security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[Rule Tuning] At Job Created or Modified (#5378)

Browse Source
This commit is contained in:
Ruben Groenewoud
2025-12-02 09:55:41 +01:00
committed by GitHub
parent e8ecba7d00
commit a6569a824f
1 changed files with 4 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/linux/persistence_at_job_creation.toml
+4 -4
View File
@@ -2,7 +2,7 @@
creation_date = "2024/05/31"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/01/15"
updated_date = "2025/12/01"
[rule]
author = ["Elastic"]
@@ -58,10 +58,10 @@ tags = [
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
file where host.os.type == "linux" and
event.action in ("rename", "creation") and file.path : "/var/spool/cron/atjobs/*" and not (
file where host.os.type == "linux" and event.action in ("rename", "creation") and
file.path like ("/var/spool/cron/atjobs/*", "/var/spool/atjobs/*") and
not (
process.executable in (
"/bin/dpkg", "/usr/bin/dpkg", "/bin/dockerd", "/usr/bin/dockerd", "/usr/sbin/dockerd", "/bin/microdnf",
"/usr/bin/microdnf", "/bin/rpm", "/usr/bin/rpm", "/bin/snapd", "/usr/bin/snapd", "/bin/yum", "/usr/bin/yum",