Commit Graph

238 Commits

Author SHA1 Message Date
Ruben Groenewoud 91a757a018 [Security Content] Add Investigation Guides to Linux C2 Rules (#3247)
* [Security Content] Add Investigation Guides to Linux C2 Rules

* Applied feedback
2023-12-18 17:02:40 +01:00
Ruben Groenewoud 84824c67fd [Tuning & New Rule] Linux Reverse Shell & DR Tuning (#3254)
* [Rule Tuning & New Rule] Linux Reverse Shell

* [Tuning & New Rule] Linux Reverse Shells

* Name change

* Update rules/linux/execution_shell_via_child_tcp_utility_linux.toml

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>

* Update execution_shell_via_child_tcp_utility_linux.toml

* Update execution_shell_via_background_process.toml

---------

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
2023-12-18 09:36:21 +01:00
Ruben Groenewoud 6c614eb102 [Security Content] Add Investigation Guides to Linux Persistence Rules - 1 (#3288)
* [Security Content] Add IGs to Persistence Rules

* Cleaned query

* IG description fix

* Added related rules

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
2023-12-11 13:53:06 +01:00
Ruben Groenewoud 840958d117 [New Rule] Suspicious File Creation via Kworker (#3237)
* [New Rule] Suspicious File Creation via Kworker

* Update rules/linux/persistence_kworker_file_creation.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2023-12-07 23:02:00 +01:00
Ruben Groenewoud 9c61231dc6 [New Rule] UID Elevation from Unknown Executable (#3239)
* [New Rule] UID Elevation from Unknown Executable

* type change

* bump min stack

* Added additional exclusions

* Update rules/linux/privilege_escalation_uid_elevation_from_unknown_executable.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/linux/privilege_escalation_uid_elevation_from_unknown_executable.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/linux/privilege_escalation_uid_elevation_from_unknown_executable.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2023-12-07 22:25:01 +01:00
Ruben Groenewoud 1071b12f00 [New Rule] Suspicious Kworker UID Elevation (#3238)
* [New Rule] Suspicious Kworker UID Elevation

* Update privilege_escalation_kworker_uid_elevation.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2023-12-07 20:59:07 +01:00
Ruben Groenewoud 38862b89e9 [Tuning] Small Linux DR Tuning (#3287) 2023-12-07 12:45:24 +01:00
shashank-elastic d52546eee5 Enhance Setup Guide information (#3256) 2023-11-03 19:05:29 +05:30
shashank-elastic 5c5d1b214b Setup information for Linux Rules - Set8 (#3200) 2023-10-30 20:58:40 +05:30
Ruben Groenewoud 618a1dbe06 [New Rule] Attempt to Clear Kernel Ring Buffer (#3217)
* [New Rule] Attempt to Clear Kernel Ring Buffer

* Update defense_evasion_clear_kernel_ring_buffer.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2023-10-30 09:37:11 +01:00
Ruben Groenewoud 1ac3775743 [New Rule] Network Activity Detected via kworker (#3202)
* [New Rule] Potential curl CVE-2023-38545 Exploitation

* Revert "[New Rule] Potential curl CVE-2023-38545 Exploitation"

This reverts commit 9c04d1b53d3d63678289f43ec0c7b617d26f1ce0.

* [New Rule] Network Activity Detected via kworker

* White space

* Update rules/linux/command_and_control_linux_kworker_netcon.toml

* Update rules/linux/command_and_control_linux_kworker_netcon.toml

* Update rules/linux/command_and_control_linux_kworker_netcon.toml

* Update command_and_control_linux_kworker_netcon.toml

* Update rules/linux/command_and_control_linux_kworker_netcon.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/linux/command_and_control_linux_kworker_netcon.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update command_and_control_linux_kworker_netcon.toml

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2023-10-25 15:24:55 +02:00
Ruben Groenewoud 3855dd06d8 [New Rule] Potential Linux Hack Tool Launched (#3125)
* [New Rule] Potential Linux Hack Tool Launched

* changed description slightly

* Updated description

* Update rules/linux/execution_potential_hack_tool_executed.toml

* Update rules/linux/execution_potential_hack_tool_executed.toml
2023-10-23 21:35:43 +02:00
Ruben Groenewoud ff268cc6a0 [New Rule] Netcat Listener Established via rlwrap (#3124)
* [New Rule] Netcat Listener Established via rlwrap

* Update rules/linux/execution_nc_listener_via_rlwrap.toml
2023-10-23 17:31:26 +02:00
Ruben Groenewoud 020fff3aea [Rule Tuning] Linux Rules (#3092)
* [Rule Tuning] [WIP] Linux DR

* Update defense_evasion_binary_copied_to_suspicious_directory.toml

* Fixed tag

* Added additional tuning

* unit test fix

* Additional tuning

* tuning

* added max signals

* Added max_signals=1 to brute force rules

* Cross-Platform Tuning

* Small fix

* new_terms conversion

* typo

* new_terms conversion

* Ransomware rule tuning

* performance tuning

* new_terms conversion for auditd_manager

* tune

* Need coffee

* kql/eql stuff

* formatting improvement

* new_terms sudo hijacking conversion

* exclusion

* Deprecations that were added last tuning

* Deprecations that were added last tuning

* Increased max timespan for brute force rules

* version bump

* added domain tag

* Two tunings

* More tuning

* Additional tuning

* updated_date bump

* query optimization

* Tuning

* Readded the exclusions for this one

* Changed int comparison

* Some tunings

* Update persistence_systemd_scheduled_timer_created.toml

* Update rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* [New Rule] Potential curl CVE-2023-38545 Exploitation

* Revert "[New Rule] Potential curl CVE-2023-38545 Exploitation"

This reverts commit 9c04d1b53d3d63678289f43ec0c7b617d26f1ce0.

* Update rules/cross-platform/command_and_control_non_standard_ssh_port.toml

* Update rules/linux/command_and_control_cat_network_activity.toml

* Update persistence_message_of_the_day_execution.toml

* Changed max_signals

* Revert "Merge branch 'main' into rule-tuning-ongoing-dr"

This reverts commit 1106b5d2eba1a3529eff325226d6baabfd4b0bf3, reversing
changes made to 5ff510757f25b0cb32e1ef18e9e2c34c8ec325a8.

* Revertable merge

* Update defense_evasion_ld_preload_env_variable_process_injection.toml

* File name change

---------

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2023-10-23 16:28:58 +02:00
shashank-elastic 7254c582c5 Move Setup information into setup field (#3206) 2023-10-23 19:28:18 +05:30
Ruben Groenewoud 9f41c9f35c [New Rule] Upgrade of Non-interactive Shell (#3113)
* [New Rule] Upgrade of Non-interactive Shell

* Changed numbers to int

* Changed severity

* [New Rule] Pot. Rev Shell via Background Process

* Revert "[New Rule] Pot. Rev Shell via Background Process"

This reverts commit bbb36eae26561dbef4bf57f6c1388cebe7a8b88d.

* Update rules/linux/execution_interpreter_tty_upgrade.toml
2023-10-18 16:47:07 +02:00
Ruben Groenewoud 6ea11cd9ad [New Rules] cap_setuid/cap_setgid privesc (#3075)
* [New Rules] cap_setuid/cap_setgid privesc

* Update persistence_setuid_setgid_capability_set.toml

* Update rules/linux/privilege_escalation_suspicious_cap_setuid_python_execution.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update privilege_escalation_suspicious_cap_setuid_python_execution.toml

* Update rules/linux/privilege_escalation_suspicious_cap_setuid_python_execution.toml

* Update privilege_escalation_suspicious_cap_setuid_python_execution.toml

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2023-10-18 16:24:01 +02:00
Ruben Groenewoud 4190c3a6a7 [New Rule] Potential SSH-IT SSH Worm Downloaded (#3121)
* [New Rule]

* Fixed grammar mistake

* Update rules/linux/lateral_movement_ssh_it_worm_download.toml

* Update rules/linux/lateral_movement_ssh_it_worm_download.toml
2023-10-18 16:08:25 +02:00
Ruben Groenewoud 7d674db11e [New Rule] Pot. Network Scan Executed from Host (#3070) 2023-10-18 15:46:31 +02:00
shashank-elastic 276c0f9cd3 Setup information for Linux Rules - Set7 (#3190) 2023-10-17 19:45:01 +05:30
shashank-elastic 5a98208b53 Setup information for Linux Rules - Set6 (#3189) 2023-10-17 19:33:07 +05:30
shashank-elastic 2a48db0598 Setup information for Linux Rules - Set5 (#3188) 2023-10-17 19:11:20 +05:30
shashank-elastic 25b527c149 Setup information for Linux Rules - Set4 (#3179) 2023-10-17 18:59:31 +05:30
shashank-elastic d2c2987d72 Setup information for Linux Rules - Set3 (#3178) 2023-10-17 18:37:20 +05:30
shashank-elastic 1801a4ee7e Setup information for Linux Rules - Set2 (#3177) 2023-10-17 18:25:55 +05:30
shashank-elastic 15718ea09e Improve existing setup configurations for Linux (#3141) 2023-10-13 13:39:03 +05:30
Ruben Groenewoud 89cfdcd440 [New Rule] Potential curl CVE-2023-38545 Exploitation (#3168)
* [New Rule] Potential curl CVE-2023-38545 Exploitation

* Added setup guide

* Update execution_curl_CVE_2023_38545.toml

* File name change

* File name change

* Update dates

* Update rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml

* Update rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* Update rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* Update rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* Update rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
2023-10-11 11:42:25 -03:00
Ruben Groenewoud a46797b987 [New Rule] Pot. Rev. Shell via Background Process (#3114) 2023-10-06 23:14:39 +02:00
Ruben Groenewoud c3cc01333a [Tuning] CVE-2023-4911 (#3160) 2023-10-06 13:13:17 +02:00
Ruben Groenewoud f4ad1f28e3 [New Rule] PE via CVE-2023-4911 (Looney Tunables) (#3158)
* [New Rule] PE via CVE-2023-4911 (Looney Tunables)

* Update rules/linux/privilege_escalation_looney_tunables_cve_2023_4911.toml

* Update rules/linux/privilege_escalation_looney_tunables_cve_2023_4911.toml
2023-10-05 16:41:11 +02:00
Ruben Groenewoud b291317ea6 [New Rule] Network Activity Detected via cat (#3069)
* [New Rule] Network Activity via cat

* Update command_and_control_cat_network_activity.toml

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2023-09-18 09:51:20 +02:00
Ruben Groenewoud f8f3576971 [New Rule] Potential UDP Reverse Shell (#2906)
* [New Rule] Potential UDP Reverse Shell Detected

* Title change

* Update execution_shell_via_udp_cli_utility_linux.toml

* Update execution_shell_via_udp_cli_utility_linux.toml

* Update rules/linux/execution_shell_via_udp_cli_utility_linux.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* updated non-ecs-schema to update unmapped fields

* Update rules/linux/execution_shell_via_udp_cli_utility_linux.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Removed netcat, added destination ip list

* Update execution_shell_via_udp_cli_utility_linux.toml

* Added precautionary exclusions

* Update rules/linux/execution_shell_via_udp_cli_utility_linux.toml

* replaced schema files

* Update execution_shell_via_udp_cli_utility_linux.toml

* Update execution_shell_via_udp_cli_utility_linux.toml

* Update execution_shell_via_udp_cli_utility_linux.toml

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2023-09-07 17:13:22 +02:00
Ruben Groenewoud 15e71ec2e8 [New Rule] Potential Meterpreter Reverse Shell (#3007)
* [New Rule] Potential Meterpreter Reverse Shell

* Update execution_shell_via_meterpreter_linux.toml

* Update execution_shell_via_meterpreter_linux.toml

* Update rules/linux/execution_shell_via_meterpreter_linux.toml

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
2023-09-07 17:04:06 +02:00
Jonhnathan 4233fef238 [Security Content] Include "Data Source: Elastic Defend" tag (#3002)
* win folder

* Other folders

* Update test_all_rules.py

* .

* updated missing elastic defend tags

---------

Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co>
2023-09-05 14:22:01 -04:00
Ruben Groenewoud 6115a68aba [Rule Tuning] Small Linux DR Tuning (#3074)
* [Rule tuning] Addressing community issue

* Changed title

* Changed IG title
2023-09-05 14:20:57 +02:00
Ruben Groenewoud 3c64b454fb [New Rule] Sus User Privilege Enumeration via id (#3049) 2023-08-31 18:13:42 +02:00
Ruben Groenewoud f7d8d4752a [New Rules] GDB Secret Dumping (#3060)
* [New Rules] GDB Secret Dumping

* Added references to BBR

* Update rules/linux/credential_access_gdb_init_memory_dump.toml

* Update rules_building_block/credential_access_gdb_memory_dump.toml

* Update rules_building_block/credential_access_gdb_memory_dump.toml

* Update rules_building_block/credential_access_gdb_memory_dump.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2023-08-31 17:41:22 +02:00
Ruben Groenewoud b6ed215958 [New Rule] File Creation, Exec and Self-Deletion (#3045)
* [New Rule] File Creation, Exec and Self-Deletion

* Update execution_file_execution_followed_by_deletion.toml

* Update execution_file_execution_followed_by_deletion.toml

* Update execution_file_execution_followed_by_deletion.toml

* Update execution_file_execution_followed_by_deletion.toml

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2023-08-31 17:32:17 +02:00
Ruben Groenewoud 3588600d57 [Rule Tuning] 3 tunings to reduce FPs (#3058)
* [Rule Tuning] 2 tunings to reduce FPs back to 0

* Added one more tune for community issue #3041

* Update rules/linux/execution_abnormal_process_id_file_created.toml

* Update rules/linux/execution_abnormal_process_id_file_created.toml
2023-08-31 17:16:57 +02:00
Ruben Groenewoud 2eaaf27f1e [New Rule] Potential Disabling of AppArmor (#3046)
* [New Rule] Potential Disabling of AppArmor

* Update rules/linux/defense_evasion_disable_apparmor_attempt.toml

* Update rules/linux/defense_evasion_disable_apparmor_attempt.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2023-08-31 17:06:15 +02:00
Ruben Groenewoud d838a3352f [New Rule] Binary Copied and/or Moved to Suspicious Directory (#3048)
* [New Rule] Binary Copied and/or Moved to sus dir

* Update rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2023-08-31 13:46:41 +02:00
Ruben Groenewoud a5b5d513af [New Rule] Potential Sudo Privilege Escalation via CVE-2019-14287 (#3057)
* [New Rule] Sudo PE via CVE-2019-14287

* Added Elastic Defend Data Source tag

* Update rules/linux/privilege_escalation_sudo_cve_2019_14287.toml

* Update rules/linux/privilege_escalation_sudo_cve_2019_14287.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2023-08-31 13:11:34 +02:00
Ruben Groenewoud a395f54054 [New Rules] sus program compilation activity (#3043) 2023-08-31 09:30:56 +02:00
Ruben Groenewoud 32abdb95f7 [New Rules] Linux Tunneling and Port Forwarding (#3028)
* Removed iodine rule due to new tunneling rule

* [New Rules] Linux Tunneling and Port Forwarding

* added ash

* Fixed description styling

* Changed rule name

* Update command_and_control_linux_suspicious_proxychains_activity.toml

* Added deprecation note & name change

* Changed deprecation status

* Removed deprecation date

* Fixed unit testing

* Update rules_building_block/command_and_control_linux_ssh_x11_forwarding.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2023-08-30 22:12:19 +02:00
Ruben Groenewoud a1716bd673 [Rule Tuning] Several rule tunings (#3024)
* [Rule Tuning] Several rule tunings

* Added 1 more

* optimized ransomware encryption rules

* Update rules/linux/impact_potential_linux_ransomware_file_encryption.toml

* Update rules/linux/impact_potential_linux_ransomware_note_detected.toml

* Added 2 more tunings based on today's telemetry

* Some tunings

* Tuning

* Tuning

* fixed user.id comparison

* Something went wrong with deprecation

* Something went wrong with deprecation

* Update rules/linux/impact_potential_linux_ransomware_file_encryption.toml

* Update rules/linux/discovery_linux_nping_activity.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/linux/discovery_linux_hping_activity.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Dedeprecated the rule to deprecate later

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2023-08-25 14:03:29 +02:00
Ruben Groenewoud e938ed28a0 [Rule Tuning] added additional event action (#3008) 2023-08-10 16:59:07 +02:00
Ruben Groenewoud 4cbfd7c4ae [Rule Tuning] Restricted Shell Breakout (#2999) 2023-08-04 19:30:18 +02:00
Ruben Groenewoud e904ebb760 [New Rule] PE via Container Misconfiguration (#2983)
* [New Rule] PE via Container Misconfiguration

* fixed boolean comparison unit test error

* Update privilege_escalation_container_util_misconfiguration.toml

* Update rules/linux/privilege_escalation_container_util_misconfiguration.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
2023-08-04 16:39:40 +02:00
Ruben Groenewoud ef49709c7d [New Rules] Linux Wildcard Injection (#2973)
* [New Rules] Linux Wildcard Injection

* Update rules/linux/privilege_escalation_chown_chmod_unauthorized_file_read.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Update rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Update rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml

* Update rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Update rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml

---------

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2023-08-04 16:32:34 +02:00
Ruben Groenewoud c6eba3e4e6 [New Rule] Suspicious Symbolic Link Created (#2969)
* [New Rule] Suspicious Symbolic Link Created

* Update rules/linux/privilege_escalation_linux_suspicious_symbolic_link.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* fixed unit testing issues after suggestion commit

---------

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2023-08-03 23:23:23 +02:00