linux_auditd_detection
tccontre committed Aug 16, 2024
1 parent 3fedf17 commit ad7926b
Showing 46 changed files with 324 additions and 0 deletions.
Git LFS file not shown
Original file line number Diff line number Diff line change
@@ -0,0 +1,11 @@
author: Teoderick Contreras, Splunk
id: be89c0f4-5a20-11ef-927e-acde48001122
date: '2024-08-14'
description: Generated datasets for linux auditd split b exec in attack range.
environment: attack_range
dataset:
- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1030/linux_auditd_split_b_exec/linux_auditd_split_b_exec.log
sourcetypes:
- 'linux:audit'
references:
- https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html
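Review bot: the only entry under `references` is a blog post on persistence and privilege-escalation detection, but the dataset path places this log under T1030 (the split-based transfer), and the same URL is reused as the sole reference in every YAML in this commit. Suggest adding the ATT&CK page for the technique named in the path, or the write-up that actually covers this behaviour, so an analyst opening the dataset can see what the log is meant to exercise.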
Git LFS file not shown
@@ -0,0 +1,11 @@
author: Teoderick Contreras, Splunk
id: aa1d025c-5a20-11ef-927e-acde48001122
date: '2024-08-14'
description: Generated datasets for linux auditd split syscall in attack range.
environment: attack_range
dataset:
- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1030/linux_auditd_split_syscall/linux_auditd_split_syscall.log
sourcetypes:
- 'linux:audit'
references:
- https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html
Git LFS file not shown
@@ -0,0 +1,11 @@
author: Teoderick Contreras, Splunk
id: 56a7207c-5a24-11ef-927e-acde48001122
date: '2024-08-14'
description: Generated datasets for linux auditd whoami in attack range.
environment: attack_range
dataset:
- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1033/linux_auditd_whoami/linux_auditd_whoami.log
sourcetypes:
- 'linux:audit'
references:
- https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html
Git LFS file not shown
@@ -0,0 +1,11 @@
author: Teoderick Contreras, Splunk
id: deda69c6-5a20-11ef-927e-acde48001122
date: '2024-08-14'
description: Generated datasets for linux auditd find db in attack range.
environment: attack_range
dataset:
- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1083/linux_auditd_find_db/linux_auditd_find_db.log
sourcetypes:
- 'linux:audit'
references:
- https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html
Git LFS file not shown
@@ -0,0 +1,11 @@
author: Teoderick Contreras, Splunk
id: 173b555a-5a21-11ef-927e-acde48001122
date: '2024-08-14'
description: Generated datasets for linux auditd find document in attack range.
environment: attack_range
dataset:
- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1083/linux_auditd_find_document/linux_auditd_find_document.log
sourcetypes:
- 'linux:audit'
references:
- https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html
Git LFS file not shown
@@ -0,0 +1,11 @@
author: Teoderick Contreras, Splunk
id: 422179f4-5a24-11ef-927e-acde48001122
date: '2024-08-14'
description: Generated datasets for linux auditd find virtual disk in attack range.
environment: attack_range
dataset:
- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1083/linux_auditd_find_virtual_disk/linux_auditd_find_virtual_disk.log
sourcetypes:
- 'linux:audit'
references:
- https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html
Git LFS file not shown
@@ -0,0 +1,11 @@
author: Teoderick Contreras, Splunk
id: 6f5ae8be-5a20-11ef-927e-acde48001122
date: '2024-08-14'
description: Generated datasets for linux auditd add user type in attack range.
environment: attack_range
dataset:
- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.001/linux_auditd_add_user_type/linux_auditd_add_user_type.log
sourcetypes:
- 'linux:audit'
references:
- https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html
Git LFS file not shown
@@ -0,0 +1,11 @@
author: Teoderick Contreras, Splunk
id: 47bbaf5e-5a21-11ef-927e-acde48001122
date: '2024-08-14'
description: Generated datasets for linux auditd chattr i in attack range.
environment: attack_range
dataset:
- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1222.002/linux_auditd_chattr_i/linux_auditd_chattr_i.log
sourcetypes:
- 'linux:audit'
references:
- https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html
Git LFS file not shown
@@ -0,0 +1,11 @@
author: Teoderick Contreras, Splunk
id: 30b3f0d2-5a21-11ef-927e-acde48001122
date: '2024-08-14'
description: Generated datasets for linux auditd chmod exec attrib in attack range.
environment: attack_range
dataset:
- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1222.002/linux_auditd_chmod_exec_attrib/linux_auditd_chmod_exec_attrib.log
sourcetypes:
- 'linux:audit'
references:
- https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html
Git LFS file not shown
@@ -0,0 +1,11 @@
author: Teoderick Contreras, Splunk
id: 66554f98-5a25-11ef-927e-acde48001122
date: '2024-08-14'
description: Generated datasets for linux auditd auditd service stop in attack range.
environment: attack_range
dataset:
- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1489/linux_auditd_auditd_service_stop/linux_auditd_auditd_service_stop.log
sourcetypes:
- 'linux:audit'
references:
- https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html
Git LFS file not shown
@@ -0,0 +1,11 @@
author: Teoderick Contreras, Splunk
id: d9926de0-5a22-11ef-927e-acde48001122
date: '2024-08-14'
description: Generated datasets for linux auditd osquerd service stop in attack range.
environment: attack_range
dataset:
- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1489/linux_auditd_osquerd_service_stop/linux_auditd_osquerd_service_stop.log
sourcetypes:
- 'linux:audit'
references:
- https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html
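Review bot: `osquerd` in the description and in the dataset path (`linux_auditd_osquerd_service_stop`) looks like a typo for `osqueryd`. Renaming the directory after merge breaks the URL recorded here and any detection test that cites it, so fix the name in this commit before anything references it.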
Git LFS file not shown
@@ -0,0 +1,11 @@
author: Teoderick Contreras, Splunk
id: dfe57ad8-5a23-11ef-927e-acde48001122
date: '2024-08-14'
description: Generated datasets for linux auditd sysmon service stop.log in attack range.
environment: attack_range
dataset:
- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1489/linux_auditd_sysmon_service_stop.log/linux_auditd_sysmon_service_stop.log
sourcetypes:
- 'linux:audit'
references:
- https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html
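Review bot: the dataset directory carries a `.log` suffix (`.../T1489/linux_auditd_sysmon_service_stop.log/linux_auditd_sysmon_service_stop.log`) and the description repeats `sysmon service stop.log`, while every sibling dataset in this commit uses a bare `<name>/<name>.log` layout. This looks like the directory was created from the file name by mistake; rename it to `linux_auditd_sysmon_service_stop`, update the URL here, and drop `.log` from the description.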
Git LFS file not shown
@@ -0,0 +1,11 @@
author: Teoderick Contreras, Splunk
id: 154a3b82-5a24-11ef-927e-acde48001122
date: '2024-08-14'
description: Generated datasets for linux auditd unix shell mod config in attack range.
environment: attack_range
dataset:
- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.004/linux_auditd_unix_shell_mod_config/linux_auditd_unix_shell_mod_config.log
sourcetypes:
- 'linux:audit'
references:
- https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html
Git LFS file not shown
@@ -0,0 +1,11 @@
author: Teoderick Contreras, Splunk
id: 2cb9d3ae-5a24-11ef-927e-acde48001122
date: '2024-08-14'
description: Generated datasets for linux auditd modprobe unload module in attack range.
environment: attack_range
dataset:
- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.006/linux_auditd_modprobe_unload_module/linux_auditd_modprobe_unload_module.log
sourcetypes:
- 'linux:audit'
references:
- https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html
Git LFS file not shown
@@ -0,0 +1,11 @@
author: Teoderick Contreras, Splunk
id: 8ceb8526-5a22-11ef-927e-acde48001122
date: '2024-08-14'
description: Generated datasets for linux auditd rmmod in attack range.
environment: attack_range
dataset:
- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.006/linux_auditd_rmmod/linux_auditd_rmmod.log
sourcetypes:
- 'linux:audit'
references:
- https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html
Git LFS file not shown
@@ -0,0 +1,11 @@
author: Teoderick Contreras, Splunk
id: 3d1eba04-5a22-11ef-927e-acde48001122
date: '2024-08-14'
description: Generated datasets for linux auditd find gpg in attack range.
environment: attack_range
dataset:
- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1552.004/linux_auditd_find_gpg/linux_auditd_find_gpg.log
sourcetypes:
- 'linux:audit'
references:
- https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html
Git LFS file not shown
@@ -0,0 +1,11 @@
author: Teoderick Contreras, Splunk
id: 5c848496-5a22-11ef-927e-acde48001122
date: '2024-08-14'
description: Generated datasets for linux auditd find ssh files in attack range.
environment: attack_range
dataset:
- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1552.004/linux_auditd_find_ssh_files/linux_auditd_find_ssh_files.log
sourcetypes:
- 'linux:audit'
references:
- https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html
Git LFS file not shown
@@ -0,0 +1,11 @@
author: Teoderick Contreras, Splunk
id: b358d5c0-5a21-11ef-927e-acde48001122
date: '2024-08-14'
description: Generated datasets for linux auditd find credentials in attack range.
environment: attack_range
dataset:
- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1555.005/linux_auditd_find_credentials/linux_auditd_find_credentials.log
sourcetypes:
- 'linux:audit'
references:
- https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html
@@ -0,0 +1,5 @@
type=EXECVE msg=audit(1723209251.519:128180): argc=3 a0="grep" a1="-Ev" a2=".Xauthority|.bashrc|.bluemix|.boto|.cer|.cloudflared|.credentials.json|.crt|.csr|.db|.der|.docker|.env|.erlang.cookie|.flyrc|.ftpconfig|.git|.git-credentials|.gitconfig|.github|.gnupg|.google_authenticator|.gpg|.htpasswd|.irssi|.jks|.k5login|.kdbx|.key|.keyring|.keystore|.keytab|.kube|.ldaprc|.lesshst|.mozilla|.msmtprc|.ovpn|.p12|.password-store|.pem|.pfx|.pgp|.plan|.profile|.psk|.pub|.pypirc|.rdg|.recently-used.xbel|.rhosts|.roadtools_auth|.secrets.mkey|.service|.socket|.sqlite|.sqlite3|.sudo_as_admin_successful|.svn|.swp|.tf|.tfstate|.timer|.vault-token|.vhd|.vhdx|.viminfo|.vmdk|.vnc|.wgetrc"
type=EXECVE msg=audit(1723209151.427:89620): argc=3 a0="grep" a1="-E" a2="passbolt\.php$"
type=EXECVE msg=audit(1723209151.311:89593): argc=3 a0="grep" a1="-E" a2=".*\.kdbx$|KeePass\.config.*$|KeePass\.ini$|KeePass\.enforced.*$"
type=EXECVE msg=audit(1723209150.803:89498): argc=3 a0="grep" a1="-E" a2="\.vault-token$"
type=EXECVE msg=audit(1723209150.795:89497): argc=3 a0="grep" a1="-E" a2="vault-ssh-helper\.hcl$"
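Review bot: the sample holds only `type=EXECVE` records; there is no `SYSCALL`, `CWD` or `PROCTITLE` record sharing the same `msg=audit(...)` id, so a detection that needs `uid`, `auid`, `exe` or `comm` from the paired SYSCALL line has nothing to join against in this dataset. Two further points worth documenting: the first record is a `grep -Ev` with a long exclusion list of credential-file patterns, i.e. a filter-out rather than a search, so a rule keying on `a0="grep"` plus credential-file names in `a2` will count it as a hit whether or not that is intended; and the records are in descending timestamp order (1723209251 before 1723209151), which is the reverse of what auditd writes. Suggest adding the paired records and stating whether the `-Ev` line is meant to be a true positive.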
@@ -0,0 +1,11 @@
author: Teoderick Contreras, Splunk
id: d72ba4fa-5a21-11ef-927e-acde48001122
date: '2024-08-14'
description: Generated datasets for linux auditd find password db.log in attack range.
environment: attack_range
dataset:
- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1555.005/linux_auditd_find_password_db.log/linux_auditd_find_password_db.log.txt
sourcetypes:
- 'linux:audit'
references:
- https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html
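Review bot: the dataset path ends in `linux_auditd_find_password_db.log/linux_auditd_find_password_db.log.txt`: the directory has a `.log` suffix and the file a `.log.txt` extension, unlike every other dataset in this commit, which uses `<name>/<name>.log`. The `.txt` extension is also the likely reason this is the only log whose contents appear in the diff while the other `.log` files show as `Git LFS file not shown`, which suggests it is not matched by the LFS tracking pattern the others are. Rename to `linux_auditd_find_password_db/linux_auditd_find_password_db.log`, update the URL here, and drop `.log` from the description.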
Git LFS file not shown
@@ -0,0 +1,11 @@
author: Teoderick Contreras, Splunk
id: f7eb4f16-5a20-11ef-927e-acde48001122
date: '2024-08-14'
description: Generated datasets for linux auditd disable firewall in attack range.
environment: attack_range
dataset:
- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.004/linux_auditd_disable_firewall/linux_auditd_disable_firewall.log
sourcetypes:
- 'linux:audit'
references:
- https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html
Git LFS file not shown
@@ -0,0 +1,11 @@
author: Teoderick Contreras, Splunk
id: 765100c0-5a22-11ef-927e-acde48001122
date: '2024-08-14'
description: Generated datasets for linux auditd hidden file in attack range.
environment: attack_range
dataset:
- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1564.001/linux_auditd_hidden_file/linux_auditd_hidden_file.log
sourcetypes:
- 'linux:audit'
references:
- https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html
Git LFS file not shown
@@ -0,0 +1,11 @@
author: Teoderick Contreras, Splunk
id: c3041618-5a23-11ef-927e-acde48001122
date: '2024-08-14'
description: Generated datasets for linux service start in attack range.
environment: attack_range
dataset:
- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1569.002/linux_service_start/linux_service_start.log
sourcetypes:
- 'linux:audit'
references:
- https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html
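Review bot: the dataset name `linux_service_start`, in both the path and the description, lacks the `linux_auditd_` prefix every other dataset in this commit uses, even though its sourcetype is `linux:audit`. Suggest `linux_auditd_service_start` so the dataset sorts and searches alongside its siblings.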
Git LFS file not shown
@@ -0,0 +1,11 @@
author: Teoderick Contreras, Splunk
id: a953b890-5a23-11ef-927e-acde48001122
date: '2024-08-14'
description: Generated datasets for linux auditd preload file in attack range.
environment: attack_range
dataset:
- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1574.006/linux_auditd_preload_file/linux_auditd_preload_file.log
sourcetypes:
- 'linux:audit'
references:
- https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html
