cscli scenarios install crowdsecurity/auditd-postexploit-rm
Attempts to detect a process that is invoking rm on a lot of files in a short burst.
This pattern is usually seen in post-exploitation behaviour, where a backdoor is trying to "kill" the competition by removing other malware or tooling from the host.
type: leaky
#debug: true
name: crowdsecurity/auditd-postexploit-rm
description: "Detect post-exploitation behaviour : rm execve bursts"
filter: evt.Meta.log_type == 'execve' && evt.Meta.exe in ['/usr/bin/rm', '/bin/rm']
#grouping by ppid to track on process doing a lot of invocations to rm, such as a shell script
groupby: evt.Meta.ppid
leakspeed: 1s
capacity: 5
blackhole: 1m
labels:
 confidence: 1
 spoofable: 0
 classification:
 - attack.T1059.004
 behavior: "linux:post-exploitation"
 label: "Post Exploitation command execution"
 service: linux
 remediation: false
scope:
 type: pid
 expression: evt.Meta.ppid
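To make the scenario parameters concrete, the following Python simulation is an added example (it is not part of this hub page or of the CrowdSec project) that replays constructed auditd execve events through the same filter, groupby key, leakspeed, capacity and blackhole values. It models the leaky bucket as a per-ppid counter that drains one token per leakspeed and overflows once it holds more than `capacity` tokens; CrowdSec's real engine implements the bucket with a rate limiter and its exact timing may differ, so treat the overflow arithmetic as an approximation. The event dictionaries, ppid values, timestamps and function names are all assumptions made for the example.

```python
from dataclasses import dataclass

# Parameters copied from the scenario YAML above.
SCENARIO_NAME = "crowdsecurity/auditd-postexploit-rm"
FILTER_EXES = {"/usr/bin/rm", "/bin/rm"}   # evt.Meta.exe in [...]
LEAKSPEED_S = 1.0                          # leakspeed: 1s (one token drains per second)
CAPACITY = 5                               # capacity: 5
BLACKHOLE_S = 60.0                         # blackhole: 1m


def matches_filter(evt):
    """Equivalent of the scenario's `filter` expression (assumed event layout)."""
    return evt["log_type"] == "execve" and evt["exe"] in FILTER_EXES


@dataclass
class Bucket:
    """One leaky bucket per groupby key (here: the parent pid)."""
    tokens: float = 0.0
    last_ts: float = 0.0

    def leak_to(self, ts):
        # Drain continuously: elapsed seconds / leakspeed tokens disappear.
        self.tokens = max(0.0, self.tokens - (ts - self.last_ts) / LEAKSPEED_S)
        self.last_ts = ts


def run_scenario(events):
    """Replay events in timestamp order; return (alerts, suppressed_overflows)."""
    buckets = {}
    blackhole_until = {}   # key -> timestamp before which new overflows are dropped
    alerts = []
    suppressed = 0
    for evt in sorted(events, key=lambda e: e["ts"]):
        if not matches_filter(evt):
            continue
        key = evt["ppid"]  # groupby / scope expression: evt.Meta.ppid
        bucket = buckets.setdefault(key, Bucket(last_ts=evt["ts"]))
        bucket.leak_to(evt["ts"])
        bucket.tokens += 1.0
        if bucket.tokens <= CAPACITY:
            continue
        # Overflow: the bucket is emptied either way.
        bucket.tokens = 0.0
        if evt["ts"] < blackhole_until.get(key, float("-inf")):
            suppressed += 1   # same ppid already alerted within the last minute
            continue
        blackhole_until[key] = evt["ts"] + BLACKHOLE_S
        alerts.append({"scenario": SCENARIO_NAME, "scope": "pid",
                       "value": key, "ts": evt["ts"]})
    return alerts, suppressed


def build_sample_events():
    """Constructed sample events (not real audit data)."""
    events = []
    # A shell script (ppid 4242) running rm twelve times, 100 ms apart.
    for i in range(12):
        events.append({"ts": round(i * 0.1, 1), "log_type": "execve",
                       "exe": "/usr/bin/rm", "ppid": 4242})
    # An interactive shell (ppid 1000) removing three files seconds apart.
    for t in (0.0, 5.0, 10.0):
        events.append({"ts": t, "log_type": "execve", "exe": "/bin/rm", "ppid": 1000})
    # A build tool (ppid 2000) hammering ls: does not match the filter.
    for i in range(20):
        events.append({"ts": round(i * 0.05, 2), "log_type": "execve",
                       "exe": "/usr/bin/ls", "ppid": 2000})
    # A non-execve audit record mentioning rm: wrong log_type, ignored.
    events.append({"ts": 0.2, "log_type": "syscall", "exe": "/usr/bin/rm", "ppid": 4242})
    return events


if __name__ == "__main__":
    found, dropped = run_scenario(build_sample_events())
    for alert in found:
        print(f"ALERT {alert['scenario']} pid={alert['value']} at t={alert['ts']}s")
    print(f"overflows suppressed by blackhole: {dropped}")
```

Running it shows a single alert for ppid 4242 at the sixth rm within half a second; the script's second burst overflows again but is swallowed by the one-minute blackhole, while the slow interactive user and the non-rm burst never trip the bucket.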