Data Source: Sysmon for Linux EventID 1

Description

Logs process creation events on Linux systems. Each event carries the executable path (Image), process ID and GUID, the full command line, working directory and user, plus the parent's image, PID and command line, as shown in the example log below.

Details

Property    Value
Source      Syslog:Linux-Sysmon/Operational
Sourcetype  sysmon:linux
Separator   EventID
Name | Technique | Type
Linux Docker Privilege Escalation | Sudo and Sudo Caching | Anomaly
Curl Execution with Percent Encoded URL | Obfuscated Files or Information, Ingress Tool Transfer | Anomaly
File Download or Read to Pipe Execution | Ingress Tool Transfer | TTP
Java Writing JSP File | Exploit Public-Facing Application, External Remote Services | TTP
Linux Add User Account | Local Account | Hunting
Linux Adding Crontab Using List Parameter | Cron | Hunting
Linux APT Privilege Escalation | Sudo and Sudo Caching | Anomaly
Linux At Application Execution | At | Anomaly
Linux AWK Privilege Escalation | Sudo and Sudo Caching | Anomaly
Linux Busybox Privilege Escalation | Sudo and Sudo Caching | Anomaly
Linux c89 Privilege Escalation | Sudo and Sudo Caching | Anomaly
Linux c99 Privilege Escalation | Sudo and Sudo Caching | Anomaly
Linux Change File Owner To Root | Linux and Mac File and Directory Permissions Modification | Anomaly
Linux Clipboard Data Copy | Clipboard Data | Anomaly
Linux Common Process For Elevation Control | Setuid and Setgid | Hunting
Linux Composer Privilege Escalation | Sudo and Sudo Caching | Anomaly
Linux Cpulimit Privilege Escalation | Sudo and Sudo Caching | Anomaly
Linux Csvtool Privilege Escalation | Sudo and Sudo Caching | Anomaly
Linux Curl Upload File | Ingress Tool Transfer | TTP
Linux Data Destruction Command | Data Destruction | TTP
Linux DD File Overwrite | Data Destruction | TTP
Linux Decode Base64 to Shell | Obfuscated Files or Information, Unix Shell | TTP
Linux Deleting Critical Directory Using RM Command | Data Destruction | TTP
Linux Disable Services | Service Stop | TTP
Linux Doas Tool Execution | Sudo and Sudo Caching | Anomaly
Linux Docker Root Directory Mount | Escape to Host | TTP
Linux Docker Shell Execution | Container CLI/API | Anomaly
Linux Edit Cron Table Parameter | Cron | Hunting
Linux Emacs Privilege Escalation | Sudo and Sudo Caching | Anomaly
Linux Find Privilege Escalation | Sudo and Sudo Caching | Anomaly
Linux GDB Privilege Escalation | Sudo and Sudo Caching | Anomaly
Linux Gdrive Binary Activity | Exfiltration Over Web Service | TTP
Linux Gem Privilege Escalation | Sudo and Sudo Caching | Anomaly
Linux GNU Awk Privilege Escalation | Sudo and Sudo Caching | Anomaly
Linux Hardware Addition SwapOff | Hardware Additions | Anomaly
Linux Impair Defenses Process Kill | Disable or Modify Tools | Hunting
Linux Indicator Removal Clear Cache | Indicator Removal | TTP
Linux Indicator Removal Service File Deletion | File Deletion | Anomaly
Linux Ingress Tool Transfer Hunting | Ingress Tool Transfer | Hunting
Linux Ingress Tool Transfer with Curl | Ingress Tool Transfer | Anomaly
Linux Insert Kernel Module Using Insmod Utility | Kernel Modules and Extensions | Anomaly
Linux Install Kernel Module Using Modprobe Utility | Kernel Modules and Extensions | Anomaly
Linux Iptables Firewall Modification | Disable or Modify System Firewall | Anomaly
Linux Kernel Module Enumeration | System Information Discovery, Rootkit | Anomaly
Linux Kworker Process In Writable Process Path | Masquerade Task or Service | Hunting
Linux Make Privilege Escalation | Sudo and Sudo Caching | Anomaly
Linux MySQL Privilege Escalation | Sudo and Sudo Caching | Anomaly
Linux Ngrok Reverse Proxy Usage | Protocol Tunneling, Proxy, Web Service | Anomaly
Linux Node Privilege Escalation | Sudo and Sudo Caching | Anomaly
Linux NOPASSWD Entry In Sudoers File | Sudo and Sudo Caching | Anomaly
Linux Obfuscated Files or Information Base64 Decode | Obfuscated Files or Information | Anomaly
Linux Octave Privilege Escalation | Sudo and Sudo Caching | Anomaly
Linux OpenVPN Privilege Escalation | Sudo and Sudo Caching | Anomaly
Linux PHP Privilege Escalation | Sudo and Sudo Caching | Anomaly
Linux pkexec Privilege Escalation | Exploitation for Privilege Escalation | TTP
Linux Possible Access Or Modification Of sshd Config File | SSH Authorized Keys | Anomaly
Linux Possible Access To Credential Files | /etc/passwd and /etc/shadow | Anomaly
Linux Possible Access To Sudoers File | Sudo and Sudo Caching | Anomaly
Linux Possible Append Command To At Allow Config File | At | Anomaly
Linux Possible Append Command To Profile Config File | Unix Shell Configuration Modification | Anomaly
Linux Possible Append Cronjob Entry on Existing Cronjob File | Cron | Hunting
Linux Possible Cronjob Modification With Editor | Cron | Hunting
Linux Preload Hijack Library Calls | Dynamic Linker Hijacking | TTP
Linux Proxy Socks Curl | Proxy, Non-Application Layer Protocol | TTP
Linux Puppet Privilege Escalation | Sudo and Sudo Caching | Anomaly
Linux RPM Privilege Escalation | Sudo and Sudo Caching | Anomaly
Linux Ruby Privilege Escalation | Sudo and Sudo Caching | Anomaly
Linux Service Restarted | Systemd Timers | Anomaly
Linux Service Started Or Enabled | Systemd Timers | Anomaly
Linux Setuid Using Chmod Utility | Setuid and Setgid | Anomaly
Linux Setuid Using Setcap Utility | Setuid and Setgid | Anomaly
Linux Shred Overwrite Command | Data Destruction | TTP
Linux Sqlite3 Privilege Escalation | Sudo and Sudo Caching | Anomaly
Linux SSH Authorized Keys Modification | SSH Authorized Keys | Anomaly
Linux SSH Remote Services Script Execute | SSH | TTP
Linux Stdout Redirection To Dev Null File | Disable or Modify System Firewall | Anomaly
Linux Stop Services | Service Stop | TTP
Linux Sudo OR Su Execution | Sudo and Sudo Caching | Hunting
Linux Suspicious React or Next.js Child Process | Exploit Public-Facing Application, Unix Shell | TTP
Linux System Network Discovery | System Network Configuration Discovery | Anomaly
Linux System Reboot Via System Request Key | System Shutdown/Reboot | TTP
Linux Telnet Authentication Bypass | Abuse Elevation Control Mechanism | TTP
Linux Unix Shell Enable All SysRq Functions | Unix Shell | Anomaly
Linux Visudo Utility Execution | Sudo and Sudo Caching | Anomaly
Suspicious Curl Network Connection | Ingress Tool Transfer | TTP
Suspicious Linux Discovery Commands | Unix Shell | TTP
Web or Application Server Spawning a Shell | Exploit Public-Facing Application, External Remote Services | TTP

Supported Apps

Event Fields

Fields

  • _time
  • Channel
  • CommandLine
  • Company
  • Computer
  • CurrentDirectory
  • Description
  • EventChannel
  • EventCode
  • EventData_Xml
  • EventDescription
  • EventID
  • EventRecordID
  • FileVersion
  • Guid
  • Hashes
  • Image
  • IntegrityLevel
  • Keywords
  • Level
  • LogonGuid
  • LogonId
  • Name
  • Opcode
  • OriginalFileName
  • ParentCommandLine
  • ParentImage
  • ParentProcessGuid
  • ParentProcessId
  • ParentUser
  • ProcessGuid
  • ProcessID
  • ProcessId
  • Product
  • RecordID
  • RuleName
  • SystemTime
  • System_Props_Xml
  • Task
  • TerminalSessionId
  • ThreadID
  • User
  • UserId
  • UtcTime
  • Version
  • action
  • date_hour
  • date_mday
  • date_minute
  • date_month
  • date_second
  • date_wday
  • date_year
  • date_zone
  • dest
  • eventtype
  • host
  • index
  • linecount
  • original_file_name
  • os
  • parent_process
  • parent_process_exec
  • parent_process_guid
  • parent_process_id
  • parent_process_name
  • parent_process_path
  • process
  • process_current_directory
  • process_exec
  • process_guid
  • process_hash
  • process_id
  • process_integrity_level
  • process_name
  • process_path
  • punct
  • signature
  • signature_id
  • source
  • sourcetype
  • splunk_server
  • tag
  • tag::eventtype
  • timeendpos
  • timestartpos
  • user
  • vendor_product

</div>

Example Log

<Event>
  <System>
    <Provider Name="Linux-Sysmon" Guid="{ff032593-a8d3-4f13-b0d6-01fc615a0f97}"/>
    <EventID>1</EventID>
    <Version>5</Version>
    <Level>4</Level>
    <Task>1</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2022-08-09T10:42:47.749450000Z"/>
    <EventRecordID>1926574</EventRecordID>
    <Correlation/>
    <Execution ProcessID="1465" ThreadID="1465"/>
    <Channel>Linux-Sysmon/Operational</Channel>
    <Computer>ar-linux</Computer>
    <Security UserId="0"/>
  </System>
  <EventData>
    <Data Name="RuleName">-</Data>
    <Data Name="UtcTime">2022-08-09 10:42:47.757</Data>
    <Data Name="ProcessGuid">{ec23eae3-3a27-62f2-085e-16549b550000}</Data>
    <Data Name="ProcessId">10268</Data>
    <Data Name="Image">/usr/bin/sudo</Data>
    <Data Name="FileVersion">-</Data>
    <Data Name="Description">-</Data>
    <Data Name="Product">-</Data>
    <Data Name="Company">-</Data>
    <Data Name="OriginalFileName">-</Data>
    <Data Name="CommandLine">sudo gdb -nx -ex !sh -ex quit</Data>
    <Data Name="CurrentDirectory">/home/ubuntu</Data>
    <Data Name="User">ubuntu</Data>
    <Data Name="LogonGuid">{ec23eae3-315b-62f2-e803-000000000000}</Data>
    <Data Name="LogonId">1000</Data>
    <Data Name="TerminalSessionId">13</Data>
    <Data Name="IntegrityLevel">no level</Data>
    <Data Name="Hashes">-</Data>
    <Data Name="ParentProcessGuid">{ec23eae3-315b-62f2-4884-4ea587550000}</Data>
    <Data Name="ParentProcessId">15369</Data>
    <Data Name="ParentImage">/bin/bash</Data>
    <Data Name="ParentCommandLine">-bash</Data>
    <Data Name="ParentUser">ubuntu</Data>
  </EventData>
</Event>

Required Output Fields

  • action

  • dest

  • original_file_name

  • parent_process

  • parent_process_exec

  • parent_process_guid

  • parent_process_id

  • parent_process_name

  • parent_process_path

  • process

  • process_exec

  • process_guid

  • process_hash

  • process_id

  • process_integrity_level

  • process_name

  • process_path

  • user

  • user_id

  • vendor_product
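The example log above and the required output fields are the two halves of how the detections in the table get their input: the raw Event ID 1 XML is normalized into the process_*, parent_process_*, user and dest fields, and the SPL searches then run over those. The following is an added illustration, not code from Splunk, the Sysmon add-on or Sysinternals. It parses the page's example log (embedded verbatim) plus a few constructed variants into the listed output fields and runs substring checks that approximate three detections from the table (Linux GDB Privilege Escalation, Linux Find Privilege Escalation, Linux Decode Base64 to Shell). The substring sets, the mapping of user_id to LogonId, and the constant values for action and vendor_product are this example's assumptions, not the real SPL or the add-on's props.conf.

```python
"""Normalize Sysmon for Linux Event ID 1 XML into the output fields listed on
this page and run an approximate detection over the result.

Added example, not Splunk's or Sysinternals' code. The detections on this
page are SPL searches; RULES approximates three of them as substring checks.
"""
import posixpath
import xml.etree.ElementTree as ET
from typing import Dict, List
from xml.sax.saxutils import escape

# The page's example log, embedded verbatim as one sample input.
EXAMPLE_LOG = (
    '<Event><System><Provider Name="Linux-Sysmon" Guid="{ff032593-a8d3-4f13-b0d6-01fc615a0f97}"/>'
    '<EventID>1</EventID><Version>5</Version><Level>4</Level><Task>1</Task><Opcode>0</Opcode>'
    '<Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime="2022-08-09T10:42:47.749450000Z"/>'
    '<EventRecordID>1926574</EventRecordID><Correlation/><Execution ProcessID="1465" ThreadID="1465"/>'
    '<Channel>Linux-Sysmon/Operational</Channel><Computer>ar-linux</Computer><Security UserId="0"/>'
    '</System><EventData><Data Name="RuleName">-</Data><Data Name="UtcTime">2022-08-09 10:42:47.757</Data>'
    '<Data Name="ProcessGuid">{ec23eae3-3a27-62f2-085e-16549b550000}</Data><Data Name="ProcessId">10268</Data>'
    '<Data Name="Image">/usr/bin/sudo</Data><Data Name="FileVersion">-</Data><Data Name="Description">-</Data>'
    '<Data Name="Product">-</Data><Data Name="Company">-</Data><Data Name="OriginalFileName">-</Data>'
    '<Data Name="CommandLine">sudo gdb -nx -ex !sh -ex quit</Data><Data Name="CurrentDirectory">/home/ubuntu</Data>'
    '<Data Name="User">ubuntu</Data><Data Name="LogonGuid">{ec23eae3-315b-62f2-e803-000000000000}</Data>'
    '<Data Name="LogonId">1000</Data><Data Name="TerminalSessionId">13</Data><Data Name="IntegrityLevel">no level</Data>'
    '<Data Name="Hashes">-</Data><Data Name="ParentProcessGuid">{ec23eae3-315b-62f2-4884-4ea587550000}</Data>'
    '<Data Name="ParentProcessId">15369</Data><Data Name="ParentImage">/bin/bash</Data>'
    '<Data Name="ParentCommandLine">-bash</Data><Data Name="ParentUser">ubuntu</Data></EventData></Event>'
)

def make_event(image: str, command_line: str) -> str:
    """Constructed variant of the example log: same GUIDs, PIDs and host, only
    Image and CommandLine swapped (XML-escaped, real command lines contain & and <)."""
    return (EXAMPLE_LOG.replace("/usr/bin/sudo", escape(image))
            .replace("sudo gdb -nx -ex !sh -ex quit", escape(command_line)))

def normalize(xml_text: str) -> Dict[str, str]:
    """Map one Event ID 1 record onto this page's Required Output Fields (assumed mapping)."""
    root = ET.fromstring(xml_text)
    system = root.find("System")
    data = {d.get("Name"): (d.text or "") for d in root.iter("Data")}
    image, pimage = data.get("Image", ""), data.get("ParentImage", "")
    base = posixpath.basename
    return {
        "action": "allowed",  # assumption: Sysmon only observes, it never blocks
        "dest": system.findtext("Computer", ""),
        "original_file_name": data.get("OriginalFileName", ""),
        "parent_process": data.get("ParentCommandLine", ""),
        "parent_process_exec": base(pimage),
        "parent_process_guid": data.get("ParentProcessGuid", ""),
        "parent_process_id": data.get("ParentProcessId", ""),
        "parent_process_name": base(pimage),
        "parent_process_path": pimage,
        "process": data.get("CommandLine", ""),
        "process_exec": base(image),
        "process_guid": data.get("ProcessGuid", ""),
        "process_hash": data.get("Hashes", ""),
        "process_id": data.get("ProcessId", ""),
        "process_integrity_level": data.get("IntegrityLevel", ""),
        "process_name": base(image),
        "process_path": image,
        "user": data.get("User", ""),
        # In the example, <Execution ProcessID="1465"> and <Security UserId="0"> in
        # <System> describe the reporting Sysmon process (sudo itself is PID 10268,
        # run by "ubuntu" with LogonId 1000), so the owner's UID is taken from LogonId.
        "user_id": data.get("LogonId", ""),
        "vendor_product": "Microsoft Sysmon for Linux",  # assumption
    }

# Approximations of three detections from the table above; the real rules are SPL
# and the process_name filters and substring sets below are assumptions.
RULES = {
    "Linux GDB Privilege Escalation": ("sudo", ("gdb", "-nx", "-ex", "!sh")),
    "Linux Find Privilege Escalation": ("sudo", ("find", "-exec", "sh")),
    "Linux Decode Base64 to Shell": (None, ("base64", "-d", "|", "sh")),
}

def detect(event: Dict[str, str]) -> List[str]:
    """Names of RULES whose process_name filter (if any) and every substring match."""
    hits = []
    for name, (proc_name, needles) in RULES.items():
        if proc_name is not None and event["process_name"] != proc_name:
            continue
        if all(n in event["process"] for n in needles):
            hits.append(name)
    return hits

# Constructed sample set: the page's example plus three variants built from it.
SAMPLES = {
    "page example": EXAMPLE_LOG,
    "benign listing": make_event("/usr/bin/ls", "ls -la /tmp"),
    "find -exec shell": make_event("/usr/bin/sudo", "sudo find / -exec /bin/sh \\; -quit"),
    "base64 to shell": make_event("/bin/bash", "bash -c 'echo aWQ= | base64 -d | sh'"),
}

def run_samples() -> Dict[str, List[str]]:
    """Normalize and detect over every sample; returns label -> matched rule names."""
    return {label: detect(normalize(xml)) for label, xml in SAMPLES.items()}
```

Running `run_samples()` flags the page example as Linux GDB Privilege Escalation, the find variant as Linux Find Privilege Escalation, the base64 variant as Linux Decode Base64 to Shell, and nothing for the benign listing. Two points carry over to real deployments: the process_name used by the detections is the basename of Image, so a detection keyed on "sudo" will not see the same command typed as a relative or symlinked path unless the add-on normalizes it the same way, and the substring matching shown here is deliberately loose (the "sh" needle also matches "ssh" or "bash"), which is why the table marks these rules as Anomaly or Hunting rather than high-confidence TTP.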


Source: GitHub | Version: 2