security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[Rule Tuning] Potential Linux Tunneling and/or Port Forwarding (#4858)

Browse Source
This commit is contained in:
Ruben Groenewoud
2025-07-03 09:50:30 +02:00
committed by GitHub
parent 3efcd70f8c
commit 26e35fd03b
1 changed files with 2 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/linux/command_and_control_linux_tunneling_and_port_forwarding.toml
+2 -2
View File
@@ -2,7 +2,7 @@
creation_date = "2023/08/23"
integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2025/03/20"
updated_date = "2025/06/30"
[transform]
[[transform.osquery]]
@@ -163,7 +163,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action
// gost & pivotnacci - spawned without process.parent.name
(process.name == "gost" and process.args : ("-L*", "-C*", "-R*")) or (process.name == "pivotnacci")) or (
// ssh
(process.name in ("ssh", "sshd") and (process.args in ("-R", "-L", "-D", "-w") and process.args_count >= 4 and
(process.name == "ssh" and (process.args in ("-R", "-L", "-D", "-w") and process.args_count >= 4 and
not process.args : "chmod")) or
// sshuttle
(process.name == "sshuttle" and process.args in ("-r", "--remote", "-l", "--listen") and process.args_count >= 4) or