
Summary
This rule detects hex encoding or decoding activity that adversaries may use to evade host- or network-based security controls. It looks for process creation events for the commands 'hexdump', 'od' and 'xxd', which are commonly used to encode or decode files. Because automated tooling such as Jenkins also runs these commands legitimately, filter the results on process executable or username to reduce false positives and improve detection accuracy.
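As an added illustration of the detection logic described above (example code, not part of the rule or its upstream project), the following Python evaluates constructed process-creation events against the three tool names the rule lists and suppresses matches from an assumed Jenkins service user and agent executable. The event field names, the allow-list entries and the sample events are all assumptions.

```python
import shlex
from os.path import basename

# Encoding/decoding tools named in the rule: the event's executable basename
# or the first command-line token must be one of these to match.
HEX_TOOLS = {"hexdump", "od", "xxd"}

# Assumed tuning lists: suppress matches from automation known to run these
# tools legitimately (the rule text names Jenkins as the typical source).
ALLOWED_USERS = {"jenkins"}
ALLOWED_PARENT_IMAGES = {"/opt/jenkins/bin/agent"}  # assumed path


def invoked_tool(event):
    """Return the hex tool this process event invokes, or None."""
    image = basename(event.get("image", ""))
    if image in HEX_TOOLS:
        return image
    try:
        argv = shlex.split(event.get("cmdline", ""))
    except ValueError:  # unbalanced quotes in cmdline: treat as no match
        return None
    if argv and basename(argv[0]) in HEX_TOOLS:
        return basename(argv[0])
    return None


def is_allowlisted(event):
    """True when the event comes from tuned-out automation."""
    return (event.get("user") in ALLOWED_USERS
            or event.get("parent_image") in ALLOWED_PARENT_IMAGES)


def evaluate(events):
    """Return one alert dict per event that matches and survives tuning."""
    alerts = []
    for ev in events:
        tool = invoked_tool(ev)
        if tool is None or is_allowlisted(ev):
            continue
        alerts.append({"tool": tool, "user": ev.get("user"),
                       "cmdline": ev.get("cmdline"),
                       "techniques": ["T1140", "T1027"]})
    return alerts


# Constructed sample process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"user": "www-data", "image": "/usr/bin/xxd", "parent_image": "/bin/sh",
     "cmdline": "xxd -r -p /tmp/blob.hex /tmp/blob"},          # should alert
    {"user": "jenkins", "image": "/usr/bin/od",
     "parent_image": "/opt/jenkins/bin/agent",
     "cmdline": "od -A x -t x1z build/artifact.bin"},            # tuned out
    {"user": "alice", "image": "/usr/bin/grep", "parent_image": "/bin/bash",
     "cmdline": "grep -r xxd /var/log"},                          # not a match
]
```

Note that a wrapper such as `bash -c 'xxd ...'` is not matched on the shell's own event; the rule relies on the child process-creation event for xxd itself being logged.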
Categories
- Endpoint
- Linux
- Other
Data Sources
- Process
- Application Log
ATT&CK Techniques
- T1140
- T1027
Created: 2020-04-17