auditd-sus-exec Scenario

« auditd-sus-exec »
v0.5 by crowdsecurity
Attack scenarioservice:linuxspoofable:0MITRE:T1059confidence:2

Detect post-exploitation behaviour : exec from suspicious locations

Installation

cscli scenarios install crowdsecurity/auditd-sus-exec

Description

Attempt to detect a binary that is executed from unusual / suspicious locations, such as /tmp/ or hidden directories startimg with a ..

This pattern is usually seen in post-exploitation when attackers are attempting to hide backdoors and other tools.

YAML Configuration

1type: trigger
2#debug: true
3name: crowdsecurity/auditd-sus-exec
4description: "Detect post-exploitation behaviour : exec from suspicious locations"
5filter: evt.Meta.log_type == 'execve' and ( evt.Meta.exe startsWith "/tmp/" or evt.Meta.exe contains "/." )
6labels:
7  confidence: 2
8  spoofable: 0
9  classification:
10    - attack.T1059.004
11  behavior: "linux:post-exploitation"
12  label: "Post Exploitation command execution"
13  service: linux
14  remediation: false
15scope:
16  type: pid
17  expression: evt.Meta.ppid
18

Hub configuration

« auditd-sus-exec »v0.5 by crowdsecurityAttack scenarioservice:linuxspoofable:0MITRE:T1059confidence:2

« auditd-sus-exec »
v0.5 by crowdsecurity
Attack scenarioservice:linuxspoofable:0MITRE:T1059confidence:2