wieso-itzi
4f4ef7a8cc
Merge PR #5042 from @wieso-itzi - Update Python PTY rules
update: Python Spawning Pretty TTY Via PTY Module - Update the logic to account for the possibility of calling the spawn function via a variable, as an alias or other methods.
update: Python Reverse Shell Execution Via PTY And Socket Modules - Add additional strings to increase accuracy and coverage.
---------
Signed-off-by: wieso-itzi <85185077+wieso-itzi@users.noreply.github.com>
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-11-04 12:15:00 +01:00
Milad Cheraghi
d270dc542c
Merge PR #5039 from @CheraghiMilad - Update Local System Accounts Discovery - Linux
update: Local System Accounts Discovery - Linux - Increase coverage by adding additional utilities such as "nano", "tail", "vim"
---------
Co-authored-by: Milad Cheraghi <cheraghimiladmail@gmail.com>
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-10-08 22:09:13 +02:00
github-actions[bot]
08c52c367c
Merge PR #5027 from @nasbench - Promote older rules status from experimental to test
chore: promote older rules status from experimental to test
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
2024-10-01 14:56:09 +02:00
Arnim Rupp
35a5eb9a4c
Merge PR #5013 from @ruppde - Update linux scanning rules
update: Linux HackTool Execution - Remove "zenmap" and "nmap" as they are already covered by 3e102cd9-a70d-4a7a-9508-403963092f31
update: Linux Network Service Scanning Tools Execution - Add "zenmap" utility
2024-09-22 19:29:20 +02:00
Murphy0801
3e2f8d5aba
Merge PR #4975 from @Murphy0801 - Add new rules related to GTFOBins
new: Capsh Shell Invocation - Linux
new: Inline Python Execution - Spawn Shell Via OS System Library
new: Shell Execution GCC - Linux
new: Shell Execution via Find - Linux
new: Shell Execution via Flock - Linux
new: Shell Execution via Git - Linux
new: Shell Execution via Nice - Linux
new: Shell Execution via Rsync - Linux
new: Shell Invocation via Env Command - Linux
new: Shell Invocation Via Ssh - Linux
new: Suspicious Invocation of Shell via AWK - Linux
---------
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-09-02 13:19:31 +02:00
github-actions[bot]
839f5636f5
Merge PR #4991 from @nasbench - Promote older rules status from experimental to test
chore: promote older rules status from `experimental` to `test`
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
2024-09-02 10:01:36 +02:00
Nasreddine Bencherchali
598d29f811
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
chore: change tags, date, modified fields to comply with v2 of the Sigma spec.
chore: update the related type from `obsoletes` to `obsolete`.
chore: update local json schema to the latest version.
2024-08-12 12:02:50 +02:00
Ryan Plas
1d40f1d20b
Merge PR #4893 from @ryanplasma - Update Microsoft references URLS
chore: update Microsoft references link to use the "learn" subdomain instead of "docs".
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
Thanks: @ryanplasma
2024-07-02 12:00:11 +02:00
github-actions[bot]
47085e9489
Merge PR #4891 from @nasbench - Promote older rules status from experimental to test
chore: promote older rules status from experimental to test
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
2024-07-01 10:42:32 +02:00
github-actions[bot]
d84959e50f
Merge PR #4867 from @nasbench - Promote older rules status from experimental to test
chore: promote older rules status from experimental to test
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
2024-06-03 10:29:22 +02:00
github-actions[bot]
f7ec533704
Merge PR #4841 from @nasbench - Promote older rules status from experimental to test
chore: promote older rules status from "experimental" to "test"
2024-05-02 10:34:25 +02:00
signalblur
86ca651ea6
Merge PR #4801 from @signalblur - Add Pnscan rule
new: Pnscan Binary Data Transmission Activity
---------
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2024-04-16 14:36:41 +02:00
github-actions[bot]
a8e1ecd658
Merge PR #4791 from @nasbench - Promote older rules status from experimental to test
chore: promote older rules status from experimental to test
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
2024-04-01 15:14:10 +02:00
Josh
68511f711f
Merge PR #4759 from @joshnck - Add new rules covering incoming TeamViewer connection activity
new: Remote Access Tool - Team Viewer Session Started On Linux Host
new: Remote Access Tool - Team Viewer Session Started On MacOS Host
new: Remote Access Tool - Team Viewer Session Started On Windows Host
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-03-15 21:41:29 +01:00
frack113
48baf1187b
Merge PR #4752 from @frack113 - Update rules to use the windash modifier
update: File Enumeration Via Dir Command - Update logic to use a wildcard in addition, for better accuracy.
chore: update multiple rules to use the windash modifier
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-03-11 12:01:30 +01:00
github-actions[bot]
0108cdc344
Merge PR #4745 from @nasbench - Promote older rules status from experimental to test
chore: promote older rules status from experimental to test
2024-03-01 15:38:35 +01:00
github-actions[bot]
367ebd9395
Merge PR #4700 from @nasbench - Promote older rules status from experimental to test
chore: promote older rules status from experimental to test
2024-02-01 02:09:31 +01:00
skaynum
fade537547
Merge PR #4592 from @skaynum - Create Rule to detect Linux Process Code Injection
new: Potential Linux Process Code Injection Via DD Utility
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2023-12-01 19:29:03 +01:00
github-actions[bot]
ae960f0881
Merge PR #4611 from @nasbench - Promote Older Rules Status From experimental To test
chore: promote older rules status from experimental to test
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
2023-12-01 12:50:36 +01:00
github-actions[bot]
a6e7cce606
Merge PR #4533 from @nasbench - Promote experimental rules
chore: promote older rules status from `experimental` to `test`
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2023-11-02 10:48:45 +01:00
Wagga
8bf3282194
Merge PR #4524 from @wagga40 - Fix Typos In Metadata Fields
update: Registry Persistence via Service in Safe Mode - Fix typo in title
chore: Fix multiple typos in metadata fields and comments
---------
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
2023-10-28 13:15:09 +02:00
gs3cl
7071370989
Merge PR #4508 from @gs3cl - Update Hacktool and Network Scanner Linux Rules
update: Linux HackTool Execution - Increase coverage by adding more tools
update: Linux Network Service Scanning Tools Execution - Increase coverage by adding more tools
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
2023-10-28 12:40:22 +02:00
Nasreddine Bencherchali
95793d73bd
Merge PR #4482 From @nasbench - Add New Automation Workflows
chore: update workflows and add quality of life updates and automation to the repository
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2023-10-18 11:53:44 +02:00
frack113
020fc8061f
Merge PR #4479 From @frack113 - Upgrade Rules Status
chore: Upgrade status level from `experimental` to `test` for rules that have not changed in 300 days
---------
Signed-off-by: frack113 <62423083+frack113@users.noreply.github.com>
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2023-10-17 14:35:26 +02:00
kidrek
e738fff0a3
Merge PR #4425 from @kidrek - ESXi Syslog Configuration Change Via ESXCLI
new: ESXi Syslog Configuration Change Via ESXCLI
---------
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2023-09-07 15:49:06 +02:00
kidrek
b177b1e46b
Merge PR #4424 from @kidrek - Account Creation Via ESXCLI
new: ESXi Account Creation Via ESXCLI
---------
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2023-09-06 11:43:21 +02:00
kidrek
359292e572
Merge PR #4396 from @kidrek - Add New Rules Related To ESXCLI Usage
new: ESXi Network Configuration Discovery Via ESXCLI
new: ESXi Admin Permission Assigned To Account Via ESXCLI
new: ESXi Storage Information Discovery Via ESXCLI
new: ESXi System Information Discovery Via ESXCLI
new: ESXi VM List Discovery Via ESXCLI
new: ESXi VM Kill Via ESXCLI
new: ESXi VSAN Information Discovery Via ESXCLI
---------
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2023-09-06 11:42:23 +02:00
Tessa Georgen
60b8e9b70f
Merge PR #4392 from @tjgeorgen - Update MITRE Tags
- update: update MITRE tags for multiple rules
---------
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
2023-08-28 16:53:27 +02:00
SethHanford
df4fa62bca
Merge PR #4380 from @SethHanford - Lnx container discovery
new: Container Residence Discovery Via Proc Virtual FS
new: Docker Container Discovery Via Dockerenv Listing
new: Potential Container Discovery Via Inodes Listing
---------
Co-authored-by: Seth Hanford <shanford@seth-mba.local>
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2023-08-24 13:04:25 +02:00
Nasreddine Bencherchali
1e0fb02ef7
Update proc_creation_lnx_ssm_agent_abuse.yml
2023-08-04 00:09:48 +02:00
z00t
d854c66616
Title has been updated to avoid duplication.
2023-08-03 19:38:29 +05:00
z00t
5c0f48ae55
New rule created for Linux OS.
2023-08-03 18:35:12 +05:00
Nasreddine Bencherchali
44e0625360
fix: update rules for tests
2023-06-19 09:24:18 +02:00
Nasreddine Bencherchali
22628faaf0
feat: add rules related to Barracuda ESG exploitation
2023-06-18 22:14:57 +02:00
jstnk9
04cf7e9ea3
feat: new linux rules related to GobRAT malware (#4272)
2023-06-02 15:49:43 +02:00
dan21san
331a65103f
feat: add new rule related to linux sensitive file tampering (#4263)
2023-05-30 16:23:19 +02:00
kidrek
239afc945d
fix: update curl rules flags to use regex (#4213)
2023-05-03 10:16:01 +02:00
dan21san
4b8f70fb97
feat: add new rules related to linux reverse shells (#4166)
2023-04-25 11:03:11 +02:00
tareq-alkhatib
999cd5763a
chore: split selection clause into two (#4160)
2023-04-05 05:04:54 +02:00
tuan
a035aa0385
feat: new rule related to process termination using kill (#4112)
2023-03-20 22:04:26 +01:00
tuan
2a1124e95e
feat: new rules Linux Package Uninstall (#4098)
2023-03-13 00:04:53 +01:00
Nasreddine Bencherchali
e3503d5d60
feat: more updates
2023-03-06 00:39:26 +01:00
Wagga
273fdb9985
fix: typos in multiple rules (#4011)
2023-02-06 13:53:23 +01:00
Nasreddine Bencherchali
7c38a5c496
chore: add nextron authors tag
2023-02-01 11:14:59 +01:00
frack113
66700a69e2
Merge pull request #3994 from ionsor/patch-8
Update proc_creation_lnx_hack_tools.yml
2023-01-31 17:45:11 +01:00
Nasreddine Bencherchali
2684f0f63c
fix: remove unnecessary entry
2023-01-31 17:21:42 +01:00
Nasreddine Bencherchali
412efdad03
fix: update selection
2023-01-31 17:15:49 +01:00
Nasreddine Bencherchali
164ee358c3
fix: update modified date
2023-01-31 17:12:20 +01:00
Nasreddine Bencherchali
6a337151d1
feat: apply suggestions from code review
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2023-01-31 17:11:18 +01:00
Feathers
8f6242c35f
Update proc_creation_lnx_hack_tools.yml
Added Linpeas, a privilege escalation script, to the list of hacking tools
2023-01-31 17:01:17 +01:00