This section displays SIGMA rules belonging to category Linux. It updates itself automatically when new commits are available in quasarops.
| Title | Equation Group Indicators |
|---|---|
| rule_category | linux |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/linux/lnx_apt_equationgroup_lnx.yml |
| author | Florian Roth |
| status | |
| date | 2017/04/09 |
| description | Detects suspicious shell commands used in various Equation Group scripts and tools |
| tags | attack.execution attack.g0020 attack.t1059 |
| Title | Buffer Overflow Attempts |
|---|---|
| rule_category | linux |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/linux/lnx_buffer_overflows.yml |
| author | Florian Roth |
| status | |
| date | 2017/03/01 |
| description | Detects buffer overflow attempts in Unix system log files |
| tags |
| Title | Relevant ClamAV Message |
|---|---|
| rule_category | linux |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/linux/lnx_clamav.yml |
| author | Florian Roth |
| status | |
| date | 2017/03/01 |
| description | Detects relevant ClamAV messages |
| tags |
| Title | Clear Command History |
|---|---|
| rule_category | linux |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/linux/lnx_shell_clear_cmd_history.yml |
| author | Patrick Bareiss |
| status | experimental |
| date | 2019/03/24 |
| description | Clear command history in linux which is used for defense evasion. |
| tags | attack.defense_evasion attack.t1146 |
| Title | Privilege Escalation Preparation |
|---|---|
| rule_category | linux |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/linux/lnx_shell_priv_esc_prep.yml |
| author | Patrick Bareiss |
| status | experimental |
| date | 2019/04/05 |
| description | Detects suspicious shell commands indicating the information gathering phase as preparation for the Privilege Escalation. |
| tags | attack.privilege_escalation attack.t1068 |
| Title | Suspicious Activity in Shell Commands |
|---|---|
| rule_category | linux |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/linux/lnx_shell_susp_commands.yml |
| author | Florian Roth |
| status | |
| date | 2017/08/21 |
| description | Detects suspicious shell commands used in various exploit codes (see references) |
| tags |
| Title | Suspicious Log Entries |
|---|---|
| rule_category | linux |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/linux/lnx_shell_susp_log_entries.yml |
| author | Florian Roth |
| status | |
| date | 2017/03/25 |
| description | Detects suspicious log entries in Linux log files |
| tags |
| Title | Suspicious Reverse Shell Command Line |
|---|---|
| rule_category | linux |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/linux/lnx_shell_susp_rev_shells.yml |
| author | Florian Roth |
| status | experimental |
| date | 2019/04/02 |
| description | Detects suspicious shell commands or program code that may be exected or used in command line to establish a reverse shell |
| tags |
| Title | Shellshock Expression |
|---|---|
| rule_category | linux |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/linux/lnx_shellshock.yml |
| author | Florian Roth |
| status | |
| date | 2017/03/14 |
| description | Detects shellshock expressions in log files |
| tags |
| Title | SSHD Error Message CVE-2018-15473 |
|---|---|
| rule_category | linux |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/linux/lnx_ssh_cve_2018_15473.yml |
| author | Florian Roth |
| status | |
| date | 2017/08/24 |
| description | Detects exploitation attempt using public exploit code for CVE-2018-15473 |
| tags |
| Title | Sudo Privilege Escalation CVE-2019-14287 |
|---|---|
| rule_category | linux |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/linux/lnx_sudo_cve_2019_14287.yml |
| author | Florian Roth |
| status | experimental |
| date | 2019/10/15 |
| description | Detects users trying to exploit sudo vulnerability reported in CVE-2019-14287 |
| tags | attack.privilege_escalation attack.t1068 attack.t1169 |
| Title | Failed Logins with Different Accounts from Single Source System |
|---|---|
| rule_category | linux |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/linux/lnx_susp_failed_logons_single_source.yml |
| author | Florian Roth |
| status | |
| date | 2017/02/16 |
| description | Detects suspicious failed logins with different user accounts from a single source system |
| tags |
| Title | JexBoss Command Sequence |
|---|---|
| rule_category | linux |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/linux/lnx_susp_jexboss.yml |
| author | Florian Roth |
| status | |
| date | 2017/08/24 |
| description | Detects suspicious command sequence that JexBoss |
| tags |
| Title | Suspicious Named Error |
|---|---|
| rule_category | linux |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/linux/lnx_susp_named.yml |
| author | Florian Roth |
| status | experimental |
| date | 2018/02/20 |
| description | Detects suspicious DNS error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts |
| tags |
| Title | Suspicious SSHD Error |
|---|---|
| rule_category | linux |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/linux/lnx_susp_ssh.yml |
| author | Florian Roth |
| status | |
| date | 2017/06/30 |
| description | Detects suspicious SSH / SSHD error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts |
| tags |
| Title | Suspicious VSFTPD Error Messages |
|---|---|
| rule_category | linux |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/linux/lnx_susp_vsftp.yml |
| author | Florian Roth |
| status | |
| date | 2017/07/05 |
| description | Detects suspicious VSFTPD error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts |
| tags |