security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
3fc4aaec0fc91538b39937cf39c66835efaf2246
sigma-rules/rules/linux
T
History
Samirbous 3fc4aaec0f [New Rule] Modification of OpenSSH Binaries (#747) 
* [New Rule] Modification of SSH Binaries

* Update persistence_credential_access_modify_ssh_binaries.toml

* exclude unrelated auditbeat FP events

* updated TIDs and Tactics

* fix order of TIDs and Tactics

* relinted

* added libkeyutils.so used by Ebury Backdoor

loaded by all OpenSSH processes

* renamed

* conv to kql and added one FP

* Update rules/linux/persistence_credential_access_modify_ssh_binaries.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/linux/persistence_credential_access_modify_ssh_binaries.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2021-01-28 19:46:30 +01:00
..
credential_access_tcpdump_activity.toml
Refresh beats and ecs schemas and default to use latest to validate (#570)
2020-12-01 13:24:20 -09:00
defense_evasion_attempt_to_disable_iptables_or_firewall.toml
Refresh beats and ecs schemas and default to use latest to validate (#570)
2020-12-01 13:24:20 -09:00
defense_evasion_attempt_to_disable_syslog_service.toml
Refresh beats and ecs schemas and default to use latest to validate (#570)
2020-12-01 13:24:20 -09:00
defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml
Add ATT&CK sub-technique support to CLI (#614)
2020-12-08 21:56:55 -09:00
defense_evasion_base64_encoding_or_decoding_activity.toml
Add ATT&CK sub-technique support to CLI (#614)
2020-12-08 21:56:55 -09:00
defense_evasion_deletion_of_bash_command_line_history.toml
[Rule Tuning] Deletion of Bash Command Line History (#752)
2021-01-26 08:48:06 +01:00
defense_evasion_disable_selinux_attempt.toml
Refresh beats and ecs schemas and default to use latest to validate (#570)
2020-12-01 13:24:20 -09:00
defense_evasion_file_deletion_via_shred.toml
Refresh beats and ecs schemas and default to use latest to validate (#570)
2020-12-01 13:24:20 -09:00
defense_evasion_file_mod_writable_dir.toml
Refresh beats and ecs schemas and default to use latest to validate (#570)
2020-12-01 13:24:20 -09:00
defense_evasion_hex_encoding_or_decoding_activity.toml
Add ATT&CK sub-technique support to CLI (#614)
2020-12-08 21:56:55 -09:00
defense_evasion_hidden_file_dir_tmp.toml
Refresh beats and ecs schemas and default to use latest to validate (#570)
2020-12-01 13:24:20 -09:00
defense_evasion_kernel_module_removal.toml
Refresh beats and ecs schemas and default to use latest to validate (#570)
2020-12-01 13:24:20 -09:00
defense_evasion_log_files_deleted.toml
[New Rule] Linux System Log Files Deleted (#461)
2020-12-08 17:34:33 +01:00
defense_evasion_timestomp_touch.toml
Refresh beats and ecs schemas and default to use latest to validate (#570)
2020-12-01 13:24:20 -09:00
discovery_kernel_module_enumeration.toml
Refresh beats and ecs schemas and default to use latest to validate (#570)
2020-12-01 13:24:20 -09:00
discovery_virtual_machine_fingerprinting.toml
Refresh beats and ecs schemas and default to use latest to validate (#570)
2020-12-01 13:24:20 -09:00
discovery_whoami_commmand.toml
Refresh beats and ecs schemas and default to use latest to validate (#570)
2020-12-01 13:24:20 -09:00
execution_perl_tty_shell.toml
Refresh beats and ecs schemas and default to use latest to validate (#570)
2020-12-01 13:24:20 -09:00
execution_python_tty_shell.toml
Refresh beats and ecs schemas and default to use latest to validate (#570)
2020-12-01 13:24:20 -09:00
lateral_movement_telnet_network_activity_external.toml
Refresh beats and ecs schemas and default to use latest to validate (#570)
2020-12-01 13:24:20 -09:00
lateral_movement_telnet_network_activity_internal.toml
Refresh beats and ecs schemas and default to use latest to validate (#570)
2020-12-01 13:24:20 -09:00
linux_hping_activity.toml
Refresh beats and ecs schemas and default to use latest to validate (#570)
2020-12-01 13:24:20 -09:00
linux_iodine_activity.toml
Refresh beats and ecs schemas and default to use latest to validate (#570)
2020-12-01 13:24:20 -09:00
linux_mknod_activity.toml
Refresh beats and ecs schemas and default to use latest to validate (#570)
2020-12-01 13:24:20 -09:00
linux_netcat_network_connection.toml
Refresh beats and ecs schemas and default to use latest to validate (#570)
2020-12-01 13:24:20 -09:00
linux_nmap_activity.toml
Refresh beats and ecs schemas and default to use latest to validate (#570)
2020-12-01 13:24:20 -09:00
linux_nping_activity.toml
Refresh beats and ecs schemas and default to use latest to validate (#570)
2020-12-01 13:24:20 -09:00
linux_process_started_in_temp_directory.toml
Refresh beats and ecs schemas and default to use latest to validate (#570)
2020-12-01 13:24:20 -09:00
linux_socat_activity.toml
Refresh beats and ecs schemas and default to use latest to validate (#570)
2020-12-01 13:24:20 -09:00
linux_strace_activity.toml
Refresh beats and ecs schemas and default to use latest to validate (#570)
2020-12-01 13:24:20 -09:00
persistence_credential_access_modify_ssh_binaries.toml
[New Rule] Modification of OpenSSH Binaries (#747)
2021-01-28 19:46:30 +01:00
persistence_kernel_module_activity.toml
Refresh beats and ecs schemas and default to use latest to validate (#570)
2020-12-01 13:24:20 -09:00
persistence_shell_activity_by_web_server.toml
Refresh beats and ecs schemas and default to use latest to validate (#570)
2020-12-01 13:24:20 -09:00
privilege_escalation_setgid_bit_set_via_chmod.toml
Refresh beats and ecs schemas and default to use latest to validate (#570)
2020-12-01 13:24:20 -09:00
privilege_escalation_setuid_bit_set_via_chmod.toml
Refresh beats and ecs schemas and default to use latest to validate (#570)
2020-12-01 13:24:20 -09:00
privilege_escalation_sudoers_file_mod.toml
Refresh beats and ecs schemas and default to use latest to validate (#570)
2020-12-01 13:24:20 -09:00