Analytics Story: Linux Post-Exploitation
Description
This analytic story identifies popular Linux post exploitation tools such as autoSUID, LinEnum, LinPEAS, Linux Exploit Suggesters, MimiPenguin.
Why it matters
These tools allow operators find possible exploits or paths for privilege escalation based on SUID binaries, user permissions, kernel version and distro version.
Detections
| Name | Technique | Type |
|---|---|---|
| Suspicious Linux Discovery Commands | Unix Shell | TTP |
| Windows Suspicious QEMU Execution | Malicious File, Data Obfuscation, Masquerading, Run Virtual Instance | TTP |
Data Sources
| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| Sysmon EventID 1 |  Windows |
XmlWinEventLog |
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon for Linux EventID 1 |  Linux |
sysmon:linux |
Syslog:Linux-Sysmon/Operational |
References
Source: GitHub | Version: 1