sigma-rules

Author	SHA1	Message	Date
shashank-elastic	d2c2987d72	Setup information for Linux Rules - Set3 (#3178 )	2023-10-17 18:37:20 +05:30
shashank-elastic	1801a4ee7e	Setup information for Linux Rules - Set2 (#3177 )	2023-10-17 18:25:55 +05:30
shashank-elastic	15718ea09e	Improve exsisting setup configurations for Linux (#3141 )	2023-10-13 13:39:03 +05:30
Ruben Groenewoud	89cfdcd440	[New Rule] Potential curl CVE-2023-38545 Exploitation (#3168 ) * [New Rule] Potential curl CVE-2023-38545 Exploitation * Added setup guide * Update execution_curl_CVE_2023_38545.toml * File name change * File name change * Update dates * Update rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml * Update rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> * Update rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> * Update rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> * Update rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> --------- Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>	2023-10-11 11:42:25 -03:00
Ruben Groenewoud	a46797b987	[New Rule] Pot. Rev. Shell via Background Process (#3114 )	2023-10-06 23:14:39 +02:00
Ruben Groenewoud	c3cc01333a	[Tuning] CVE-2023-4911 (#3160 )	2023-10-06 13:13:17 +02:00
Ruben Groenewoud	f4ad1f28e3	[New Rule] PE via CVE-2023-4911 (Looney Tunables) (#3158 ) * [New Rule] PE via CVE-2023-4911 (Looney Tunables) * Update rules/linux/privilege_escalation_looney_tunables_cve_2023_4911.toml * Update rules/linux/privilege_escalation_looney_tunables_cve_2023_4911.toml	2023-10-05 16:41:11 +02:00
Ruben Groenewoud	b291317ea6	[New Rule] Network Activity Detected via cat (#3069 ) * [New Rule] Network Activity via cat * Update command_and_control_cat_network_activity.toml --------- Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>	2023-09-18 09:51:20 +02:00
Ruben Groenewoud	f8f3576971	[New Rule] Potential UDP Reverse Shell (#2906 ) * [New Rule] Potential UDP Reverse Shell Detected * Title change * Update execution_shell_via_udp_cli_utility_linux.toml * Update execution_shell_via_udp_cli_utility_linux.toml * Update rules/linux/execution_shell_via_udp_cli_utility_linux.toml Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> * updated non-ecs-schema to update unmapped fields * Update rules/linux/execution_shell_via_udp_cli_utility_linux.toml Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> * Removed netcat, added destination ip list * Update execution_shell_via_udp_cli_utility_linux.toml * Added precautionary exclusions * Update rules/linux/execution_shell_via_udp_cli_utility_linux.toml * replaced schema files * Update execution_shell_via_udp_cli_utility_linux.toml * Update execution_shell_via_udp_cli_utility_linux.toml * Update execution_shell_via_udp_cli_utility_linux.toml --------- Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>	2023-09-07 17:13:22 +02:00
Ruben Groenewoud	15e71ec2e8	[New Rule] Potential Meterpreter Reverse Shell (#3007 ) * [New Rule] Potential Meterpreter Reverse Shell * Update execution_shell_via_meterpreter_linux.toml * Update execution_shell_via_meterpreter_linux.toml * Update rules/linux/execution_shell_via_meterpreter_linux.toml Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com> --------- Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com> Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>	2023-09-07 17:04:06 +02:00
Jonhnathan	4233fef238	[Security Content] Include "Data Source: Elastic Defend" tag (#3002 ) * win folder * Other folders * Update test_all_rules.py * . * updated missing elastic defend tags --------- Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co>	2023-09-05 14:22:01 -04:00
Ruben Groenewoud	6115a68aba	[Rule Tuning] Small Linux DR Tuning (#3074 ) * [Rule tuning] Adressing community issue * Changed title * Changed IG title	2023-09-05 14:20:57 +02:00
Ruben Groenewoud	3c64b454fb	[New Rule] Sus User Privilege Enumeration via id (#3049 )	2023-08-31 18:13:42 +02:00
Ruben Groenewoud	f7d8d4752a	[New Rules] GDB Secret Dumping (#3060 ) * [New Rules] GDB Secret Dumping * Added references to BBR * Update rules/linux/credential_access_gdb_init_memory_dump.toml * Update rules_building_block/credential_access_gdb_memory_dump.toml * Update rules_building_block/credential_access_gdb_memory_dump.toml * Update rules_building_block/credential_access_gdb_memory_dump.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> --------- Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>	2023-08-31 17:41:22 +02:00
Ruben Groenewoud	b6ed215958	[New Rule] File Creation, Exec and Self-Deletion (#3045 ) * [New Rule] File Creation, Exec and Self-Deletion * Update execution_file_execution_followed_by_deletion.toml * Update execution_file_execution_followed_by_deletion.toml * Update execution_file_execution_followed_by_deletion.toml * Update execution_file_execution_followed_by_deletion.toml --------- Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>	2023-08-31 17:32:17 +02:00
Ruben Groenewoud	3588600d57	[Rule Tuning] 3 tunings to reduce FPs (#3058 ) * [Rule Tuning] 2 tunings to reduce FPs back to 0 * Added one more tune for community issue #3041 * Update rules/linux/execution_abnormal_process_id_file_created.toml * Update rules/linux/execution_abnormal_process_id_file_created.toml	2023-08-31 17:16:57 +02:00
Ruben Groenewoud	2eaaf27f1e	[New Rule] Potential Disabling of AppArmor (#3046 ) * [New Rule] Potential Disabling of AppArmor * Update rules/linux/defense_evasion_disable_apparmor_attempt.toml * Update rules/linux/defense_evasion_disable_apparmor_attempt.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> --------- Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>	2023-08-31 17:06:15 +02:00
Ruben Groenewoud	d838a3352f	[New Rule] Binary Copied and/or Moved to Suspicious Directory (#3048 ) * [New Rule] Binary Copied and/or Moved to sus dir * Update rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> --------- Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>	2023-08-31 13:46:41 +02:00
Ruben Groenewoud	a5b5d513af	[New Rule] Potential Sudo Privilege Escalation via CVE-2019-14287 (#3057 ) * [New Rule] Sudo PE via CVE-2019-14287 * Added Elastic Defend Data Source tag * Update rules/linux/privilege_escalation_sudo_cve_2019_14287.toml * Update rules/linux/privilege_escalation_sudo_cve_2019_14287.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> --------- Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>	2023-08-31 13:11:34 +02:00
Ruben Groenewoud	a395f54054	[New Rules] sus program compilation activity (#3043 )	2023-08-31 09:30:56 +02:00
Ruben Groenewoud	32abdb95f7	[New Rules] Linux Tunneling and Port Forwarding (#3028 ) * Removed iodine rule due to new tunneling rule * [New Rules] Linux Tunneling and Port Forwarding * added ash * Fixed description styling * Changed rule name * Update command_and_control_linux_suspicious_proxychains_activity.toml * Added deprecation note & name change * Changed deprecation status * Removed deprecation date * Fixed unit testing * Update rules_building_block/command_and_control_linux_ssh_x11_forwarding.toml --------- Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>	2023-08-30 22:12:19 +02:00
Ruben Groenewoud	a1716bd673	[Rule Tuning] Several rule tunings (#3024 ) * [Rule Tuning] Several rule tunings * Added 1 more * optimized ransomware encryption rules * Update rules/linux/impact_potential_linux_ransomware_file_encryption.toml * Update rules/linux/impact_potential_linux_ransomware_note_detected.toml * Added 2 more tunings based on todays telemetry * Some tunings * Tuning * Tuning * fixed user.id comparison * Something went wrong with deprecation * Something went wrong with deprecation * Update rules/linux/impact_potential_linux_ransomware_file_encryption.toml * Update rules/linux/discovery_linux_nping_activity.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/linux/discovery_linux_hping_activity.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Dedeprecated the rule to deprecate later --------- Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>	2023-08-25 14:03:29 +02:00
Ruben Groenewoud	e938ed28a0	[Rule Tuning] added additional event action (#3008 )	2023-08-10 16:59:07 +02:00
Ruben Groenewoud	4cbfd7c4ae	[Rule Tuning] Restricted Shell Breakout (#2999 )	2023-08-04 19:30:18 +02:00
Ruben Groenewoud	e904ebb760	[New Rule] PE via Container Misconfiguration (#2983 ) * [New Rule] PE via Container Misconfiguration * fixed boolean comparison unit test error * Update privilege_escalation_container_util_misconfiguration.toml * Update rules/linux/privilege_escalation_container_util_misconfiguration.toml Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com> --------- Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com> Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>	2023-08-04 16:39:40 +02:00
Ruben Groenewoud	ef49709c7d	[New Rules] Linux Wildcard Injection (#2973 ) * [New Rules] Linux Wildcard Injection * Update rules/linux/privilege_escalation_chown_chmod_unauthorized_file_read.toml Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com> * Update rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com> * Update rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml * Update rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com> * Update rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml --------- Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com> Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>	2023-08-04 16:32:34 +02:00
Ruben Groenewoud	c6eba3e4e6	[New Rule] Suspicious Symbolic Link Created (#2969 ) * [New Rule] Suspicious Symbolic Link Created * Update rules/linux/privilege_escalation_linux_suspicious_symbolic_link.toml Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com> * fixed unit testing issues after suggestion commit --------- Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com> Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>	2023-08-03 23:23:23 +02:00
Ruben Groenewoud	4bcec3397c	[New Rule] Potential Suspicious DebugFS Root Device Access (#2982 ) * [New Rule] Potential DebugFS Privilege Escalation * Changed rule name * Update rules/linux/privilege_escalation_sda_disk_mount_non_root.toml --------- Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>	2023-08-03 16:13:34 +02:00
Ruben Groenewoud	207d94e51c	[New Rule] Potential Sudo Token Manipulation via Process Injection (#2984 ) * [New Rule] Sudo Token Access via Process Injection * [New Rule] Sudo Token Manipulation via Proc Inject * Update rules/linux/privilege_escalation_sudo_token_via_process_injection.toml * Update privilege_escalation_sudo_token_via_process_injection.toml --------- Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>	2023-08-03 15:58:25 +02:00
Ruben Groenewoud	7cc841cc87	[New Rule] PE via UID INT_MAX Bug (#2971 ) * [New Rule] PE via UID INT_MAX Bug * changed file name * Should be more decisive * fix * Update rules/linux/privilege_escalation_linux_uid_int_max_bug.toml Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com> * Update rules/linux/privilege_escalation_linux_uid_int_max_bug.toml Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com> * Update rules/linux/privilege_escalation_linux_uid_int_max_bug.toml Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com> --------- Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com> Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>	2023-08-03 15:51:06 +02:00
Ruben Groenewoud	a7ff449fbc	[Rule Tuning] Some Tunings of several 8.9 rules (#2985 ) * [Rule Tuning] Doing some quick tunings * updated_date bump * Update rules/linux/discovery_linux_modprobe_enumeration.toml * Update rules/linux/discovery_linux_modprobe_enumeration.toml * Update rules/linux/discovery_linux_sysctl_enumeration.toml * Update rules/linux/persistence_init_d_file_creation.toml * Update rules/linux/persistence_rc_script_creation.toml * Update rules/linux/persistence_shared_object_creation.toml * deprecate rule * deprecate rule * Update execution_abnormal_process_id_file_created.toml * Update discovery_kernel_module_enumeration_via_proc.toml * Update discovery_linux_modprobe_enumeration.toml * Update execution_remote_code_execution_via_postgresql.toml * Update discovery_potential_syn_port_scan_detected.toml * Added 2 tunings, sorry I missed those.. * One more tune * Update discovery_suspicious_proc_enumeration.toml	2023-08-03 15:25:33 +02:00
Ruben Groenewoud	03110fb24c	[New Rule] SUID/SGUID Enumeration Detected (#2956 ) * [New Rule] SUID/SGUID Enumeration Detected * Remove endgame compatibility * readded endgame support after troubleshooting * Update discovery_suid_sguid_enumeration.toml * Update rules/linux/discovery_suid_sguid_enumeration.toml Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com> --------- Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>	2023-08-03 09:57:30 +02:00
Ruben Groenewoud	716b621af2	[New Rule] Potential Sudo Hijacking Detected (#2966 ) * [New Rule] Potential Sudo Hijacking Detected * Update privilege_escalation_sudo_hijacking.toml	2023-08-03 09:49:14 +02:00
Ruben Groenewoud	18c2214956	[New Rule] Sudo Command Enumeration Detected (#2946 ) * [New Rule] Sudo Command Enumeration Detected * Update discovery_sudo_allowed_command_enumeration.toml * revert endgame support due to unit testing fail * Update discovery_sudo_allowed_command_enumeration.toml * Update discovery_sudo_allowed_command_enumeration.toml * Update rules/linux/discovery_sudo_allowed_command_enumeration.toml Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com> * Update rules/linux/discovery_sudo_allowed_command_enumeration.toml Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com> --------- Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>	2023-08-03 09:39:16 +02:00
Ruben Groenewoud	b8bb2da932	[New Rule] Potential Privilege Escalation via OverlayFS (#2974 ) * [New Rule] Privilege Escalation via OverlayFS * Layout change * Revert "[New Rule] Privilege Escalation via OverlayFS" This reverts commit f3262d179bc5f54ae5380ffa50d67041fb141c26. * Made rule broader * Update privilege_escalation_overlayfs_local_privesc.toml * Update rules/linux/privilege_escalation_overlayfs_local_privesc.toml Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com> * Update rules/linux/privilege_escalation_overlayfs_local_privesc.toml Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com> * Update rules/linux/privilege_escalation_overlayfs_local_privesc.toml Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com> * Update rules/linux/privilege_escalation_overlayfs_local_privesc.toml Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com> * Update rules/linux/privilege_escalation_overlayfs_local_privesc.toml * Update user.id to strings --------- Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>	2023-07-31 19:15:11 +02:00
Ruben Groenewoud	bbb24704b6	[New Rule] PE through Writable Docker Socket (#2958 ) * [New Rule] PE through Writable Docker Socket * simplified query * Update privilege_escalation_writable_docker_socket.toml * Update privilege_escalation_writable_docker_socket.toml * Update rules/linux/privilege_escalation_writable_docker_socket.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> --------- Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>	2023-07-27 10:01:29 +02:00
Ruben Groenewoud	0666b594c6	[New Rule] Linux Local Account Brute Force (#2965 )	2023-07-27 09:43:53 +02:00
Ruben Groenewoud	b330cf9438	[New Rule] Pspy Process Monitoring Detected (#2945 ) * [New Rule] Pspy Process Monitoring Detected * Update rules/linux/discovery_pspy_process_monitoring_detected.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/linux/discovery_pspy_process_monitoring_detected.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/linux/discovery_pspy_process_monitoring_detected.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> --------- Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>	2023-07-26 15:58:33 +02:00
shashank-elastic	6527eb0500	Rule Tuning File Permission Modification in Writable Directory (#2961 )	2023-07-26 17:47:00 +05:30
Ruben Groenewoud	056db6003e	[Security Content] Added Compatibility note to all IGs (#2943 ) * added investigation guide note * added ig notes * Update rules/linux/persistence_init_d_file_creation.toml Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> * implemented note feedback * Update rules/linux/persistence_init_d_file_creation.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> --------- Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>	2023-07-26 12:54:50 +02:00
Ruben Groenewoud	dbd7ed65a9	[Tuning] Reverse Shell Rules (#2959 ) * [Rule Tuning] Reverse Shell Rule destination.ip tuning * Updated updated_date	2023-07-25 14:55:56 +02:00
Ruben Groenewoud	8de2684498	[Security Content] Add Investigation Guides to Linux DRs 8.9 (#2868 ) * [Investigation Guide] 10 new Linux IG's 8.9 * Added 4 more IG tags * Update rules/linux/persistence_init_d_file_creation.toml Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> * Update rules/linux/persistence_init_d_file_creation.toml Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> * Update rules/linux/persistence_init_d_file_creation.toml Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> * Update rules/linux/persistence_init_d_file_creation.toml Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> * Update rules/linux/persistence_init_d_file_creation.toml Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> * Update rules/linux/persistence_rc_script_creation.toml Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> * Update rules/linux/persistence_rc_script_creation.toml Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> * Update rules/linux/persistence_systemd_scheduled_timer_created.toml Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> * Update rules/linux/persistence_systemd_scheduled_timer_created.toml Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> * Update rules/linux/persistence_systemd_scheduled_timer_created.toml Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> * Update rules/linux/persistence_init_d_file_creation.toml Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> * Update rules/linux/persistence_linux_backdoor_user_creation.toml Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> * Update rules/linux/persistence_linux_backdoor_user_creation.toml Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> * Update rules/linux/persistence_linux_backdoor_user_creation.toml Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> * Update rules/linux/persistence_linux_shell_activity_via_web_server.toml Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> * Update rules/linux/persistence_linux_user_account_creation.toml Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> * Update rules/linux/persistence_linux_user_added_to_privileged_group.toml Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> * Update rules/linux/persistence_message_of_the_day_creation.toml Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> * Update rules/linux/persistence_message_of_the_day_creation.toml Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> * Update rules/linux/persistence_message_of_the_day_creation.toml Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> * Update rules/linux/persistence_message_of_the_day_execution.toml Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> * Update rules/linux/persistence_message_of_the_day_execution.toml Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> * Update rules/linux/persistence_rc_script_creation.toml Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> * Update rules/linux/persistence_rc_script_creation.toml Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> * Update rules/linux/persistence_rc_script_creation.toml Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> * Update rules/linux/persistence_message_of_the_day_execution.toml * Update rules/linux/persistence_init_d_file_creation.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/linux/persistence_init_d_file_creation.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/linux/persistence_linux_shell_activity_via_web_server.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/linux/persistence_rc_script_creation.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/linux/persistence_systemd_scheduled_timer_created.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/linux/persistence_systemd_scheduled_timer_created.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * implemented feedback --------- Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com> Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>	2023-07-19 17:13:24 +02:00
shashank-elastic	3ed8c56942	DR Linux Rule Tuning 8.9 (#2859 ) Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>	2023-07-10 20:02:42 +05:30
Ruben Groenewoud	e5d6d6e4a7	[New Rule] sus cmds executed by unknown executable (#2858 ) * [New Rule] sus cmds executed by unknown executable * added an event.action filter * Added endgame support, fixed stack version comment * Update execution_suspicious_executable_running_system_commands.toml * Update rules/linux/execution_suspicious_executable_running_system_commands.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update execution_suspicious_executable_running_system_commands.toml --------- Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>	2023-07-06 17:32:56 +02:00
Ruben Groenewoud	4e0b7427b7	[New Rules] ftp/rdp bruteforce (#2910 ) * [New Rules] ftp/rdp bruteforce * Update credential_access_potential_successful_linux_ftp_bruteforce.toml * Update credential_access_potential_successful_linux_rdp_bruteforce.toml * Update non-ecs-schema.json * Update rules/linux/credential_access_potential_successful_linux_ftp_bruteforce.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/linux/credential_access_potential_successful_linux_ftp_bruteforce.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/linux/credential_access_potential_successful_linux_rdp_bruteforce.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/linux/credential_access_potential_successful_linux_rdp_bruteforce.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> --------- Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>	2023-07-06 17:16:01 +02:00
Ruben Groenewoud	d5dee5a6c8	[New Rules] sysctl and modprobe enumeration (#2844 ) * [New Rules] sysctl and modprobe enumeration * Update discovery_linux_modprobe_enumeration.toml * Update discovery_linux_sysctl_enumeration.toml * reverted manifest/schema update * updated tags * Update discovery_linux_modprobe_enumeration.toml	2023-07-06 16:46:54 +02:00
Ruben Groenewoud	64b3fa8d1d	[New Rule] Kernel Load/Unload via Kexec Detected (#2846 ) * [New Rule] Kernel Load/Unload via Kexec * Added additional references * changed rule name * changed the query to be more precise * Update rules/linux/privilege_escalation_load_and_unload_of_kernel_via_kexec.toml Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> * changed description based on feedback * Update rules/linux/privilege_escalation_load_and_unload_of_kernel_via_kexec.toml Co-authored-by: eric-forte-elastic <119343520+eric-forte-elastic@users.noreply.github.com> * Update privilege_escalation_load_and_unload_of_kernel_via_kexec.toml --------- Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> Co-authored-by: eric-forte-elastic <119343520+eric-forte-elastic@users.noreply.github.com>	2023-07-06 16:03:27 +02:00
Ruben Groenewoud	646c316b66	[New Rules] Linux Reverse Shells (#2905 ) * [New Rules] Linux Reverse Shells * [New Rules] Linux Reverse Shells * Update rules/linux/execution_shell_via_udp_cli_utility_linux.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/linux/execution_shell_via_java_revshell_linux.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/linux/execution_shell_via_java_revshell_linux.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/linux/execution_shell_via_java_revshell_linux.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/linux/execution_shell_suspicious_parent_child_revshell_linux.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/linux/execution_shell_via_udp_cli_utility_linux.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/linux/execution_shell_via_udp_cli_utility_linux.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/linux/execution_shell_via_reverse_tcp_utility_linux.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/linux/execution_shell_via_reverse_tcp_utility_linux.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/linux/execution_shell_suspicious_parent_child_revshell_linux.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/linux/execution_shell_suspicious_parent_child_revshell_linux.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Delete UDP rule to add in separate PR * Update rules/linux/execution_shell_via_lolbin_interpreter_linux.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/linux/execution_shell_via_tcp_cli_utility_linux.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/linux/execution_shell_via_reverse_tcp_utility_linux.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/linux/execution_shell_via_tcp_cli_utility_linux.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/linux/execution_shell_via_tcp_cli_utility_linux.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Deleted one rule and tuned the others * Improved the rules' performance * Added the reverse_tcp rule back after tuning * Update execution_shell_via_lolbin_interpreter_linux.toml --------- Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>	2023-07-06 15:27:57 +02:00
Ruben Groenewoud	78055bbeee	[New Rule] Suspicious Proc Enumeration (#2845 ) * [New Rule] Suspicious Proc Enumeration * Update rules/linux/discovery_suspicious_proc_enumeration.toml Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> * Update rules/linux/discovery_suspicious_proc_enumeration.toml Co-authored-by: eric-forte-elastic <119343520+eric-forte-elastic@users.noreply.github.com> * fix tags --------- Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> Co-authored-by: eric-forte-elastic <119343520+eric-forte-elastic@users.noreply.github.com>	2023-07-04 11:34:56 +02:00
Ruben Groenewoud	7a1f376a34	[New Rules] Conversion of deprecated ERs over to DRs (#2877 ) * [Conversion] Data Encrypted via OpenSSL * [Conversion] sus funzip extraction/decompression * [Conversion] LD_PRELOAD env var process injection * fix unit testing failure * suspecting endgame incompatibility * fixed typo * added LD_LIBRARY_PATH * Update defense_evasion_ld_preload_env_variable_process_injection.toml * Update defense_evasion_ld_preload_env_variable_process_injection.toml * Added exclusions for FPs * Update rules/linux/defense_evasion_ld_preload_env_variable_process_injection.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/linux/impact_data_encrypted_via_openssl.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> --------- Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>	2023-07-02 10:39:44 +02:00

1 2 3 4 5

215 Commits