Terrance DeJesus
c2bcfc575f
[New Rule] Elastic Agent Stopped (#1991)
* new rule for detecting if elastic agent has been stopped
* adjusted query based on feedback; added powershell, taskkill, pskill and processhacker
2022-07-18 17:15:01 -04:00
Colson Wilhoit
4235b5d798
[New Rule] Dynamic Linker Copy (#2099)
* [New Rule] Dynamic Linker Copy
* Update rules/linux/persistence_dynamic_linker_backup.toml
* Update rules/linux/persistence_dynamic_linker_backup.toml
* Update rules/linux/persistence_dynamic_linker_backup.toml
(cherry picked from commit 9995558b2a)
2022-07-13 15:18:44 +00:00
Colson Wilhoit
4913be81e0
[New Rule] Tc BPF Filter (#2091)
* tc bpf filter
* Update rules/linux/execution_tc_bpf_filter.toml
(cherry picked from commit 58ad0823ca)
2022-07-13 14:42:49 +00:00
Jonhnathan
d8ee4473a2
[Security Content] 8.4 - Add Investigation Guides (#2069)
* [Security Content] 8.4 - Add Investigation Guides
* Apply suggestions from code review
Co-authored-by: Joe Peeples <joe.peeples@elastic.co>
* Update rules/windows/credential_access_cmdline_dump_tool.toml
Co-authored-by: Joe Peeples <joe.peeples@elastic.co>
* Apply suggestions from code review
Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com>
* Update rules/windows/credential_access_credential_dumping_msbuild.toml
Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com>
Co-authored-by: Joe Peeples <joe.peeples@elastic.co>
Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com>
Removed changes from:
- rules/windows/execution_command_shell_started_by_svchost.toml
(selectively cherry picked from commit 3a8efc8183)
2022-07-13 14:29:48 +00:00
Colson Wilhoit
3e73a3c60a
[New Rule] Insmod kernel module load (#2093)
* insmod kernel module load
* Update rules/linux/persistence_insmod_kernel_module_load.toml
* Update rules/linux/persistence_insmod_kernel_module_load.toml
(cherry picked from commit d7d0466344)
2022-07-13 14:23:29 +00:00
Terrance DeJesus
e241df5d76
[Rule Tuning] Potential Reverse Shell Activity via Terminal (#2077)
* adjusted query rule to exclude noisy FPs
* adjusted event.action to be event.type
(cherry picked from commit 7581234fe8)
2022-07-13 02:34:43 +00:00
Mika Ayenson
06ce0015df
Add new required_fields as a build-time restricted field (#2059)
* Add new `require_field` restricted field
* validate new fields against BaseRuleData schema and global constant
Co-authored-by: Terrance DeJesus <terrance.dejesus@elastic.co>
Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com>
(cherry picked from commit c76a397969)
2022-07-06 15:51:18 +00:00
Terrance DeJesus
de2a90090c
[New Rule] Domain Trust Enumeration via Nltest (#2010)
* adding detection rule
* removed changes from unrelated rule
* adjusted threat technique
* Update rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml
* Update rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
* Update rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
* Update rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
(cherry picked from commit 329530c8c3)
2022-07-05 14:49:39 +00:00
Janeen Mikell-Straughn
45e804f3e5
Fixing doc bugs reported by QA. (#2065)
Co-authored-by: Craig Chamberlain <randomuserid@users.noreply.github.com>
(cherry picked from commit 13c63ceaef)
2022-06-30 20:00:58 +00:00
Jonhnathan
8011420e71
Update discovery_privileged_localgroup_membership.toml (#2046)
(cherry picked from commit 853f8db8d0)
2022-06-30 17:27:15 +00:00
Craig Chamberlain
b47e763949
user risk score docs (#2055)
* user risk score
initial create of user risk score docs
* add paragraph
adding another paragraph for explainability as suggested by pm
* Update docs/experimental-machine-learning/readme.md
Co-authored-by: Apoorva Joshi <30438249+ajosh0504@users.noreply.github.com>
* Update user-risk-score.md
fixes and suggestions
* Update user-risk-score.md
rm int script reference
* Update docs/experimental-machine-learning/user-risk-score.md
Co-authored-by: Apoorva Joshi <30438249+ajosh0504@users.noreply.github.com>
* Update user-risk-score.md
* Update user-risk-score.md
* Update user-risk-score.md
Co-authored-by: Apoorva Joshi <30438249+ajosh0504@users.noreply.github.com>
(cherry picked from commit 1bb2273c0c)
2022-06-28 15:53:56 +00:00
Mika Ayenson
cf952854d6
test automatically prevent future merges when a backport fails (#1909)
automatically prevent future merges when a backport fails
2022-06-27 11:31:49 -04:00
Justin Ibarra
179a3bd284
Add support for restricted fields (#2053)
* Add support for restricted fields (fields valid only in min/max stack versions)
* add test to ensure rule backports won't exceed min compat
(cherry picked from commit cc01d3fb1a)
2022-06-27 15:03:32 +00:00
Mika Ayenson
eb6deea9ac
Update cli documentation for search-alerts (#2051)
* Add cli documentation for search-alerts and table fields
(cherry picked from commit 4ef1a1a627)
2022-06-24 14:00:01 +00:00
Mika Ayenson
6c5e101e6f
test automatically prevent future merges when a backport fails (#1909)
automatically prevent future merges when a backport fails
(cherry picked from commit 4fdd978183)
2022-06-23 19:00:24 +00:00
github-actions[bot]
fafe1e0ab6
Locked versions for releases: 7.16,8.0,8.1,8.2,8.3 (#2041)
Co-authored-by: terrancedejesus <terrancedejesus@users.noreply.github.com>
(cherry picked from commit fd9c9f8abf)
2022-06-17 15:44:35 +00:00
shashank-elastic
69237c4ed2
[Rule tuning] existing strace activity rule. (#2028)
* Update description and MITRE ATT&CK details
(cherry picked from commit 2ee23bd80f)
2022-06-16 11:49:16 +00:00
Jonhnathan
0973ac07ef
Update discovery_remote_system_discovery_commands_windows.toml (#2033)
(cherry picked from commit c8ff1dc9cb)
2022-06-14 13:52:02 +00:00
Isai
fa5fc6094e
[New Rule] Kubernetes execution_user_exec_to_pod (#1979)
* Create execution_user_exec_to_pod.toml
* Update execution_user_exec_to_pod.toml
* Update rules/integrations/kubernetes/execution_user_exec_to_pod.toml
* Update non-ecs-schema.json
* Update execution_user_exec_to_pod.toml
* Update rules/integrations/kubernetes/execution_user_exec_to_pod.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
* Update execution_user_exec_to_pod.toml
* Update execution_user_exec_to_pod.toml
* Update execution_user_exec_to_pod.toml
* toml-linted file and add to false positive
toml-linted the file and added to the false positive description
* Create notepad.sct
Added this back into the repo, deleted by mistake.
* added min_stack_version based on integration
min stack version determined by integration support of necessary fields
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
(cherry picked from commit 63fda01fdd)
2022-06-09 21:53:15 +00:00
Justin Ibarra
8564185a7d
[Bug] resolves bug in Rule version methods (#2021)
* [Bug] resolves bug in Rule version methods
* comment out unused code with notes
(cherry picked from commit 744f56d98e)
2022-06-07 23:41:40 +00:00
Jonhnathan
57194b8e59
[Rule Tuning] M365 - Remove event.outcome condition from Auth Events (#2004)
* Remove event.outcome condition
* Update credential_access_microsoft_365_brute_force_user_account_attempt.toml
* Revert "Update credential_access_microsoft_365_brute_force_user_account_attempt.toml"
This reverts commit c7e7c976174a62e6b50139291e8f7f1a34e7beab.
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
(cherry picked from commit 3aa53fc6c5)
2022-06-03 17:24:48 +00:00
Jonhnathan
835b342a43
Update persistence_sdprop_exclusion_dsheuristics.toml (#2017)
(cherry picked from commit b6631f200e)
2022-06-03 17:22:33 +00:00
Jonhnathan
a51d251e05
Adds logs-system.* index pattern (#2016)
(cherry picked from commit f857e009c5)
2022-06-03 16:57:26 +00:00
Justin Ibarra
c16442517e
[Bug] Fix test_matrix_to_lock_version_defaults test (#2014)
(cherry picked from commit e850f39526)
2022-06-03 00:35:19 +00:00
Justin Ibarra
3a1a5fe12b
Collapse unsupported previous version entries (#2013)
* Collapse unsupported previous version entries
* drop the last entry in the matrix test
(cherry picked from commit f57950a3c9)
2022-06-02 23:18:45 +00:00
Terrance DeJesus
220996b1b8
Prep for Creation of 8.4 Branch (#2001)
* prepping for 8.4 branch
* adjusted schemas init file
* adjusted target matrix to only backport to 7.16, updated api schemas
* adjusted the lock-versions workflow to account for 7.16 and up support only
* Add test for version lock to schema map correlation
* decouple from static 7.13 references
* keep patch version for lock
* Update detection_rules/etc/packages.yml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com>
Removed changes from:
- detection_rules/etc/packages.yml
(selectively cherry picked from commit 35b1a69ff5)
2022-06-02 18:59:56 +00:00
shashank-elastic
b12d1cb978
[Rule Tuning] Add MITRE Details to existing hping activity rule. (#2012)
* Add MITRE Details to existing hping activity rule.
(cherry picked from commit f02325fe2f)
2022-06-02 05:08:23 +00:00
shashank-elastic
821e04aaf8
Linux binary(s) ftp shell evasion threat (#2007)
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
(cherry picked from commit 98a85ddcee)
2022-06-01 16:40:06 +00:00
Samirbous
29cf0c8f77
[New Rule] Suspicious Microsoft Diagnostics Wizard Execution (#2005)
* [New Rule] Suspicious Microsoft Diagnostics Wizard Execution
https://lolbas-project.github.io/lolbas/Binaries/Msdt/
https://twitter.com/nao_sec/status/1530196847679401984
* Update rules/windows/defense_evasion_proxy_execution_via_msdt.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
(cherry picked from commit d6e96a83d5)
2022-06-01 15:04:54 +00:00
Jonhnathan
1484c20795
[Security Content] 8.3 Add Investigation Guides - 3 (#1990)
* [Security Content] 8.3 Add Investigation Guides - 3
* bump date
* Apply suggestions from code review
Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com>
* Apply suggestions from code review
Co-authored-by: Joe Peeples <joe.peeples@elastic.co>
Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com>
Co-authored-by: Joe Peeples <joe.peeples@elastic.co>
(cherry picked from commit 27f5c2e695)
2022-05-31 15:59:13 +00:00
Jonhnathan
d575fd4b3c
[Security Content] 8.3 - Add Investigation Guides 2 (#1989)
* [Security Content] 8.3 - Add Investigation Guides 2 - Initial Commit
* .
* Add Related rules
* Apply suggestions from code review
Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com>
* Apply suggestions from code review
Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com>
* .
* .
* Apply suggestions from code review
Co-authored-by: Joe Peeples <joe.peeples@elastic.co>
Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com>
Co-authored-by: Joe Peeples <joe.peeples@elastic.co>
(cherry picked from commit e5d3c6329c)
2022-05-31 15:56:50 +00:00
Samirbous
10c2d9de3d
[Rule Tuning] Suspicious MS Office Child Process (#2003)
added msdt.exe as a response to this in-the-wild 0-day (works without VBA and on latest Office) ->
https://twitter.com/nao_sec/status/1530196847679401984
https://www.virustotal.com/gui/file/4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784/detection
(cherry picked from commit bfea11c99f)
2022-05-31 12:23:08 +00:00
Jonhnathan
1d69a2bbae
[Promote Rule] Potential Invoke-Mimikatz PowerShell Script (#1993)
* Update credential_access_mimikatz_powershell_module.toml
* Update credential_access_mimikatz_powershell_module.toml
* Update credential_access_mimikatz_powershell_module.toml
* Update credential_access_mimikatz_powershell_module.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
(cherry picked from commit 1f8813d02f)
2022-05-25 20:04:28 +00:00
Justin Ibarra
6199bd4524
Refresh ECS/beats schemas up to 8.2 (#1995)
(cherry picked from commit 0428e161a8)
2022-05-25 19:53:52 +00:00
Mika Ayenson
3988b2ed5e
Skip previous validation on pre/post load/dump (#1942)
* Build out the dataclasses for a base entry and version lock explicitly
* Ensure previous field does not have a nested previous
* Test validation on version lock for previous fields.
(cherry picked from commit e1266a6fd3)
2022-05-25 17:36:12 +00:00
shashank-elastic
75f8928d1f
[Rule tuning] Linux binary(s) shell evasion threat
* Linux binary(s) git shell evasion threat
(cherry picked from commit fd7a6d63b0)
2022-05-25 13:53:22 +00:00
shashank-elastic
44046642e7
[Rule tuning] Linux binary(s) shell evasion threat (#1957)
* Linux binary(s) shell evasion threat
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
(cherry picked from commit 51b2d9da4b)
2022-05-25 03:04:53 +00:00
Justin Ibarra
c5e3312727
[Rule tuning] Whitespace Padding in Process Command Line (#1967)
* [Rule tuning] Whitespace Padding in Process Command Line
* bump updated_date
* update comment
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
(cherry picked from commit 72c186b30b)
2022-05-23 19:35:44 +00:00
Justin Ibarra
0796082300
[Rule tuning] Unusual Process Execution - Temp (#1968)
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
(cherry picked from commit 1840a638c8)
2022-05-23 15:06:55 +00:00
Bobby Filar
e57cf31867
Modifying rules assoc w/ deprecation of v2 ML jobs (#1846)
* modifying rules assoc w/ deprecation of v2 ML jobs
* modified updated_date field
* fixed machine_learning_job_id and added min_stack_version
* replacing rest of deprecated jobs with new naming convention
* Update ml_suspicious_login_activity.toml
* removing rules assoc w/ deprecated ML jobs
* Update rules/ml/ml_linux_anomalous_compiler_activity.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/ml/ml_linux_anomalous_compiler_activity.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* updated ml job rules to reflect 8.3 changes
* updating min_stack_version for ml detection rules
Co-authored-by: Craig Chamberlain <randomuserid@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Apoorva Joshi <30438249+ajosh0504@users.noreply.github.com>
Removed changes from:
- rules/ml/ml_linux_anomalous_compiler_activity.toml
- rules/ml/ml_linux_anomalous_metadata_process.toml
- rules/ml/ml_linux_anomalous_metadata_user.toml
- rules/ml/ml_linux_anomalous_network_activity.toml
- rules/ml/ml_linux_anomalous_network_port_activity.toml
- rules/ml/ml_linux_anomalous_process_all_hosts.toml
- rules/ml/ml_linux_anomalous_sudo_activity.toml
- rules/ml/ml_linux_anomalous_user_name.toml
- rules/ml/ml_linux_system_information_discovery.toml
- rules/ml/ml_linux_system_network_configuration_discovery.toml
- rules/ml/ml_linux_system_network_connection_discovery.toml
- rules/ml/ml_linux_system_process_discovery.toml
- rules/ml/ml_linux_system_user_discovery.toml
- rules/ml/ml_rare_process_by_host_linux.toml
- rules/ml/ml_rare_process_by_host_windows.toml
- rules/ml/ml_suspicious_login_activity.toml
- rules/ml/ml_windows_anomalous_metadata_process.toml
- rules/ml/ml_windows_anomalous_metadata_user.toml
- rules/ml/ml_windows_anomalous_network_activity.toml
- rules/ml/ml_windows_anomalous_path_activity.toml
- rules/ml/ml_windows_anomalous_process_all_hosts.toml
- rules/ml/ml_windows_anomalous_process_creation.toml
- rules/ml/ml_windows_anomalous_script.toml
- rules/ml/ml_windows_anomalous_service.toml
- rules/ml/ml_windows_anomalous_user_name.toml
- rules/ml/ml_windows_rare_user_runas_event.toml
- rules/ml/ml_windows_rare_user_type10_remote_login.toml
(selectively cherry picked from commit 9a739b7e4c)
2022-05-20 20:04:28 +00:00
Mika Ayenson
a2dbfff31b
[Rule tuning] add support for osx, zsh, and expand tampering techniques (#1974)
* add support for osx, zsh, and expand tampering techniques
* migrate to cross-platform and add macOS tag
(cherry picked from commit 77966473d1)
2022-05-20 15:12:56 +00:00
Jonhnathan
18277206f8
[Security Content] 8.3 - Add Investigation Guides (#1937)
* 8.3 - Add Investigation Guides
* Apply suggestions
* Apply the refactor
* Apply suggestions from Samir
* .
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
(cherry picked from commit a1bdf2b564)
2022-05-19 16:25:46 +00:00
Mika Ayenson
128053a93e
[Rule tuning] check for anything found in the emondClient directory (#1977)
* check for anything found in the emondClient directory and add reference
(cherry picked from commit 92640f517a)
2022-05-18 16:35:25 +00:00
Jonhnathan
7c90f1d4c4
[Security Content] Refactor Existing Investigation Guides (#1959)
* Initial commit
* Update Investigation guides - security-docs review
* Update command_and_control_dns_tunneling_nslookup.toml
* Update defense_evasion_amsienable_key_mod.toml
* Apply security-docs review
* Remove dot
* Update rules/windows/command_and_control_rdp_tunnel_plink.toml
Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com>
* Apply changes from review
* Apply the suggestion
Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com>
(cherry picked from commit 817b97f428)
2022-05-18 16:01:50 +00:00
Colson Wilhoit
4817bf26c8
[Rule Tuning] Update Rule Name: Suspicious Network Connection Attempt Sequence by Root (#1983)
* [Rule Tuning] Update Rule Name
* Update rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml
(cherry picked from commit d12f45c6ba)
2022-05-17 22:43:06 +00:00
Terrance DeJesus
a440d87f67
[New Rule] Suspicious Outbound Network Connect Sequence by Root (#1975)
* adding initial rule
* adjusted UUID
* removed event.ingested as query is a sequence
* changed file name to match mitre ATT&CK tactic
* Update rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml
* Update rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml
* Update rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml
* Update rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml
* Update rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml
* Update rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml
* TOML linted
* Update command_and_control_connection_attempt_by_non_ssh_root_session.toml
Just edited a couple grammar things. Looks good
* Update rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml
* Update rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml
* Update rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml
* added additional tactic for privilege escalation and linted
* formatted query to be more readable
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
(cherry picked from commit c89f423961)
2022-05-16 21:24:34 +00:00
Jonhnathan
f223e63030
Update command_and_control_common_webservices.toml (#1970)
(cherry picked from commit 27e6632ecd)
2022-05-16 17:06:24 +00:00
Terrance DeJesus
c7d1ea428c
[New Rule] Abnormal Process ID File Creation (#1964)
* adding rule detection
* changed Rule ID
* Update rules/linux/execution_abnormal_process_id_file_created.toml
Adding reboot extension as well.
Reference: https://exatrack.com/public/Tricephalic_Hellkeeper.pdf
* Update rules/linux/execution_abnormal_process_id_file_created.toml
Adding reboot to description.
Reference: https://exatrack.com/public/Tricephalic_Hellkeeper.pdf
* Update rules/linux/execution_abnormal_process_id_file_created.toml
Added additional reference to similar threat.
* Update rules/linux/execution_abnormal_process_id_file_created.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/linux/execution_abnormal_process_id_file_created.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* added rule for a process starting where the executable's name represented a PID file
* Adjusted user.id value from integer to string
* Added simple investigation notes and osquery coverage
* TOML linting
* Updated date to reflect recent changes
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
(cherry picked from commit 1704924f7b)
2022-05-12 14:40:34 +00:00
Samirbous
ca7a148f5a
[New rule] Remote Computer Account DnsHostName Update (#1962)
* [New rule] Remote Computer Account DnsHostName Update
Identifies a remote update to a computer account's DnsHostName attribute. If the new value is set to a valid domain controller DNS hostname and the subject computer name is not a domain controller, then it is highly likely a preparation step to exploit CVE-2022-26923 in an attempt to elevate privileges from a standard domain user to domain admin privileges.
* added MS ref url
* Update rules/windows/privilege_escalation_suspicious_dnshostname_update.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
* Update rules/windows/privilege_escalation_suspicious_dnshostname_update.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
(cherry picked from commit 19ff825a91)
2022-05-11 17:42:44 +00:00
Terrance DeJesus
b5f473a444
[New Rule] Executable Launched from Shared Memory Directory (#1961)
* new rule to check for executables launched from shared memory directory
* added references and false positive instances
* Update rules/linux/execution_shared_memory_executable.toml
* Update rules/linux/execution_shared_memory_executable.toml
* Update rules/linux/execution_shared_memory_executable.toml
* adjusted process to account for var run and lock directories
* TOML lint and query formatting
* TOML lint and query formatting
* Update rules/linux/execution_process_started_in_shared_memory_directory.toml
* Update rules/linux/execution_process_started_in_shared_memory_directory.toml
* Update rules/linux/execution_process_started_in_shared_memory_directory.toml
* Update rules/linux/execution_process_started_in_shared_memory_directory.toml
* added BPFDoor tag to be threat specific
* TOML linting and adjusted risk because of root requirement
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
(cherry picked from commit 5f447a63a2)
2022-05-11 16:22:41 +00:00