Data Source: Linux Auditd Execve

Description

Logs the execution of processes on a Linux system, including details about the executed command, arguments, and the initiating process.

Details

Property    Value
Source      auditd
Sourcetype  auditd
Separator   type

Detections using this data source:

Name | Technique | Type
Linux Auditd Base64 Decode Files | Deobfuscate/Decode Files or Information | Anomaly
Linux Auditd Clipboard Data Copy | Clipboard Data | Anomaly
Linux Auditd Data Transfer Size Limits Via Split | Data Transfer Size Limits | Anomaly
Linux Auditd Database File And Directory Discovery | File and Directory Discovery | Anomaly
Linux Auditd File And Directory Discovery | File and Directory Discovery | Anomaly
Linux Auditd File Permissions Modification Via Chattr | Linux and Mac File and Directory Permissions Modification | Anomaly
Linux Auditd Find Credentials From Password Managers | Password Managers | TTP
Linux Auditd Find Credentials From Password Stores | Password Managers | TTP
Linux Auditd Find Ssh Private Keys | Private Keys | Anomaly
Linux Auditd Hardware Addition Swapoff | Hardware Additions | Anomaly
Linux Auditd Hidden Files And Directories Creation | File and Directory Discovery | Anomaly
Linux Auditd Preload Hijack Library Calls | Dynamic Linker Hijacking | TTP
Linux Auditd Private Keys and Certificate Enumeration | Private Keys | Anomaly
Linux Auditd Setuid Using Setcap Utility | Setuid and Setgid | TTP
Linux Auditd Unload Module Via Modprobe | Kernel Modules and Extensions | TTP
Linux Auditd Virtual Disk File And Directory Discovery | File and Directory Discovery | Anomaly

Supported Apps

Event Fields

msg
type
argc

Example Log

type=EXECVE msg=audit(1723044684.257:15795): argc=3 a0="sudo" a1="LD_PRELOAD=./myfopen.so" a2="./prog"
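The following is an added example, not code from this page's project or from auditd: a small Python parser for EXECVE records of the shape shown above, which reconstructs argv from argc and a0..aN, decodes the unquoted hex form auditd uses for arguments containing whitespace, quotes or control characters, and applies the LD_PRELOAD check behind the "Linux Auditd Preload Hijack Library Calls" detection listed above. The sample records are constructed; the first is the page's example log.

```python
import re
from dataclasses import dataclass

# Constructed sample records (not from a real host). The first is the
# page's example log; the second shows auditd's hex encoding of an
# argument containing a space, which auditd emits unquoted as hex.
SAMPLE_RECORDS = [
    'type=EXECVE msg=audit(1723044684.257:15795): argc=3 '
    'a0="sudo" a1="LD_PRELOAD=./myfopen.so" a2="./prog"',
    'type=EXECVE msg=audit(1723044700.101:15802): argc=2 '
    'a0="cat" a1=2F746D702F6D792066696C652E747874',
]

_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
_HEX = re.compile(r'^(?:[0-9A-Fa-f]{2})+$')
_MSG = re.compile(r'^audit\((\d+\.\d+):(\d+)\):?$')

@dataclass
class ExecveRecord:
    timestamp: float   # seconds since the epoch, from msg=audit(ts:serial)
    serial: int        # event serial; joins EXECVE to its SYSCALL record
    argv: list         # decoded a0..aN in order

def _decode_value(raw):
    # Quoted values are literal; an unquoted all-hex value is auditd's
    # escaping for a string with whitespace, quotes or control characters.
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1]
    if _HEX.match(raw):
        return bytes.fromhex(raw).decode("utf-8", errors="replace")
    return raw

def parse_execve(line):
    """Parse one auditd EXECVE record into timestamp, serial and argv."""
    fields = dict(_KV.findall(line))
    if fields.get("type") != "EXECVE":
        raise ValueError("not an EXECVE record")
    m = _MSG.match(fields.get("msg", ""))
    if m is None:
        raise ValueError("malformed msg field")
    argc = int(fields["argc"])
    argv = [_decode_value(fields[f"a{i}"]) for i in range(argc)]
    return ExecveRecord(float(m.group(1)), int(m.group(2)), argv)

def flags_preload_hijack(rec):
    """True when an argument injects LD_PRELOAD, the condition behind the
    'Linux Auditd Preload Hijack Library Calls' detection listed above."""
    return any(arg.startswith("LD_PRELOAD=") for arg in rec.argv)
```

Matching on the decoded argv rather than the raw line matters because a hex-encoded argument would otherwise hide the LD_PRELOAD string from a plain substring search.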

Source: GitHub | Version: 2