security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Update defense_evasion_deletion_of_bash_command_line_history.toml (#3614)

Browse Source 
* Update defense_evasion_deletion_of_bash_command_line_history.toml

* Update defense_evasion_deletion_of_bash_command_line_history.toml

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

(cherry picked from commit 1d57e0c779)
This commit is contained in:
Samirbous
2024-07-05 12:58:07 +01:00
committed by github-actions[bot]
parent be5dad8941
commit c9f50a2d5c
1 changed files with 2 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/cross-platform/defense_evasion_deletion_of_bash_command_line_history.toml
+2 -2
View File
@@ -2,7 +2,7 @@
creation_date = "2020/05/04"
integration = ["endpoint", "auditd_manager"]
maturity = "production"
updated_date = "2024/05/21"
updated_date = "2024/07/05"
[rule]
author = ["Elastic"]
@@ -47,7 +47,7 @@ process where event.action in ("exec", "exec_event", "executed", "process_starte
(process.args : "truncate" and process.args : "-s0"))
and process.args : (".bash_history", "/root/.bash_history", "/home/*/.bash_history","/Users/.bash_history", "/Users/*/.bash_history",
".zsh_history", "/root/.zsh_history", "/home/*/.zsh_history", "/Users/.zsh_history", "/Users/*/.zsh_history")) or
(process.name : "history" and process.args : "-c") or
(process.args : "history" and process.args : "-c") or
(process.args : "export" and process.args : ("HISTFILE=/dev/null", "HISTFILESIZE=0")) or
(process.args : "unset" and process.args : "HISTFILE") or
(process.args : "set" and process.args : "history" and process.args : "+o")