[Rule Tuning] Telnet Authentication Bypass Rule Tuning (#5771)

* Add xinetd in process names
Eric Forte
2026-02-25 15:43:18 -05:00
committed by GitHub
parent b2f76bd2c9
commit 4201fe6f8a
2 changed files with 4 additions and 4 deletions
@@ -2,7 +2,7 @@
creation_date = "2026/01/26"
integration = ["auditd_manager"]
maturity = "production"
updated_date = "2026/01/26"
updated_date = "2026/02/24"
[rule]
author = ["Elastic"]
@@ -86,7 +86,7 @@ type = "eql"
query = '''
sequence by host.id with maxspan=1s
[process where host.os.type == "linux" and event.type == "start" and event.action in ("process_started", "executed") and process.name == "telnetd"] by process.pid
[process where host.os.type == "linux" and event.type == "start" and event.action in ("process_started", "executed") and process.name in ("telnetd", "xinetd")] by process.pid
[process where host.os.type == "linux" and event.type == "start" and event.action in ("process_started", "executed") and process.name == "login" and process.args : "-*f*"] by process.parent.pid
'''
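Review bot: Adding `xinetd` on the new `process.name in ("telnetd", "xinetd")` line of the first sequence step is likely to give little coverage in this auditd variant, because the second step must see the `login` start within `maxspan=1s` of the xinetd start event and xinetd is normally a long-lived super-server started at boot rather than per connection, whereas telnetd is typically spawned per session. Unless the auditd_manager data shows a per-connection xinetd start, the xinetd branch of the sequence will rarely fire, and the endpoint variant of this rule, which matches on `process.parent.name`, is where the xinetd case is actually caught. It would help to record that assumption next to the query, for example `# xinetd added for parity with the endpoint rule; in auditd data the 1 s maxspan only covers per-connection spawns`, or to confirm with a test event that a `login -f` spawned by an already-running xinetd is matched.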
@@ -2,7 +2,7 @@
creation_date = "2026/01/24"
integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2026/01/24"
updated_date = "2026/02/24"
[rule]
author = ["Elastic"]
@@ -95,7 +95,7 @@ type = "eql"
query = '''
process where host.os.type == "linux" and event.type == "start" and
event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed") and
process.name == "login" and process.parent.name == "telnetd" and process.args : "-*f*"
process.name == "login" and process.parent.name in ("telnetd", "xinetd") and process.args : "-*f*"
'''
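Review bot: With `process.parent.name in ("telnetd", "xinetd")` on the new line, the rule now fires for a `login -f` spawned directly by xinetd, which covers any xinetd-dispatched service rather than telnet alone, so the rule name and description (outside this hunk) should state that the xinetd case is included, otherwise the "Telnet" title will be misleading during triage. The retained `process.args : "-*f*"` wildcard also matches any argument that begins with `-` and contains an `f` anywhere, which is broader than the `-f` flag the rule targets; presumably this is intended to catch combined short flags, and a one-line comment above `query` saying so, such as `# "-*f*" is deliberately loose to match combined flags like -pf`, would spare the next reader from tightening it by mistake.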