security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[Tuning & New Rule] Linux Reverse Shell & DR Tuning (#3254)

Browse Source 
* [Rule Tuning & New Rule] Linux Reverse Shell

* [Tuning & New Rule] Linux Reverse Shells

* Name change

* Update rules/linux/execution_shell_via_child_tcp_utility_linux.toml

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>

* Update execution_shell_via_child_tcp_utility_linux.toml

* Update execution_shell_via_background_process.toml

---------

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>

(cherry picked from commit 84824c67fd)
This commit is contained in:
Ruben Groenewoud
2023-12-18 09:36:21 +01:00
committed by github-actions[bot]
parent 7e07c12fd8
commit ee5fa810aa
9 changed files with 185 additions and 43 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/linux/execution_shell_via_meterpreter_linux.toml
+6 -1
View File
@@ -60,7 +60,12 @@ However, if more advanced configuration is required to detect specific behavior,
"""
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution"]
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Execution"
]
timestamp_override = "event.ingested"
type = "eql"
query = '''