security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
0d1fca454adf3f7f047a2a3989cc756519f837e2
sigma-rules/rules/linux
T
History
Ruben Groenewoud 0d1fca454a New Rule: Suspicious Mining Process Creation Event (#2531) 
* New Rule: Suspicious Mining Process Creation Event

* added host.os.type==linux

* trying to fix unit testing

* Revert "trying to fix unit testing"

This reverts commit ab3f371300fa400baa287b54e5f38b4855fc6512.

* unit testing fix attempt

* Revert "unit testing fix attempt"

This reverts commit 8b59343a5923a004423cf665b167611ef0129a9d.

* added endgame support

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2023-03-21 16:35:25 +01:00
..
command_and_control_connection_attempt_by_non_ssh_root_session.toml
[Rule Tuning] Ensure host information is in endpoint rule queries (#2593)
2023-03-05 11:41:19 -07:00
command_and_control_linux_iodine_activity.toml
[Rule Tuning] Ensure host information is in endpoint rule queries (#2593)
2023-03-05 11:41:19 -07:00
command_and_control_tunneling_via_earthworm.toml
[Rule Tuning] Ensure host information is in endpoint rule queries (#2593)
2023-03-05 11:41:19 -07:00
credential_access_bruteforce_password_guessing.toml
[Rule Tuning] Ensure host information is in endpoint rule queries (#2593)
2023-03-05 11:41:19 -07:00
credential_access_collection_sensitive_files.toml
[Rule Tuning] Ensure host information is in endpoint rule queries (#2593)
2023-03-05 11:41:19 -07:00
credential_access_credential_dumping.toml
[Rule Tuning] Ensure host information is in endpoint rule queries (#2593)
2023-03-05 11:41:19 -07:00
credential_access_potential_linux_ssh_bruteforce_root.toml
[Rule Fix] Privileged SSH Brute Force Detected (#2595)
2023-03-14 15:42:58 -04:00
credential_access_potential_linux_ssh_bruteforce.toml
[Rule Tuning] Ensure host information is in endpoint rule queries (#2593)
2023-03-05 11:41:19 -07:00
credential_access_ssh_backdoor_log.toml
[Rule Tuning] Ensure host information is in endpoint rule queries (#2593)
2023-03-05 11:41:19 -07:00
defense_evasion_attempt_to_disable_iptables_or_firewall.toml
[Rule Tuning] Ensure host information is in endpoint rule queries (#2593)
2023-03-05 11:41:19 -07:00
defense_evasion_attempt_to_disable_syslog_service.toml
[Rule Tuning] Ensure host information is in endpoint rule queries (#2593)
2023-03-05 11:41:19 -07:00
defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml
[Rule Tuning] Ensure host information is in endpoint rule queries (#2593)
2023-03-05 11:41:19 -07:00
defense_evasion_chattr_immutable_file.toml
[Rule Tuning] Ensure host information is in endpoint rule queries (#2593)
2023-03-05 11:41:19 -07:00
defense_evasion_disable_selinux_attempt.toml
[Rule Tuning] Ensure host information is in endpoint rule queries (#2593)
2023-03-05 11:41:19 -07:00
defense_evasion_file_deletion_via_shred.toml
[Rule Tuning] Ensure host information is in endpoint rule queries (#2593)
2023-03-05 11:41:19 -07:00
defense_evasion_file_mod_writable_dir.toml
[Rule Tuning] Ensure host information is in endpoint rule queries (#2593)
2023-03-05 11:41:19 -07:00
defense_evasion_hidden_file_dir_tmp.toml
[Rule Tuning] Ensure host information is in endpoint rule queries (#2593)
2023-03-05 11:41:19 -07:00
defense_evasion_hidden_shared_object.toml
[Rule Tuning] Ensure host information is in endpoint rule queries (#2593)
2023-03-05 11:41:19 -07:00
defense_evasion_kernel_module_removal.toml
[Rule Tuning] Ensure host information is in endpoint rule queries (#2593)
2023-03-05 11:41:19 -07:00
defense_evasion_log_files_deleted.toml
[Rule Tuning] Ensure host information is in endpoint rule queries (#2593)
2023-03-05 11:41:19 -07:00
discovery_kernel_module_enumeration.toml
[Rule Tuning] Ensure host information is in endpoint rule queries (#2593)
2023-03-05 11:41:19 -07:00
discovery_linux_hping_activity.toml
[Rule Tuning] Ensure host information is in endpoint rule queries (#2593)
2023-03-05 11:41:19 -07:00
discovery_linux_nping_activity.toml
[Rule Tuning] Ensure host information is in endpoint rule queries (#2593)
2023-03-05 11:41:19 -07:00
discovery_virtual_machine_fingerprinting.toml
[Rule Tuning] Ensure host information is in endpoint rule queries (#2593)
2023-03-05 11:41:19 -07:00
execution_abnormal_process_id_file_created.toml
[Rule Tuning] Abnormal PID or Lock File Created (#2600)
2023-03-14 14:37:00 -04:00
execution_file_transfer_or_listener_established_via_netcat.toml
[Rule Tuning] Ensure host information is in endpoint rule queries (#2593)
2023-03-05 11:41:19 -07:00
execution_perl_tty_shell.toml
[Rule Tuning] Ensure host information is in endpoint rule queries (#2593)
2023-03-05 11:41:19 -07:00
execution_process_started_from_process_id_file.toml
[Rule Tuning] Ensure host information is in endpoint rule queries (#2593)
2023-03-05 11:41:19 -07:00
execution_process_started_in_shared_memory_directory.toml
[Rule Tuning] Ensure host information is in endpoint rule queries (#2593)
2023-03-05 11:41:19 -07:00
execution_python_tty_shell.toml
[Rule Tuning] Ensure host information is in endpoint rule queries (#2593)
2023-03-05 11:41:19 -07:00
execution_reverse_shell_via_named_pipe.toml
[Rule Tuning] Ensure host information is in endpoint rule queries (#2593)
2023-03-05 11:41:19 -07:00
execution_shell_evasion_linux_binary.toml
[Rule Tuning] Ensure host information is in endpoint rule queries (#2593)
2023-03-05 11:41:19 -07:00
execution_suspicious_mining_process_creation_events.toml
New Rule: Suspicious Mining Process Creation Event (#2531)
2023-03-21 16:35:25 +01:00
execution_tc_bpf_filter.toml
[Rule Tuning] Ensure host information is in endpoint rule queries (#2593)
2023-03-05 11:41:19 -07:00
impact_process_kill_threshold.toml
[Rule Tuning] Ensure host information is in endpoint rule queries (#2593)
2023-03-05 11:41:19 -07:00
lateral_movement_telnet_network_activity_external.toml
[Rule Tuning] Ensure host information is in endpoint rule queries (#2593)
2023-03-05 11:41:19 -07:00
lateral_movement_telnet_network_activity_internal.toml
[Rule Tuning] Ensure host information is in endpoint rule queries (#2593)
2023-03-05 11:41:19 -07:00
persistence_chkconfig_service_add.toml
[Rule Tuning] Ensure host information is in endpoint rule queries (#2593)
2023-03-05 11:41:19 -07:00
persistence_credential_access_modify_ssh_binaries.toml
[Rule Tuning] Ensure host information is in endpoint rule queries (#2593)
2023-03-05 11:41:19 -07:00
persistence_dynamic_linker_backup.toml
[Rule Tuning] Ensure host information is in endpoint rule queries (#2593)
2023-03-05 11:41:19 -07:00
persistence_etc_file_creation.toml
[Rule Tuning] Ensure host information is in endpoint rule queries (#2593)
2023-03-05 11:41:19 -07:00
persistence_insmod_kernel_module_load.toml
[Rule Tuning] Ensure host information is in endpoint rule queries (#2593)
2023-03-05 11:41:19 -07:00
persistence_kde_autostart_modification.toml
[Rule Tuning] Ensure host information is in endpoint rule queries (#2593)
2023-03-05 11:41:19 -07:00
persistence_rc_script_creation.toml
[New Rule] RC Script Creation (#2607)
2023-03-14 15:03:41 -04:00
persistence_shell_activity_by_web_server.toml
[Rule Tuning] Ensure host information is in endpoint rule queries (#2593)
2023-03-05 11:41:19 -07:00
privilege_escalation_ld_preload_shared_object_modif.toml
[Rule Tuning] Ensure host information is in endpoint rule queries (#2593)
2023-03-05 11:41:19 -07:00
privilege_escalation_pkexec_envar_hijack.toml
[Rule Tuning] Ensure host information is in endpoint rule queries (#2593)
2023-03-05 11:41:19 -07:00
privilege_escalation_shadow_file_read.toml
[Rule Tuning] Ensure host information is in endpoint rule queries (#2593)
2023-03-05 11:41:19 -07:00
privilege_escalation_unshare_namespace_manipulation.toml
[Rule Tuning] Namespace Manipulation Using Unshare (#2599)
2023-03-20 07:36:47 -03:00