security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Description updation across multiple rules (#1893)

Browse Source 
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
This commit is contained in:
shashank-elastic
2022-03-28 22:54:37 +05:30
committed by GitHub
parent 9ad3d39a32
commit fb40a4a8c7
9 changed files with 43 additions and 32 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/linux/execution_expect_binary.toml
+5 -4
View File
@@ -1,14 +1,15 @@
[metadata]
creation_date = "2022/03/07"
maturity = "development"
updated_date = "2022/03/17"
updated_date = "2022/03/28"
[rule]
author = ["Elastic"]
description = """
Identifies Linux binary expect abuse to break out from restricted environments by spawning an interactive system shell
This activity is not standard use with this binary for a user or system administrator and could potentially indicate
malicious actor attempting to improve the capabilities or stability of their access.
Identifies Linux binary expect abuse to break out from restricted environments by spawning an interactive system shell.
The expect utility allows us to automate control of interactive applications such as telnet,ftp,ssh and others and the
activity of spawning shell is not a standard use of this binary for a user or system administrator and could potentially
indicate malicious actor attempting to improve the capabilities or stability of their access.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]