Suspicious Commands Linux

Sigma Rules

Summary
This rule detects the execution of commands on a Linux host that are commonly associated with malware or hands-on-keyboard intrusion. It matches auditd `EXECVE` records (the argument list the audit subsystem logs for the `execve` syscall) and fires on `chmod 777` (making a file readable, writable and executable by everyone), `chmod u+s` (setting the setuid bit) and copies of a shell binary (`cp /bin/ksh` or `cp /bin/sh`), a combination attackers use to plant a setuid shell or otherwise escalate privileges and keep access to a compromised system. Any one of the monitored commands is enough to raise an alert. The same commands also occur in routine administrative work, so hits should be reviewed in context rather than treated as confirmed malicious activity.
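To make the matching behaviour concrete, here is an added example (not code from the Sigma project or this page) that replays the rule over a handful of constructed auditd `EXECVE` lines. It assumes the rule keys on the auditd `a0`/`a1` argument fields exactly and case-insensitively, which is how the upstream selections are written; the audit IDs, paths and the hypothetical record set `SAMPLE_RECORDS` are all made up for illustration. The last few records show where a positional, exact-match rule stays quiet (`chmod -R 777`, `chmod 0777`, an absolute path in `argv[0]`), which is the caveat a detection engineer should keep in mind when tuning it.

```python
"""Replay the 'Suspicious Commands Linux' matching logic over constructed auditd EXECVE records."""
import re
from typing import List, Optional, Tuple

# The four selections of the rule as (a0, a1) pairs; condition is "1 of cmd*".
# Sigma string matching is case-insensitive by default, so both sides are lower-cased.
RULE_SELECTIONS = {
    "cmd1": ("chmod", "777"),
    "cmd2": ("chmod", "u+s"),
    "cmd3": ("cp", "/bin/ksh"),
    "cmd4": ("cp", "/bin/sh"),
}

# Constructed sample records (not real logs). Field layout follows the Linux audit
# EXECVE format: each argument is either quoted, or, when it contains whitespace,
# quotes or control bytes, printed as an unquoted hex string.
SAMPLE_RECORDS = [
    'type=EXECVE msg=audit(1700000000.101:201): argc=3 a0="chmod" a1="777" a2="/tmp/payload"',
    'type=EXECVE msg=audit(1700000000.102:202): argc=3 a0="chmod" a1="u+s" a2="/tmp/rootsh"',
    'type=EXECVE msg=audit(1700000000.103:203): argc=3 a0="cp" a1="/bin/sh" a2="/tmp/rootsh"',
    'type=EXECVE msg=audit(1700000000.104:204): argc=3 a0="cp" a1="/bin/ksh" a2="/var/tmp/.k"',
    # Benign permission change: a1 is not one of the watched modes.
    'type=EXECVE msg=audit(1700000000.105:205): argc=3 a0="chmod" a1="644" a2="/etc/motd"',
    # a2 is hex-encoded because the destination path "/tmp/ x" contains a space.
    'type=EXECVE msg=audit(1700000000.106:206): argc=3 a0="cp" a1="/bin/sh" a2=2F746D702F2078',
    # Caveats: a1 is "-R" / "0777", and a0 is the absolute path as invoked, so an
    # exact positional match on ("chmod", "777") does not fire for any of these.
    'type=EXECVE msg=audit(1700000000.107:207): argc=4 a0="chmod" a1="-R" a2="777" a3="/tmp/d"',
    'type=EXECVE msg=audit(1700000000.108:208): argc=3 a0="chmod" a1="0777" a2="/tmp/d"',
    'type=EXECVE msg=audit(1700000000.109:209): argc=3 a0="/bin/chmod" a1="777" a2="/tmp/d"',
    # Non-EXECVE record types are skipped by the parser.
    'type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=59 success=yes exit=0',
]

_ARG_RE = re.compile(r'\ba(\d+)=(?:"([^"]*)"|([0-9A-Fa-f]+))')
_MSG_RE = re.compile(r"msg=audit\(([^)]*)\)")


def parse_execve(record: str) -> Optional[List[str]]:
    """Return argv for a type=EXECVE record (hex args decoded), or None for other types."""
    if not record.startswith("type=EXECVE "):
        return None
    args = {}
    for m in _ARG_RE.finditer(record):
        idx = int(m.group(1))
        if m.group(2) is not None:
            args[idx] = m.group(2)
        else:
            args[idx] = bytes.fromhex(m.group(3)).decode("utf-8", "replace")
    return [args[i] for i in sorted(args)]


def match_rule(argv: List[str]) -> Optional[str]:
    """Return the name of the first selection that fires, or None if the rule is silent."""
    if len(argv) < 2:
        return None
    a0, a1 = argv[0].lower(), argv[1].lower()
    for name, (want0, want1) in RULE_SELECTIONS.items():
        if a0 == want0 and a1 == want1:
            return name
    return None


def scan(records: List[str]) -> List[Tuple[str, str, List[str]]]:
    """Return (audit_id, selection, argv) for every record that triggers the rule."""
    hits = []
    for rec in records:
        argv = parse_execve(rec)
        if argv is None:
            continue
        sel = match_rule(argv)
        if sel:
            m = _MSG_RE.search(rec)
            hits.append((m.group(1) if m else "", sel, argv))
    return hits


if __name__ == "__main__":
    for audit_id, sel, argv in scan(SAMPLE_RECORDS):
        print(f"{audit_id}  {sel:<5} {' '.join(argv)}")
```

Running the script lists five hits (records 201, 202, 203, 204 and 206); records 207 to 209 stay silent even though they do the same thing as 201, which is the tuning question this rule raises: widening `a1` to `0777` or matching `chmod` by basename would catch them at the cost of more administrative noise.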
Categories
  • Linux
  • Endpoint
Data Sources
  • Process
  • Logon Session
Created: 2017-12-12