 Terrance DeJesus
|
c7d1ea428c
|
[New Rule] Abnormal Process ID File Creation (#1964)
* adding rule detection
* changed Rule ID
* Update rules/linux/execution_abnormal_process_id_file_created.toml
Adding reboot extension as well.
Reference: https://exatrack.com/public/Tricephalic_Hellkeeper.pdf
* Update rules/linux/execution_abnormal_process_id_file_created.toml
Adding reboot to description.
Reference: https://exatrack.com/public/Tricephalic_Hellkeeper.pdf
* Update rules/linux/execution_abnormal_process_id_file_created.toml
Added additional reference to similar threat.
* Update rules/linux/execution_abnormal_process_id_file_created.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/linux/execution_abnormal_process_id_file_created.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* added rule for a process starting where the executable's name represented a PID file
* Adjusted user.id value from integer to string
* Added simple investigation notes and osquery coverage
* TOML linting
* Updated date to reflect recent changes
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
(cherry picked from commit 1704924f7b)
|
2022-05-12 14:40:34 +00:00 |
|