security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[Rule Tuning] Linux DR Tuning - 7 (#5504)

Browse Source 
* [Rule Tuning] Linux DR Tuning - 7

* Update execution_egress_connection_from_entrypoint_in_container.toml

* Update execution_kubernetes_direct_api_request_via_curl_or_wget.toml

* Update rules/linux/execution_perl_tty_shell.toml

* Update execution_perl_tty_shell.toml

* Update rules/linux/execution_unix_socket_communication.toml

* Update execution_file_made_executable_via_chmod_inside_container.toml

* Remove duplicate Crowdstrike data source entry

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
This commit is contained in:
Ruben Groenewoud
2026-01-08 11:10:46 +01:00
committed by GitHub
parent ccd3f70ee8
commit e1698890a4
41 changed files with 1121 additions and 1017 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/linux/execution_python_tty_shell.toml
+16 -9
View File
@@ -2,7 +2,7 @@
creation_date = "2020/04/15"
integration = ["endpoint", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2025/03/20"
updated_date = "2025/12/18"
[rule]
author = ["Elastic"]
@@ -11,7 +11,11 @@ Identifies when a terminal (tty) is spawned via Python. Attackers may upgrade a
interactive tty after obtaining initial access to a host.
"""
from = "now-9m"
index = ["endgame-*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"]
index = [
"endgame-*",
"logs-endpoint.events.process*",
"logs-sentinel_one_cloud_funnel.*"
]
language = "eql"
license = "Elastic License v2"
name = "Interactive Terminal Spawned via Python"
@@ -89,33 +93,36 @@ tags = [
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "start") and
(
(process.parent.name : "python*" and process.name in ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh",
"fish") and process.parent.args_count >= 3 and process.parent.args : "*pty.spawn*" and process.parent.args : "-c") or
(process.parent.name : "python*" and process.name in ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh",
"fish") and process.args : "*sh" and process.args_count == 1 and process.parent.args_count == 1)
(process.parent.name : "python*" and process.name in ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and
process.args in (
"sh", "dash", "bash", "zsh",
"/bin/sh", "/bin/dash", "/bin/bash", "/bin/zsh",
"/usr/bin/sh", "/usr/bin/dash", "/usr/bin/bash", "/usr/bin/zsh",
"/usr/local/bin/sh", "/usr/local/bin/dash", "/usr/local/bin/bash", "/usr/local/bin/zsh"
) and process.args_count == 1 and process.parent.args_count == 1
)
)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[[rule.threat.technique.subtechnique]]
id = "T1059.006"
name = "Python"
reference = "https://attack.mitre.org/techniques/T1059/006/"
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"