security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[Tuning] Executable Bit Set for Potential Persistence Script (#3929)

Browse Source
This commit is contained in:
Ruben Groenewoud
2024-08-02 21:13:19 +02:00
committed by GitHub
parent ff3f66cacf
commit 93d928625d
1 changed files with 3 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/linux/persistence_potential_persistence_script_executable_bit_set.toml
+3 -3
View File
@@ -2,7 +2,7 @@
creation_date = "2024/06/03"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/06/21"
updated_date = "2024/07/30"
[rule]
author = ["Elastic"]
@@ -64,8 +64,8 @@ query = '''
process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and
process.args : (
// Misc.
"/etc/rc.local", "/etc/rc.common", "/etc/init.d/*", "/etc/update-motd.d/*", "/etc/apt/apt.conf.d/*", "/etc/cron*",
"/etc/init/*",
"/etc/rc.local", "/etc/rc.common", "/etc/rc.d/rc.local", "/etc/init.d/*", "/etc/update-motd.d/*",
"/etc/apt/apt.conf.d/*", "/etc/cron*", "/etc/init/*",
// XDG
"/etc/xdg/autostart/*", "/home/*/.config/autostart/*", "/root/.config/autostart/*",