09719dd0c5
* tuned web shell logic, and converted to EQL
* Removed old, created new rule to bypass "type" bug
* Revert "Removed old, created new rule to bypass "type" bug"

  This reverts commit e994b62ecb838f73fa56d145e529169ebd2f5133.
* Revert "tuned web shell logic, and converted to EQL"

  This reverts commit 28bda94b846cbb4ae1a084e707db2b6df458a7ca.
* Deprecated old rule, added new
* formatting fix
* removed endgame index
* Fixed changes captured as edited, not created
* Update rules/linux/persistence_shell_activity_through_web_server.toml

  Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
* fix conflict
* added host.os.type==linux for unit testing
* removed wildcards in process.args
* Update rules/linux/persistence_shell_activity_via_web_server.toml

  Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* fixed conflict by changing file name and changes
* Trying to resolve the GH conflict
* attempt to fix GH conflict #2
* Update persistence_shell_activity_by_web_server.toml
* Added endgame support
* Added OSQuery to investigation guide
* Update rules/linux/persistence_linux_shell_activity_via_web_server.toml

  Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/linux/persistence_linux_shell_activity_via_web_server.toml

  Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* removed investigation guide to add in future PR

---------

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
rules/
Rules within this folder are organized by solution or platform. The structure is flattened, because nested file hierarchies are hard to navigate and make it harder to find what you're looking for. Each directory contains several .toml files, and the primary ATT&CK tactic is included in the file name when it's relevant (e.g. windows/execution_via_compiled_html_file.toml).
| folder | description |
|---|---|
| . | Root directory where rules are stored |
| apm/ | Rules that use Application Performance Monitoring (APM) data sources |
| cross-platform/ | Rules that apply to multiple platforms, such as Windows and Linux |
| integrations/ | Rules organized by Fleet integration |
| linux/ | Rules for Linux or other Unix based operating systems |
| macos/ | Rules for macOS |
| ml/ | Rules that use machine learning (ML) jobs |
| network/ | Rules that use network data sources |
| promotions/ | Rules that promote external alerts into detection engine alerts |
| windows/ | Rules for the Microsoft Windows operating system |
Integration-specific rules are stored in the integrations/ directory:

| folder | integration |
|---|---|
| aws/ | Amazon Web Services (AWS) |
| azure/ | Microsoft Azure |
| cyberarkpas/ | Cyber Ark Privileged Access Security |
| endpoint/ | Elastic Endpoint Security |
| gcp/ | Google Cloud Platform (GCP) |
| google_workspace/ | Google Workspace (formerly GSuite) |
| o365/ | Microsoft Office |
| okta/ | Okta |