Sysmon-for-Linux Event ID 1
Sigma (141)
- Access of Sudoers File Content
- Apache Spark Shell Command Injection - ProcessCreation
- Atlassian Confluence CVE-2022-26134
- Audit Rules Deleted Via Auditctl
- Axios NPM Compromise Indicators - Linux
- Bash Interactive Shell
- BPFtrace Unsafe Option Usage
- Capabilities Discovery - Linux
- Capsh Shell Invocation - Linux
- Chmod Targeting Sensitive Directories
- Clipboard Collection with Xclip Tool
- Connection Proxy
- Container Residence Discovery Via Proc Virtual FS
- Copy Passwd Or Shadow From TMP Path
- Crontab Enumeration
- Curl Usage on Linux
- CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Linux)
- DD File Overwrite
- Decode Base64 Encoded Text
- Disable Or Stop Services
- Disabling Security Tools
- Docker Container Discovery Via Dockerenv Listing
- Download File To Potentially Suspicious Directory Via Wget
- Enable BPF Kprobes Tracing
- ESXi Account Creation Via ESXCLI
- ESXi Admin Permission Assigned To Account Via ESXCLI
- ESXi Network Configuration Discovery Via ESXCLI
- ESXi Storage Information Discovery Via ESXCLI
- ESXi Syslog Configuration Change Via ESXCLI
- ESXi System Information Discovery Via ESXCLI
- ESXi VM Kill Via ESXCLI
- ESXi VM List Discovery Via ESXCLI
- ESXi VSAN Information Discovery Via ESXCLI
- Execution Of Script Located In Potentially Suspicious Directory
- File and Directory Discovery - Linux
- File Deletion
- Flush Iptables Ufw Chain
- Group Has Been Deleted Via Groupdel
- History File Deletion
- Inline Python Execution - Spawn Shell Via OS System Library
- Install Root Certificate
- Interactive Bash Suspicious Children
- Kaspersky Endpoint Security Stopped Via CommandLine - Linux
- Linux Base64 Encoded Pipe to Shell
- Linux Base64 Encoded Shebang In CLI
- Linux Crypto Mining Indicators
- Linux Doas Tool Execution
- Linux HackTool Execution
- Linux Logs Clearing Attempts
- Linux Network Service Scanning Tools Execution
- Linux Package Uninstall
- Linux Recon Indicators
- Linux Remote System Discovery
- Linux Setgid Capability Set on a Binary via Setcap Utility
- Linux Setuid Capability Set on a Binary via Setcap Utility
- Linux Shell Pipe to Shell
- Linux Sudo Chroot Execution
- Linux Suspicious Child Process from Node.js - React2Shell
- Linux Webshell Indicators
- LiteLLM / TeamPCP Supply Chain Attack Indicators
- Local Groups Discovery - Linux
- Local System Accounts Discovery - Linux
- Mask System Power Settings Via Systemctl
- Mount Execution With Hidepid Parameter
- Named Pipe Created Via Mkfifo
- Nohup Execution
- OMIGOD SCX RunAsProvider ExecuteScript
- OMIGOD SCX RunAsProvider ExecuteShellCommand
- OS Architecture Discovery Via Grep
- Pnscan Binary Data Transmission Activity
- Potential Container Discovery Via Inodes Listing
- Potential Discovery Activity Using Find - Linux
- Potential Exploitation of CVE-2024-3094 - Suspicious SSH Child Process
- Potential Exploitation of CVE-2025-5054 or CVE-2025-4598
- Potential GobRAT File Discovery Via Grep
- Potential Linux Amazon SSM Agent Hijacking
- Potential Linux Process Code Injection Via DD Utility
- Potential Netcat Reverse Shell Execution
- Potential Perl Reverse Shell Execution
- Potential PHP Reverse Shell
- Potential Ruby Reverse Shell
- Potential Suspicious Change To Sensitive/Critical Files
- Potential Xterm Reverse Shell
- Potentially Suspicious Execution From Tmp Folder
- Potentially Suspicious Named Pipe Created Via Mkfifo
- Print History File Contents
- Process Discovery
- PUA - TruffleHog Execution - Linux
- Python One-Liners with Base64 Decoding - Linux
- Python Reverse Shell Execution Via PTY And Socket Modules
- Python Spawning Pretty TTY Via PTY Module
- Python WebServer Execution - Linux
- Remote Access Tool - Team Viewer Session Started On Linux Host
- Remove Immutable File Attribute
- Remove Scheduled Cron Task/Job
- Scheduled Cron Task/Job - Linux
- Scheduled Task/Job At
- Script Interpreter Spawning Credential Scanner - Linux
- Security Software Discovery - Linux
- Setuid and Setgid
- Shai-Hulud 2.0 Malicious NPM Package Installation - Linux
- Shai-Hulud Malicious Bun Execution - Linux
- Shai-Hulud Malware Indicators - Linux
- Shai-Hulud NPM Package Malicious Exfiltration via Curl
- Shell Execution GCC - Linux
- Shell Execution Of Process Located In Tmp Directory
- Shell Execution via Find - Linux
- Shell Execution via Flock - Linux
- Shell Execution via Git - Linux
- Shell Execution via Nice - Linux
- Shell Execution via Rsync - Linux
- Shell Invocation via Apt - Linux
- Shell Invocation via Env Command - Linux
- Shell Invocation Via Ssh - Linux
- Sudo Privilege Escalation CVE-2019-14287
- Suspicious Child Process of SAP NetWeaver - Linux
- Suspicious Curl Change User Agents - Linux
- Suspicious Curl File Upload - Linux
- Suspicious Download and Execute Pattern via Curl/Wget
- Suspicious Git Clone - Linux
- Suspicious Invocation of Shell via AWK - Linux
- Suspicious Invocation of Shell via Rsync
- Suspicious Java Children Processes
- Suspicious Nohup Execution
- Suspicious Package Installed - Linux
- Syslog Clearing or Removal Via System Utilities
- System Information Discovery
- System Network Connections Discovery - Linux
- System Network Discovery - Linux
- Terminate Linux Process Via Kill
- Touch Suspicious Service File
- Triple Cross eBPF Rootkit Execve Hijack
- Triple Cross eBPF Rootkit Install Commands
- UFW Disable Attempt
- UNC4841 - Download Compressed Files From Temp.sh Using Wget
- UNC4841 - Download Tar File From Untrusted Direct IP Via Wget
- UNC4841 - Potential SEASPY Execution
- UNC4841 - SSL Certificate Exfiltration Via Openssl
- User Added To Root/Sudoers Group Using Usermod
- User Has Been Deleted Via Userdel
- Vim GTFOBin Abuse - Linux