security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
b724a7f59d2da573e29953c8331ed9ff38b3a671
blue-team-tools/rules/linux/process_creation
T
History
Murphy0801 3e2f8d5aba Merge PR #4975 from @Murphy0801 - Add new rules related to GTFOBins 
new: Capsh Shell Invocation - Linux
new: Inline Python Execution - Spawn Shell Via OS System Library
new: Shell Execution GCC - Linux
new: Shell Execution via Find - Linux
new: Shell Execution via Flock - Linux
new: Shell Execution via Git - Linux
new: Shell Execution via Nice - Linux
new: Shell Execution via Rsync - Linux
new: Shell Invocation via Env Command - Linux
new: Shell Invocation Via Ssh - Linux
new: Suspicious Invocation of Shell via AWK - Linux 

---------

Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-09-02 13:19:31 +02:00
..
proc_creation_lnx_apt_shell_execution.yml
Merge PR #4975 from @Murphy0801 - Add new rules related to GTFOBins
2024-09-02 13:19:31 +02:00
proc_creation_lnx_at_command.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_lnx_awk_shell_spawn.yml
Merge PR #4975 from @Murphy0801 - Add new rules related to GTFOBins
2024-09-02 13:19:31 +02:00
proc_creation_lnx_base64_decode.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_lnx_base64_execution.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_lnx_base64_shebang_cli.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_lnx_bash_interactive_shell.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_lnx_bpf_kprob_tracing_enabled.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_lnx_bpftrace_unsafe_option_usage.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_lnx_capa_discovery.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_lnx_capsh_shell_invocation.yml
Merge PR #4975 from @Murphy0801 - Add new rules related to GTFOBins
2024-09-02 13:19:31 +02:00
proc_creation_lnx_cat_sudoers.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_lnx_chattr_immutable_removal.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_lnx_clear_logs.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_lnx_clear_syslog.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_lnx_clipboard_collection.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_lnx_cp_passwd_or_shadow_tmp.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_lnx_crontab_enumeration.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_lnx_crontab_removal.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_lnx_crypto_mining.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_lnx_curl_usage.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_lnx_cve_2022_26134_atlassian_confluence.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_lnx_cve_2022_33891_spark_shell_command_injection.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_lnx_dd_file_overwrite.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_lnx_dd_process_injection.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_lnx_disable_ufw.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_lnx_doas_execution.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_lnx_env_shell_invocation.yml
Merge PR #4975 from @Murphy0801 - Add new rules related to GTFOBins
2024-09-02 13:19:31 +02:00
proc_creation_lnx_esxcli_network_discovery.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_lnx_esxcli_permission_change_admin.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_lnx_esxcli_storage_discovery.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_lnx_esxcli_syslog_config_change.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_lnx_esxcli_system_discovery.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_lnx_esxcli_user_account_creation.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_lnx_esxcli_vm_discovery.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_lnx_esxcli_vm_kill.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_lnx_esxcli_vsan_discovery.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_lnx_file_and_directory_discovery.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_lnx_file_deletion.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_lnx_find_shell_execution.yml
Merge PR #4975 from @Murphy0801 - Add new rules related to GTFOBins
2024-09-02 13:19:31 +02:00
proc_creation_lnx_flock_shell_execution.yml
Merge PR #4975 from @Murphy0801 - Add new rules related to GTFOBins
2024-09-02 13:19:31 +02:00
proc_creation_lnx_gcc_shell_execution.yml
Merge PR #4975 from @Murphy0801 - Add new rules related to GTFOBins
2024-09-02 13:19:31 +02:00
proc_creation_lnx_git_shell_execution.yml
Merge PR #4975 from @Murphy0801 - Add new rules related to GTFOBins
2024-09-02 13:19:31 +02:00
proc_creation_lnx_grep_os_arch_discovery.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_lnx_groupdel.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_lnx_install_root_certificate.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_lnx_install_suspicioua_packages.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_lnx_iptables_flush_ufw.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_lnx_kill_process.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_lnx_local_account.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_lnx_local_groups.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_lnx_malware_gobrat_grep_payload_discovery.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_lnx_mkfifo_named_pipe_creation_susp_location.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_lnx_mkfifo_named_pipe_creation.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_lnx_mount_hidepid.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_lnx_netcat_reverse_shell.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_lnx_nice_shell_execution.yml
Merge PR #4975 from @Murphy0801 - Add new rules related to GTFOBins
2024-09-02 13:19:31 +02:00
proc_creation_lnx_nohup_susp_execution.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_lnx_nohup.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_lnx_omigod_scx_runasprovider_executescript.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_lnx_omigod_scx_runasprovider_executeshellcommand.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_lnx_perl_reverse_shell.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_lnx_php_reverse_shell.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_lnx_pnscan_binary_cli_pattern.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_lnx_process_discovery.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_lnx_proxy_connection.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_lnx_python_pty_spawn.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_lnx_python_reverse_shell.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_lnx_python_shell_os_system.yml
Merge PR #4975 from @Murphy0801 - Add new rules related to GTFOBins
2024-09-02 13:19:31 +02:00
proc_creation_lnx_remote_access_tools_teamviewer_incoming_connection.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_lnx_remote_system_discovery.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_lnx_remove_package.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_lnx_rsync_shell_execution.yml
Merge PR #4975 from @Murphy0801 - Add new rules related to GTFOBins
2024-09-02 13:19:31 +02:00
proc_creation_lnx_ruby_reverse_shell.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_lnx_schedule_task_job_cron.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_lnx_security_software_discovery.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_lnx_security_tools_disabling.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_lnx_services_stop_and_disable.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_lnx_setgid_setuid.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_lnx_ssh_shell_execution.yml
Merge PR #4975 from @Murphy0801 - Add new rules related to GTFOBins
2024-09-02 13:19:31 +02:00
proc_creation_lnx_ssm_agent_abuse.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_lnx_sudo_cve_2019_14287.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_lnx_susp_chmod_directories.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_lnx_susp_container_residence_discovery.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_lnx_susp_curl_fileupload.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_lnx_susp_curl_useragent.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_lnx_susp_dockerenv_recon.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_lnx_susp_execution_tmp_folder.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_lnx_susp_find_execution.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_lnx_susp_git_clone.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_lnx_susp_history_delete.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_lnx_susp_history_recon.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_lnx_susp_hktl_execution.yml
Merge PR #4991 from @nasbench - Promote older rules status from experimental to test
2024-09-02 10:01:36 +02:00
proc_creation_lnx_susp_inod_listing.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_lnx_susp_interactive_bash.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_lnx_susp_java_children.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_lnx_susp_network_utilities_execution.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_lnx_susp_pipe_shell.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_lnx_susp_recon_indicators.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_lnx_susp_sensitive_file_access.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_lnx_susp_shell_child_process_from_parent_tmp_folder.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_lnx_susp_shell_script_exec_from_susp_location.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_lnx_system_info_discovery.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_lnx_system_network_connections_discovery.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_lnx_system_network_discovery.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_lnx_touch_susp.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_lnx_triple_cross_rootkit_execve_hijack.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_lnx_triple_cross_rootkit_install.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_lnx_userdel.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_lnx_usermod_susp_group.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_lnx_vim_shell_execution.yml
Merge PR #4975 from @Murphy0801 - Add new rules related to GTFOBins
2024-09-02 13:19:31 +02:00
proc_creation_lnx_webshell_detection.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_lnx_wget_download_suspicious_directory.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
proc_creation_lnx_xterm_reverse_shell.yml
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00