shashank-elastic
19d9a7eb87
Rule tuning as part of Linux Detection Rules Review (#2210)
2022-08-02 17:46:57 +05:30
shashank-elastic
b2b5c170dd
Rule(s) to identify potential mining activities (#2185)
2022-07-29 23:00:18 +05:30
shashank-elastic
8afded11e7
Rule tuning as part of Linux Detection Rules Review (#2170)
2022-07-29 21:55:49 +05:30
shashank-elastic
e9267e544c
Rule(s) deprecation as part of Linux Detection Rule Review (#2163)
2022-07-26 18:48:25 +05:30
Colson Wilhoit
c222d4528d
[New Rule] File made Immutable by Chattr (#2161)
* [New Rule] File made Immutable by Chattr
* Update rules/linux/defense_evasion_chattr_immutable_file.toml
2022-07-25 13:11:45 -05:00
Colson Wilhoit
146f59f4bd
[New Rule] Chkconfig Service Add (#2159)
* [New Rule] Chkconfig Service Add
* Update rules/linux/persistence_chkconfig_service_add.toml
2022-07-25 11:43:03 -05:00
Colson Wilhoit
1746897359
[New Rule] Suspicious Etc File Creation (#2160)
* [New Rule] Suspicious Etc File Creation
* Update rules/linux/persistence_etc_file_creation.toml
* Update MITRE syntax
* Update rules/linux/persistence_etc_file_creation.toml
* Update rules/linux/persistence_etc_file_creation.toml
* Update rules/linux/persistence_etc_file_creation.toml
2022-07-25 08:48:19 -05:00
Terrance DeJesus
e8c39d19a7
[Rule Tuning] Missing MITRE ATT&CK Mappings (#2073)
* initial commit with eggshell mitre mapping added
* adding updated rules
* [Rule Tuning] MITRE for GCP rules
I've added Mitre references for the 4 GCP rules missing. Changed 3 of the rules from "Impact" to "Defense Evasion" based on the technique used and its matched tactic.
* [Rule Tuning] Endgame Rule name updates for Mitre
Updated Endgame rule names for those with Mitre tactics to match the tactics.
* Update rules/integrations/aws/persistence_redshift_instance_creation.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
* Update rules/integrations/aws/exfiltration_rds_snapshot_restored.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
* adding 10 updated rules for google_workspace, ml and o365
* adding 22 rule updates for mitre att&ck mappings
* adding 24 rule updates related mainly to ML rules
* adding 3 rules related to detection via ML
* adding adjustments
* adding adjustments with solutions to recent pytest errors
* removed tabs from tags
* adjusted mappings and added techniques
* adjusted endgame rule mappings per review
* adjusted names to match different tactics
* added execution and defense evasion tag
* adjustments to address errors from merging with main
* added newlines to rules missing them at the end of the file
Co-authored-by: imays11 <59296946+imays11@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
2022-07-22 14:30:34 -04:00
Colson Wilhoit
98d93bc21e
[New Rule] Hidden so file (#2131)
* [New Rule] Hidden Shared Object File
* [Rule Tuning] Hidden File from Tmp
* Update updated_date
* Update rules/linux/defense_evasion_hidden_shared_object.toml
* Update rules/linux/defense_evasion_hidden_shared_object.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update rules/linux/defense_evasion_hidden_shared_object.toml
* Update rules/linux/defense_evasion_hidden_shared_object.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2022-07-22 11:37:47 -05:00
Mika Ayenson
a52751494e
2058 add setup field to metadata (#2061)
* Convert config header to setup in note field
* Parse note field into separate setup and note field with marko gfm
* only validate and parse note on elastic authored rules and add CLI description for new DR_BYPASS_NOTE_VALIDATION_AND_PARSE environment variable
Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com>
2022-07-18 15:41:32 -04:00
Colson Wilhoit
9995558b2a
[New Rule] Dynamic Linker Copy (#2099)
* [New Rule] Dynamic Linker Copy
* Update rules/linux/persistence_dynamic_linker_backup.toml
* Update rules/linux/persistence_dynamic_linker_backup.toml
* Update rules/linux/persistence_dynamic_linker_backup.toml
2022-07-13 10:17:46 -05:00
Colson Wilhoit
58ad0823ca
[New Rule] Tc BPF Filter (#2091)
* tc bpf filter
* Update rules/linux/execution_tc_bpf_filter.toml
2022-07-13 09:41:46 -05:00
Colson Wilhoit
d7d0466344
[New Rule] Insmod kernel module load (#2093)
* insmod kernel module load
* Update rules/linux/persistence_insmod_kernel_module_load.toml
* Update rules/linux/persistence_insmod_kernel_module_load.toml
2022-07-13 09:22:21 -05:00
shashank-elastic
2ee23bd80f
[Rule tuning] existing strace activity rule. (#2028)
* Update description and MITRE Attack details
2022-06-16 17:18:48 +05:30
shashank-elastic
f02325fe2f
[Rule Tuning] Add MITRE Details to existing hping activity rule. (#2012)
* Add MITRE Details to existing hping activity rule.
2022-06-02 10:36:23 +05:30
shashank-elastic
98a85ddcee
Linux binary(s) ftp shell evasion threat (#2007)
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2022-06-01 22:07:52 +05:30
shashank-elastic
fd7a6d63b0
[Rule tuning] Linux binary(s) shell evasion threat
* Linux binary(s) git shell evasion threat
2022-05-25 19:21:08 +05:30
shashank-elastic
51b2d9da4b
[Rule tuning] Linux binary(s) shell evasion threat (#1957)
* Linux binary(s) shell evasion threat
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
2022-05-25 08:32:53 +05:30
Justin Ibarra
1840a638c8
[Rule tuning] Unusual Process Execution - Temp (#1968)
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
2022-05-23 11:04:35 -04:00
Mika Ayenson
77966473d1
[Rule tuning] add support for osx, zsh, and expand tampering techniques (#1974)
* add support for osx, zsh, and expand tampering techniques
* migrate to cross-platform and add macOS tag
2022-05-20 11:10:56 -04:00
Colson Wilhoit
d12f45c6ba
[Rule Tuning] Update Rule Name: Suspicious Network Connection Attempt Sequence by Root (#1983)
* [Rule Tuning] Update Rule Name
* Update rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml
2022-05-17 17:41:05 -05:00
Terrance DeJesus
c89f423961
[New Rule] Suspicious Outbound Network Connect Sequence by Root (#1975)
* adding initial rule
* adjusted UUID
* removed event.ingested as query is a sequence
* changed file name to match mitre ATT&CK tactic
* Update rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml
* Update rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml
* Update rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml
* Update rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml
* Update rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml
* Update rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml
* TOML linted
* Update command_and_control_connection_attempt_by_non_ssh_root_session.toml
Just edited a couple grammar things. Looks good
* Update rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml
* Update rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml
* Update rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml
* added additional tactic for privilege escalation and linted
* formatted query to be more readable
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2022-05-16 16:22:33 -05:00
Terrance DeJesus
1704924f7b
[New Rule] Abnormal Process ID File Creation (#1964)
* adding rule detection
* changed Rule ID
* Update rules/linux/execution_abnormal_process_id_file_created.toml
Adding reboot extension as well.
Reference: https://exatrack.com/public/Tricephalic_Hellkeeper.pdf
* Update rules/linux/execution_abnormal_process_id_file_created.toml
Adding reboot to description.
Reference: https://exatrack.com/public/Tricephalic_Hellkeeper.pdf
* Update rules/linux/execution_abnormal_process_id_file_created.toml
Added additional reference to similar threat.
* Update rules/linux/execution_abnormal_process_id_file_created.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/linux/execution_abnormal_process_id_file_created.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* added rule for a process starting where the executable's name represented a PID file
* Adjusted user.id value from integer to string
* Added simple investigation notes and osquery coverage
* TOML linting
* Updated date to reflect recent changes
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2022-05-12 10:38:27 -04:00
Terrance DeJesus
5f447a63a2
[New Rule] Executable Launched from Shared Memory Directory (#1961)
* new rule to check for executables launched from shared memory directory
* added references and false positive instances
* Update rules/linux/execution_shared_memory_executable.toml
* Update rules/linux/execution_shared_memory_executable.toml
* Update rules/linux/execution_shared_memory_executable.toml
* adjusted process to account for var run and lock directories
* TOML lint and query formatting
* TOML lint and query formatting
* Update rules/linux/execution_process_started_in_shared_memory_directory.toml
* Update rules/linux/execution_process_started_in_shared_memory_directory.toml
* Update rules/linux/execution_process_started_in_shared_memory_directory.toml
* Update rules/linux/execution_process_started_in_shared_memory_directory.toml
* added BPFDoor tag to be threat specific
* TOML linting and adjusted risk because of root requirement
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2022-05-11 12:18:55 -04:00
Terrance DeJesus
e9f5585a9f
[Rule Tuning] Update Rule Content Changes from Security Docs Team (#1945)
* updated content to reflect changes from Security Docs team
* Update rules/linux/execution_flock_binary.toml
* Update rules/linux/execution_expect_binary.toml
* TOML linting
* added escape for crdential_access_spn_attribute_modified.toml
2022-05-06 13:21:12 -04:00
Justin Ibarra
6bdfddac8e
Expand timestamp override tests (#1907)
* Expand timestamp_override tests
* removed timestamp_override from eql sequence rules
* add config entry for eql rules with beats index and t_o
* add timestamp_override to missing fields
2022-04-01 15:27:08 -08:00
Terrance DeJesus
93edc44284
[Rule Tuning] Timeline Templates For Windows and Linux (#1892)
* added comprehensive file timeline to Hosts File Modified rule
* added Comprehensive Process Timeline to Interactive Terminal Spawned via Python rule
* updated rules to have generic instead of comprehensive
* updated several rules with timeline ID and timeline title values
* changed updated_date for threat intel fleet integrations
* added missing templates to timeline_templates dict in definitions.py
* added comprehensive timeline templates to alerts after definitions.py was updated
* updated rules with comprehensive timeline templates and added min stack comments and versions
* removing timeline template changes which is tracked in #1904
* Update rules/linux/execution_python_tty_shell.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Delete Pipfile
Removing pipfile
* Delete Pipfile.lock
deleting pipfile.lock
* Update rules/windows/execution_command_shell_started_by_svchost.toml
updating title
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2022-04-01 13:44:35 -04:00
Justin Ibarra
8d09bca633
Re-add c89 rules (#1900)
2022-03-29 15:01:48 -08:00
Justin Ibarra
507a23ba01
temp remove rule to readd with backport (#1898)
2022-03-29 14:52:04 -08:00
Colson Wilhoit
bcec8a4479
Linux Shell Evasion Rule Tuning (#1878)
* Linux Shell Evasion Rule Tuning
* Update execution_python_tty_shell.toml
* Update rules/linux/execution_apt_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/linux/execution_apt_binary.toml
* Update rules/linux/execution_awk_binary_shell.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/linux/execution_awk_binary_shell.toml
* Update rules/linux/execution_c89_c99_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/linux/execution_c89_c99_binary.toml
* Update rules/linux/execution_cpulimit_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/linux/execution_cpulimit_binary.toml
* Update rules/linux/execution_expect_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/linux/execution_expect_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/linux/execution_expect_binary.toml
* Update rules/linux/execution_find_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/linux/execution_find_binary.toml
* Update rules/linux/execution_gcc_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/linux/execution_gcc_binary.toml
* Update rules/linux/execution_mysql_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/linux/execution_mysql_binary.toml
* Update rules/linux/execution_nice_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/linux/execution_nice_binary.toml
* Update rules/linux/execution_ssh_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/linux/execution_ssh_binary.toml
* Update execution_perl_tty_shell.toml
* Update execution_python_tty_shell.toml
* Update rules/linux/execution_apt_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/linux/execution_awk_binary_shell.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/linux/execution_c89_c99_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/linux/execution_cpulimit_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/linux/execution_expect_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/linux/execution_find_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/linux/execution_gcc_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/linux/execution_mysql_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/linux/execution_nice_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/linux/execution_ssh_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2022-03-29 09:16:21 -05:00
shashank-elastic
fb40a4a8c7
Description updation across multiple rules (#1893)
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2022-03-28 22:54:37 +05:30
shashank-elastic
3474f8c8e4
flock shell evasion threat (#1863)
* flock shell evasion threat
* Update rules/linux/execution_flock_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/linux/execution_flock_binary.toml
* Update rules/linux/execution_flock_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2022-03-24 15:52:18 -05:00
shashank-elastic
152477904f
vim shell evasion threat (#1865)
* vim shell evasion threat
* Update rules/linux/execution_vi_binary.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update rules/linux/execution_vi_binary.toml
* Update rules/linux/execution_vi_binary.toml
* Update rules/linux/execution_vi_binary.toml
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2022-03-24 15:37:20 -05:00
shashank-elastic
22367d3702
crash shell evasion threat (#1861)
2022-03-22 18:46:05 +05:30
shashank-elastic
2ab5a1f44a
[New Rule] cpulimit shell evasion threat (#1851)
* cpulimit shell evasion threat
* Update rules/linux/execution_cpulimit_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/linux/execution_cpulimit_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2022-03-21 12:16:53 -05:00
shashank-elastic
7feebc2c10
Updation of Mitre Tactic and Threats (#1850)
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2022-03-18 15:06:24 +05:30
shashank-elastic
b492258fb0
[New Rule] busybox shell evasion threat (#1842)
* busybox shell evasion threat
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2022-03-17 09:54:46 +05:30
shashank-elastic
f7735df1d5
[New Rule] c89/c99 shell evasion threat (#1840)
* c89/c99 shell evasion threat
2022-03-16 23:06:34 +05:30
shashank-elastic
c05f3c8aa3
gcc shell evasion threat (#1824)
2022-03-10 22:41:31 +05:30
shashank-elastic
b49cce9fcb
ssh shell evasion threat (#1827)
2022-03-10 22:39:05 +05:30
shashank-elastic
ddbc1de45c
mysql shell evasion threat (#1823)
2022-03-10 22:36:35 +05:30
shashank-elastic
334aa12aaf
expect shell evasion threat (#1817)
* expect shell evasion threat
* expect shell evasion threat
* Update rules/linux/defense_evasion_expect_binary.toml
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2022-03-07 14:22:56 -06:00
shashank-elastic
2b6a357a4b
nice shell evasion threat (#1820)
* nice shell evasion threat
* Update rules/linux/defense_evasion_nice_binary.toml
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2022-03-07 13:59:16 -06:00
shashank-elastic
f9503f2096
[Rule Tuning] Rule description updates (#1811)
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2022-03-07 19:33:11 +05:30
shashank-elastic
2a82f18e43
[New Rule] Linux Restricted Shell Breakout via the Vi command (#1809)
* new:rule:issue-1808 vi shell evasion threat
* Update rules/linux/defense_evasion_vi_binary.toml
* Update rules/linux/defense_evasion_vi_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* new:rule:issue-1808 vi shell evasion threat
* new:rule:issue-1808 vi shell evasion threat
* new:rule:issue-1808 vi shell evasion threat
* Update rules/linux/defense_evasion_vi_binary.toml
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2022-03-04 13:46:19 -06:00
shashank-elastic
283cbca702
find shell evasion threat (#1801)
* new:rule:issue-1800 Adding new rule for find shell evasion
* new:rule:issue-1800 Adding new rule for find shell evasion
* new:rule:issue-1800 Adding new rule for find shell evasion
* Update rules/linux/privilege_escalation_find_binary.toml
* Update rules/linux/privilege_escalation_find_binary.toml
* new:rule:issue-1800 Adding MITRE Attack Techniques
* Update rules/linux/privilege_escalation_find_binary.toml
* Update rules/linux/privilege_escalation_find_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/linux/privilege_escalation_find_binary.toml
* Update rules/linux/privilege_escalation_find_binary.toml
* Update rules/linux/privilege_escalation_find_binary.toml
* Update rules/linux/privilege_escalation_find_binary.toml
* new:rule:issue-1800 Review Comments
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2022-03-02 22:00:29 +05:30
shashank-elastic
c9dd047966
apt binary shell evasion threat (#1792)
* new:rule:issue-1782 Adding a new Rule for apt binary shell evasion threat
* new:rule:issue-1782 Review Comments
* Update rules/linux/apt_binary_shell_evasion.toml
* new:rule:issue-1782 Adding MITRE Attack Techniques
* new:rule:issue-1782 Adding MITRE Attack Techniques
* new:rule:issue-1782 Adding MITRE Attack Techniques
* new:rule:issue-1782 Adding MITRE Attack Techniques
* new:rule:issue-1782 Adding MITRE Attack Techniques
* Update rules/linux/privilege_escalation_apt_binary.toml
* Update rules/linux/privilege_escalation_apt_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/linux/privilege_escalation_apt_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/linux/privilege_escalation_apt_binary.toml
* Update rules/linux/privilege_escalation_apt_binary.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update rules/linux/privilege_escalation_apt_binary.toml
* Update rules/linux/privilege_escalation_apt_binary.toml
* Update rules/linux/privilege_escalation_apt_binary.toml
* Update rules/linux/privilege_escalation_apt_binary.toml
* Update rules/linux/privilege_escalation_apt_binary.toml
* new:rule:issue-1782 Review Comments
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2022-03-02 21:57:40 +05:30
shashank-elastic
e004a2f4a5
awk binary shell evasion threat (#1794)
* new:rule:issue-1785 Adding a new Rule for awk binary shell evasion threat
* Update rules/linux/awk_binary_shell_evasion.toml
* Update rules/linux/awk_binary_shell_evasion.toml
* new:rule:issue-1785 Adding MITRE Attack Techniques
* new:rule:issue-1785 Adding MITRE Attack Techniques
* new:rule:issue-1785 Adding MITRE Attack Techniques
* Update rules/linux/privilege_escalation_awk_binary_shell.toml
* Update rules/linux/privilege_escalation_awk_binary_shell.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/linux/privilege_escalation_awk_binary_shell.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update rules/linux/privilege_escalation_awk_binary_shell.toml
* Update rules/linux/privilege_escalation_awk_binary_shell.toml
* Update rules/linux/privilege_escalation_awk_binary_shell.toml
* Update rules/linux/privilege_escalation_awk_binary_shell.toml
* Update rules/linux/privilege_escalation_awk_binary_shell.toml
* new:rule:issue-1785 Review Comments
* new:rule:issue-1785 Review Comments
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2022-03-02 21:53:49 +05:30
shashank-elastic
758784d4d5
env binary shell evasion threat (#1793)
* new:rule:issue-1786 Adding a new Rule for env binary shell evasion threat
* new:rule:issue-1786 Adding a new Rule for env binary shell evasion threat
* Update rules/linux/env_binary_shell_evasion.toml
* Update rules/linux/env_binary_shell_evasion.toml
* new:rule:issue-1786 Adding MITRE Attack Techniques
* new:rule:issue-1786 Adding MITRE Attack Techniques
* new:rule:issue-1786 Adding MITRE Attack Techniques
* new:rule:issue-1786 Adding MITRE Attack Techniques
* new:rule:issue-1786 Adding MITRE Attack Techniques
* Update rules/linux/privilege_escalation_env_binary.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update rules/linux/privilege_escalation_env_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/linux/privilege_escalation_env_binary.toml
* Update rules/linux/privilege_escalation_env_binary.toml
* new:rule:issue-1786 Review Comments
* Update rules/linux/defense_evasion_env_binary.toml
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2022-03-02 21:47:01 +05:30
Jonhnathan
1c50f35aed
[Security Content] Update rules based on docs review (#1803)
* Adds suggestions from security-docs
* Update rules/windows/lateral_movement_powershell_remoting_target.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
2022-03-01 21:39:30 -03:00