Adversaries may use Linux reconnaissance commands to gather system information and identify potential targets, indicating early-stage compromise. SOC teams should proactively hunt for these indicators in Azure Sentinel to detect and respond to advanced persistent threats before they escalate.
Detection Rule
title: Linux Recon Indicators
id: 0cf7a157-8879-41a2-8f55-388dd23746b7
status: test
description: Detects events with patterns found in commands used for reconnaissance on linux systems
references:
- https://github.com/sleventyeleven/linuxprivchecker/blob/0d701080bbf92efd464e97d71a70f97c6f2cd658/linuxprivchecker.py
author: Florian Roth (Nextron Systems)
date: 2022-06-20
tags:
- attack.reconnaissance
- attack.t1592.004
- attack.credential-access
- attack.t1552.001
logsource:
category: process_creation
product: linux
detection:
selection:
CommandLine|contains:
- ' -name .htpasswd'
- ' -perm -4000 '
condition: selection
falsepositives:
- Legitimate administration activities
level: high
imProcessCreate
| where TargetProcessCommandLine contains " -name .htpasswd" or TargetProcessCommandLine contains " -perm -4000 "Scenario: System Monitoring Tool Usage
Description: A system administrator is using top or htop to monitor system resource usage.
Filter/Exclusion: Exclude processes with top or htop in the command line, or filter by user (e.g., user = root or user = admin).
Scenario: Scheduled Job Execution
Description: A legitimate cron job is running a script that includes reconnaissance-like commands (e.g., find, ls, or ps).
Filter/Exclusion: Exclude commands executed by cron jobs by checking the COMMAND field for /usr/bin/crontab or using a source field filter for cron.
Scenario: Log File Analysis
Description: An admin is reviewing log files using grep or awk to troubleshoot an issue.
Filter/Exclusion: Exclude commands that include grep or awk when the command line contains /var/log/ or /etc/ in the path.
Scenario: Package Management Activity
Description: A package manager like apt or yum is being used to install or update software, which may involve reconnaissance-like commands.
Filter/Exclusion: Exclude commands that include apt, yum, or dnf in the command line, or filter by process name.
Scenario: System Backup Script
Description: A backup script is running commands like find, tar, or rsync to archive data.
Filter/Exclusion: Exclude commands that include tar, rsync, or find when the command line contains /backup/ or /data/ in the path.