# Wazuh Custom Rules — Linux Security Detection # Rule IDs: 100300-100499 # MITRE ATT&CK coverage for Linux endpoints sshd ROOT user (root) from (\S+) SSH root login attempted authentication,ssh,root,linux sshd failure 10 10m 10+ failed SSH login attempts from same IP — possible brute force authentication,ssh,brute_force,linux T1110 sshd sshd sudo authentication failure user NOT in sudoers sudo attempt for non-existent user — possible lateral movement privilege_escalation,sudo,linux T1548.003 sudo add to group sudo User added to sudo group — possible privilege escalation privilege_escalation,sudo,linux,persistence T1548.003 syslog sudo /etc/sudoers Sudoers file modified — critical privilege escalation risk privilege_escalation,config_change,linux,critical T1548.003 syslog su SU su command executed — privilege escalation attempt privilege_escalation,linux T1548 syslog (COMMAND|cmd)=.*(bash|sh|-i) Interactive shell spawned from unusual location — possible implant privilege_escalation,execution,linux T1059 syslog cron (CRON|anacron)\s+job New cron job created persistence,cron,linux T1053 syslog cron (wget|curl|nc|bash|python|perl).*http Cron job executing network download — possible malware delivery persistence,cron,linux,execution T1053 syslog systemd Created symlink.*systemd New systemd service created — possible persistence mechanism persistence,systemd,linux T1543.003 syslog sshd Accepted publickey SSH public key authentication successful — verify authorized key persistence,ssh,linux T1098 syslog run-parts /etc/rc.* Init script created in rc.d directory — possible persistence persistence,linux T1053 syslog kernel truncat (auth|secure| messages) Log file truncated or deleted — possible attacker log clearing defense_evasion,log_tampering,linux,critical T1070.002 syslog auditd audit.rules|config changed Auditd configuration changed — possible defense evasion defense_evasion,audit,linux,critical T1070 syslog history -c|history -w|\.bash_history Bash history cleared or written — possible cover-up defense_evasion,linux T1070.002 syslog touch.*(/etc/passwd|/etc/shadow|/etc/sudoers) Timestamps modified on critical system file defense_evasion,timestomping,linux T1070.006 syslog (python|php|perl).*-i Interactive shell spawned via scripting language — possible reverse shell execution,linux,reverse_shell T1059.006 syslog (bash|sh).*-c.*base64 base64-encoded command detected — possible obfuscated execution execution,obfuscation,linux,critical T1027 syslog (wget|curl).*(\.sh|\.pl|\.py|\.exe) Script downloaded from internet and executed — possible malware execution,linux,malware,critical T1105 syslog nc.*(-l|-e|--listen)|ncat.*listen Netcat listener started — possible backdoor execution,linux,backdoor,critical T1059 syslog LD_PRELOAD LD_PRELOAD environment variable set — possible library injection execution,linux,privilege_escalation T1574.006 syslog systemd Started.*(nc|netcat|ncat).*internet Network tool started — possible data exfiltration exfiltration,c2,linux T1041 syslog (curl|wget).*(\.tar\.gz|\.zip).*http Archive file downloaded — possible data exfiltration staging exfiltration,linux T1047 sshd Forwarding (-L |-R ) SSH tunnel created — possible exfiltration or C2 channel lateral_movement,c2,linux T1572