security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[Rule Tuning] Linux DR Tuning - Part 5 (#4422)

Browse Source 
* [Rule Tuning] Linux DR Tuning - Part 5

* Update rules/linux/persistence_xdg_autostart_netcon.toml
This commit is contained in:
Ruben Groenewoud
2025-02-03 13:53:53 +01:00
committed by GitHub
parent 53b9b53467
commit 6b84542093
16 changed files with 53 additions and 35 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/linux/persistence_potential_persistence_script_executable_bit_set.toml
+5 -2
View File
@@ -4,7 +4,7 @@ integration = ["endpoint", "sentinel_one_cloud_funnel"]
maturity = "production"
min_stack_version = "8.13.0"
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
updated_date = "2025/01/22"
updated_date = "2025/01/24"
[rule]
author = ["Elastic"]
@@ -85,7 +85,10 @@ process.args : (
) and (
(process.name == "chmod" and process.args : ("+x*", "1*", "3*", "5*", "7*")) or
(process.name == "install" and process.args : "-m*" and process.args : ("7*", "5*", "3*", "1*"))
) and not process.parent.executable : "/var/lib/dpkg/*"
) and not (
process.parent.executable : "/var/lib/dpkg/*" or
process.command_line in ("chmod 777 /etc/update-motd.d/", "chmod 755 /etc/update-motd.d/")
)
'''
note = """## Triage and analysis