Threat Hunting Content: Suspicious Execution Place

Most of the rules published on the Threat Detection Marketplace are aimed at detecting attacks on Windows systems. This is not surprising, since most threats specifically target Microsoft's operating system, as it is the most widely deployed. But there are serious threats to other operating systems too, so today we will tell you about a new rule from the SOC Prime Team that detects suspicious execution places on Linux systems via auditbeat logs:

https://tdm.socprime.com/tdm/info/oSfxBay3MovM/CuZ-y3EBv8lhbg_iUo58/?p=1

This rule complements the previously published rule for detecting the activity of the Outlaw hacking group, but unlike the IOC-based Sigma rule published on our blog, it is able to detect attacks by other groups or botnets on Linux servers. Execution of binaries or scripts from locations that normally hold no executables (world-writable directories such as /tmp, /var/tmp or /dev/shm are the classic cases) is usually a sign of malware activity, since a dropper running without root privileges can often write nowhere else. Linux servers are a frequent target of cryptocurrency miners and ransomware, and this rule will most likely help to detect such an attack in time and prevent data loss or performance degradation. As with any behavioural rule, expect to tune it: build scripts, package installers and some deployment tools legitimately execute from temporary directories.
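To make the detection idea concrete, here is an added example of the logic run over constructed auditbeat-style events. It is not the marketplace rule and not SOC Prime's code: the directory list, the interpreter set, the allowlist glob and the ECS field names (event.module, auditd.data.syscall, process.executable, process.args, process.working_directory, user.name) are assumptions made for this illustration. It also handles the scripting case the ATT&CK mapping hints at: an interpreter launched from a normal path (/bin/sh) with a script that lives in a suspicious directory, including relative script paths resolved against the working directory.

```python
"""Detection logic for 'execution from a suspicious place', run over
constructed auditbeat-style NDJSON events. Added example, not the
marketplace rule; path lists, allowlist and field names are assumptions."""
import fnmatch
import json
import posixpath
from typing import Any, Dict, Iterable, Iterator, List

# Directories from which production services should not be launching
# binaries. Assumed list for illustration; tune it per environment.
SUSPICIOUS_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/", "/var/www/")

# Interpreters whose first non-option argument is the script really being run.
INTERPRETERS = {"/bin/sh", "/bin/bash", "/usr/bin/bash", "/usr/bin/python3", "/usr/bin/perl"}

# Hypothetical tuning: a deployment hook the organisation knowingly runs.
ALLOWLIST_GLOBS = ("/var/www/*/hooks/*",)

# Constructed sample input, shaped like auditbeat's ECS output for execve
# syscalls (field names as assumed here; one JSON document per line).
SAMPLE_NDJSON = """\
{"event":{"module":"auditd","action":"executed"},"auditd":{"data":{"syscall":"execve"}},"user":{"name":"www-data"},"process":{"executable":"/usr/sbin/nginx","args":["nginx","-g","daemon off;"],"working_directory":"/"}}
{"event":{"module":"auditd","action":"executed"},"auditd":{"data":{"syscall":"execve"}},"user":{"name":"www-data"},"process":{"executable":"/tmp/.x/miner","args":["./miner","-o","pool.invalid:3333"],"working_directory":"/tmp/.x"}}
{"event":{"module":"auditd","action":"executed"},"auditd":{"data":{"syscall":"execve"}},"user":{"name":"alice"},"process":{"executable":"/bin/sh","args":["sh","run.sh"],"working_directory":"/dev/shm"}}
{"event":{"module":"auditd","action":"executed"},"auditd":{"data":{"syscall":"execve"}},"user":{"name":"deploy"},"process":{"executable":"/var/www/site/hooks/post-deploy","args":["post-deploy"],"working_directory":"/var/www/site"}}
{"event":{"module":"file_integrity","action":"created"},"file":{"path":"/tmp/.x/miner"}}
"""


def load_events(ndjson: str) -> Iterator[Dict[str, Any]]:
    """Parse one JSON document per line, as auditbeat's file output writes them."""
    for line in ndjson.splitlines():
        if line.strip():
            yield json.loads(line)


def in_suspicious_place(path: str) -> bool:
    """True when path sits under a suspicious prefix and matches no allowlist glob."""
    if not path or any(fnmatch.fnmatchcase(path, g) for g in ALLOWLIST_GLOBS):
        return False
    return path.startswith(SUSPICIOUS_PREFIXES)


def offending_path(event: Dict[str, Any]) -> str:
    """Return the path that makes this execve suspicious, or '' if none.

    Checks the executable itself first, then, for interpreters, the script
    argument: 'sh run.sh' with cwd /dev/shm is as bad as /dev/shm/run.sh."""
    proc = event.get("process", {})
    exe = proc.get("executable", "")
    if in_suspicious_place(exe):
        return exe
    if exe in INTERPRETERS:
        cwd = proc.get("working_directory", "/").rstrip("/")
        for arg in proc.get("args", [])[1:]:
            if arg.startswith("-"):       # skip interpreter options such as -x
                continue
            # Resolve relative paths against cwd and collapse ./ and ../ parts.
            script = posixpath.normpath(arg if arg.startswith("/") else f"{cwd}/{arg}")
            return script if in_suspicious_place(script) else ""
    return ""


def detect(events: Iterable[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Apply the rule to auditd execve events; everything else is ignored."""
    hits = []
    for ev in events:
        if ev.get("event", {}).get("module") != "auditd":
            continue
        if ev.get("auditd", {}).get("data", {}).get("syscall") != "execve":
            continue
        path = offending_path(ev)
        if path:
            hits.append({
                "path": path,
                "user": ev.get("user", {}).get("name"),
                "args": ev.get("process", {}).get("args", []),
            })
    return hits


if __name__ == "__main__":
    for hit in detect(load_events(SAMPLE_NDJSON)):
        print(json.dumps(hit))
```

Two points worth keeping in mind when running something like this for real: auditbeat only emits execve events if the auditd module's `audit_rules` actually capture the syscall (a rule of the form `-a always,exit -F arch=b64 -S execve -k exec` is the usual starting point), and the allowlist is where the tuning effort goes, since the prefix list itself rarely changes.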

Unfortunately, for the time being, translations for this rule are available only for a few platforms: Azure Sentinel, QRadar, ELK Stack, Humio, Carbon Black.

MITRE ATT&CK:

Tactics: Execution, Defense Evasion

Techniques: Command-Line Interface (T1059), Scripting (T1064)

These are the technique names from the ATT&CK version current at the time of publication: T1059 is now called Command and Scripting Interpreter, and T1064 Scripting has since been deprecated in favour of it.


Other rules related to auditbeat logs that enable detection of cyber threats: https://tdm.socprime.com/?logSources%5B%5D=auditbeat&searchProject=&searchType=&searchSubType=&searchValue=