Adversaries may use grep or egrep to discover which security software (EDR agents, log shippers, vulnerability scanners) is installed on a Linux host, an early reconnaissance step. SOC teams should hunt for this behaviour in Azure Sentinel to catch reconnaissance before it turns into evasion or further compromise.
Detection Rule
title: Security Software Discovery - Linux
id: c9d8b7fd-78e4-44fe-88f6-599135d46d60
status: test
description: Detects usage of system utilities (only grep and egrep for now) to discover installed security software
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518.001/T1518.001.md
author: Daniil Yugoslavskiy, oscd.community
date: 2020-10-19
modified: 2022-11-27
tags:
    - attack.discovery
    - attack.t1518.001
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        Image|endswith:
            # You can add more grep variations such as fgrep, rgrep, etc.
            - '/grep'
            - '/egrep'
        CommandLine|contains:
            - 'nessusd'    # nessus vulnerability scanner
            - 'td-agent'   # fluentd log shipper
            - 'packetbeat' # elastic network logger/shipper
            - 'filebeat'   # elastic log file shipper
            - 'auditbeat'  # elastic auditing agent/log shipper
            - 'osqueryd'   # facebook osquery
            - 'cbagentd'   # carbon black
            - 'falcond'    # crowdstrike falcon
    condition: selection
falsepositives:
    - Legitimate activities
level: low
imProcessCreate
| where (TargetProcessName endswith "/grep" or TargetProcessName endswith "/egrep")
    and (TargetProcessCommandLine contains "nessusd"
        or TargetProcessCommandLine contains "td-agent"
        or TargetProcessCommandLine contains "packetbeat"
        or TargetProcessCommandLine contains "filebeat"
        or TargetProcessCommandLine contains "auditbeat"
        or TargetProcessCommandLine contains "osqueryd"
        or TargetProcessCommandLine contains "cbagentd"
        or TargetProcessCommandLine contains "falcond")
Scenario: System administrator runs a scheduled job to audit installed security tools using grep or egrep
Filter/Exclusion: Check for process owner (user field) against known admin accounts or use a regex to match known audit scripts.
Scenario: Security team uses grep to search for specific security software (e.g., snort, suricata, ossec) in configuration files during routine maintenance
Filter/Exclusion: Include a filter for process.name matching grep and file.path containing known configuration directories like /etc/security/ or /opt/security/.
Scenario: A log analysis tool (e.g., logrotate) uses egrep to filter log entries related to security software
Filter/Exclusion: Filter by process.name matching the log analysis tool or check for file.path containing log directories like /var/log/security/.
Scenario: A DevOps pipeline runs a script to check for security software installation status using grep
Filter/Exclusion: Filter by process.name matching the CI/CD tool (e.g., jenkins, gitlab-runner) or check for user field matching the DevOps service account.
Scenario: A system update script uses grep to verify if a security tool (e.g., clamav, fail2ban) is already installed
Filter/Exclusion: Filter by process.name matching the update script or check for file.path containing package management directories like /var/lib/dpkg/ or /usr/local/bin/.
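To validate the rule logic and the first exclusion above (known audit accounts) offline, the following added example re-implements the Sigma selection in Python and runs it over constructed process-creation events; it is not part of the Sigma rule or the original page, and the account allow-list and sample events are assumptions.

```python
# Added example, not from the original rule: mirrors the "Security Software
# Discovery - Linux" selection and applies the known-audit-account exclusion.
from dataclasses import dataclass

GREP_BINARIES = ("/grep", "/egrep")  # Image|endswith
SECURITY_AGENTS = ("nessusd", "td-agent", "packetbeat", "filebeat",
                   "auditbeat", "osqueryd", "cbagentd", "falcond")  # CommandLine|contains
# Hypothetical allow-list of accounts that run the sanctioned audit job (scenario 1).
KNOWN_AUDIT_USERS = frozenset({"svc-audit"})


@dataclass
class ProcessEvent:
    image: str          # full path of the executed binary
    command_line: str   # full command line
    user: str           # process owner


def matches_rule(ev: ProcessEvent) -> bool:
    """Sigma/KQL string matching is case-insensitive, so compare lowercased values."""
    image = ev.image.lower()
    cmd = ev.command_line.lower()
    return image.endswith(GREP_BINARIES) and any(a in cmd for a in SECURITY_AGENTS)


def is_excluded(ev: ProcessEvent) -> bool:
    """Scenario 1 exclusion: scheduled audit run by a known admin/service account."""
    return ev.user in KNOWN_AUDIT_USERS


def triage(events):
    """Return (event, verdict) pairs with verdict 'alert', 'excluded' or 'no-match'."""
    out = []
    for ev in events:
        if not matches_rule(ev):
            out.append((ev, "no-match"))
        elif is_excluded(ev):
            out.append((ev, "excluded"))
        else:
            out.append((ev, "alert"))
    return out


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    ProcessEvent("/usr/bin/grep", "grep -i FALCOND", "www-data"),            # alert
    ProcessEvent("/bin/egrep", "egrep 'osqueryd|auditbeat'", "svc-audit"),   # excluded
    ProcessEvent("/usr/bin/grep", "grep ERROR /var/log/syslog", "root"),    # no-match
    ProcessEvent("/usr/bin/ps", "ps aux", "root"),                           # no-match
]

if __name__ == "__main__":
    for ev, verdict in triage(SAMPLE_EVENTS):
        print(f"{verdict:9} {ev.user:10} {ev.command_line}")
```

Note that the selection keys on the grep process itself, so a pipeline such as `ps aux | grep falcond` only fires on the grep child event, not on the ps event.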