<!--
Sysmon For Linux OSSEC/Wazuh rules - by 0xbad53c
based on/contains rules from:
https://github.com/SigmaHQ/sigma/tree/master/rules/linux
-->
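<group name="reverse_shells">
  <!--
    Reverse-shell heuristics layered on the Wazuh auditd command rule (80789).
    Each interpreter gets a level-0 parent keyed on audit.exe, and one or more
    children that look for tell-tale argument strings; only the last link of a
    chain raises a level-12 alert.

    NOTE(review): the fields used here (audit.exe, audit.auid) are the ones the
    auditd decoder emits, not Sysmon for Linux event data; confirm the intended
    log source matches the header of this file.
    NOTE(review): <match> is compared against the raw log line that 80789
    matched. With stock auditd the SYSCALL record carries exe= but argv lives in
    the separate EXECVE record, so check with wazuh-logtest that the argument
    strings below are actually present on the line these rules see.
    <field> patterns are unanchored OSRegex unless written with ^ or $.
  -->

  <!-- netcat -->
  <rule id="110000" level="0">
    <if_sid>80789</if_sid>
    <field name="audit.exe">/usr/bin/nc</field>
    <description>Netcat usage detected.</description>
    <group>audit_command,</group>
  </rule>
  <!-- the surrounding spaces keep "-e" from matching inside longer options -->
  <rule id="110001" level="12">
    <if_sid>110000</if_sid>
    <match> -e </match>
    <description>Potential Shell: $(audit.exe) with user loginuid $(audit.auid)</description>
    <group>audit_command,</group>
  </rule>

  <!-- bash -->
  <rule id="110020" level="0">
    <if_sid>80789</if_sid>
    <!-- "$" anchor: matches /usr/bin/bash on merged-/usr hosts and /bin/bash on older layouts -->
    <field name="audit.exe">/bin/bash$</field>
    <description>Bash usage detected.</description>
    <group>audit_command,</group>
  </rule>
  <rule id="110021" level="12">
    <if_sid>110020</if_sid>
    <match>/dev/tcp/</match>
    <description>Potential Shell: $(audit.exe) with user loginuid $(audit.auid)</description>
    <group>audit_command,</group>
  </rule>
  <rule id="110022" level="12">
    <if_sid>110020</if_sid>
    <match>/dev/udp/</match>
    <description>Potential Shell: $(audit.exe) with user loginuid $(audit.auid)</description>
    <group>audit_command,</group>
  </rule>

  <!-- python -->
  <!-- level 3 (the other parents use 0) raises an alert on every python invocation; lower to 0 if that noise is unwanted -->
  <rule id="110030" level="3">
    <if_sid>80789</if_sid>
    <!-- unanchored, so this single pattern already covers python2, python3 and python3.x binaries -->
    <field name="audit.exe">/usr/bin/python</field>
    <description>Python usage detected.</description>
    <group>audit_command,</group>
  </rule>
  <!--
    OSSEC/Wazuh keep one match pattern per rule: repeated <match> elements are
    appended into a single string (here "-csocket.socketsubprocess.call"), so a
    rule listing three of them would not fire. One pattern per rule, chained
    with if_sid, gives the intended AND regardless of parser version. Ids
    110032/110033 are constructed to follow this file's numbering; adjust if
    already in use. 110031 keeps its id and level so external references hold.
  -->
  <rule id="110032" level="0">
    <if_sid>110030</if_sid>
    <match>-c</match>
    <description>Python inline code (-c).</description>
    <group>audit_command,</group>
  </rule>
  <rule id="110033" level="0">
    <if_sid>110032</if_sid>
    <match>socket.socket</match>
    <description>Python inline code creating a socket.</description>
    <group>audit_command,</group>
  </rule>
  <rule id="110031" level="12">
    <if_sid>110033</if_sid>
    <match>subprocess.call</match>
    <description>Potential Shell: $(audit.exe) with user loginuid $(audit.auid)</description>
    <group>audit_command,</group>
  </rule>

  <!-- php -->
  <rule id="110050" level="0">
    <if_sid>80789</if_sid>
    <field name="audit.exe">/usr/bin/php</field>
    <description>PHP usage detected.</description>
    <group>audit_command,</group>
  </rule>
  <!-- same chaining as the python rules; ids 110052/110053 are constructed, 110051 stays the level-12 alert -->
  <rule id="110052" level="0">
    <if_sid>110050</if_sid>
    <match>-r</match>
    <description>PHP inline code (-r).</description>
    <group>audit_command,</group>
  </rule>
  <rule id="110053" level="0">
    <if_sid>110052</if_sid>
    <match>fsockopen</match>
    <description>PHP inline code opening a socket.</description>
    <group>audit_command,</group>
  </rule>
  <rule id="110051" level="12">
    <if_sid>110053</if_sid>
    <match>exec</match>
    <description>Potential Shell: $(audit.exe) with user loginuid $(audit.auid)</description>
    <group>audit_command,</group>
  </rule>
</group>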