Adversaries may execute known hacktools by leveraging containerized environments to evade detection and maintain persistence. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential compromise of Linux-based systems.
Detection Rule
title: Linux HackTool Execution
id: a015e032-146d-4717-8944-7a1884122111
status: test
description: Detects known hacktool execution based on image name.
references:
    - https://github.com/Gui774ume/ebpfkit
    - https://github.com/pathtofile/bad-bpf
    - https://github.com/carlospolop/PEASS-ng
    - https://github.com/t3l3machus/hoaxshell
    - https://github.com/t3l3machus/Villain
    - https://github.com/HavocFramework/Havoc
    - https://github.com/1N3/Sn1per
    - https://github.com/Ne0nd0g/merlin
    - https://github.com/Pennyw0rth/NetExec/
author: Nasreddine Bencherchali (Nextron Systems), Georg Lauenstein (sure[secure])
date: 2023-01-03
modified: 2024-09-19
tags:
    - attack.execution
    - attack.resource-development
    - attack.t1587
logsource:
    product: linux
    category: process_creation
detection:
    selection_c2_frameworks:
        Image|endswith:
            - '/crackmapexec'
            - '/havoc'
            - '/merlin-agent'
            - '/merlinServer-Linux-x64'
            - '/msfconsole'
            - '/msfvenom'
            - '/ps-empire server'
            - '/ps-empire'
            - '/sliver-client'
            - '/sliver-server'
            - '/Villain.py'
    selection_c2_framework_cobaltstrike:
        Image|contains:
            - '/cobaltstrike'
            - '/teamserver'
    selection_scanners:
        Image|endswith:
            - '/autorecon'
            - '/httpx'
            - '/legion'
            - '/naabu'
            - '/netdiscover'
            - '/nuclei'
            - '/recon-ng'
    selection_scanners_sniper:
        Image|contains: '/sniper'
    selection_web_enum:
        Image|endswith:
            - '/dirb'
            - '/dirbuster'
            - '/eyewitness'
            - '/feroxbuster'
            - '/ffuf'
            - '/gobuster'
            - '/wfuzz'
            - '/whatweb'
    selection_web_vuln:
        Image|endswith:
            - '/joomscan'
            - '/nikto'
            - '/wpscan'
    selection_exploit_tools:
        Image|endswith:
            - '/aircrack-ng'
            - '/bloodhound-python'
            - '/bpfdos'
            - '/ebpfki'
            - '/evil-winrm'
            - '/hashcat'
            - '/hoaxshell.py'
            - '/hydra'
            - '/john'
            - '/ncrack'
            # default binary: https://github.com/Pennyw0rth/NetExec/releases/download/v1.0.0/nxc-ubuntu-latest
            - '/nxc-ubuntu-latest'
            - '/pidhide'
            - '/pspy32'
            - '/pspy32s'
            - '/pspy64'
            - '/pspy64s'
            - '/setoolkit'
            - '/sqlmap'
            - '/writeblocker'
    selection_linpeas:
        # covers: all linux versions listed here: https://github.com/carlospolop/PEASS-ng/releases
        Image|contains: '/linpeas'
    condition: 1 of selection_*
falsepositives:
    - Unlikely
level: high
Azure Sentinel Query (KQL, ASIM imProcessCreate)
imProcessCreate
| where (TargetProcessName endswith "/crackmapexec" or TargetProcessName endswith "/havoc" or TargetProcessName endswith "/merlin-agent" or TargetProcessName endswith "/merlinServer-Linux-x64" or TargetProcessName endswith "/msfconsole" or TargetProcessName endswith "/msfvenom" or TargetProcessName endswith "/ps-empire server" or TargetProcessName endswith "/ps-empire" or TargetProcessName endswith "/sliver-client" or TargetProcessName endswith "/sliver-server" or TargetProcessName endswith "/Villain.py")
    or (TargetProcessName contains "/cobaltstrike" or TargetProcessName contains "/teamserver")
    or (TargetProcessName endswith "/autorecon" or TargetProcessName endswith "/httpx" or TargetProcessName endswith "/legion" or TargetProcessName endswith "/naabu" or TargetProcessName endswith "/netdiscover" or TargetProcessName endswith "/nuclei" or TargetProcessName endswith "/recon-ng")
    or TargetProcessName contains "/sniper"
    or (TargetProcessName endswith "/dirb" or TargetProcessName endswith "/dirbuster" or TargetProcessName endswith "/eyewitness" or TargetProcessName endswith "/feroxbuster" or TargetProcessName endswith "/ffuf" or TargetProcessName endswith "/gobuster" or TargetProcessName endswith "/wfuzz" or TargetProcessName endswith "/whatweb")
    or (TargetProcessName endswith "/joomscan" or TargetProcessName endswith "/nikto" or TargetProcessName endswith "/wpscan")
    or (TargetProcessName endswith "/aircrack-ng" or TargetProcessName endswith "/bloodhound-python" or TargetProcessName endswith "/bpfdos" or TargetProcessName endswith "/ebpfki" or TargetProcessName endswith "/evil-winrm" or TargetProcessName endswith "/hashcat" or TargetProcessName endswith "/hoaxshell.py" or TargetProcessName endswith "/hydra" or TargetProcessName endswith "/john" or TargetProcessName endswith "/ncrack" or TargetProcessName endswith "/nxc-ubuntu-latest" or TargetProcessName endswith "/pidhide" or TargetProcessName endswith "/pspy32" or TargetProcessName endswith "/pspy32s" or TargetProcessName endswith "/pspy64" or TargetProcessName endswith "/pspy64s" or TargetProcessName endswith "/setoolkit" or TargetProcessName endswith "/sqlmap" or TargetProcessName endswith "/writeblocker")
    or TargetProcessName contains "/linpeas"
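The following is an added example, not part of the Sigma rule or its KQL translation: a small evaluator that applies the rule's selections and its `1 of selection_*` condition to constructed process_creation events. Matching is case-insensitive, as in Sigma and in KQL's `endswith`/`contains`; the last sample event shows that the `contains` selections match any path component that merely starts with the term, which is the part of this rule to watch when tuning.

```python
# Added example: applies the Linux HackTool Execution rule's selections to
# constructed events. Values are copied from the rule above.
SELECTIONS = {
    "selection_c2_frameworks": ("endswith", [
        "/crackmapexec", "/havoc", "/merlin-agent", "/merlinServer-Linux-x64",
        "/msfconsole", "/msfvenom", "/ps-empire server", "/ps-empire",
        "/sliver-client", "/sliver-server", "/Villain.py"]),
    "selection_c2_framework_cobaltstrike": ("contains", ["/cobaltstrike", "/teamserver"]),
    "selection_scanners": ("endswith", [
        "/autorecon", "/httpx", "/legion", "/naabu", "/netdiscover", "/nuclei", "/recon-ng"]),
    "selection_scanners_sniper": ("contains", ["/sniper"]),
    "selection_web_enum": ("endswith", [
        "/dirb", "/dirbuster", "/eyewitness", "/feroxbuster", "/ffuf", "/gobuster",
        "/wfuzz", "/whatweb"]),
    "selection_web_vuln": ("endswith", ["/joomscan", "/nikto", "/wpscan"]),
    "selection_exploit_tools": ("endswith", [
        "/aircrack-ng", "/bloodhound-python", "/bpfdos", "/ebpfki", "/evil-winrm",
        "/hashcat", "/hoaxshell.py", "/hydra", "/john", "/ncrack", "/nxc-ubuntu-latest",
        "/pidhide", "/pspy32", "/pspy32s", "/pspy64", "/pspy64s", "/setoolkit",
        "/sqlmap", "/writeblocker"]),
    "selection_linpeas": ("contains", ["/linpeas"]),
}

def matched_selections(image):
    """Return the names of every selection the Image value satisfies (case-insensitive)."""
    img = image.lower()
    hits = []
    for name, (modifier, values) in SELECTIONS.items():
        for value in values:
            value = value.lower()
            if (modifier == "endswith" and img.endswith(value)) or \
               (modifier == "contains" and value in img):
                hits.append(name)
                break  # one matching value is enough for this selection
    return hits

def evaluate(events):
    """Apply 'condition: 1 of selection_*': an event alerts if any selection matches."""
    results = []
    for event in events:
        hits = matched_selections(event["Image"])
        if hits:
            results.append((event["Image"], hits))
    return results

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"Image": "/usr/bin/ls"},                 # benign, no selection matches
    {"Image": "/opt/tools/Villain.py"},       # exact endswith hit
    {"Image": "/tmp/linpeas_linux_amd64"},    # 'contains' covers every linpeas build
    {"Image": "/home/dev/SQLMAP"},            # matched despite different case
    {"Image": "/home/dev/snipershare/sync"},  # 'contains: /sniper' also fires here
]

if __name__ == "__main__":
    for image, hits in evaluate(SAMPLE_EVENTS):
        print(image, "->", ", ".join(hits))
```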
False Positive Scenarios
Scenario: System update using apt or yum
Filter/Exclusion: Check for presence of apt or yum in the command line and exclude commands like apt update, apt upgrade, or yum -y update.
Scenario: Scheduled maintenance job using cron
Filter/Exclusion: Filter out commands that include /usr/bin/cron or /etc/cron.d/ in the command line, or check for cron job execution patterns.
Scenario: Admin task using rsync for backups
Filter/Exclusion: Exclude commands that include rsync with paths pointing to backup directories (e.g., /backup/, /var/backups/).
Scenario: Docker container runtime execution
Filter/Exclusion: Filter out commands that include docker run or docker exec, especially when the image name matches known hacktools.
Scenario: Legitimate system monitoring tool like nagios or zabbix
Filter/Exclusion: Exclude commands that include nagios, zabbix, or other known monitoring tools, especially when executed from their respective service directories.