Description updation across multiple rules (#1893)
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
This commit is contained in:
shashank-elastic
@@ -1,14 +1,16 @@
|
||||
[metadata]
|
||||
creation_date = "2022/02/24"
|
||||
maturity = "production"
|
||||
updated_date = "2022/03/17"
|
||||
updated_date = "2022/03/28"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
description = """
|
||||
Identifies Linux binary apt/apt-get abuse to breakout out of restricted shells or environments by spawning an
|
||||
interactive system shell. This activity is not standard use with this binary for a user or system administrator. It
|
||||
indicates a potentially malicious actor attempting to improve the capabilities or stability of their access.
|
||||
interactive system shell. The apt utility allows us to manage installation and removal of softwares on Debian based
|
||||
Linux distributions and the activity of spawning shell is not a standard use of this binary for a user or system
|
||||
administrator. It indicates a potentially malicious actor attempting to improve the capabilities or stability of their
|
||||
access.
|
||||
"""
|
||||
from = "now-9m"
|
||||
index = ["logs-endpoint.events.*"]
|
||||
|
||||
@@ -1,13 +1,14 @@
|
||||
[metadata]
|
||||
creation_date = "2022/02/24"
|
||||
maturity = "production"
|
||||
updated_date = "2022/03/17"
|
||||
updated_date = "2022/03/28"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
description = """
|
||||
Identifies Linux binary awk abuse to breakout out of restricted shells or environments by spawning an interactive system
|
||||
shell. This activity is not standard use with this binary for a user or system administrator. It indicates a potentially
|
||||
shell. The awk utility is a text processing language used for data extraction and reporting tools and the activity of
|
||||
spawning shell is not a standard use of this binary for a user or system administrator. It indicates a potentially
|
||||
malicious actor attempting to improve the capabilities or stability of their access.
|
||||
"""
|
||||
from = "now-9m"
|
||||
|
||||
@@ -1,14 +1,15 @@
|
||||
[metadata]
|
||||
creation_date = "2022/02/24"
|
||||
maturity = "production"
|
||||
updated_date = "2022/03/17"
|
||||
updated_date = "2022/03/28"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
description = """
|
||||
Identifies Linux binary env abuse to break out from restricted environments by spawning an interactive system shell.This
|
||||
activity is not standard use with this binary for a user or system administrator. It indicates a potentially malicious
|
||||
actor attempting to improve the capabilities or stability of their access
|
||||
Identifies Linux binary env abuse to break out from restricted environments by spawning an interactive system shell.The
|
||||
env utility is a shell command for Unix like OS which is used to print a list of environment variables and the activity
|
||||
of spawning shell is not a standard use of this binary for a user or system administrator. It indicates a potentially
|
||||
malicious actor attempting to improve the capabilities or stability of their access
|
||||
"""
|
||||
from = "now-9m"
|
||||
index = ["logs-endpoint.events.*"]
|
||||
|
||||
@@ -1,14 +1,15 @@
|
||||
[metadata]
|
||||
creation_date = "2022/03/07"
|
||||
maturity = "development"
|
||||
updated_date = "2022/03/17"
|
||||
updated_date = "2022/03/28"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
description = """
|
||||
Identifies Linux binary expect abuse to break out from restricted environments by spawning an interactive system shell
|
||||
This activity is not standard use with this binary for a user or system administrator and could potentially indicate
|
||||
malicious actor attempting to improve the capabilities or stability of their access.
|
||||
Identifies Linux binary expect abuse to break out from restricted environments by spawning an interactive system shell.
|
||||
The expect utility allows us to automate control of interactive applications such as telnet,ftp,ssh and others and the
|
||||
activity of spawning shell is not a standard use of this binary for a user or system administrator and could potentially
|
||||
indicate malicious actor attempting to improve the capabilities or stability of their access.
|
||||
"""
|
||||
from = "now-9m"
|
||||
index = ["logs-endpoint.events.*"]
|
||||
|
||||
@@ -1,14 +1,15 @@
|
||||
[metadata]
|
||||
creation_date = "2022/02/28"
|
||||
maturity = "production"
|
||||
updated_date = "2022/03/17"
|
||||
updated_date = "2022/03/28"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
description = """
|
||||
Identifies Linux binary find abuse to break out from restricted environments by spawning an interactive system shell.
|
||||
This activity is not standard use with this binary for a user or system administrator. It indicates a potentially
|
||||
malicious actor attempting to improve the capabilities or stability of their access.
|
||||
The find command in Unix is a command line utility for walking a file hirerarchy and the activity of spawning shell is
|
||||
not a standard use of this binary for a user or system administrator.It indicates a potentially malicious actor
|
||||
attempting to improve the capabilities or stability of their access.
|
||||
"""
|
||||
from = "now-9m"
|
||||
index = ["logs-endpoint.events.*"]
|
||||
|
||||
@@ -1,13 +1,14 @@
|
||||
[metadata]
|
||||
creation_date = "2022/03/09"
|
||||
maturity = "production"
|
||||
updated_date = "2022/03/17"
|
||||
updated_date = "2022/03/28"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
description = """
|
||||
Identifies Linux binary gcc abuse to break out from restricted environments by spawning an interactive system shell.This
|
||||
activity is not standard use with this binary for a user or system administrator and could potentially indicate
|
||||
Identifies Linux binary gcc abuse to break out from restricted environments by spawning an interactive system shell.The
|
||||
gcc utility is a complier system for various languages and mainly used to complie C and C++ programs and the activity of
|
||||
spawning shell is not a standard use of this binary for a user or system administrator.It indicates a potentially
|
||||
malicious actor attempting to improve the capabilities or stability of their access.
|
||||
"""
|
||||
from = "now-9m"
|
||||
|
||||
@@ -1,14 +1,15 @@
|
||||
[metadata]
|
||||
creation_date = "2022/03/09"
|
||||
maturity = "production"
|
||||
updated_date = "2022/03/17"
|
||||
updated_date = "2022/03/28"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
description = """
|
||||
Identifies MySQL server abuse to break out from restricted environments by spawning an interactive system shell.This
|
||||
activity is not standard use with this binary for a user or system administrator and could potentially indicate
|
||||
malicious actor attempting to improve the capabilities or stability of their access.
|
||||
Identifies MySQL server abuse to break out from restricted environments by spawning an interactive system shell.The
|
||||
MySQL is an open source relational database management system and the activity of spawning shell is not a standard use
|
||||
of this binary for a user or system administrator.It indicates a potentially malicious actor attempting to improve the
|
||||
capabilities or stability of their access.
|
||||
"""
|
||||
from = "now-9m"
|
||||
index = ["logs-endpoint.events.*"]
|
||||
|
||||
@@ -1,14 +1,16 @@
|
||||
[metadata]
|
||||
creation_date = "2022/03/07"
|
||||
maturity = "development"
|
||||
updated_date = "2022/03/17"
|
||||
updated_date = "2022/03/28"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
description = """
|
||||
Identifies Linux binary nice abuse to break out from restricted environments by spawning an interactive system shell.This
|
||||
activity is not standard use with this binary for a user or system administrator. It indicates a potentially malicious
|
||||
actor attempting to improve the capabilities or stability of their access
|
||||
description = """
|
||||
Identifies Linux binary nice abuse to break out from restricted environments by spawning an interactive system shell.The
|
||||
nice command is used to invoke a utility or a shell script with a particular CPU priority, thus giving the process more
|
||||
or less CPU and the activity of spawning shell is not a standard use of this binary for a user or system
|
||||
administrator.It indicates a potentially malicious actor attempting to improve the capabilities or stability of their
|
||||
access.
|
||||
"""
|
||||
from = "now-9m"
|
||||
index = ["logs-endpoint.events.*"]
|
||||
|
||||
@@ -1,14 +1,15 @@
|
||||
[metadata]
|
||||
creation_date = "2022/03/10"
|
||||
maturity = "production"
|
||||
updated_date = "2022/03/17"
|
||||
updated_date = "2022/03/28"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
description = """
|
||||
Identifies Linux binary ssh abuse to break out from restricted environments by spawning an interactive system shell.This
|
||||
activity is not standard use with this binary for a user or system administrator and could potentially indicate
|
||||
malicious actor attempting to improve the capabilities or stability of their access.
|
||||
Identifies Linux binary ssh abuse to break out from restricted environments by spawning an interactive system shell.The
|
||||
ssh is a network protocol that gives users,particularly system administrators a secure way to access a computer over a
|
||||
network and the activity of spawning shell is not a standard use of this binary for a user or system administrator.It
|
||||
indicates a potentially malicious actor attempting to improve the capabilities or stability of their access.
|
||||
"""
|
||||
from = "now-9m"
|
||||
index = ["logs-endpoint.events.*"]
|
||||
|
||||
Reference in New Issue
Block a user