auditd-postexploit-pkill Scenario

« auditd-postexploit-pkill »
v0.5 by crowdsecurity
Attack scenarioservice:linuxspoofable:0MITRE:T1059confidence:2

Detect post-exploitation behaviour : pkill execve bursts

Installation

cscli scenarios install crowdsecurity/auditd-postexploit-pkill

Description

Attempt to detect a process that is attempting to kill a lot of 3rd party processes.

This pattern is usually seen in post-exploitation behaviors where a backdoors is trying to "kill" competition.

YAML Configuration

1type: leaky
2#debug: true
3name: crowdsecurity/auditd-postexploit-pkill
4description: "Detect post-exploitation behaviour : pkill execve bursts"
5#we're looking for the EXCVE syscalls to 'pkill' (which is actually pgrep)
6filter: evt.Meta.log_type == 'execve' && evt.Meta.exe == '/usr/bin/pgrep'
7#grouping by ppid to track on process doing a lot of invocations to rm, such as a shell script
8groupby: evt.Meta.ppid
9leakspeed: 1s
10capacity: 5
11blackhole: 1m
12labels:
13  confidence: 2
14  spoofable: 0
15  classification:
16    - attack.T1059.004
17  behavior: "linux:post-exploitation"
18  label: "Post Exploitation command execution"
19  service: linux
20  remediation: false
21scope:
22  type: pid
23  expression: evt.Meta.ppid
24

Hub configuration

« auditd-postexploit-pkill »v0.5 by crowdsecurityAttack scenarioservice:linuxspoofable:0MITRE:T1059confidence:2

« auditd-postexploit-pkill »
v0.5 by crowdsecurity
Attack scenarioservice:linuxspoofable:0MITRE:T1059confidence:2