sigma-rules

Author	SHA1	Message	Date
Samirbous	6b3b84ca38	[New/Tuning] Linux LPE via SUID Shell (#5980 ) * [New] Kubernetes Pod Exec with Curl or Wget to HTTPS Detects pod or attach `exec` API calls where the decoded request query implies curl or wget fetching an https URL (avoid noisy local http services). * Create execution_kubernetes_pod_exec_potential_reverse_shell.toml * Update execution_kubernetes_pod_exec_curl_wget_https.toml * Update execution_kubernetes_pod_exec_potential_reverse_shell.toml * ++ * ++ * Add auditd rule for root-effective shell -p outside system paths; extend SUID/SGID exploitation coverage. Made-with: Cursor * Revert "++" This reverts commit eb5631d80e980a3ad59f44095741505f5c4fc7ec. * Revert "++" This reverts commit 2d2c34ca211879069f666f850cb00a4e18b24f27. * Delete rules/integrations/kubernetes/execution_kubernetes_pod_exec_curl_wget_https.toml * Delete rules/integrations/kubernetes/execution_kubernetes_pod_exec_potential_reverse_shell.toml * Update privilege_escalation_auditd_euid_root_shell_from_non_standard_path.toml * Update privilege_escalation_auditd_euid_root_shell_from_non_standard_path.toml * Update rules/linux/privilege_escalation_auditd_euid_root_shell_from_non_standard_path.toml Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com> * Update privilege_escalation_auditd_euid_root_shell_from_non_standard_path.toml --------- Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com>	2026-05-01 10:51:29 +01:00
Ruben Groenewoud	8dc3fef270	[Rule Tuning] Privilege Escalation via SUID/SGID (#6017 ) Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>	2026-05-01 10:08:46 +02:00
Mika Ayenson, PhD	8993d1450b	[Rule Tuning] Add Supplemental Mitre Mappings (#5876 ) --------- Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co> Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> Co-authored-by: eric-forte-elastic <eric.forte@elastic.co>	2026-04-01 09:12:42 -05:00
Ruben Groenewoud	80ee91b0f2	[Rule Tuning] Linux DR Tuning - 11 (#5511 ) * [Rule Tuning] Linux DR Tuning - 11 * Update privilege_escalation_potential_suid_sgid_exploitation.toml * Update rules/linux/privilege_escalation_suspicious_uid_guid_elevation.toml * Update privilege_escalation_docker_escape_via_nsenter.toml --------- Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>	2026-01-07 16:31:13 +01:00
shashank-elastic	9b292b97ea	Prep 8.19/9.1 (#4869 ) * Prep 8.19/9.1 Release * Download Beats Schema * Download API Schema * Download 8.18.3 Beats Schema * Download Latest Integrations manifest and schema * Comment old schemas * Update Patch version	2025-07-07 11:27:48 -04:00
Jonhnathan	0268daa17d	[Rule Tuning] Tighten Up Elastic Defend Indexes - Linux (#4446 )	2025-02-05 15:25:45 -03:00
Mika Ayenson	fe8c81d762	[FR] Generate investigation guides (#4358 )	2025-01-22 11:17:38 -06:00
shashank-elastic	f0291b440a	Minstack endpoint rules with process.group.id fields (#4294 )	2024-12-10 21:03:32 +05:30
Ruben Groenewoud	ac6a49eeea	[Rule Tuning] Q2 Linux DR Tuning - Part 6 (#4167 )	2024-10-18 16:25:54 +02:00
Mika Ayenson	b80d8342d6	[Docs \| Rule Tuning] Add blog references to rules (#4097 ) * [Docs \| Rule Tuning] Add blog references to rules * Apply suggestions from code review Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Apply suggestions from code review * Update google_workspace blog references * add okta blog references * Update dates --------- Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>	2024-09-25 15:19:20 -05:00
Ruben Groenewoud	c3ba7b1262	[New Rule] Privilege Escalation via SUID/SGID (#3793 ) * [New Rule] Privilege Escalation via SUID/SGID * unit test error fix? * Update rules/linux/privilege_escalation_potential_suid_sgid_exploitation.toml	2024-06-27 16:50:09 +02:00

11 Commits