The LinuxTsunami rule detects potential adversary behavior involving rapid, suspicious file creation or modification patterns on Linux systems, which may indicate automated or malicious activity. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage threats that could escalate into more severe compromises.
YARA Rule
rule LinuxTsunami
{
    meta:
        Author = "@benkow_"
        Date = "2014/09/12"
        Description = "Strings inside"
        Reference = "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3483"
    strings:
        $a = "PRIVMSG %s :[STD]Hitting %s"
        $b = "NOTICE %s :TSUNAMI <target> <secs>"
        $c = "NOTICE %s :I'm having a problem resolving my host, someone will have to SPOOFS me manually."
    condition:
        $a or $b or $c
}
The detection logic consists of three string patterns ($a, $b, $c); the condition is a plain OR, so a single matching string is enough to fire the rule.
Scenario: System Log Rotation Using logrotate
Description: The logrotate utility is legitimately used to rotate and compress system logs, which can generate a large number of file creation events.
Filter/Exclusion: Exclude processes related to logrotate by checking the command line for /usr/sbin/logrotate or /etc/logrotate.conf.
Scenario: Scheduled Backup Using rsync
Description: A scheduled backup job using rsync may create many files in a short period, especially when synchronizing large directories.
Filter/Exclusion: Filter events where the process is initiated by a cron job and includes paths like /etc/cron.d/ or /var/spool/cron/.
Scenario: Temporary File Creation by tmpfs Mounts
Description: Applications using tmpfs mounts (e.g., Docker containers, tmp directories) may create numerous temporary files, which can trigger the rule.
Filter/Exclusion: Exclude files created in directories like /run, /tmp, or /dev/shm or those with names starting with tmp_.
Scenario: User-Initiated File Copy Using cp or rsync
Description: A user might copy a large number of files using cp or rsync, which could be mistaken for malicious activity.
Filter/Exclusion: Exclude processes where the user is a regular user and the source/destination paths are within user-owned directories (e.g., ~/.cache/, ~/Documents/).
Scenario: System Integrity Monitoring Tool (e.g., AIDE)
Description: Security tools like AIDE (Advanced Intrusion Detection Environment) may generate a high volume of file creation or modification events during integrity checks.
Filter/Exclusion:
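As an added illustration (not part of the original page), the four exclusion filters listed above applied in Python to constructed file-creation events, so an analyst can see which events survive tuning. The event fields, the parent == "cron" test for a cron-launched job, and treating any non-root account as a "regular user" are assumptions; the truncated AIDE filter is not modelled.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class FileEvent:
    process: str       # basename of the executable that touched the file
    cmdline: str       # its full command line
    user: str          # account it ran as
    path: str          # file created or modified
    parent: str = ""   # parent process name ("cron" for scheduled jobs; assumed field)

TMPFS_DIRS = ("/run/", "/tmp/", "/dev/shm/")
CRON_DIRS = ("/etc/cron.d/", "/var/spool/cron/")

def exclusion_reason(ev: FileEvent) -> Optional[str]:
    """Return the benign scenario this event matches, or None if it should
    still count toward the rapid file-creation detection."""
    # logrotate: recognised by its binary or config file on the command line
    if "/usr/sbin/logrotate" in ev.cmdline or "/etc/logrotate.conf" in ev.cmdline:
        return "logrotate"
    # scheduled rsync backup: launched by cron or referencing a cron path
    if ev.process == "rsync" and (ev.parent == "cron" or any(d in ev.cmdline for d in CRON_DIRS)):
        return "cron-rsync"
    # tmpfs / temporary files: tmpfs path prefix or a tmp_ file name
    if ev.path.startswith(TMPFS_DIRS) or ev.path.rsplit("/", 1)[-1].startswith("tmp_"):
        return "tmpfs"
    # interactive copy by a regular user (assumed: non-root) inside their own home
    if ev.process in ("cp", "rsync") and ev.user != "root" and ev.path.startswith(f"/home/{ev.user}/"):
        return "user-copy"
    return None

def triage(events: List[FileEvent]) -> List[FileEvent]:
    """Drop events covered by a known benign scenario; return the rest for review."""
    return [ev for ev in events if exclusion_reason(ev) is None]

# Constructed sample events (not real telemetry)
SAMPLE = [
    FileEvent("logrotate", "/usr/sbin/logrotate /etc/logrotate.conf", "root", "/var/log/syslog.1.gz"),
    FileEvent("rsync", "rsync -a /srv/data /backup", "root", "/backup/data/db.sql", parent="cron"),
    FileEvent("python3", "python3 app.py", "www-data", "/dev/shm/tmp_cache.bin"),
    FileEvent("cp", "cp -r /home/alice/Documents /home/alice/Documents.bak", "alice", "/home/alice/Documents.bak/a.txt"),
    FileEvent("sh", "sh -c 'for i in $(seq 1000); do touch /etc/cfg.$i; done'", "root", "/etc/cfg.17"),
]

if __name__ == "__main__":
    for ev in SAMPLE:
        print(f"{ev.path:40} -> {exclusion_reason(ev) or 'KEEP'}")
```

Only the burst of files under /etc survives the filters; everything else is attributed to a documented benign scenario.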