5c5d1b214b
Setup information for Linux Rules - Set8 ( #3200 )
2023-10-30 20:58:40 +05:30
618a1dbe06
[New Rule] Attempt to Clear Kernel Ring Buffer ( #3217 )
...
* [New Rule] Attempt to Clear Kernel Ring Buffer
* Update defense_evasion_clear_kernel_ring_buffer.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2023-10-30 09:37:11 +01:00
1ac3775743
[New Rule] Network Activity Detected via kworker ( #3202 )
...
* [New Rule] Potential curl CVE-2023-38545 Exploitation
* Revert "[New Rule] Potential curl CVE-2023-38545 Exploitation"
This reverts commit 9c04d1b53d3d63678289f43ec0c7b617d26f1ce0.
* [New Rule] Network Activity Detected via kworker
* White space
* Update rules/linux/command_and_control_linux_kworker_netcon.toml
* Update rules/linux/command_and_control_linux_kworker_netcon.toml
* Update rules/linux/command_and_control_linux_kworker_netcon.toml
* Update command_and_control_linux_kworker_netcon.toml
* Update rules/linux/command_and_control_linux_kworker_netcon.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/linux/command_and_control_linux_kworker_netcon.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update command_and_control_linux_kworker_netcon.toml
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2023-10-25 15:24:55 +02:00
3855dd06d8
[New Rule] Potential Linux Hack Tool Launched ( #3125 )
...
* [New Rule] Potential Linux Hack Tool Launched
* changed description slightly
* Updated description
* Update rules/linux/execution_potential_hack_tool_executed.toml
* Update rules/linux/execution_potential_hack_tool_executed.toml
2023-10-23 21:35:43 +02:00
ff268cc6a0
[New Rule] Netcat Listener Established via rlwrap ( #3124 )
...
* [New Rule] Netcat Listener Established via rlwrap
* Update rules/linux/execution_nc_listener_via_rlwrap.toml
2023-10-23 17:31:26 +02:00
020fff3aea
[Rule Tuning] Linux Rules ( #3092 )
...
* [Rule Tuning] [WIP] Linux DR
* Update defense_evasion_binary_copied_to_suspicious_directory.toml
* Fixed tag
* Added additional tuning
* unit test fix
* Additional tuning
* tuning
* added max signals
* Added max_signals=1 to brute force rules
* Cross-Platform Tuning
* Small fix
* new_terms conversion
* typo
* new_terms conversion
* Ransomware rule tuning
* performance tuning
* new_terms conversion for auditd_manager
* tune
* Need coffee
* kql/eql stuff
* formatting improvement
* new_terms sudo hijacking conversion
* exclusion
* Deprecations that were added last tuning
* Deprecations that were added last tuning
* Increased max timespan for brute force rules
* version bump
* added domain tag
* Two tunings
* More tuning
* Additional tuning
* updated_date bump
* query optimization
* Tuning
* Readded the exclusions for this one
* Changed int comparison
* Some tunings
* Update persistence_systemd_scheduled_timer_created.toml
* Update rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
* [New Rule] Potential curl CVE-2023-38545 Exploitation
* Revert "[New Rule] Potential curl CVE-2023-38545 Exploitation"
This reverts commit 9c04d1b53d3d63678289f43ec0c7b617d26f1ce0.
* Update rules/cross-platform/command_and_control_non_standard_ssh_port.toml
* Update rules/linux/command_and_control_cat_network_activity.toml
* Update persistence_message_of_the_day_execution.toml
* Changed max_signals
* Revert "Merge branch 'main' into rule-tuning-ongoing-dr"
This reverts commit 1106b5d2eba1a3529eff325226d6baabfd4b0bf3, reversing
changes made to 5ff510757f25b0cb32e1ef18e9e2c34c8ec325a8.
* Revertable merge
* Update defense_evasion_ld_preload_env_variable_process_injection.toml
* File name change
---------
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2023-10-23 16:28:58 +02:00
7254c582c5
Move Setup information into setup filed ( #3206 )
2023-10-23 19:28:18 +05:30
9f41c9f35c
[New Rule] Upgrade of Non-interactive Shell ( #3113 )
...
* [New Rule] Upgrade of Non-interactive Shell
* Changed numbers to int
* Changed severity
* [New Rule] Pot. Rev Shell via Background Process
* Revert "[New Rule] Pot. Rev Shell via Background Process"
This reverts commit bbb36eae26561dbef4bf57f6c1388cebe7a8b88d.
* Update rules/linux/execution_interpreter_tty_upgrade.toml
2023-10-18 16:47:07 +02:00
6ea11cd9ad
[New Rules] cap_setuid/cap_setgid privesc ( #3075 )
...
* [New Rules] cap_setuid/cap_setgid privesc
* Update persistence_setuid_setgid_capability_set.toml
* Update rules/linux/privilege_escalation_suspicious_cap_setuid_python_execution.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update privilege_escalation_suspicious_cap_setuid_python_execution.toml
* Update rules/linux/privilege_escalation_suspicious_cap_setuid_python_execution.toml
* Update privilege_escalation_suspicious_cap_setuid_python_execution.toml
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2023-10-18 16:24:01 +02:00
4190c3a6a7
[New Rule] Potential SSH-IT SSH Worm Downloaded ( #3121 )
...
* [New Rule]
* Fixed grammar mistake
* Update rules/linux/lateral_movement_ssh_it_worm_download.toml
* Update rules/linux/lateral_movement_ssh_it_worm_download.toml
2023-10-18 16:08:25 +02:00
7d674db11e
[New Rule] Pot. Network Scan Executed from Host ( #3070 )
2023-10-18 15:46:31 +02:00
276c0f9cd3
Setup information for Linux Rules - Set7 ( #3190 )
2023-10-17 19:45:01 +05:30
5a98208b53
Setup information for Linux Rules - Set6 ( #3189 )
2023-10-17 19:33:07 +05:30
2a48db0598
Setup information for Linux Rules - Set5 ( #3188 )
2023-10-17 19:11:20 +05:30
25b527c149
Setup information for Linux Rules - Set4 ( #3179 )
2023-10-17 18:59:31 +05:30
d2c2987d72
Setup information for Linux Rules - Set3 ( #3178 )
2023-10-17 18:37:20 +05:30
1801a4ee7e
Setup information for Linux Rules - Set2 ( #3177 )
2023-10-17 18:25:55 +05:30
15718ea09e
Improve exsisting setup configurations for Linux ( #3141 )
2023-10-13 13:39:03 +05:30
89cfdcd440
[New Rule] Potential curl CVE-2023-38545 Exploitation ( #3168 )
...
* [New Rule] Potential curl CVE-2023-38545 Exploitation
* Added setup guide
* Update execution_curl_CVE_2023_38545.toml
* File name change
* File name change
* Update dates
* Update rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml
* Update rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
* Update rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
* Update rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
* Update rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
2023-10-11 11:42:25 -03:00
a46797b987
[New Rule] Pot. Rev. Shell via Background Process ( #3114 )
2023-10-06 23:14:39 +02:00
c3cc01333a
[Tuning] CVE-2023-4911 ( #3160 )
2023-10-06 13:13:17 +02:00
f4ad1f28e3
[New Rule] PE via CVE-2023-4911 (Looney Tunables) ( #3158 )
...
* [New Rule] PE via CVE-2023-4911 (Looney Tunables)
* Update rules/linux/privilege_escalation_looney_tunables_cve_2023_4911.toml
* Update rules/linux/privilege_escalation_looney_tunables_cve_2023_4911.toml
2023-10-05 16:41:11 +02:00
b291317ea6
[New Rule] Network Activity Detected via cat ( #3069 )
...
* [New Rule] Network Activity via cat
* Update command_and_control_cat_network_activity.toml
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2023-09-18 09:51:20 +02:00
f8f3576971
[New Rule] Potential UDP Reverse Shell ( #2906 )
...
* [New Rule] Potential UDP Reverse Shell Detected
* Title change
* Update execution_shell_via_udp_cli_utility_linux.toml
* Update execution_shell_via_udp_cli_utility_linux.toml
* Update rules/linux/execution_shell_via_udp_cli_utility_linux.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
* updated non-ecs-schema to update unmapped fields
* Update rules/linux/execution_shell_via_udp_cli_utility_linux.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
* Removed netcat, added destination ip list
* Update execution_shell_via_udp_cli_utility_linux.toml
* Added precautionary exclusions
* Update rules/linux/execution_shell_via_udp_cli_utility_linux.toml
* replaced schema files
* Update execution_shell_via_udp_cli_utility_linux.toml
* Update execution_shell_via_udp_cli_utility_linux.toml
* Update execution_shell_via_udp_cli_utility_linux.toml
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2023-09-07 17:13:22 +02:00
15e71ec2e8
[New Rule] Potential Meterpreter Reverse Shell ( #3007 )
...
* [New Rule] Potential Meterpreter Reverse Shell
* Update execution_shell_via_meterpreter_linux.toml
* Update execution_shell_via_meterpreter_linux.toml
* Update rules/linux/execution_shell_via_meterpreter_linux.toml
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
2023-09-07 17:04:06 +02:00
4233fef238
[Security Content] Include "Data Source: Elastic Defend" tag ( #3002 )
...
* win folder
* Other folders
* Update test_all_rules.py
* .
* updated missing elastic defend tags
---------
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co >
2023-09-05 14:22:01 -04:00
6115a68aba
[Rule Tuning] Small Linux DR Tuning ( #3074 )
...
* [Rule tuning] Adressing community issue
* Changed title
* Changed IG title
2023-09-05 14:20:57 +02:00
3c64b454fb
[New Rule] Sus User Privilege Enumeration via id ( #3049 )
2023-08-31 18:13:42 +02:00
f7d8d4752a
[New Rules] GDB Secret Dumping ( #3060 )
...
* [New Rules] GDB Secret Dumping
* Added references to BBR
* Update rules/linux/credential_access_gdb_init_memory_dump.toml
* Update rules_building_block/credential_access_gdb_memory_dump.toml
* Update rules_building_block/credential_access_gdb_memory_dump.toml
* Update rules_building_block/credential_access_gdb_memory_dump.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2023-08-31 17:41:22 +02:00
b6ed215958
[New Rule] File Creation, Exec and Self-Deletion ( #3045 )
...
* [New Rule] File Creation, Exec and Self-Deletion
* Update execution_file_execution_followed_by_deletion.toml
* Update execution_file_execution_followed_by_deletion.toml
* Update execution_file_execution_followed_by_deletion.toml
* Update execution_file_execution_followed_by_deletion.toml
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
2023-08-31 17:32:17 +02:00
3588600d57
[Rule Tuning] 3 tunings to reduce FPs ( #3058 )
...
* [Rule Tuning] 2 tunings to reduce FPs back to 0
* Added one more tune for community issue #3041
* Update rules/linux/execution_abnormal_process_id_file_created.toml
* Update rules/linux/execution_abnormal_process_id_file_created.toml
2023-08-31 17:16:57 +02:00
2eaaf27f1e
[New Rule] Potential Disabling of AppArmor ( #3046 )
...
* [New Rule] Potential Disabling of AppArmor
* Update rules/linux/defense_evasion_disable_apparmor_attempt.toml
* Update rules/linux/defense_evasion_disable_apparmor_attempt.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2023-08-31 17:06:15 +02:00
d838a3352f
[New Rule] Binary Copied and/or Moved to Suspicious Directory ( #3048 )
...
* [New Rule] Binary Copied and/or Moved to sus dir
* Update rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2023-08-31 13:46:41 +02:00
a5b5d513af
[New Rule] Potential Sudo Privilege Escalation via CVE-2019-14287 ( #3057 )
...
* [New Rule] Sudo PE via CVE-2019-14287
* Added Elastic Defend Data Source tag
* Update rules/linux/privilege_escalation_sudo_cve_2019_14287.toml
* Update rules/linux/privilege_escalation_sudo_cve_2019_14287.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2023-08-31 13:11:34 +02:00
a395f54054
[New Rules] sus program compilation activity ( #3043 )
2023-08-31 09:30:56 +02:00
32abdb95f7
[New Rules] Linux Tunneling and Port Forwarding ( #3028 )
...
* Removed iodine rule due to new tunneling rule
* [New Rules] Linux Tunneling and Port Forwarding
* added ash
* Fixed description styling
* Changed rule name
* Update command_and_control_linux_suspicious_proxychains_activity.toml
* Added deprecation note & name change
* Changed deprecation status
* Removed deprecation date
* Fixed unit testing
* Update rules_building_block/command_and_control_linux_ssh_x11_forwarding.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2023-08-30 22:12:19 +02:00
a1716bd673
[Rule Tuning] Several rule tunings ( #3024 )
...
* [Rule Tuning] Several rule tunings
* Added 1 more
* optimized ransomware encryption rules
* Update rules/linux/impact_potential_linux_ransomware_file_encryption.toml
* Update rules/linux/impact_potential_linux_ransomware_note_detected.toml
* Added 2 more tunings based on todays telemetry
* Some tunings
* Tuning
* Tuning
* fixed user.id comparison
* Something went wrong with deprecation
* Something went wrong with deprecation
* Update rules/linux/impact_potential_linux_ransomware_file_encryption.toml
* Update rules/linux/discovery_linux_nping_activity.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/linux/discovery_linux_hping_activity.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Dedeprecated the rule to deprecate later
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2023-08-25 14:03:29 +02:00
e938ed28a0
[Rule Tuning] added additional event action ( #3008 )
2023-08-10 16:59:07 +02:00
4cbfd7c4ae
[Rule Tuning] Restricted Shell Breakout ( #2999 )
2023-08-04 19:30:18 +02:00
e904ebb760
[New Rule] PE via Container Misconfiguration ( #2983 )
...
* [New Rule] PE via Container Misconfiguration
* fixed boolean comparison unit test error
* Update privilege_escalation_container_util_misconfiguration.toml
* Update rules/linux/privilege_escalation_container_util_misconfiguration.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
2023-08-04 16:39:40 +02:00
ef49709c7d
[New Rules] Linux Wildcard Injection ( #2973 )
...
* [New Rules] Linux Wildcard Injection
* Update rules/linux/privilege_escalation_chown_chmod_unauthorized_file_read.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml
* Update rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml
---------
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2023-08-04 16:32:34 +02:00
c6eba3e4e6
[New Rule] Suspicious Symbolic Link Created ( #2969 )
...
* [New Rule] Suspicious Symbolic Link Created
* Update rules/linux/privilege_escalation_linux_suspicious_symbolic_link.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* fixed unit testing issues after suggestion commit
---------
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2023-08-03 23:23:23 +02:00
4bcec3397c
[New Rule] Potential Suspicious DebugFS Root Device Access ( #2982 )
...
* [New Rule] Potential DebugFS Privilege Escalation
* Changed rule name
* Update rules/linux/privilege_escalation_sda_disk_mount_non_root.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2023-08-03 16:13:34 +02:00
207d94e51c
[New Rule] Potential Sudo Token Manipulation via Process Injection ( #2984 )
...
* [New Rule] Sudo Token Access via Process Injection
* [New Rule] Sudo Token Manipulation via Proc Inject
* Update rules/linux/privilege_escalation_sudo_token_via_process_injection.toml
* Update privilege_escalation_sudo_token_via_process_injection.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2023-08-03 15:58:25 +02:00
7cc841cc87
[New Rule] PE via UID INT_MAX Bug ( #2971 )
...
* [New Rule] PE via UID INT_MAX Bug
* changed file name
* Should be more decisive
* fix
* Update rules/linux/privilege_escalation_linux_uid_int_max_bug.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update rules/linux/privilege_escalation_linux_uid_int_max_bug.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update rules/linux/privilege_escalation_linux_uid_int_max_bug.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
---------
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2023-08-03 15:51:06 +02:00
a7ff449fbc
[Rule Tuning] Some Tunings of several 8.9 rules ( #2985 )
...
* [Rule Tuning] Doing some quick tunings
* updated_date bump
* Update rules/linux/discovery_linux_modprobe_enumeration.toml
* Update rules/linux/discovery_linux_modprobe_enumeration.toml
* Update rules/linux/discovery_linux_sysctl_enumeration.toml
* Update rules/linux/persistence_init_d_file_creation.toml
* Update rules/linux/persistence_rc_script_creation.toml
* Update rules/linux/persistence_shared_object_creation.toml
* deprecate rule
* deprecate rule
* Update execution_abnormal_process_id_file_created.toml
* Update discovery_kernel_module_enumeration_via_proc.toml
* Update discovery_linux_modprobe_enumeration.toml
* Update execution_remote_code_execution_via_postgresql.toml
* Update discovery_potential_syn_port_scan_detected.toml
* Added 2 tunings, sorry I missed those..
* One more tune
* Update discovery_suspicious_proc_enumeration.toml
2023-08-03 15:25:33 +02:00
03110fb24c
[New Rule] SUID/SGUID Enumeration Detected ( #2956 )
...
* [New Rule] SUID/SGUID Enumeration Detected
* Remove endgame compatibility
* readded endgame support after troubleshooting
* Update discovery_suid_sguid_enumeration.toml
* Update rules/linux/discovery_suid_sguid_enumeration.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
---------
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
2023-08-03 09:57:30 +02:00
716b621af2
[New Rule] Potential Sudo Hijacking Detected ( #2966 )
...
* [New Rule] Potential Sudo Hijacking Detected
* Update privilege_escalation_sudo_hijacking.toml
2023-08-03 09:49:14 +02:00
18c2214956
[New Rule] Sudo Command Enumeration Detected ( #2946 )
...
* [New Rule] Sudo Command Enumeration Detected
* Update discovery_sudo_allowed_command_enumeration.toml
* revert endgame support due to unit testing fail
* Update discovery_sudo_allowed_command_enumeration.toml
* Update discovery_sudo_allowed_command_enumeration.toml
* Update rules/linux/discovery_sudo_allowed_command_enumeration.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update rules/linux/discovery_sudo_allowed_command_enumeration.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
---------
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
2023-08-03 09:39:16 +02:00
b8bb2da932
[New Rule] Potential Privilege Escalation via OverlayFS ( #2974 )
...
* [New Rule] Privilege Escalation via OverlayFS
* Layout change
* Revert "[New Rule] Privilege Escalation via OverlayFS"
This reverts commit f3262d179bc5f54ae5380ffa50d67041fb141c26.
* Made rule broader
* Update privilege_escalation_overlayfs_local_privesc.toml
* Update rules/linux/privilege_escalation_overlayfs_local_privesc.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update rules/linux/privilege_escalation_overlayfs_local_privesc.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update rules/linux/privilege_escalation_overlayfs_local_privesc.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update rules/linux/privilege_escalation_overlayfs_local_privesc.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update rules/linux/privilege_escalation_overlayfs_local_privesc.toml
* Update user.id to strings
---------
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
2023-07-31 19:15:11 +02:00
shashank-elastic