Most of the rules published on the Threat Detection Marketplace are aimed at detecting attacks on Windows systems. This is not surprising since most of the threats specifically targeted at the Microsoft operating system, as it is the most popular. But there are serious threats for other operating systems, so today we will tell you about a new rule from SOC Prime Team to detect suspicious execution places on Linux systems via auditbeat logs:

This rule complements the previously published rule for detecting the activity of the Outlaw hacking group, but unlike the IOCs-based Sigma rule published on our blog, it is able to detect attacks of other groups or botnets on Linux servers. Suspicious execution operations in non-executable places are usually related to malware activity. Linux servers are often the target of cryptocurrency miners and ransomware, and this rule will most likely help to detect an attack on time and prevent data loss or performance issues.

Unfortunately, for the time being, translations for this rule are available only for a few platforms: Azure Sentinel, QRadar, ELK Stack, Humio, Carbon Black.


Tactics: Execution, Defense Evasion

Techniques: Command-Line Interface (T1059), Scripting (T1064)


Other rules related to auditbeat logs that enable detection of cyber threats:

Was this article helpful?

Like and share it with your peers.
Join SOC Prime's Detection as Code platform to improve visibility into threats most relevant to your business. To help you get started and drive immediate value, book a meeting now with SOC Prime experts.

Related Posts