security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
48baf1187b4e7bccedad171cbf0b07da65cdf10c
blue-team-tools/rules/linux/process_creation
T
History
frack113 48baf1187b Merge PR #4752 from @frack113 - Update rules to use the windash modifier 
update: File Enumeration Via Dir Command - Update logic to use a wildcard in addition, for better accuracy.
chore: update multiple rules to use the windash modifier 

---------

Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-03-11 12:01:30 +01:00
..
proc_creation_lnx_at_command.yml
Order yaml field
2022-10-25 08:53:44 +02:00
proc_creation_lnx_base64_decode.yml
feat: add new linux rules
2022-12-29 11:17:42 +01:00
proc_creation_lnx_base64_execution.yml
Merge PR #4482 From @nasbench - Add New Automation Workflows
2023-10-18 11:53:44 +02:00
proc_creation_lnx_base64_shebang_cli.yml
Merge PR #4482 From @nasbench - Add New Automation Workflows
2023-10-18 11:53:44 +02:00
proc_creation_lnx_bash_interactive_shell.yml
Merge PR #4700 from @nasbench - Promote older rules status from experimental to test
2024-02-01 02:09:31 +01:00
proc_creation_lnx_bpf_kprob_tracing_enabled.yml
Merge PR #4611 from @nasbench - Promote Older Rules Status From experimental To test
2023-12-01 12:50:36 +01:00
proc_creation_lnx_bpftrace_unsafe_option_usage.yml
change status to test
2023-01-27 06:48:34 +01:00
proc_creation_lnx_capa_discovery.yml
Merge PR #4752 from @frack113 - Update rules to use the windash modifier
2024-03-11 12:01:30 +01:00
proc_creation_lnx_cat_sudoers.yml
chore: add nextron authors tag
2023-02-01 11:14:59 +01:00
proc_creation_lnx_chattr_immutable_removal.yml
Merge PR #4479 From @frack113 - Upgrade Rules Status
2023-10-17 14:35:26 +02:00
proc_creation_lnx_clear_logs.yml
Order yaml field
2022-10-25 08:53:44 +02:00
proc_creation_lnx_clear_syslog.yml
Merge PR #4479 From @frack113 - Upgrade Rules Status
2023-10-17 14:35:26 +02:00
proc_creation_lnx_clipboard_collection.yml
Merge PR #4479 From @frack113 - Upgrade Rules Status
2023-10-17 14:35:26 +02:00
proc_creation_lnx_cp_passwd_or_shadow_tmp.yml
Merge PR #4611 from @nasbench - Promote Older Rules Status From experimental To test
2023-12-01 12:50:36 +01:00
proc_creation_lnx_crontab_enumeration.yml
feat: new linux rules related to GobRAT malware (#4272)
2023-06-02 15:49:43 +02:00
proc_creation_lnx_crontab_removal.yml
Merge PR #4479 From @frack113 - Upgrade Rules Status
2023-10-17 14:35:26 +02:00
proc_creation_lnx_crypto_mining.yml
Merge PR #4392 from @tjgeorgen - Update MITRE Tags
2023-08-28 16:53:27 +02:00
proc_creation_lnx_curl_usage.yml
Merge PR #4479 From @frack113 - Upgrade Rules Status
2023-10-17 14:35:26 +02:00
proc_creation_lnx_cve_2022_26134_atlassian_confluence.yml
Merge PR #4479 From @frack113 - Upgrade Rules Status
2023-10-17 14:35:26 +02:00
proc_creation_lnx_cve_2022_33891_spark_shell_command_injection.yml
Merge PR #4479 From @frack113 - Upgrade Rules Status
2023-10-17 14:35:26 +02:00
proc_creation_lnx_dd_file_overwrite.yml
Merge PR #4479 From @frack113 - Upgrade Rules Status
2023-10-17 14:35:26 +02:00
proc_creation_lnx_dd_process_injection.yml
Merge PR #4592 from @skaynum - Create Rule to detect Linux Process Code Injection
2023-12-01 19:29:03 +01:00
proc_creation_lnx_disable_ufw.yml
Merge PR #4611 from @nasbench - Promote Older Rules Status From experimental To test
2023-12-01 12:50:36 +01:00
proc_creation_lnx_doas_execution.yml
Linux rules update
2022-09-16 09:22:57 +02:00
proc_creation_lnx_esxcli_network_discovery.yml
Merge PR #4396 from @kidrek - Add New Rules Related To ESXCLI Usage
2023-09-06 11:42:23 +02:00
proc_creation_lnx_esxcli_permission_change_admin.yml
Merge PR #4396 from @kidrek - Add New Rules Related To ESXCLI Usage
2023-09-06 11:42:23 +02:00
proc_creation_lnx_esxcli_storage_discovery.yml
Merge PR #4396 from @kidrek - Add New Rules Related To ESXCLI Usage
2023-09-06 11:42:23 +02:00
proc_creation_lnx_esxcli_syslog_config_change.yml
Merge PR #4425 from @kidrek - ESXi Syslog Configuration Change Via ESXCLI
2023-09-07 15:49:06 +02:00
proc_creation_lnx_esxcli_system_discovery.yml
Merge PR #4396 from @kidrek - Add New Rules Related To ESXCLI Usage
2023-09-06 11:42:23 +02:00
proc_creation_lnx_esxcli_user_account_creation.yml
Merge PR #4424 from @kidrek - Account Creation Via ESXCLI
2023-09-06 11:43:21 +02:00
proc_creation_lnx_esxcli_vm_discovery.yml
Merge PR #4396 from @kidrek - Add New Rules Related To ESXCLI Usage
2023-09-06 11:42:23 +02:00
proc_creation_lnx_esxcli_vm_kill.yml
Merge PR #4396 from @kidrek - Add New Rules Related To ESXCLI Usage
2023-09-06 11:42:23 +02:00
proc_creation_lnx_esxcli_vsan_discovery.yml
Merge PR #4396 from @kidrek - Add New Rules Related To ESXCLI Usage
2023-09-06 11:42:23 +02:00
proc_creation_lnx_file_and_directory_discovery.yml
Title modified in several rules (#3728)
2022-11-25 15:34:38 +01:00
proc_creation_lnx_file_deletion.yml
Order yaml field
2022-10-25 08:53:44 +02:00
proc_creation_lnx_grep_os_arch_discovery.yml
feat: new linux rules related to GobRAT malware (#4272)
2023-06-02 15:49:43 +02:00
proc_creation_lnx_groupdel.yml
Merge PR #4533 from @nasbench - Promote experimental rules
2023-11-02 10:48:45 +01:00
proc_creation_lnx_gtfobin_apt.yml
Merge PR #4533 from @nasbench - Promote experimental rules
2023-11-02 10:48:45 +01:00
proc_creation_lnx_gtfobin_vim.yml
Merge PR #4533 from @nasbench - Promote experimental rules
2023-11-02 10:48:45 +01:00
proc_creation_lnx_install_root_certificate.yml
Order yaml field
2022-10-25 08:53:44 +02:00
proc_creation_lnx_install_suspicioua_packages.yml
Merge PR #4533 from @nasbench - Promote experimental rules
2023-11-02 10:48:45 +01:00
proc_creation_lnx_iptables_flush_ufw.yml
Merge PR #4611 from @nasbench - Promote Older Rules Status From experimental To test
2023-12-01 12:50:36 +01:00
proc_creation_lnx_kill_process.yml
Merge PR #4700 from @nasbench - Promote older rules status from experimental to test
2024-02-01 02:09:31 +01:00
proc_creation_lnx_local_account.yml
Update Title (#3733)
2022-11-28 06:43:17 +01:00
proc_creation_lnx_local_groups.yml
Update Title (#3733)
2022-11-28 06:43:17 +01:00
proc_creation_lnx_malware_gobrat_grep_payload_discovery.yml
feat: new linux rules related to GobRAT malware (#4272)
2023-06-02 15:49:43 +02:00
proc_creation_lnx_mkfifo_named_pipe_creation_susp_location.yml
fix: update rules for tests
2023-06-19 09:24:18 +02:00
proc_creation_lnx_mkfifo_named_pipe_creation.yml
feat: add rules related to Barracuda ESG exploitation
2023-06-18 22:14:57 +02:00
proc_creation_lnx_mount_hidepid.yml
Merge PR #4611 from @nasbench - Promote Older Rules Status From experimental To test
2023-12-01 12:50:36 +01:00
proc_creation_lnx_netcat_reverse_shell.yml
Merge PR #4700 from @nasbench - Promote older rules status from experimental to test
2024-02-01 02:09:31 +01:00
proc_creation_lnx_nohup_susp_execution.yml
feat: new linux rules related to GobRAT malware (#4272)
2023-06-02 15:49:43 +02:00
proc_creation_lnx_nohup.yml
Merge PR #4479 From @frack113 - Upgrade Rules Status
2023-10-17 14:35:26 +02:00
proc_creation_lnx_omigod_scx_runasprovider_executescript.yml
Merge PR #4479 From @frack113 - Upgrade Rules Status
2023-10-17 14:35:26 +02:00
proc_creation_lnx_omigod_scx_runasprovider_executeshellcommand.yml
Merge PR #4479 From @frack113 - Upgrade Rules Status
2023-10-17 14:35:26 +02:00
proc_creation_lnx_perl_reverse_shell.yml
Merge PR #4700 from @nasbench - Promote older rules status from experimental to test
2024-02-01 02:09:31 +01:00
proc_creation_lnx_php_reverse_shell.yml
Merge PR #4700 from @nasbench - Promote older rules status from experimental to test
2024-02-01 02:09:31 +01:00
proc_creation_lnx_process_discovery.yml
Order yaml field
2022-10-25 08:53:44 +02:00
proc_creation_lnx_proxy_connection.yml
Order yaml field
2022-10-25 08:53:44 +02:00
proc_creation_lnx_python_pty_spawn.yml
Merge PR #4482 From @nasbench - Add New Automation Workflows
2023-10-18 11:53:44 +02:00
proc_creation_lnx_python_reverse_shell.yml
Merge PR #4745 from @nasbench - Promote older rules status from experimental to test
2024-03-01 15:38:35 +01:00
proc_creation_lnx_remote_system_discovery.yml
Merge PR #4482 From @nasbench - Add New Automation Workflows
2023-10-18 11:53:44 +02:00
proc_creation_lnx_remove_package.yml
Merge PR #4700 from @nasbench - Promote older rules status from experimental to test
2024-02-01 02:09:31 +01:00
proc_creation_lnx_ruby_reverse_shell.yml
Merge PR #4700 from @nasbench - Promote older rules status from experimental to test
2024-02-01 02:09:31 +01:00
proc_creation_lnx_schedule_task_job_cron.yml
Update Title (#3733)
2022-11-28 06:43:17 +01:00
proc_creation_lnx_security_software_discovery.yml
Update Title (#3733)
2022-11-28 06:43:17 +01:00
proc_creation_lnx_security_tools_disabling.yml
old experimental rule promotion
2022-10-09 16:54:04 +02:00
proc_creation_lnx_services_stop_and_disable.yml
Merge PR #4479 From @frack113 - Upgrade Rules Status
2023-10-17 14:35:26 +02:00
proc_creation_lnx_setgid_setuid.yml
Remove mitre url
2023-01-10 18:09:04 +01:00
proc_creation_lnx_ssm_agent_abuse.yml
Merge PR #4524 from @wagga40 - Fix Typos In Metadata Fields
2023-10-28 13:15:09 +02:00
proc_creation_lnx_sudo_cve_2019_14287.yml
Merge PR #4479 From @frack113 - Upgrade Rules Status
2023-10-17 14:35:26 +02:00
proc_creation_lnx_susp_chmod_directories.yml
Merge PR #4479 From @frack113 - Upgrade Rules Status
2023-10-17 14:35:26 +02:00
proc_creation_lnx_susp_container_residence_discovery.yml
Merge PR #4524 from @wagga40 - Fix Typos In Metadata Fields
2023-10-28 13:15:09 +02:00
proc_creation_lnx_susp_curl_fileupload.yml
Merge PR #4745 from @nasbench - Promote older rules status from experimental to test
2024-03-01 15:38:35 +01:00
proc_creation_lnx_susp_curl_useragent.yml
Merge PR #4479 From @frack113 - Upgrade Rules Status
2023-10-17 14:35:26 +02:00
proc_creation_lnx_susp_dockerenv_recon.yml
Merge PR #4380 from @SethHanford - Lnx container discovery
2023-08-24 13:04:25 +02:00
proc_creation_lnx_susp_execution_tmp_folder.yml
Merge PR #4392 from @tjgeorgen - Update MITRE Tags
2023-08-28 16:53:27 +02:00
proc_creation_lnx_susp_find_execution.yml
Merge PR #4533 from @nasbench - Promote experimental rules
2023-11-02 10:48:45 +01:00
proc_creation_lnx_susp_git_clone.yml
Merge PR #4533 from @nasbench - Promote experimental rules
2023-11-02 10:48:45 +01:00
proc_creation_lnx_susp_history_delete.yml
Merge PR #4482 From @nasbench - Add New Automation Workflows
2023-10-18 11:53:44 +02:00
proc_creation_lnx_susp_history_recon.yml
Merge PR #4482 From @nasbench - Add New Automation Workflows
2023-10-18 11:53:44 +02:00
proc_creation_lnx_susp_hktl_execution.yml
Merge PR #4508 from @gs3cl - Update Hacktool and Network Scanner Linux Rules
2023-10-28 12:40:22 +02:00
proc_creation_lnx_susp_inod_listing.yml
Merge PR #4524 from @wagga40 - Fix Typos In Metadata Fields
2023-10-28 13:15:09 +02:00
proc_creation_lnx_susp_interactive_bash.yml
Merge PR #4392 from @tjgeorgen - Update MITRE Tags
2023-08-28 16:53:27 +02:00
proc_creation_lnx_susp_java_children.yml
Merge PR #4479 From @frack113 - Upgrade Rules Status
2023-10-17 14:35:26 +02:00
proc_creation_lnx_susp_network_utilities_execution.yml
Merge PR #4508 from @gs3cl - Update Hacktool and Network Scanner Linux Rules
2023-10-28 12:40:22 +02:00
proc_creation_lnx_susp_pipe_shell.yml
Merge PR #4482 From @nasbench - Add New Automation Workflows
2023-10-18 11:53:44 +02:00
proc_creation_lnx_susp_recon_indicators.yml
Merge PR #4479 From @frack113 - Upgrade Rules Status
2023-10-17 14:35:26 +02:00
proc_creation_lnx_susp_sensitive_file_access.yml
feat: add new rule related to linux sensitive file tampering (#4263)
2023-05-30 16:23:19 +02:00
proc_creation_lnx_susp_shell_child_process_from_parent_tmp_folder.yml
feat: new linux rules related to GobRAT malware (#4272)
2023-06-02 15:49:43 +02:00
proc_creation_lnx_susp_shell_script_exec_from_susp_location.yml
feat: new linux rules related to GobRAT malware (#4272)
2023-06-02 15:49:43 +02:00
proc_creation_lnx_system_info_discovery.yml
Order yaml field
2022-10-25 08:53:44 +02:00
proc_creation_lnx_system_network_connections_discovery.yml
feat: update windows firewall rules
2023-01-17 19:01:37 +01:00
proc_creation_lnx_system_network_discovery.yml
chore: split selection clause into two (#4160)
2023-04-05 05:04:54 +02:00
proc_creation_lnx_touch_susp.yml
Merge PR #4611 from @nasbench - Promote Older Rules Status From experimental To test
2023-12-01 12:50:36 +01:00
proc_creation_lnx_triple_cross_rootkit_execve_hijack.yml
Merge PR #4479 From @frack113 - Upgrade Rules Status
2023-10-17 14:35:26 +02:00
proc_creation_lnx_triple_cross_rootkit_install.yml
Merge PR #4479 From @frack113 - Upgrade Rules Status
2023-10-17 14:35:26 +02:00
proc_creation_lnx_userdel.yml
Merge PR #4533 from @nasbench - Promote experimental rules
2023-11-02 10:48:45 +01:00
proc_creation_lnx_usermod_susp_group.yml
Merge PR #4479 From @frack113 - Upgrade Rules Status
2023-10-17 14:35:26 +02:00
proc_creation_lnx_webshell_detection.yml
Merge PR #4533 from @nasbench - Promote experimental rules
2023-11-02 10:48:45 +01:00
proc_creation_lnx_wget_download_suspicious_directory.yml
feat: new linux rules related to GobRAT malware (#4272)
2023-06-02 15:49:43 +02:00
proc_creation_lnx_xterm_reverse_shell.yml
Merge PR #4745 from @nasbench - Promote older rules status from experimental to test
2024-03-01 15:38:35 +01:00