security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
1,912 Commits 1 Branch 0 Tags
f66da9d35005eac1c8f88bc53614bb3f89018083
Commit Graph

1387 Commits

Author SHA1 Message Date
Terrance DeJesus b19541f0f8 [Rule Tuning] Tuning 'First Time Seen AWS Secret Value Accessed in Secrets Manager' (#3494) 
* tuning 'First Time Seen AWS Secret Value Accessed in Secrets Manager'

* reverting lookback window

* missing word in description

(cherry picked from commit f6e79944f2)
 2024-03-15 23:16:44 +00:00
Jonhnathan 18a34a15ff [Rule Tuning] Guided Onboarding Rule (#3502) 
* [Rule Tuning] Guided Onboarding Rule

* Update guided_onboarding_sample_rule.toml

* Revert "Update guided_onboarding_sample_rule.toml"

This reverts commit 18721277df7416534440a4708fa3b060f2775a27.

* Update guided_onboarding_sample_rule.toml

* Update guided_onboarding_sample_rule.toml

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

(cherry picked from commit c610e19114)
 2024-03-14 14:04:20 +00:00
Ruben Groenewoud 9f234eecc7 [New Rules] mprotect() RWX Binary Execution (#3507) 
* [New Rules] mprotect() RWX Binary Execution

* Added rule names

* Update execution_netcon_from_rwx_mem_region_binary.toml

* Update execution_unknown_rwx_mem_region_binary_executed.toml

* Update execution_unknown_rwx_mem_region_binary_executed.toml

* Update execution_netcon_from_rwx_mem_region_binary.toml

* Update execution_netcon_from_rwx_mem_region_binary.toml

(cherry picked from commit 4179180fcb)
 2024-03-13 21:17:57 +00:00
Jonhnathan b43003c3f1 [Rule Tuning] Improve Compatibility in WIndows Detection Rules - Part 1 (#3501) 
* Initial commit

* Date bump

(cherry picked from commit f5254f3b5e)
 2024-03-13 13:32:43 +00:00
Ruben Groenewoud 578e86eeae [Tuning] event.action and event.type change (#3495) 
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

Removed changes from:
- rules/linux/discovery_process_capabilities.toml
- rules/linux/privilege_escalation_enlightenment_window_manager.toml
- rules/linux/privilege_escalation_gdb_sys_ptrace_elevation.toml
- rules/linux/privilege_escalation_gdb_sys_ptrace_netcon.toml
- rules/linux/privilege_escalation_suspicious_chown_fowner_elevation.toml
- rules/linux/privilege_escalation_suspicious_uid_guid_elevation.toml
- rules_building_block/discovery_capnetraw_capability.toml
- rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

(selectively cherry picked from commit 9f8638a004)
 2024-03-13 09:16:15 +00:00
Jonhnathan b1989a921b [Security Content] Small tweaks on the setup guides (#3308) 
* [Security Content] Small tweaks on the setup guides

* Additional Fixes

* Avoid touching deprecated rules

Removed changes from:
- rules/integrations/beaconing/command_and_control_beaconing.toml
- rules/integrations/beaconing/command_and_control_beaconing_high_confidence.toml
- rules/linux/discovery_process_capabilities.toml
- rules/linux/privilege_escalation_dac_permissions.toml
- rules/linux/privilege_escalation_enlightenment_window_manager.toml
- rules/linux/privilege_escalation_gdb_sys_ptrace_elevation.toml
- rules/linux/privilege_escalation_gdb_sys_ptrace_netcon.toml
- rules/linux/privilege_escalation_suspicious_chown_fowner_elevation.toml
- rules/linux/privilege_escalation_suspicious_uid_guid_elevation.toml
- rules_building_block/discovery_capnetraw_capability.toml
- rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

(selectively cherry picked from commit 458e67918a)
 2024-03-11 12:14:53 +00:00
Jonhnathan 5cec5b7f31 [Rule Tuning] DR Performance-Poor Rules (#3399) 
* [Rule Tuning] DR Performance

* .

* Update rules/cross-platform/lateral_movement_remote_file_creation_in_sensitive_directory.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Update rules/windows/persistence_registry_uncommon.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Update lateral_movement_remote_file_creation_in_sensitive_directory.toml

* Update lateral_movement_remote_file_creation_in_sensitive_directory.toml

* Update persistence_startup_folder_scripts.toml

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

(cherry picked from commit edf4da8526)
 2024-03-11 11:55:35 +00:00
Leandro Maciel 4d071fe48d fix: correct the provider for the create, delete and modify routes in EC2 VPCs (#3500) 
(cherry picked from commit 709cfddcbe)
 2024-03-08 19:07:01 +00:00
Ruben Groenewoud 7c37deafc8 [Tuning] Linux Cross-Platform Tuning - Part 1 (#3468) 
* [Tuning] Linux Cross-Platform Tuning - Part 1

* Update defense_evasion_deletion_of_bash_command_line_history.toml

* Update defense_evasion_deletion_of_bash_command_line_history.toml

* Update defense_evasion_deletion_of_bash_command_line_history.toml

* Update defense_evasion_deletion_of_bash_command_line_history.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>

(cherry picked from commit a438052ff3)
 2024-03-07 17:25:49 +00:00
Ruben Groenewoud 2faa844301 [Tuning] Linux DR Tuning - Part 12 (#3464) 
* [Tuning] Linux DR Tuning - Part 12

* Update persistence_shared_object_creation.toml

* Update privilege_escalation_dac_permissions.toml

* Update privilege_escalation_enlightenment_window_manager.toml

* Update privilege_escalation_enlightenment_window_manager.toml

* Min stack rule-bending test

* formatting fix

* Revert "Merge branch 'linux-dr-tuning-12' of https://github.com/elastic/detection-rules into linux-dr-tuning-12"

This reverts commit 0170cddd905b4b983f8413eebbc11c9c7b3719ce, reversing
changes made to 29d4a747603faf0ac7c2d502786533b0cd93a5d5.

* Revert "Min stack rule-bending test"

This reverts commit 29d4a747603faf0ac7c2d502786533b0cd93a5d5.

* Update privilege_escalation_enlightenment_window_manager.toml

* Update privilege_escalation_chown_chmod_unauthorized_file_read.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>

Removed changes from:
- rules/linux/privilege_escalation_dac_permissions.toml

(selectively cherry picked from commit 9c4ba4559d)
 2024-03-07 17:14:43 +00:00
Ruben Groenewoud e18bf43532 [Tuning] Linux BBR Tuning - Part 1 (#3469) 
* [Tuning] Linux BBR Tuning - Part 1

* [Tuning] Linux BBR Tuning - Part 1

* Update defense_evasion_processes_with_trailing_spaces.toml

* Update defense_evasion_processes_with_trailing_spaces.toml

* One more tuning

* Update collection_linux_suspicious_clipboard_activity.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>

(cherry picked from commit 3fd0358b73)
 2024-03-07 16:24:05 +00:00
Ruben Groenewoud 42dc87f2fb [Tuning] Linux DR Tuning - Part 14 (#3467) 
* [Tuning] Linux DR Tuning - Part 14

* Update privilege_escalation_sudo_cve_2019_14287.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>

(cherry picked from commit ed4a7fc15b)
 2024-03-07 15:50:43 +00:00
Ruben Groenewoud a4af210ce5 [Tuning] Linux DR Tuning - Part 13 (#3465) 
* [Tuning] Linux DR Tuning - Part 13

* updated date bump

* Update privilege_escalation_load_and_unload_of_kernel_via_kexec.toml

* Update privilege_escalation_netcon_via_sudo_binary.toml

* Update privilege_escalation_load_and_unload_of_kernel_via_kexec.toml

* Update rules/linux/privilege_escalation_shadow_file_read.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

(cherry picked from commit 60fda8d756)
 2024-03-07 15:33:19 +00:00
Ruben Groenewoud 3c1ecce6dc [Tuning] Linux DR Tuning - Part 11 (#3463) 
* [Tuning] Linux DR Tuning - Part 11

* Update persistence_message_of_the_day_creation.toml

* Update persistence_message_of_the_day_execution.toml

* Update rules/linux/persistence_message_of_the_day_execution.toml

* Update persistence_linux_user_added_to_privileged_group.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>

(cherry picked from commit ef66c57030)
 2024-03-07 11:25:29 +00:00
Ruben Groenewoud 5506f1bb26 [Tuning] Linux DR Tuning - Part 10 (#3462) 
* [Tuning] Linux DR Tuning - Part 10

* updated_date bump

* Update persistence_kworker_file_creation.toml

* Update persistence_linux_backdoor_user_creation.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>

(cherry picked from commit a76a3755d9)
 2024-03-07 10:49:53 +00:00
Ruben Groenewoud 6d7c604257 [Tuning] Linux DR Tuning - Part 9 (#3461) 
* [Tuning] Linux DR Tuning - Part 9

* Update persistence_credential_access_modify_ssh_binaries.toml

* Update lateral_movement_ssh_it_worm_download.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>

(cherry picked from commit fd84573212)
 2024-03-07 10:38:57 +00:00
Ruben Groenewoud aed3f6a735 [Tuning] Linux DR Tuning - Part 8 (#3460) 
* [Tuning] Linux DR Tuning - Part 8

* Update impact_esxi_process_kill.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>

(cherry picked from commit 08f946b394)
 2024-03-07 10:05:56 +00:00
Ruben Groenewoud 0950594b49 [Tuning] Linux DR Tuning - Part 7 (#3458) 
* [Tuning] Linux DR Tuning - Part 7

* Update execution_potential_hack_tool_executed.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>

(cherry picked from commit c537fb9c22)
 2024-03-07 09:51:37 +00:00
Ruben Groenewoud a0e8e5569d [Tuning] Linux DR Tuning - Part 6 (#3457) 
* [Tuning] Linux DR Tuning - Part 6

* Update discovery_ping_sweep_detected.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>

Removed changes from:
- rules/linux/discovery_process_capabilities.toml

(selectively cherry picked from commit f37a3bfd48)
 2024-03-07 09:13:51 +00:00
Ruben Groenewoud fa13b92aca [Tuning] Linux DR Tuning - Part 5 (#3456) 
* [Tuning] Linux DR Tuning - Part 6

* Update discovery_dynamic_linker_via_od.toml

* Update discovery_esxi_software_via_find.toml

* Update discovery_esxi_software_via_grep.toml

* Update discovery_linux_hping_activity.toml

* Update discovery_linux_nping_activity.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>

(cherry picked from commit ae3f4737ab)
 2024-03-07 08:59:03 +00:00
Ruben Groenewoud 1136d2f3c7 [Tuning] Auditbeat event.action Compatibility (#3471) 
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>

(cherry picked from commit 83abf8d42c)
 2024-03-06 14:33:41 +00:00
Ruben Groenewoud 2bd89801ee [BBR Promotion] Linux BBR --> DR Promotion (#3472) 
* [BBR Promotion] Linux BBR --> DR Promotion

* [BBR Promotion] Linux BBR --> DR Promotion

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>

(cherry picked from commit 5a80423003)
 2024-03-06 13:54:31 +00:00
sbousseaden fc6c50418b [Tuning] Tuning Windows - 3 Rules (#3388) 
* Update privilege_escalation_newcreds_logon_rare_process.toml

* Update privilege_escalation_make_token_local.toml

* Update privilege_escalation_make_token_local.toml

* Update privilege_escalation_create_process_with_token_unpriv.toml

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

(cherry picked from commit 853e18950f)
 2024-02-20 16:01:23 +00:00
Ruben Groenewoud a04dfbd1ef [Tuning] Linux DR Tuning - Part 4 (#3455) 
* [Tuning] Linux DR Tuning - Part 4

* Update defense_evasion_file_mod_writable_dir.toml

* Update defense_evasion_hidden_file_dir_tmp.toml

(cherry picked from commit 089e6671aa)
 2024-02-20 14:43:36 +00:00
Ruben Groenewoud 3183bfea23 [Tuning] Event.dataset removal & Tag Addition (#3451) 
* [Tuning] Removed event.dataset and added tag

* [Tuning] Removed event.dataset and added tag

* fixed typo

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

Removed changes from:
- rules/linux/privilege_escalation_suspicious_chown_fowner_elevation.toml

(selectively cherry picked from commit 3484cac7eb)
 2024-02-20 14:23:14 +00:00
Ruben Groenewoud bfe1fd6b20 [Tuning] Linux DR Tuning - Part 3 (#3454) 
(cherry picked from commit 5e6e4a359b)
 2024-02-20 13:55:44 +00:00
Ruben Groenewoud aefebccc06 [Tuning] Linux DR Tuning - Part 1 (#3452) 
* [Tuning] Linux DR Tuning - Part 1

* Update command_and_control_linux_tunneling_and_port_forwarding.toml

* Update command_and_control_cat_network_activity.toml

(cherry picked from commit 1dc7fd6a42)
 2024-02-20 13:43:33 +00:00
Ruben Groenewoud 24d4da7b5d [Tuning] Linux DR Tuning - Part 2 (#3453) 
* [Tuning] Linux DR Tuning - Part 2

* Update defense_evasion_binary_copied_to_suspicious_directory.toml

* Update defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml

(cherry picked from commit 0e48747aa6)
 2024-02-20 13:22:16 +00:00
Samirbous 1192e62006 [New] Suspicious Execution from INET Cache (#3445) 
* Create initial_access_execution_from_inetcache.toml

* Update initial_access_execution_from_inetcache.toml

(cherry picked from commit 4809de6584)
 2024-02-15 19:19:02 +00:00
Jonhnathan 9577e2a4d8 [Rule Tuning] Windows BBR Tuning - 5 (#3385) 
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

(cherry picked from commit 97e49795ab)
 2024-02-14 13:27:51 +00:00
Jonhnathan adcf721ae3 [Rule Tuning] Windows BBR Tuning - 2 (#3381) 
* [Rule Tuning] Windows BBR Tuning - 2

* Update defense_evasion_masquerading_windows_system32_exe.toml

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

(cherry picked from commit ae00f30574)
 2024-02-14 13:03:13 +00:00
Jonhnathan d8dfbeade4 [Rule Tuning] Suspicious Antimalware Scan Interface DLL (#3432) 
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

(cherry picked from commit 21b559c97f)
 2024-02-08 09:31:50 +00:00
Ruben Groenewoud fa29e4b2b1 [New Rules] DDExec Analysis (#3408) 
* [New Rules] DDExec Analysis

* Increased rule scope

* [New Rule] Dynamic Linker Discovery via od

* Revert "[New Rule] Dynamic Linker Discovery via od"

This reverts commit c58595b77f517d3f236a64a52c38804253db64cc.

* [New Rule] Dynamic Linker Discovery via od

* [New Rule] Potential Memory Seeking Activity

* [New BBR] Suspicious Memory grep Activity

* Added endgame + auditd_manager support

* Removed auditd_manager support for now

* Removed auditd_manager support for now

* Update discovery_suspicious_memory_grep_activity.toml

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

(cherry picked from commit d41855a2ac)
 2024-02-06 13:52:48 +00:00
Ruben Groenewoud 1db9de76b0 [New Rule] Executable Masquerading as Kernel Process (#3421) 
* [New Rule] Executable Masquerading as Kernel Proc

* Bumped dates

* Added endgame support

* Added auditd_manager support

* Removed auditd_manager support for now

(cherry picked from commit 90d64f0714)
 2024-02-06 09:54:24 +00:00
Ruben Groenewoud 103fa8d34a [New Rules] APT Package Manager Persistence (#3418) 
* [New Rule] apt Package Manager Persistence

* [New Rules] APT Package Manager Persistence

* [New Rules] APT Package Manager Persistence

(cherry picked from commit 208b2e999c)
 2024-02-06 09:34:07 +00:00
Ruben Groenewoud 6276d635b8 [New Rule] Suspicious Network Connection via systemd (#3420) 
* [New Rule] Network Connection via systemd

* Removed space from description

* Added updated query

(cherry picked from commit 4f303ab77e)
 2024-02-06 09:24:36 +00:00
Samirbous 3a3245f872 Update lateral_movement_remote_task_creation_winlog.toml (#3419) 
(cherry picked from commit 6906a27c3a)
 2024-02-05 18:41:20 +00:00
Jonhnathan 59bb8e5ce0 [Rule Tuning] Windows BBR Tuning - 1 (#3380) 
* [Rule Tuning] Windows BBR Tuning - 1

* .

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

(cherry picked from commit 8274f9a816)
 2024-02-05 15:52:27 +00:00
Jonhnathan f58d793dca [Rule Tuning] Startup or Run Key Registry Modification (#3367) 
(cherry picked from commit edd3556b63)
 2024-02-05 15:33:05 +00:00
Samirbous 509ba1bf06 [New] Potential Enumeration via Active Directory Web Service (#3416) 
* Create discovery_active_directory_webservice.toml

* Update discovery_active_directory_webservice.toml

* Update discovery_active_directory_webservice.toml

* Update discovery_active_directory_webservice.toml

* Update discovery_active_directory_webservice.toml

(cherry picked from commit 5a68ccfd0d)
 2024-02-02 14:24:18 +00:00
Jonhnathan e626ee0a2b [Rule Tuning] Potential Modification of Accessibility Binaries (#3401) 
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

(cherry picked from commit 50df6f3e9b)
 2024-02-01 14:31:32 +00:00
Samirbous 5d3b231e14 [Tuning] Suspicious File Downloaded from Google Drive (#3411) 
* Update command_and_control_google_drive_malicious_file_download.toml

* Update command_and_control_google_drive_malicious_file_download.toml

* Update command_and_control_google_drive_malicious_file_download.toml

(cherry picked from commit 4c74588c00)
 2024-01-31 16:59:42 +00:00
Samirbous 74182d5dfa [Tuning] DCSync Rules - 4662 event.action (#3410) 
* Update credential_access_dcsync_newterm_subjectuser.toml

* Update credential_access_dcsync_replication_rights.toml

(cherry picked from commit d7f4d7972e)
 2024-01-30 11:48:19 +00:00
Ruben Groenewoud ea7c83522b [New Rule] Suspicious Passwd File Event Action (#3396) 
* [New Rule] Suspicious Passwd File Event Action

* Description fix

* Pot. UT fix

* Pot. UT fix.

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>

(cherry picked from commit 381ccf43ed)
 2024-01-26 08:41:41 +00:00
Jonhnathan d121e74a3e [Rule Tuning] Windows DR Tuning - 15 (#3377) 
* [Rule Tuning] Windows DR Tuning - 15

* Update privilege_escalation_windows_service_via_unusual_client.toml

* Update privilege_escalation_windows_service_via_unusual_client.toml

* Update defense_evasion_msbuild_making_network_connections.toml

(cherry picked from commit 92804343bc)
 2024-01-23 19:53:28 +00:00
Jonhnathan 9f18adfdb1 [Rule Tuning] Direct Outbound SMB Connection (#3400) 
* [Rule Tuning] Direct Outbound SMB Connection

* Update lateral_movement_direct_outbound_smb_connection.toml

(cherry picked from commit e33389b2ef)
 2024-01-23 18:38:50 +00:00
Jonhnathan 4c9a6b1dcc [Rule Tuning] Host Files System Changes via Windows Subsystem for Linux (#3398) 
* [Rule Tuning] Host Files System Changes via Windows Subsystem for Linux

* Update defense_evasion_wsl_filesystem.toml

(cherry picked from commit e0bdb59deb)
 2024-01-22 21:52:44 +00:00
Isai f0028e1457 [New Rules] UEBA GItHub BBRs and Rules (#3174) 
* [New Rules] UEBA GItHub BBRs and Rules

A new set of BBRs and rules that will be used to trigger new UEBA GitHub threshold Rules.

* Update rules/integrations/github/impact_github_member_removed_from_organization.toml

* Apply suggestions from code review

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* edited BBR rules

-removed newly added member rule

* updated integration manifests and schemas

* Updated min_stack for some rules based on newest GitHub integration schema manifest

* testing min_stack bump to 8.8 for new fields

* removing offending rule to troubleshoot seperately

* added UEBA tags and created UEBA threshold rule

* updated non-ecs-schema to add signal.rule.tags

* updated non-ecs-schema with kibana.alert.workflow_status

* updated rule.threat.tactic

* added user.name to non-ecs-schema

* added quotes to kibana.alert.workflow_status value

* removed trailing space from rule name

* update tags and optimize query for UEBA threshold rule

* removed integration field from Higher-Order rule

* Apply suggestions from code review

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* adjusted new_terms order and rule types based on review feedback

* Apply suggestions from code review

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* remove user.name from detection_rules/etc/non-ecs-schema.json

* fix json formatting

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

(cherry picked from commit 442435830f)
 2024-01-22 17:53:12 +00:00
Ruben Groenewoud 1160a91bb9 [New Rule] Potential Buffer Overflow Attack Detected (#3312) 
* [New Rule] Potential Buffer Overflow Attack

* Added timestamp_override

* Update privilege_escalation_potential_bufferoverflow_attack.toml

* Update privilege_escalation_potential_bufferoverflow_attack.toml

* Update rules/linux/privilege_escalation_potential_bufferoverflow_attack.toml

* Update rules/linux/privilege_escalation_potential_bufferoverflow_attack.toml

---------

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>

(cherry picked from commit 48d8b650e5)
 2024-01-22 15:33:29 +00:00
Ruben Groenewoud 469ddddafd [New Rule] Chroot Container Escape via Mount (#3387) 
* [New Rule] Chroot Container Escape via Mount

* description fix

(cherry picked from commit ec5f4d596c)
 2024-01-22 08:22:54 +00:00