security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[Rule Tuning] Q2 Linux DR Tuning - Part 3 (#4164)

Browse Source 
* [Rule Tuning] Q2 Linux DR Tuning - Part 3

* Update execution_suspicious_executable_running_system_commands.toml
This commit is contained in:
Ruben Groenewoud
2024-10-18 16:18:14 +02:00
committed by GitHub
parent 3982228132
commit 39fc23cb3d
11 changed files with 101 additions and 79 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/linux/execution_cupsd_foomatic_rip_shell_execution.toml
+8 -3
View File
@@ -2,7 +2,7 @@
creation_date = "2024/09/27"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/09/30"
updated_date = "2024/10/17"
[rule]
author = ["Elastic"]
@@ -110,8 +110,13 @@ type = "eql"
query = '''
process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
process.parent.name == "foomatic-rip" and
process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and
not process.command_line like ("*/tmp/foomatic-*", "*-sDEVICE=ps2write*")
process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and not (
process.command_line like (
"*/tmp/foomatic-*", "*-sDEVICE=ps2write*", "*printf*", "/bin/sh -e -c cat", "/bin/bash -c cat",
"/bin/bash -e -c cat"
) or
process.args like "gs*"
)
'''
[[rule.threat]]