security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[Rule Tuning] Enclose Rule Conditions within Parenthesis (#2486)

Browse Source
This commit is contained in:
Jonhnathan
2023-01-31 16:56:19 -03:00
committed by GitHub
parent 99f177a5ae
commit 8e02c60ef6
11 changed files with 43 additions and 26 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/linux/execution_shell_evasion_linux_binary.toml
+3 -2
View File
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/12/20"
updated_date = "2023/01/19"
[rule]
author = ["Elastic"]
@@ -103,7 +103,7 @@ type = "eql"
query = '''
process where event.type == "start" and
(
/* launch shells from unusual process */
(process.name == "capsh" and process.args == "--") or
@@ -137,6 +137,7 @@ process where event.type == "start" and
(process.parent.name == "mysql" and process.parent.args == "-e" and process.parent.args in ("\\!*sh", "\\!*bash", "\\!*dash", "\\!*/bin/sh", "\\!*/bin/bash", "\\!*/bin/dash")) or
(process.parent.name == "ssh" and process.parent.args == "-o" and process.parent.args in ("ProxyCommand=;sh 0<&2 1>&2", "ProxyCommand=;bash 0<&2 1>&2", "ProxyCommand=;dash 0<&2 1>&2", "ProxyCommand=;/bin/sh 0<&2 1>&2", "ProxyCommand=;/bin/bash 0<&2 1>&2", "ProxyCommand=;/bin/dash 0<&2 1>&2")) or
(process.parent.name in ("nawk", "mawk", "awk", "gawk") and process.parent.args : "BEGIN {system(*)}")
)
'''