Linux binary(s) ftp shell evasion threat (#2007)

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>

(cherry picked from commit 98a85ddcee)
shashank-elastic
2022-06-01 22:07:52 +05:30
committed by github-actions[bot]
parent 29cf0c8f77
commit 821e04aaf8
@@ -91,6 +91,7 @@ references = [
"https://gtfobins.github.io/gtfobins/capsh/",
"https://gtfobins.github.io/gtfobins/byebug/",
"https://gtfobins.github.io/gtfobins/git/",
"https://gtfobins.github.io/gtfobins/ftp/"
]
risk_score = 47
rule_id = "52376a86-ee86-4967-97ae-1a05f55816f0"
@@ -107,7 +108,7 @@ process where event.type == "start" and
/* launching shells from unusual parents or parent+arg combos */
(process.name in ("bash", "sh", "dash","ash") and
(process.parent.name in ("byebug","git")) or
(process.parent.name in ("byebug","git","ftp")) or
/* shells specified in parent args */
/* nice rule is broken in 8.2 */