[Rule Tuning] Update Rule Content Changes from Security Docs Team (#1945)
* updated content to reflect changes from Security Docs team * Update rules/linux/execution_flock_binary.toml * Update rules/linux/execution_expect_binary.toml * TOML linting * added escape for crdential_access_spn_attribute_modified.toml
This commit is contained in:
Terrance DeJesus
@@ -1,15 +1,15 @@
|
||||
[metadata]
|
||||
creation_date = "2022/02/24"
|
||||
maturity = "production"
|
||||
updated_date = "2022/03/28"
|
||||
updated_date = "2022/04/29"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
description = """
|
||||
Identifies Linux binary env abuse to break out from restricted environments by spawning an interactive system shell.The
|
||||
env utility is a shell command for Unix like OS which is used to print a list of environment variables and the activity
|
||||
of spawning shell is not a standard use of this binary for a user or system administrator. It indicates a potentially
|
||||
malicious actor attempting to improve the capabilities or stability of their access
|
||||
Identifies Linux binary env abuse to break out from restricted environments by spawning an interactive system shell. The
|
||||
env utility is a shell command for Unix-like operating systems and is used to print a list of environment variables. The
|
||||
activity of spawning a shell is not a standard use of this binary for a user or system administrator. It indicates a
|
||||
potentially malicious actor attempting to improve the capabilities or stability of their access.
|
||||
"""
|
||||
from = "now-9m"
|
||||
index = ["logs-endpoint.events.*"]
|
||||
|
||||
Reference in New Issue
Block a user