==================================================

CREATED: NIX-PRIVILEGE-ESCALATION-SUDO-U (#2124)

Description

This detector identifies sudo invoked with either of the following command lines:

sudo -u#-1 or sudo -u#4294967295

Both indicate attempted exploitation of CVE-2019-14287.

ATT&CK Technique T1166
ATT&CK Technique T1169

==================================================

CREATED: NIX-SHELL-DEV-TCP-UP (#2177)

Description

This detector identifies the use of TCP sockets (/dev/tcp) to connect to a remote IP address, download files and redirect the remotely hosted files into a shell for execution. This method of connecting to a remote host with TCP sockets is an alternative technique to download files and behaves similarly to wget or curl.

ATT&CK Technique T1190

==================================================

CREATED: NIX-PASSWD-OUTPUT-HIDDEN-TEMP (#2211)

Description

This detector identifies dumping the passwd file to the tmp directory within a hidden directory or as a hidden file. Adversaries utilize these files and directories for reconnaissance.

ATT&CK Technique T1087

==================================================

CREATED: WIN-DXCAP-APPWHITELIST-BYPASS (#2234)

Description

The DirectX diagnostics and debugger tool (dxcap.exe) included with Visual Studio can be used to bypass application whitelisting. This detector identifies commands which may exploit this technique.

ATT&CK Technique T1218

==================================================

CREATED: WIN-SCHTASK-TASKNAME-LIKELY-RANDOM (#2245)

Description

This detector identifies the creation of scheduled task names that have a low trigram frequency score. The low trigram frequency score indicates that the scheduled task is abnormal and randomly named. Randomly named scheduled tasks are a common artifact of known malware families such as Dridex and ThreadKit.

ATT&CK Technique T1053
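As an added illustration of trigram-frequency scoring (example code written for this note, not the detector's own logic), the block below builds a character-trigram model from a constructed baseline of ordinary task names and flags a name whose trigrams sit close to the "never seen" floor; the baseline corpus, add-one smoothing and margin are assumptions.

```python
import math
from collections import Counter

# Constructed baseline of ordinary task names (an assumption for this example;
# a real detector would learn from a large corpus of observed task names).
BENIGN_TASK_NAMES = [
    "GoogleUpdateTaskMachineCore",
    "GoogleUpdateTaskMachineUA",
    "MicrosoftEdgeUpdateTaskMachineCore",
    "Adobe Acrobat Update Task",
    "OneDrive Standalone Update Task",
    "Microsoft Compatibility Appraiser",
    "Windows Defender Scheduled Scan",
    "SystemSoundsService",
    "Firefox Default Browser Agent",
    "CCleaner Update",
]


def trigrams(name):
    """Case-folded character trigrams of a task name."""
    s = name.lower()
    return [s[i:i + 3] for i in range(len(s) - 2)]


class TrigramModel:
    """Scores a name by the mean add-one-smoothed log-probability of its trigrams."""

    def __init__(self, corpus):
        self.counts = Counter(t for n in corpus for t in trigrams(n))
        # Smoothing denominator: observed trigrams + vocabulary size + one unseen class.
        self.denom = sum(self.counts.values()) + len(self.counts) + 1
        # Lowest possible per-trigram log-probability, i.e. a never-seen trigram.
        self.floor = math.log(1 / self.denom)

    def score(self, name):
        grams = trigrams(name)
        if not grams:  # names shorter than three characters cannot be scored
            return None
        return sum(math.log((self.counts[g] + 1) / self.denom) for g in grams) / len(grams)

    def is_likely_random(self, name, margin=0.3):
        """Flag a name whose trigrams are, on average, barely above the unseen floor."""
        s = self.score(name)
        return s is not None and s < self.floor + margin


MODEL = TrigramModel(BENIGN_TASK_NAMES)

if __name__ == "__main__":
    for candidate in ["Microsoft Office Update Task", "Xk7qZpLw3"]:
        print(f"{candidate!r}: score={MODEL.score(candidate):.2f} "
              f"random={MODEL.is_likely_random(candidate)}")
```

The margin is an assumed threshold; in practice it is tuned against the score distribution of the baseline itself.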
