security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[Rule Tuning] Update Rule Content Changes from Security Docs Team (#1945)

Browse Source 
* updated content to reflect changes from Security Docs team

* Update rules/linux/execution_flock_binary.toml

* Update rules/linux/execution_expect_binary.toml

* TOML linting

* added escape for crdential_access_spn_attribute_modified.toml

(cherry picked from commit e9f5585a9f)
This commit is contained in:
Terrance DeJesus
2022-05-06 13:21:12 -04:00
committed by github-actions[bot]
parent 4b92b42b45
commit 5769a21867
14 changed files with 88 additions and 85 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/linux/execution_mysql_binary.toml
+5 -5
View File
@@ -1,15 +1,15 @@
[metadata]
creation_date = "2022/03/09"
maturity = "production"
updated_date = "2022/03/31"
updated_date = "2022/04/29"
[rule]
author = ["Elastic"]
description = """
Identifies MySQL server abuse to break out from restricted environments by spawning an interactive system shell.The
MySQL is an open source relational database management system and the activity of spawning shell is not a standard use
of this binary for a user or system administrator.It indicates a potentially malicious actor attempting to improve the
capabilities or stability of their access.
Identifies MySQL server abuse to break out from restricted environments by spawning an interactive system shell. The
MySQL server is an open source relational database management system. The activity of spawning shell is not a standard
use of this binary for a user or system administrator. It indicates a potentially malicious actor attempting to improve
the capabilities or stability of their access.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]