auditd-postexploit-rm Scenario

« auditd-postexploit-rm »
v0.6 by crowdsecurity
Attack scenarioservice:linuxspoofable:0MITRE:T1059confidence:1

Detect post-exploitation behaviour : rm execve bursts

Installation

cscli scenarios install crowdsecurity/auditd-postexploit-rm

Description

Attempt to detect a process that is attempting to rm a lot of files.

This pattern is usually seen in post-exploitation behaviors where a backdoors is trying to "kill" competition.

YAML Configuration

1type: leaky
2#debug: true
3name: crowdsecurity/auditd-postexploit-rm
4description: "Detect post-exploitation behaviour : rm execve bursts"
5filter: evt.Meta.log_type == 'execve' && evt.Meta.exe in ['/usr/bin/rm', '/bin/rm']
6#grouping by ppid to track on process doing a lot of invocations to rm, such as a shell script
7groupby: evt.Meta.ppid
8leakspeed: 1s
9capacity: 5
10blackhole: 1m
11labels:
12  confidence: 1
13  spoofable: 0
14  classification:
15    - attack.T1059.004
16  behavior: "linux:post-exploitation"
17  label: "Post Exploitation command execution"
18  service: linux
19  remediation: false
20scope:
21  type: pid
22  expression: evt.Meta.ppid
23

Hub configuration

« auditd-postexploit-rm »v0.6 by crowdsecurityAttack scenarioservice:linuxspoofable:0MITRE:T1059confidence:1

« auditd-postexploit-rm »
v0.6 by crowdsecurity
Attack scenarioservice:linuxspoofable:0MITRE:T1059confidence:1