security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Description updation across multiple rules (#1893)

Browse Source 
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
This commit is contained in:
shashank-elastic
2022-03-28 22:54:37 +05:30
committed by GitHub
parent 9ad3d39a32
commit fb40a4a8c7
9 changed files with 43 additions and 32 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/linux/execution_nice_binary.toml
+7 -5
View File
@@ -1,14 +1,16 @@
[metadata]
creation_date = "2022/03/07"
maturity = "development"
updated_date = "2022/03/17"
updated_date = "2022/03/28"
[rule]
author = ["Elastic"]
description = """
Identifies Linux binary nice abuse to break out from restricted environments by spawning an interactive system shell.This
activity is not standard use with this binary for a user or system administrator. It indicates a potentially malicious
actor attempting to improve the capabilities or stability of their access
description = """
Identifies Linux binary nice abuse to break out from restricted environments by spawning an interactive system shell.The
nice command is used to invoke a utility or a shell script with a particular CPU priority, thus giving the process more
or less CPU and the activity of spawning shell is not a standard use of this binary for a user or system
administrator.It indicates a potentially malicious actor attempting to improve the capabilities or stability of their
access.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]