fix: Linux Logs Clearing Attempts - Add new filters for sysstat and dmesg legitimate command deletion
fix: Disable Or Stop Services - Add new filters for legitimate service stoppoing via systemctl for snapd, asw and others
fix: Potential Suspicious Change To Sensitive/Critical Files - Add filters for `/^*` and `s/^` usage with sed
fix: Persistence Via Sudoers.d Files - Add filter for dpkg writing README
fix: Chmod Targeting Sensitive Directories - enhance metadata and add multipel filters for legit use cases
update: Shell Invocation via Env Command - Linux - Switch modifier to use contains instead of endswith for better accuracy
---------
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
update: Suspicious Package Installed - Linux - add 'socat' keyword and fix a typo
chore: Local System Accounts Discovery - Linux - fix small typo on 'system' word in description
chore: rename auditd folders and others
update: Audio Capture - Updated syscall field to SYSCALL in order to make use of enriched logs
update: ASLR Disabled Via Sysctl or Direct Syscall - Linux - Updated syscall field to SYSCALL in order to make use of enriched logs
update: Clear or Disable Kernel Ring Buffer Logs via Syslog Syscall - Updated syscall field to SYSCALL in order to make use of enriched logs
update: System Info Discovery via Sysinfo Syscall - Updated syscall field to SYSCALL in order to make use of enriched logs
update: Special File Creation via Mknod Syscall - Updated syscall field to SYSCALL in order to make use of enriched logs
update: Webshell Remote Command Execution - Updated syscall field to SYSCALL in order to make use of enriched logs
update: Cred Dump Tools Dropped Files - Add procdump.exe and procdump64a.exe
update: File Download From Browser Process Via Inline URL - Enhance selection by splitting CLI markers for better matching
update: Tor Client/Browser Execution - Add additional PE metadata markers
update: System Information Discovery via Registry Queries - Enhance registry markers
update: PUA - AdFind Suspicious Execution - Add -sc to dclist string for more accurate coverage.
fix: Removal Of Index Value to Hide Schedule Task - Registry - Remove EventType condition that broke the rule.
fix: Removal Of SD Value to Hide Schedule Task - Registry - Remove EventType condition that broke the rule.
fix: Creation of a Local Hidden User Account by Registry - Fix the TargetObject value
fix: Potential Persistence Via New AMSI Providers - Registry - Change logsource and fix the rule logic
fix: Potential COM Object Hijacking Via TreatAs Subkey - Registry - Change logsource and fix the rule logic
fix: Potential Persistence Via Logon Scripts - Registry - Fix incorrect logsource
fix: PUA - Sysinternal Tool Execution - Registry - Fix incorrect logsource
fix: Suspicious Execution Of Renamed Sysinternals Tools - Registry - Fix incorrect logsource
fix: PUA - Sysinternals Tools Execution - Registry - Fix incorrect logsource
chore: add CI script for regression
chore: add regression data
---------
Co-authored-by: swachchhanda000 <87493836+swachchhanda000@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
remove: Space After Filename - Logic was incorrect and untested
update: Potential CVE-2024-3400 Exploitation - Palo Alto GlobalProtect OS Command Injection - Update selection
update: JexBoss Command Sequence - Update the selection to use the |all modifier.
chore: remove any usage of the fields field to prepare for deprecation in the spec.
update: ASLR Disabled Via Sysctl or Direct Syscall - Linux - Add sysctl option
---------
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
the integration pipeline or the rule consumer has to take care of the mapping
update: Audio Capture - use syscall name instead of id
update: Clear or Disable Kernel Ring Buffer Logs via Syslog Syscall - use syscall name instead of id
update: Disable ASLR Via Personality Syscall - Linux - use syscall name instead of id
chore: 🧹 Remove redundant modified field
chore: 🧹 Use Mitre tags instead of url
chore: 🧹 Use permalink for github file reference
chore: 🧹 Order emerging-threats Exploits rules
update: proc_creation_lnx_esxcli_vm_kill.yml - updating MITRE to match v17
update: proc_creation_lnx_esxcli_vsan_discovery.yml - updating MITRE to match v17
update: proc_creation_lnx_esxcli_system_discovery.yml - updating MITRE to match v17
update: proc_creation_lnx_esxcli_network_discovery.yml - updating MITRE to match v17
update: proc_creation_lnx_esxcli_storage_discovery.yml - updating MITRE to match v17
update: proc_creation_lnx_esxcli_syslog_config_change.yml - updating MITRE to match v17
update: proc_creation_lnx_esxcli_user_account_creation.yml - updating MITRE to match v17
update: proc_creation_lnx_esxcli_permission_change_admin.yml - updating MITRE to match v17
update: proc_creation_lnx_esxcli_vm_discovery.yml - updating MITRE to match v17
---------
Co-authored-by: Koifman <primeless42@gmail.com>
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
Nasreddine Bencherchali