security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Use endswith with processname

Browse Source
This commit is contained in:
Alejandro Ortuno
2020-10-11 09:37:08 +02:00
parent 748dccc289
commit 418a9d5a02
2 changed files with 9 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/linux/lnx_local_account.yml
+4 -4
View File
@@ -11,22 +11,22 @@ logsource:
product: linux
detection:
selection_1:
ProcessName|contains:
ProcessName|endswith:
- '*/lastlog'
selection_2:
CommandLine|contains:
- "'x:0:'"
selection_3:
ProcessName|contains:
ProcessName|endswith:
- '*/cat'
CommandLine|contains:
- '/etc/passwd'
- '/etc/sudoers'
selection_4:
ProcessName|contains:
ProcessName|endswith:
- '*/id'
selection_5:
ProcessName|contains:
ProcessName|endswith:
- '*/lsof'
CommandLine|contains:
- '-u'
rules/linux/macos_local_account.yml
+5 -5
View File
@@ -11,12 +11,12 @@ logsource:
product: macos
detection:
selection_1:
ProcessName|contains:
ProcessName|endswith:
- '*/dscl'
CommandLine|contains:
- '. list /users'
selection_2:
ProcessName|contains:
ProcessName|endswith:
- '*/dscacheutil'
CommandLine|contains:
- '-q user'
@@ -24,16 +24,16 @@ detection:
CommandLine|contains:
- "'x:0:'"
selection_4:
ProcessName|contains:
ProcessName|endswith:
- '*/cat'
CommandLine|contains:
- '/etc/passwd'
- '/etc/sudoers'
selection_5:
ProcessName|contains:
ProcessName|endswith:
- '*/id'
selection_6:
ProcessName|contains:
ProcessName|endswith:
- '*/lsof'
CommandLine|contains:
- '-u'