
OS Architecture Discovery Via Grep

Sigma Rules

Summary
This rule detects a reconnaissance step on Linux hosts: discovery of the operating system's CPU architecture. An adversary can learn the architecture by filtering the output of 'uname' or the contents of '/proc/cpuinfo' through 'grep' (for example 'uname -a | grep x86_64'). The rule watches process creation events and requires two conditions to hold on the same event: the process image ends with '/grep', and the command line ends with one of several common architecture identifiers. Only when both conditions are met on a single event does the rule fire, flagging possible discovery activity. Because the match is anchored on the end of the command line, the rule covers 'grep' reading piped input ('... | grep x86_64'); an invocation that names the file after the pattern ('grep x86_64 /proc/cpuinfo') ends with the path rather than the identifier and does not satisfy this condition.
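The two-condition match described above, run over a handful of constructed process creation events, as an added example. This is illustration code written for this page, not the rule's own YAML and not a pySigma backend; the identifier list (x86_64, i686, i386, aarch64, arm, mips) and the 'ProcessEvent' shape are assumptions, since the summary only says "several common architecture identifiers".

```python
"""Stand-alone re-implementation of the matching logic summarised above.

Not the Sigma rule itself: the architecture identifier list and the event
structure are assumptions made for this example.
"""

from dataclasses import dataclass
from typing import Iterable, List

# Assumed identifier list. The page says only "several common architecture
# identifiers"; these values are constructed for the example.
ARCH_IDENTIFIERS = ("x86_64", "i686", "i386", "aarch64", "arm", "mips")


@dataclass(frozen=True)
class ProcessEvent:
    image: str         # full path of the executed binary (Sigma: Image)
    command_line: str  # argv joined as one string (Sigma: CommandLine)


def matches_rule(event: ProcessEvent) -> bool:
    """Image|endswith '/grep' AND CommandLine|endswith one of the identifiers.

    Sigma string comparisons are case-insensitive by default, so both sides
    are lowercased before the suffix checks.
    """
    if not event.image.lower().endswith("/grep"):
        return False
    cmd = event.command_line.lower()
    return any(cmd.endswith(arch) for arch in ARCH_IDENTIFIERS)


def triage(events: Iterable[ProcessEvent]) -> List[ProcessEvent]:
    """Return the events that would raise an alert under this rule."""
    return [e for e in events if matches_rule(e)]


# Constructed sample events (not real telemetry). Each comment gives the shell
# command that would produce the grep process in question.
SAMPLE_EVENTS = [
    # uname -a | grep x86_64          -> command line ends with the identifier
    ProcessEvent("/usr/bin/grep", "grep x86_64"),
    # cat /proc/cpuinfo | grep -i AARCH64   -> case-insensitive suffix match
    ProcessEvent("/usr/bin/grep", "grep -i AARCH64"),
    # grep x86_64 /proc/cpuinfo       -> ends with the path, not the identifier
    ProcessEvent("/usr/bin/grep", "grep x86_64 /proc/cpuinfo"),
    # egrep x86_64                    -> image is '/egrep', not '/grep'
    ProcessEvent("/usr/bin/egrep", "egrep x86_64"),
    # grep -r TODO src                -> ordinary grep use, no identifier
    ProcessEvent("/usr/bin/grep", "grep -r TODO src"),
    # uname -m                        -> architecture query, but not via grep
    ProcessEvent("/usr/bin/uname", "uname -m"),
]


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(f"ALERT image={hit.image} cmdline={hit.command_line!r}")
```

The third sample is the practical gap a detection engineer should keep in mind: the rule's 'endswith' condition only fires when the identifier is the final token, so 'grep' run directly against '/proc/cpuinfo' with the file named last slips past it, while the same search fed through a pipe is caught.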
Categories
  • Linux
  • Endpoint
  • Application
Data Sources
  • Process
Created: 2023-06-02