SigmaHQ · CheraghiMilad · Dec 9, 2024 · Dec 9, 2024 · Dec 13, 2024 · Dec 14, 2024
diff --git a/...eation/proc_creation_lnx_local_groups.yml → ...ation_lnx_susp_local_groups_discovery.yml b/...eation/proc_creation_lnx_local_groups.yml → ...ation_lnx_susp_local_groups_discovery.yml
@@ -4,12 +4,16 @@ status: test
 description: Detects enumeration of local system groups. Adversaries may attempt to find local system groups and permission settings
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.001/T1069.001.md
-author: Ömer Günal, Alejandro Ortuno, oscd.community
+    - https://www.warp.dev/terminus/linux-list-users
+    - https://medium.com/@shalinpatel./list-all-groups-in-linux-ec1372309d6f
+    - https://cloudzy.com/blog/linux-netstat-command/
+author: Ömer Günal, Alejandro Ortuno, oscd.community, CheraghiMilad
 date: 2020-10-11
-modified: 2022-11-27
+modified: 2024-12-09
 tags:
     - attack.discovery
     - attack.t1069.001
+    - detection.threat-hunting
 logsource:
     category: process_creation
     product: linux
@@ -19,11 +23,26 @@ detection:
     selection_2:
         Image|endswith:
             - '/cat'
+            - '/ed'
+            - '/emacs'
             - '/head'
-            - '/tail'
+            - '/less'
             - '/more'
+            - '/nano'
+            - '/tail'
+            - '/vi'
+            - '/vim'
         CommandLine|contains: '/etc/group'
-    condition: 1 of selection*
+    selection_3:
+        Image|endswith: '/getent'
+        CommandLine|contains: 'group'
+    selection_4:
+        Image|endswith: '/netstat'
+        CommandLine|contains: 'localgroup'
+    selection_5:
+        Image|endswith: '/id'
+        CommandLine|contains: '-Gn'
+    condition: 1 of selection_*
 falsepositives:
     - Legitimate administration activities
 level: low
diff --git a/rules/linux/process_creation/proc_creation_lnx_webshell_detection.yml b/rules/linux/process_creation/proc_creation_lnx_webshell_detection.yml
@@ -5,9 +5,9 @@ description: Detects suspicious sub processes of web server processes
 references:
     - https://www.acunetix.com/blog/articles/web-shells-101-using-php-introduction-web-shells-part-2/
     - https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF
-author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), CheraghiMilad
 date: 2021-10-15
-modified: 2022-12-28
+modified: 2024-12-13
 tags:
     - attack.persistence
     - attack.t1505.003
@@ -33,17 +33,23 @@ detection:
             - 'websphere'
     sub_processes:
         Image|endswith:
-            - '/whoami'
-            - '/ifconfig'
-            - '/ip'
-            - '/bin/uname'
             - '/bin/cat'
             - '/bin/crontab'
+            - '/bin/ufw'
+            - '/bin/uname'
             - '/hostname'
+            - '/id'
+            - '/ifconfig'
+            - '/ip'
             - '/iptables'
             - '/netstat'
+            - '/nslookup'
             - '/pwd'
             - '/route'
+            - '/users'
+            - '/w'
+            - '/who'
+            - '/whoami'
     condition: 1 of selection_* and sub_processes
 falsepositives:
     - Web applications that invoke Linux command line tools