| Detection | Technique | Type |
|---|---|---|
| Linux Add Files In Known Crontab Directories | Cron, Scheduled Task/Job | Anomaly |
| Linux Add User Account | Local Account, Create Account | Hunting |
| Linux Adding Crontab Using List Parameter | Cron, Scheduled Task/Job | Hunting |
| Linux At Allow Config File Creation | Cron, Scheduled Task/Job | Anomaly |
| Linux At Application Execution | At, Scheduled Task/Job | Anomaly |
| Linux Auditd Add User Account | Local Account, Create Account | Anomaly |
| Linux Auditd Add User Account Type | Create Account, Local Account | Anomaly |
| Linux Auditd At Application Execution | At, Scheduled Task/Job | Anomaly |
| Linux Auditd Auditd Service Stop | Service Stop | Anomaly |
| Linux Auditd Base64 Decode Files | Deobfuscate/Decode Files or Information | Anomaly |
| Linux Auditd Change File Owner To Root | Linux and Mac File and Directory Permissions Modification, File and Directory Permissions Modification | TTP |
| Linux Auditd Data Transfer Size Limits Via Split | Data Transfer Size Limits | Anomaly |
| Linux Auditd Data Transfer Size Limits Via Split Syscall | Data Transfer Size Limits | Anomaly |
| Linux Auditd Database File And Directory Discovery | File and Directory Discovery | Anomaly |
| Linux Auditd Disable Or Modify System Firewall | Disable or Modify System Firewall, Impair Defenses | Anomaly |
| Linux Auditd Doas Conf File Creation | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | TTP |
| Linux Auditd Doas Tool Execution | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Anomaly |
| Linux Auditd Edit Cron Table Parameter | Cron, Scheduled Task/Job | TTP |
| Linux Auditd File And Directory Discovery | File and Directory Discovery | Anomaly |
| Linux Auditd File Permission Modification Via Chmod | Linux and Mac File and Directory Permissions Modification, File and Directory Permissions Modification | Anomaly |
| Linux Auditd File Permissions Modification Via Chattr | Linux and Mac File and Directory Permissions Modification, File and Directory Permissions Modification | TTP |
| Linux Auditd Find Credentials From Password Managers | Password Managers, Credentials from Password Stores | TTP |
| Linux Auditd Find Credentials From Password Stores | Password Managers, Credentials from Password Stores | TTP |
| Linux Auditd Find Private Keys | Private Keys, Unsecured Credentials | TTP |
| Linux Auditd Find Ssh Private Keys | Private Keys, Unsecured Credentials | Anomaly |
| Linux Auditd Hidden Files And Directories Creation | File and Directory Discovery | TTP |
| Linux Auditd Insert Kernel Module Using Insmod Utility | Kernel Modules and Extensions, Boot or Logon Autostart Execution | Anomaly |
| Linux Auditd Install Kernel Module Using Modprobe Utility | Kernel Modules and Extensions, Boot or Logon Autostart Execution | Anomaly |
| Linux Auditd Kernel Module Using Rmmod Utility | Kernel Modules and Extensions, Boot or Logon Autostart Execution | TTP |
| Linux Auditd Nopasswd Entry In Sudoers File | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Anomaly |
| Linux Auditd Osquery Service Stop | Service Stop | TTP |
| Linux Auditd Possible Access Or Modification Of Sshd Config File | SSH Authorized Keys, Account Manipulation | Anomaly |
| Linux Auditd Possible Access To Credential Files | /etc/passwd and /etc/shadow, OS Credential Dumping | Anomaly |
| Linux Auditd Possible Access To Sudoers File | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Anomaly |
| Linux Auditd Possible Append Cronjob Entry On Existing Cronjob File | Cron, Scheduled Task/Job | Hunting |
| Linux Auditd Preload Hijack Library Calls | Dynamic Linker Hijacking, Hijack Execution Flow | TTP |
| Linux Auditd Preload Hijack Via Preload File | Dynamic Linker Hijacking, Hijack Execution Flow | TTP |
| Linux Auditd Service Restarted | Systemd Timers, Scheduled Task/Job | Anomaly |
| Linux Auditd Service Started | Service Execution, System Services | TTP |
| Linux Auditd Setuid Using Chmod Utility | Setuid and Setgid, Abuse Elevation Control Mechanism | Anomaly |
| Linux Auditd Setuid Using Setcap Utility | Setuid and Setgid, Abuse Elevation Control Mechanism | TTP |
| Linux Auditd Shred Overwrite Command | Data Destruction | TTP |
| Linux Auditd Sudo Or Su Execution | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Anomaly |
| Linux Auditd Sysmon Service Stop | Service Stop | TTP |
| Linux Auditd System Network Configuration Discovery | System Network Configuration Discovery | Anomaly |
| Linux Auditd Unix Shell Configuration Modification | Unix Shell Configuration Modification, Event Triggered Execution | TTP |
| Linux Auditd Unload Module Via Modprobe | Kernel Modules and Extensions, Boot or Logon Autostart Execution | TTP |
| Linux Auditd Virtual Disk File And Directory Discovery | File and Directory Discovery | Anomaly |
| Linux Auditd Whoami User Discovery | System Owner/User Discovery | Anomaly |
| Linux Change File Owner To Root | Linux and Mac File and Directory Permissions Modification, File and Directory Permissions Modification | Anomaly |
| Linux Common Process For Elevation Control | Setuid and Setgid, Abuse Elevation Control Mechanism | Hunting |
| Linux Doas Conf File Creation | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Anomaly |
| Linux Doas Tool Execution | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Anomaly |
| Linux Edit Cron Table Parameter | Cron, Scheduled Task/Job | Hunting |
| Linux File Created In Kernel Driver Directory | Kernel Modules and Extensions, Boot or Logon Autostart Execution | Anomaly |
| Linux File Creation In Init Boot Directory | RC Scripts, Boot or Logon Initialization Scripts | Anomaly |
| Linux File Creation In Profile Directory | Unix Shell Configuration Modification, Event Triggered Execution | Anomaly |
| Linux Insert Kernel Module Using Insmod Utility | Kernel Modules and Extensions, Boot or Logon Autostart Execution | Anomaly |
| Linux Install Kernel Module Using Modprobe Utility | Kernel Modules and Extensions, Boot or Logon Autostart Execution | Anomaly |
| Linux NOPASSWD Entry In Sudoers File | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Anomaly |
| Linux Persistence and Privilege Escalation Risk Behavior | Abuse Elevation Control Mechanism | Correlation |
| Linux Possible Access Or Modification Of sshd Config File | SSH Authorized Keys, Account Manipulation | Anomaly |
| Linux Possible Access To Credential Files | /etc/passwd and /etc/shadow, OS Credential Dumping | Anomaly |
| Linux Possible Access To Sudoers File | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Anomaly |
| Linux Possible Append Command To At Allow Config File | At, Scheduled Task/Job | Anomaly |
| Linux Possible Append Command To Profile Config File | Unix Shell Configuration Modification, Event Triggered Execution | Anomaly |
| Linux Possible Append Cronjob Entry on Existing Cronjob File | Cron, Scheduled Task/Job | Hunting |
| Linux Possible Cronjob Modification With Editor | Cron, Scheduled Task/Job | Hunting |
| Linux Possible Ssh Key File Creation | SSH Authorized Keys, Account Manipulation | Anomaly |
| Linux Preload Hijack Library Calls | Dynamic Linker Hijacking, Hijack Execution Flow | TTP |
| Linux Service File Created In Systemd Directory | Systemd Timers, Scheduled Task/Job | Anomaly |
| Linux Service Restarted | Systemd Timers, Scheduled Task/Job | Anomaly |
| Linux Service Started Or Enabled | Systemd Timers, Scheduled Task/Job | Anomaly |
| Linux Setuid Using Chmod Utility | Setuid and Setgid, Abuse Elevation Control Mechanism | Anomaly |
| Linux Setuid Using Setcap Utility | Setuid and Setgid, Abuse Elevation Control Mechanism | Anomaly |
| Linux Shred Overwrite Command | Data Destruction | TTP |
| Linux Sudo OR Su Execution | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Hunting |
| Linux Sudoers Tmp File Creation | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Anomaly |
| Linux Visudo Utility Execution | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Anomaly |