus$ Hunters, AwfulShred, Data Destruction, Compromised Linux Host | 2026-05-13 |
| Linux Auditd Shred Overwrite Command | Linux Auditd Proctitle | T1485 | TTP | AwfulShred, Industroyer2, Linux Persistence Techniques, Linux Privilege Escalation, Data Destruction, Compromised Linux Host | 2026-05-13 |
| Linux Auditd Possible Append Cronjob Entry On Existing Cronjob File | Linux Auditd Cwd, Linux Auditd Path | T1053.003 | Hunting | Scheduled Tasks, Linux Persistence Techniques, Linux Living Off The Land, XorDDos, Linux Privilege Escalation, Compromised Linux Host | 2026-05-13 |
| Linux Edit Cron Table Parameter | Sysmon for Linux EventID 1 | T1053.003 | Hunting | Linux Persistence Techniques, Scheduled Tasks, Linux Living Off The Land, Linux Privilege Escalation | 2026-05-13 |
| Linux Add User Account | Sysmon for Linux EventID 1, Cisco Isovalent Process Exec | T1136.001 | Hunting | Linux Persistence Techniques, Linux Privilege Escalation, Cisco Isovalent Suspicious Activity | 2026-05-13 |
| Linux Telnet Authentication Bypass | Sysmon for Linux EventID 1 | T1548 | TTP | Telnetd CVE-2026-24061 | 2026-05-13 |
| Linux Doas Conf File Creation | Sysmon for Linux EventID 11 | T1548.003 | Anomaly | Linux Persistence Techniques, Linux Privilege Escalation | 2026-05-13 |
| Linux Auditd Doas Conf File Creation | Linux Auditd Cwd, Linux Auditd Path | T1548.003 | TTP | Linux Persistence Techniques, Linux Privilege Escalation, Compromised Linux Host | 2026-05-13 |
| Linux OpenVPN Privilege Escalation | Sysmon for Linux EventID 1 | T1548.003 | Anomaly | Linux Living Off The Land, Linux Privilege Escalation | 2026-05-13 |
| Linux Deletion Of Cron Jobs | Sysmon for Linux EventID 11 | T1070.004, T1485 | Anomaly | AcidRain, Data Destruction, AcidPour | 2026-05-13 |
| Linux Suspicious Namespace Creation | Linux Auditd Syscall, Sysmon for Linux EventID 1 | T1068 | TTP | Linux Privilege Escalation | 2026-05-12 |
| Linux Possible Append Command To At Allow Config File | Sysmon for Linux EventID 1 | T1053.002 | Anomaly | Linux Persistence Techniques, Scheduled Tasks, Linux Privilege Escalation | 2026-05-13 |
| Linux Possible Append Cronjob Entry on Existing Cronjob File | Sysmon for Linux EventID 1 | T1053.003 | Hunting | Scheduled Tasks, Linux Persistence Techniques, Linux Living Off The Land, XorDDos, Linux Privilege Escalation | 2026-05-13 |
| Linux Auditd Whoami User Discovery | Linux Auditd Syscall | T1033 | Anomaly | Linux Persistence Techniques, QuietVault, Linux Living Off The Land, Linux Privilege Escalation, Compromised Linux Host | 2026-05-13 |
| Linux Node Privilege Escalation | Sysmon for Linux EventID 1 | T1548.003 | Anomaly | Linux Living Off The Land, Linux Privilege Escalation | 2026-05-13 |
| Linux Setuid Using Chmod Utility | Sysmon for Linux EventID 1 | T1548.001 | Anomaly | Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation | 2026-05-13 |
| Linux Composer Privilege Escalation | Sysmon for Linux EventID 1 | T1548.003 | Anomaly | Linux Living Off The Land, Linux Privilege Escalation | 2026-05-13 |
| Linux Auditd Edit Cron Table Parameter | Linux Auditd Syscall | T1053.003 | Anomaly | Scheduled Tasks, Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation, Compromised Linux Host | 2026-05-13 |
| Linux Service Restarted | Sysmon for Linux EventID 1 | T1053.006 | Anomaly | Scheduled Tasks, AwfulShred, Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation, Data Destruction, Gomir | 2026-05-13 |
| Linux Auditd Kernel Module Enumeration | Linux Auditd Syscall | T1014, T1082 | Anomaly | Linux Rootkit, XorDDos, Compromised Linux Host | 2026-05-13 |
| Linux Install Kernel Module Using Modprobe Utility | Sysmon for Linux EventID 1 | T1547.006 | Anomaly | Linux Rootkit, Linux Persistence Techniques, VoidLink Cloud-Native Linux Malware, Linux Privilege Escalation, China-Nexus Threat Activity | 2026-05-13 |
| Linux SSH Remote Services Script Execute | Sysmon for Linux EventID 1 | T1021.004 | TTP | VoidLink Cloud-Native Linux Malware, Linux Living Off The Land, Hellcat Ransomware | 2026-05-13 |
| Linux Decode Base64 to Shell | Sysmon for Linux EventID 1, Cisco Isovalent Process Exec | T1027, T1059.004 | TTP | Linux Living Off The Land, Cisco Isovalent Suspicious Activity | 2026-05-13 |
| Linux Ingress Tool Transfer Hunting | Sysmon for Linux EventID 1 | T1105 | Hunting | NPM Supply Chain Compromise, Ingress Tool Transfer, XorDDos, Linux Living Off The Land, Axios Supply Chain Post Compromise | 2026-05-13 |
| Linux Auditd Find Ssh Private Keys | Linux Auditd Execve | T1552.004 | Anomaly | Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation, Hellcat Ransomware, Compromised Linux Host | 2026-05-13 |
| Linux Auditd Disable Or Modify System Firewall | Linux Auditd Service Stop | T1686 | Anomaly | Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation, Compromised Linux Host | 2026-05-13 |
| Linux Auditd Doas Tool Execution | Linux Auditd Syscall | T1548.003 | Anomaly | Linux Persistence Techniques, Linux Privilege Escalation, Compromised Linux Host | 2026-05-13 |
| Linux Csvtool Privilege Escalation | Sysmon for Linux EventID 1 | T1548.003 | Anomaly | Linux Living Off The Land, Linux Privilege Escalation | 2026-05-13 |
| Linux NOPASSWD Entry In Sudoers File | Sysmon for Linux EventID 1 | T1548.003 | Anomaly | Linux Persistence Techniques, Salt Typhoon, China-Nexus Threat Activity, Linux Privilege Escalation | 2026-05-13 |
| Linux Auditd File Permissions Modification Via Chattr | Linux Auditd Execve | T1222.002 | Anomaly | Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation, Compromised Linux Host | 2026-05-13 |
| Linux File Creation In Init Boot Directory | Sysmon for Linux EventID 11 | T1037.004 | Anomaly | Backdoor Pingpong, Linux Persistence Techniques, XorDDos, Linux Privilege Escalation, China-Nexus Threat Activity | 2026-05-13 |
| Linux Deletion Of Services | Sysmon for Linux EventID 11 | T1070.004, T1485 | TTP | AcidRain, AwfulShred, Data Destruction, AcidPour | 2026-05-13 |
| Linux Persistence and Privilege Escalation Risk Behavior | | T1548 | Correlation | Linux Persistence Techniques, Linux Privilege Escalation | 2026-05-13 |
| Linux Octave Privilege Escalation | Sysmon for Linux EventID 1 | T1548.003 | Anomaly | Linux Living Off The Land, Linux Privilege Escalation | 2026-05-13 |
| Linux Deletion of SSL Certificate | Sysmon for Linux EventID 11 | T1070.004, T1485 | Anomaly | AcidRain, AcidPour | 2026-05-13 |
| Linux Emacs Privilege Escalation | Sysmon for Linux EventID 1 | T1548.003 | Anomaly | Linux Living Off The Land, Linux Privilege Escalation | 2026-05-13 |
| Linux Auditd Auditd Service Stop | Linux Auditd Service Stop | T1489 | Anomaly | Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation, Compromised Linux Host | 2026-05-13 |
| Linux Auditd Setuid Using Setcap Utility | Linux Auditd Execve | T1548.001 | TTP | Linux Persistence Techniques, Linux Privilege Escalation, Compromised Linux Host | 2026-05-13 |
| File Download or Read to Pipe Execution | CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon for Linux EventID 1, Windows Event Log Security 4688 | T1105 | TTP | Compromised Windows Host, NPM Supply Chain Compromise, Ingress Tool Transfer, Linux Living Off The Land, Log4Shell CVE-2021-44228 | 2026-05-13 |
| Linux Make Privilege Escalation | Sysmon for Linux EventID 1 | T1548.003 | Anomaly | Linux Living Off The Land, Linux Privilege Escalation | 2026-05-13 |
| Linux Auditd Database File And Directory Discovery | Linux Auditd Execve | T1083 | Anomaly | Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation, Compromised Linux Host | 2026-05-13 |
| Linux Auditd Possible Access Or Modification Of Sshd Config File | Linux Auditd Cwd, Linux Auditd Path | T1098.004 | Anomaly | Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation, Compromised Linux Host | 2026-05-13 |
| Linux Find Privilege Escalation | Sysmon for Linux EventID 1 | T1548.003 | Anomaly | Linux Living Off The Land, Linux Privilege Escalation | 2026-05-13 |
| Linux Disable Services | Sysmon for Linux EventID 1 | T1489 | TTP | AwfulShred, Data Destruction, Industroyer2 | 2026-05-13 |
| Linux Shred Overwrite Command | Sysmon for Linux EventID 1 | T1485 | TTP | AwfulShred, Industroyer2, Linux Persistence Techniques, Linux Privilege Escalation, Data Destruction | 2026-05-13 |
| Linux Auditd Change File Owner To Root | Linux Auditd Proctitle | T1222.002 | Anomaly | Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation, Compromised Linux Host | 2026-05-13 |
| Linux Auditd Sudo Or Su Execution | Linux Auditd Proctitle | T1548.003 | Anomaly | Linux Persistence Techniques, Linux Privilege Escalation, Compromised Linux Host | 2026-05-13 |
| Linux Impair Defenses Process Kill | Sysmon for Linux EventID 1 | T1685 | Hunting | Scattered Lapsus$ Hunters, AwfulShred, Data Destruction | 2026-05-13 |
| Linux Change File Owner To Root | Sysmon for Linux EventID 1 | T1222.002 | Anomaly | Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation | 2026-05-13 |
| Linux pkexec Privilege Escalation | Sysmon for Linux EventID 1 | T1068 | TTP | Linux Living Off The Land, Linux Privilege Escalation | 2026-05-13 |
| Linux Auditd Insert Kernel Module Using Insmod Utility | Linux Auditd Syscall | T1547.006 | Anomaly | Linux Rootkit, Linux Persistence Techniques, XorDDos, Linux Privilege Escalation, Compromised Linux Host | 2026-05-13 |
| Linux Common Process For Elevation Control | Sysmon for Linux EventID 1 | T1548.001 | Hunting | Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation, Salt Typhoon, China-Nexus Threat Activity, Axios Supply Chain Post Compromise | 2026-05-13 |
| Linux Auditd Copy Fail Privilege Escalation | Linux Auditd Syscall | T1068 | TTP | Linux Privilege Escalation | 2026-05-13 |
| Linux Indicator Removal Service File Deletion | Sysmon for Linux EventID 1 | T1070.004 | Anomaly | AwfulShred, Data Destruction | 2026-05-13 |
| Linux Sudoers Tmp File Creation | Sysmon for Linux EventID 11 | T1548.003 | Anomaly | Linux Persistence Techniques, Salt Typhoon, China-Nexus Threat Activity, Linux Privilege Escalation | 2026-05-13 |
| Linux Adding Crontab Using List Parameter | Sysmon for Linux EventID 1 | T1053.003 | Hunting | Scheduled Tasks, Industroyer2, Linux Persistence Techniques, VoidLink Cloud-Native Linux Malware, Linux Living Off The Land, Linux Privilege Escalation, Data Destruction, Cisco Isovalent Suspicious Activity, Gomir | 2026-05-13 |
| Linux Suspicious React or Next.js Child Process | Sysmon for Linux EventID 1 | T1059.004, T1190 | TTP | React2Shell | 2026-05-13 |
| Linux Deletion Of Init Daemon Script | Sysmon for Linux EventID 11 | T1070.004, T1485 | TTP | AcidRain, Data Destruction, AcidPour | 2026-05-13 |
| Linux Puppet Privilege Escalation | Sysmon for Linux EventID 1 | T1548.003 | Anomaly | Linux Living Off The Land, Linux Privilege Escalation | 2026-05-13 |
| Linux Auditd Setuid Using Chmod Utility | Linux Auditd Proctitle | T1548.001 | Anomaly | Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation, Compromised Linux Host | 2026-05-13 |
| Linux Possible Access To Sudoers File | Sysmon for Linux EventID 1 | T1548.003 | Anomaly | Linux Persistence Techniques, Salt Typhoon, China-Nexus Threat Activity, Linux Privilege Escalation | 2026-05-13 |
| Linux Auditd Preload Hijack Via Preload File | Linux Auditd Cwd, Linux Auditd Path | T1574.006 | TTP | Linux Persistence Techniques, VoidLink Cloud-Native Linux Malware, Linux Living Off The Land, Linux Privilege Escalation, Compromised Linux Host | 2026-05-13 |
| Linux Possible Cronjob Modification With Editor | Sysmon for Linux EventID 1 | T1053.003 | Hunting | Scheduled Tasks, Linux Persistence Techniques, Linux Living Off The Land, XorDDos, Linux Privilege Escalation | 2026-05-13 |
| Linux Auditd Unix Shell Configuration Modification | Linux Auditd Cwd, Linux Auditd Path | T1546.004 | TTP | Linux Persistence Techniques, QuietVault, Linux Living Off The Land, Linux Privilege Escalation, Compromised Linux Host | 2026-05-13 |
| Linux System Network Discovery | Osquery Results, Sysmon for Linux EventID 1 | T1016 | Anomaly | VoidLink Cloud-Native Linux Malware, Network Discovery, Data Destruction, Industroyer2 | 2026-05-13 |
| Web or Application Server Spawning a Shell | Sysmon EventID 1, Sysmon for Linux EventID 1 | T1133, T1190 | TTP | WS FTP Server Critical Vulnerabilities, GhostRedirector IIS Module and Rungan Backdoor, Hermetic Wiper, Microsoft WSUS CVE-2025-59287, Log4Shell CVE-2021-44228, SAP NetWeaver Exploitation, Spring4Shell CVE-2022-22965, HAFNIUM Group, SysAid On-Prem Software CVE-2023-47246 Vulnerability, Microsoft SharePoint Vulnerabilities, CISA AA22-257A, Flax Typhoon, CISA AA22-264A, ProxyNotShell, ProxyShell, Cleo File Transfer Software, PHP-CGI RCE Attack on Japanese Organizations, BlackByte Ransomware, Data Destruction | 2026-05-13 |
| Linux Docker Shell Execution | Sysmon for Linux EventID 1 | T1059.013 | Anomaly | Linux Living Off The Land, Linux Privilege Escalation | 2026-05-13 |
| Linux Auditd Kernel Module Using Rmmod Utility | Linux Auditd Syscall | T1547.006 | TTP | Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation, Compromised Linux Host | 2026-05-13 |
| Linux Auditd Auditd Daemon Shutdown | Linux Auditd Daemon End | T1685.004 | Anomaly | Compromised Linux Host | 2026-05-13 |
| Linux Auditd Data Destruction Command | Linux Auditd Proctitle | T1485 | TTP | AwfulShred, Data Destruction, Compromised Linux Host | 2026-05-13 |
| Linux Auditd Install Kernel Module Using Modprobe Utility | Linux Auditd Syscall | T1547.006 | Anomaly | Linux Rootkit, Linux Persistence Techniques, Linux Privilege Escalation, China-Nexus Threat Activity, Compromised Linux Host | 2026-05-13 |
| Linux AWK Privilege Escalation | Sysmon for Linux EventID 1 | T1548.003 | Anomaly | Linux Living Off The Land, Linux Privilege Escalation | 2026-05-13 |
| Linux File Created In Kernel Driver Directory | Sysmon for Linux EventID 11 | T1547.006 | Anomaly | Linux Persistence Techniques, Linux Rootkit, Linux Privilege Escalation | 2026-05-13 |
| Linux Binary Launched Process with Null Argv | Linux Messages Syslog | T1068 | TTP | Linux Privilege Escalation | 2026-05-12 |
| Linux Auditd System Network Configuration Discovery | Linux Auditd Syscall | T1016 | Anomaly | Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation, Compromised Linux Host | 2026-05-13 |
| Linux File Creation In Profile Directory | Sysmon for Linux EventID 11 | T1546.004 | Anomaly | Linux Persistence Techniques, Linux Privilege Escalation | 2026-05-13 |
| Linux Proxy Socks Curl | Sysmon for Linux EventID 1 | T1090, T1095 | TTP | Linux Living Off The Land, Ingress Tool Transfer | 2026-06-04 |
| Linux Auditd AI CLI Permission Override Activated | Linux Auditd Proctitle | T1480 | Anomaly | QuietVault | 2026-05-13 |
| Linux Add Files In Known Crontab Directories | Sysmon for Linux EventID 11 | T1053.003 | Anomaly | Scheduled Tasks, Linux Persistence Techniques, Linux Living Off The Land, XorDDos, Linux Privilege Escalation | 2026-05-13 |
| Linux GNU Awk Privilege Escalation | Sysmon for Linux EventID 1 | T1548.003 | Anomaly | Linux Living Off The Land, Linux Privilege Escalation | 2026-05-13 |
| Linux Auditd Virtual Disk File And Directory Discovery | Linux Auditd Execve | T1083 | Anomaly | Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation, Compromised Linux Host | 2026-05-13 |
| Linux Deleting Critical Directory Using RM Command | Sysmon for Linux EventID 1 | T1485 | TTP | AwfulShred, Data Destruction, Industroyer2 | 2026-05-13 |
| Linux Ruby Privilege Escalation | Sysmon for Linux EventID 1 | T1548.003 | Anomaly | Linux Living Off The Land, Linux Privilege Escalation | 2026-05-13 |
| Linux PF_ALG Registration Outside of Boot Window | Linux Messages Syslog | T1068 | TTP | Linux Privilege Escalation | 2026-05-11 |
| GitHub Workflow File Creation or Modification | Sysmon EventID 11, Sysmon for Linux EventID 11 | T1195, T1554, T1574.006 | Hunting | NPM Supply Chain Compromise | 2026-05-13 |
| Linux Auditd File And Directory Discovery | Linux Auditd Execve | T1083 | Anomaly | Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation, Compromised Linux Host | 2026-05-13 |
| Linux Auditd Auditd Daemon Abort | Linux Auditd Daemon Abort | T1685.004 | Anomaly | Compromised Linux Host | 2026-05-13 |
| Linux Stdout Redirection To Dev Null File | Sysmon for Linux EventID 1 | T1686 | Anomaly | Cyclops Blink, Data Destruction, Industroyer2 | 2026-05-13 |
| Linux Ngrok Reverse Proxy Usage | Sysmon for Linux EventID 1 | T1090, T1102, T1572 | Anomaly | Reverse Network Proxy | 2026-05-13 |
| Linux System Reboot Via System Request Key | Sysmon for Linux EventID 1 | T1529 | TTP | AwfulShred, Data Destruction | 2026-05-13 |
| Linux Auditd Possible Access To Sudoers File | Linux Auditd Cwd, Linux Auditd Path | T1548.003 | Anomaly | Linux Persistence Techniques, Linux Privilege Escalation, Salt Typhoon, China-Nexus Threat Activity, Compromised Linux Host | 2026-05-13 |
| Linux Auditd Data Transfer Size Limits Via Split Syscall | Linux Auditd Syscall | T1030 | Anomaly | Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation, Compromised Linux Host | 2026-05-13 |
| Linux Auditd Osquery Service Stop | Linux Auditd Service Stop | T1489 | Anomaly | Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation, Compromised Linux Host | 2026-05-13 |
| Linux Auditd Clipboard Data Copy | Linux Auditd Execve | T1115 | Anomaly | Linux Living Off The Land, Compromised Linux Host | 2026-05-13 |
| Linux Indicator Removal Clear Cache | Sysmon for Linux EventID 1 | T1070 | TTP | AwfulShred, Data Destruction | 2026-05-13 |
| Linux Gem Privilege Escalation | Sysmon for Linux EventID 1 | T1548.003 | Anomaly | Linux Living Off The Land, Linux Privilege Escalation | 2026-05-13 |
| Linux c89 Privilege Escalation | Sysmon for Linux EventID 1 | T1548.003 | Anomaly | Linux Living Off The Land, Linux Privilege Escalation | 2026-05-13 |
| Linux Insert Kernel Module Using Insmod Utility | Sysmon for Linux EventID 1 | T1547.006 | Anomaly | Linux Persistence Techniques, Linux Privilege Escalation, XorDDos, Linux Rootkit | 2026-05-13 |
| Linux Auditd Private Keys and Certificate Enumeration | Linux Auditd Execve | T1552.004 | Anomaly | Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation, Compromised Linux Host | 2026-05-13 |
| Linux Auditd Service Started | Linux Auditd Proctitle | T1569.002 | Anomaly | Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation, Compromised Linux Host | 2026-05-13 |
| Linux Auditd Find Credentials From Password Managers | Linux Auditd Execve | T1555.005 | TTP | Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation, Scattered Lapsus$ Hunters, Compromised Linux Host | 2026-05-13 |
| Linux Magic SysRq Key Abuse | Linux Auditd Cwd, Linux Auditd Path | T1059.004, T1489, T1499, T1529 | TTP | Compromised Linux Host | 2026-05-13 |
| Linux Gdrive Binary Activity | Sysmon for Linux EventID 1 | T1567 | TTP | China-Nexus Threat Activity | 2026-05-13 |
| Linux Iptables Firewall Modification | Sysmon for Linux EventID 1 | T1686 | Anomaly | Backdoor Pingpong, China-Nexus Threat Activity, Cyclops Blink, Sandworm Tools | 2026-05-13 |
| Linux Data Destruction Command | Sysmon for Linux EventID 1 | T1485 | TTP | AwfulShred, Data Destruction | 2026-05-13 |
| Linux Clipboard Data Copy | Sysmon for Linux EventID 1 | T1115 | Anomaly | Linux Living Off The Land | 2026-05-13 |
| Linux APT Privilege Escalation | Sysmon for Linux EventID 1, Cisco Isovalent Process Exec | T1548.003 | Anomaly | Linux Living Off The Land, Linux Privilege Escalation | 2026-05-13 |
| Suspicious Linux Discovery Commands | Sysmon for Linux EventID 1 | T1059.004 | TTP | Linux Post-Exploitation, VoidLink Cloud-Native Linux Malware | 2026-05-13 |
| Linux Auditd Dd File Overwrite | Linux Auditd Proctitle | T1485 | TTP | Compromised Linux Host, Data Destruction, Industroyer2 | 2026-05-13 |
| Suspicious Curl Network Connection | CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon for Linux EventID 1, Windows Event Log Security 4688 | T1105 | TTP | APT37 Rustonotto and FadeStealer, Ingress Tool Transfer, Linux Living Off The Land, Silver Sparrow, GhostRedirector IIS Module and Rungan Backdoor, Hellcat Ransomware | 2026-05-13 |
| Linux High Frequency Of File Deletion In Etc Folder | Sysmon for Linux EventID 11 | T1070.004, T1485 | Anomaly | AcidRain, Data Destruction | 2026-05-13 |
| Linux At Allow Config File Creation | Sysmon for Linux EventID 11 | T1053.003 | Anomaly | Linux Persistence Techniques, Scheduled Tasks, Linux Living Off The Land, Linux Privilege Escalation | 2026-05-13 |
| Linux GDB Privilege Escalation | Sysmon for Linux EventID 1 | T1548.003 | Anomaly | Linux Living Off The Land, Linux Privilege Escalation | 2026-05-13 |
| Linux Hardware Addition SwapOff | Sysmon for Linux EventID 1 | T1200 | Anomaly | Scattered Lapsus$ Hunters, AwfulShred, Data Destruction | 2026-05-13 |
| Linux Auditd Add User Account Type | Linux Auditd Add User | T1136.001 | Anomaly | Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation, Compromised Linux Host | 2026-05-13 |
| Linux High Frequency Of File Deletion In Boot Folder | Sysmon for Linux EventID 11 | T1070.004, T1485 | TTP | AcidPour, Data Destruction, Industroyer2 | 2026-05-13 |
| Linux Sqlite3 Privilege Escalation | Sysmon for Linux EventID 1 | T1548.003 | Anomaly | Linux Living Off The Land, Linux Privilege Escalation | 2026-05-13 |
| Linux Ingress Tool Transfer with Curl | Sysmon for Linux EventID 1 | T1105 | Anomaly | XorDDos, NPM Supply Chain Compromise, Linux Living Off The Land, Ingress Tool Transfer | 2026-05-13 |
| Shai-Hulud 2 Exfiltration Artifact Files | Sysmon EventID 11, Sysmon for Linux EventID 11 | T1074.001, T1195.002, T1552.001 | TTP | NPM Supply Chain Compromise | 2026-05-13 |
| Shai-Hulud Workflow File Creation or Modification | Sysmon EventID 11, Sysmon for Linux EventID 11 | T1195, T1554, T1574.006 | TTP | NPM Supply Chain Compromise | 2026-05-13 |
| Linux Possible Access To Credential Files | Sysmon for Linux EventID 1 | T1003.008 | Anomaly | Linux Persistence Techniques, XorDDos, Linux Privilege Escalation, Salt Typhoon, China-Nexus Threat Activity | 2026-05-13 |
| Linux Auditd Stop Services | Linux Auditd Service Stop | T1489 | Hunting | Compromised Linux Host, AwfulShred, Data Destruction, Industroyer2 | 2026-05-13 |
| Linux At Application Execution | Sysmon for Linux EventID 1 | T1053.002 | Anomaly | Scheduled Tasks, Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation, Cisco Isovalent Suspicious Activity | 2026-05-13 |
| Linux Kworker Process In Writable Process Path | Sysmon for Linux EventID 1 | T1036.004 | Hunting | Cyclops Blink, Sandworm Tools | 2026-05-13 |
| Linux Malformed Auth Entry | Linux Secure | T1068 | Anomaly | Linux Privilege Escalation | 2026-05-06 |
| Linux Curl Upload File | Sysmon for Linux EventID 1, Cisco Isovalent Process Exec | T1105 | TTP | Data Exfiltration, NPM Supply Chain Compromise, Linux Living Off The Land, Ingress Tool Transfer | 2026-05-13 |
| Linux Auditd Nopasswd Entry In Sudoers File | Linux Auditd Proctitle | T1548.003 | Anomaly | Linux Persistence Techniques, Linux Privilege Escalation, Salt Typhoon, China-Nexus Threat Activity, Compromised Linux Host | 2026-05-13 |
| Linux Setuid Using Setcap Utility | Sysmon for Linux EventID 1 | T1548.001 | Anomaly | Linux Persistence Techniques, Linux Privilege Escalation | 2026-05-13 |
| Linux Kernel Module Enumeration | Sysmon for Linux EventID 1 | T1014, T1082 | Anomaly | Linux Rootkit, XorDDos | 2026-05-13 |
| Linux Auditd Hidden Files And Directories Creation | Linux Auditd Execve | T1083 | Anomaly | Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation, Compromised Linux Host | 2026-05-13 |
| Linux Auditd Auditd Daemon Start | Linux Auditd Daemon Start | T1685.004 | Anomaly | Compromised Linux Host | 2026-05-13 |
| Linux Unix Shell Enable All SysRq Functions | Sysmon for Linux EventID 1 | T1059.004 | Anomaly | AwfulShred, Data Destruction | 2026-05-13 |
| Linux c99 Privilege Escalation | Sysmon for Linux EventID 1 | T1548.003 | Anomaly | Linux Living Off The Land, Linux Privilege Escalation | 2026-05-13 |
| Linux SSH Authorized Keys Modification | Sysmon for Linux EventID 1 | T1098.004 | Anomaly | VoidLink Cloud-Native Linux Malware, Linux Living Off The Land, Hellcat Ransomware | 2026-05-13 |
| Linux Medusa Rootkit | Sysmon for Linux EventID 11 | T1014, T1589.001 | TTP | Medusa Rootkit, China-Nexus Threat Activity, VoidLink Cloud-Native Linux Malware, Hellcat Ransomware | 2026-05-13 |
| Linux Stop Services | Sysmon for Linux EventID 1 | T1489 | TTP | AwfulShred, Data Destruction, Industroyer2 | 2026-05-13 |
| Linux Possible Ssh Key File Creation | Sysmon for Linux EventID 11 | T1098.004 | Anomaly | Linux Persistence Techniques, Hellcat Ransomware, Linux Living Off The Land, Linux Privilege Escalation | 2026-05-13 |
| Linux MySQL Privilege Escalation | Sysmon for Linux EventID 1 | T1548.003 | Anomaly | Linux Living Off The Land, Linux Privilege Escalation | 2026-05-13 |
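When this catalog is scraped as plain text, the six columns of every row run together into one space-separated line with no delimiter between the detection name and its data sources, so a tool that wants to answer "which rules cover T1548.003?" or "which behaviours have both an auditd and a Sysmon for Linux rule?" first has to recover the columns. The parser below is an added example, not tooling from the catalog's maintainers. It assumes the data-source vocabulary in KNOWN_SOURCES is complete for the rows it is fed (the labels are the ones that appear in the table above), that techniques are the only tokens of the form T1234 or T1234.567, and that the row ends with a type keyword, a comma-separated story list and an ISO date. The sample rows are copied from the table; the helper names are mine.

```python
"""Recover Name / Data Source / Technique / Type / Analytic Story / Date
from catalog rows that were flattened into one space-separated line.
Added example; not code from the catalog or its maintainers."""
import re
from dataclasses import dataclass, field

# Data-source labels seen in the catalog. Assumption: complete for the rows
# being parsed; extend it when a new source label appears.
KNOWN_SOURCES = (
    "Sysmon for Linux EventID 1", "Sysmon for Linux EventID 11",
    "Sysmon EventID 1", "Sysmon EventID 11",
    "Linux Auditd Proctitle", "Linux Auditd Execve", "Linux Auditd Syscall",
    "Linux Auditd Cwd", "Linux Auditd Path", "Linux Auditd Service Stop",
    "Linux Auditd Daemon End", "Linux Auditd Daemon Abort",
    "Linux Auditd Daemon Start", "Linux Auditd Add User",
    "Linux Secure", "Linux Messages Syslog", "Osquery Results",
    "Cisco Isovalent Process Exec", "CrowdStrike ProcessRollup2",
    "Windows Event Log Security 4688",
)
TECHNIQUE_RE = re.compile(r"\bT\d{4}(?:\.\d{3})?\b")
TAIL_RE = re.compile(r"^(TTP|Anomaly|Hunting|Correlation)\s+(.*?)\s*(\d{4}-\d{2}-\d{2})$")


@dataclass
class Detection:
    name: str
    sources: list = field(default_factory=list)
    techniques: list = field(default_factory=list)
    kind: str = ""
    stories: list = field(default_factory=list)
    date: str = ""


def _is_source_list(text):
    """True if text is exactly known sources joined by ', '. Backtracks over
    every prefix match because 'Sysmon EventID 1' is a prefix of '... 11'."""
    if not text:
        return False
    for src in KNOWN_SOURCES:
        if text == src:
            return True
        if text.startswith(src + ", ") and _is_source_list(text[len(src) + 2:]):
            return True
    return False


def split_name_and_sources(head):
    """The shortest name whose remainder parses as a source list wins. Rows
    with no data source (the Correlation rule) keep the whole head as name."""
    words = head.split(" ")
    for i in range(1, len(words)):
        name, rest = " ".join(words[:i]), " ".join(words[i:])
        if _is_source_list(rest):
            return name, rest.split(", ")
    return head, []


def parse_row(line):
    hits = list(TECHNIQUE_RE.finditer(line))
    if not hits:
        raise ValueError("no ATT&CK technique in row: " + line)
    head = line[:hits[0].start()].strip()          # name + data sources
    tail = line[hits[-1].end():].strip()           # type + stories + date
    m = TAIL_RE.match(tail)
    if not m:
        raise ValueError("cannot parse type/story/date in row: " + line)
    name, sources = split_name_and_sources(head)
    stories = [s for s in m.group(2).split(", ") if s]
    return Detection(name, sources, [h.group(0) for h in hits],
                     m.group(1), stories, m.group(3))


def parse_catalog(text):
    return [parse_row(l.strip()) for l in text.splitlines() if l.strip()]


def by_technique(rows, technique):
    """Detection names that map to a given (sub)technique, sorted."""
    return sorted(r.name for r in rows if technique in r.techniques)


def auditd_twins(rows):
    """Pairs ('Linux Auditd X', 'Linux X'): behaviours with both an auditd and
    a Sysmon for Linux rule. Case-insensitive, since names differ in case."""
    by_key = {r.name.casefold(): r.name for r in rows}
    pairs = []
    for key, name in by_key.items():
        if key.startswith("linux auditd "):
            twin = by_key.get("linux " + key[len("linux auditd "):])
            if twin:
                pairs.append((name, twin))
    return sorted(pairs)


# Sample input: rows copied from the catalog, flattened as a scraper would.
SAMPLE = """
Linux Auditd Service Restarted Linux Auditd Proctitle T1053.006 Anomaly Scheduled Tasks, AwfulShred, Linux Persistence Techniques, Compromised Linux Host, Linux Living Off The Land, Linux Privilege Escalation, Data Destruction, Gomir 2026-05-13
Linux Service Restarted Sysmon for Linux EventID 1 T1053.006 Anomaly Scheduled Tasks, AwfulShred, Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation, Data Destruction, Gomir 2026-05-13
Curl Execution with Percent Encoded URL CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon for Linux EventID 1, Windows Event Log Security 4688 T1027 T1105 Anomaly Living Off The Land, Compromised Windows Host, Ingress Tool Transfer 2026-05-13
Linux Persistence and Privilege Escalation Risk Behavior T1548 Correlation Linux Persistence Techniques, Linux Privilege Escalation 2026-05-13
Potential password in username Linux Secure T1078.003 T1552.001 Hunting Insider Threat, Credential Dumping 2026-05-13
Linux Auditd Add User Account Type Linux Auditd Add User T1136.001 Anomaly Linux Persistence Techniques, Linux Living Off The Land, Linux Privilege Escalation, Compromised Linux Host 2026-05-13
GitHub Workflow File Creation or Modification Sysmon EventID 11, Sysmon for Linux EventID 11 T1195 T1554 T1574.006 Hunting NPM Supply Chain Compromise 2026-05-13
Linux Sudo OR Su Execution Sysmon for Linux EventID 1 T1548.003 Hunting Linux Persistence Techniques, VoidLink Cloud-Native Linux Malware, Linux Privilege Escalation 2026-05-13
Linux Auditd Sudo Or Su Execution Linux Auditd Proctitle T1548.003 Anomaly Linux Persistence Techniques, Linux Privilege Escalation, Compromised Linux Host 2026-05-13
"""

if __name__ == "__main__":
    rows = parse_catalog(SAMPLE)
    for r in rows:
        print(f"{r.kind:11} {r.name!r:55} sources={r.sources} techniques={r.techniques}")
    print("T1053.006:", by_technique(rows, "T1053.006"))
    print("auditd/sysmon twins:", auditd_twins(rows))
```

The boundary search deliberately takes the shortest name whose remainder is a valid source list; because every source label has to match completely and be followed by either end-of-row or ", ", a name such as "Linux Auditd Add User Account Type" is not mistaken for the source "Linux Auditd Add User" even though it begins with it. Feed the full table through parse_catalog and the auditd_twins pairs show which behaviours you keep covered if one telemetry source is disabled, which is also a quick way to spot rules that exist only for Sysmon for Linux.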