sigma-rules/rules/linux at 450e84ffa28008eb2780ea21588af6e401d9deae - sigma-rules - GreySec Git

security-tools/sigma-rules

Files

T

History

Jonhnathan 05aac4f371 [Security Content] Add Investigation Guides to Windows rules (#2678 )

* [Security Content] Add Investigation Guides to Windows rules

* Update privilege_escalation_service_control_spawned_script_int.toml

* Update execution_reverse_shell_via_named_pipe.toml

* Apply suggestions from code review

Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>

* Apply suggestions from code review

Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>

* Apply suggestions from code review

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* Update execution_command_prompt_connecting_to_the_internet.toml

---------

Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>
Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

2023-05-26 10:25:41 -03:00

..

command_and_control_connection_attempt_by_non_ssh_root_session.toml

[Rule Tuning] Ensure host information is in endpoint rule queries (#2593 )

2023-03-05 11:41:19 -07:00

command_and_control_linux_iodine_activity.toml

[Rule Tuning] Ensure host information is in endpoint rule queries (#2593 )

2023-03-05 11:41:19 -07:00

command_and_control_tunneling_via_earthworm.toml

[Rule Tuning] Ensure host information is in endpoint rule queries (#2593 )

2023-03-05 11:41:19 -07:00

credential_access_bruteforce_password_guessing.toml

[Rule Tuning] Ensure host information is in endpoint rule queries (#2593 )

2023-03-05 11:41:19 -07:00

credential_access_collection_sensitive_files.toml

[Rule Tuning] Ensure host information is in endpoint rule queries (#2593 )

2023-03-05 11:41:19 -07:00

credential_access_credential_dumping.toml

Correct Event Action to include endgame event schema (#2610 )

2023-04-20 17:28:01 +05:30

credential_access_potential_linux_ssh_bruteforce_external.toml

[Rule Tuning & Addition] Potential Linux SSH Brute Force (#2583 )

2023-05-25 12:00:44 +02:00

credential_access_potential_linux_ssh_bruteforce_internal.toml

[Rule Tuning & Addition] Potential Linux SSH Brute Force (#2583 )

2023-05-25 12:00:44 +02:00

credential_access_potential_linux_ssh_bruteforce_root.toml

[Rule Fix] Privileged SSH Brute Force Detected (#2595 )

2023-03-14 15:42:58 -04:00

credential_access_proc_credential_dumping.toml

Rule to detect Potential Linux Credential Dumping via Proc Filesystem (#2751 )

2023-05-05 22:23:15 +05:30

credential_access_ssh_backdoor_log.toml

[Rule Tuning] Ensure host information is in endpoint rule queries (#2593 )

2023-03-05 11:41:19 -07:00

defense_evasion_attempt_to_disable_iptables_or_firewall.toml

[Rule Tuning] Ensure host information is in endpoint rule queries (#2593 )

2023-03-05 11:41:19 -07:00

defense_evasion_attempt_to_disable_syslog_service.toml

[Rule Tuning] Ensure host information is in endpoint rule queries (#2593 )

2023-03-05 11:41:19 -07:00

defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml

[Rule Tuning] Ensure host information is in endpoint rule queries (#2593 )

2023-03-05 11:41:19 -07:00

defense_evasion_chattr_immutable_file.toml

Linux Rule Tuning (#2753 )

2023-05-02 19:12:13 +05:30

defense_evasion_disable_selinux_attempt.toml

[Rule Tuning] Ensure host information is in endpoint rule queries (#2593 )

2023-03-05 11:41:19 -07:00

defense_evasion_esxi_suspicious_timestomp_touch.toml

Detect Threat indicators for VMware ESXi servers (#2708 )

2023-04-25 20:17:16 +05:30

defense_evasion_file_deletion_via_shred.toml

[Rule Tuning] Ensure host information is in endpoint rule queries (#2593 )

2023-03-05 11:41:19 -07:00

defense_evasion_file_mod_writable_dir.toml

[Rule Tuning] Ensure host information is in endpoint rule queries (#2593 )

2023-03-05 11:41:19 -07:00

defense_evasion_hidden_file_dir_tmp.toml

[Rule Tuning] Ensure host information is in endpoint rule queries (#2593 )

2023-03-05 11:41:19 -07:00

defense_evasion_hidden_shared_object.toml

[Rule Tuning] Ensure host information is in endpoint rule queries (#2593 )

2023-03-05 11:41:19 -07:00

defense_evasion_kernel_module_removal.toml

[Rule Tuning] Ensure host information is in endpoint rule queries (#2593 )

2023-03-05 11:41:19 -07:00

defense_evasion_log_files_deleted.toml

[Rule Tuning] Ensure host information is in endpoint rule queries (#2593 )

2023-03-05 11:41:19 -07:00

defense_evasion_mount_execution.toml

Detect Mount Execution With Hidepid Parameter (#2706 )

2023-04-22 08:00:30 +05:30

defense_evasion_potential_proot_exploits.toml

New Rule to identify defense evasion via PRoot (#2625 )

2023-04-20 17:14:01 +05:30

defense_evasion_rename_esxi_files.toml

Detect Threat indicators for VMware ESXi servers (#2708 )

2023-04-25 20:17:16 +05:30

defense_evasion_rename_esxi_index_file.toml

Detect Threat indicators for VMware ESXi servers (#2708 )

2023-04-25 20:17:16 +05:30

discovery_esxi_software_via_find.toml

Detect Threat indicators for VMware ESXi servers (#2708 )

2023-04-25 20:17:16 +05:30

discovery_esxi_software_via_grep.toml

Detect Threat indicators for VMware ESXi servers (#2708 )

2023-04-25 20:17:16 +05:30

discovery_kernel_module_enumeration.toml

[Rule Tuning] Ensure host information is in endpoint rule queries (#2593 )

2023-03-05 11:41:19 -07:00

discovery_linux_hping_activity.toml

[Rule Tuning] Ensure host information is in endpoint rule queries (#2593 )

2023-03-05 11:41:19 -07:00

discovery_linux_nping_activity.toml

[Rule Tuning] Ensure host information is in endpoint rule queries (#2593 )

2023-03-05 11:41:19 -07:00

discovery_virtual_machine_fingerprinting.toml

[Rule Tuning] Ensure host information is in endpoint rule queries (#2593 )

2023-03-05 11:41:19 -07:00

execution_abnormal_process_id_file_created.toml

Update file path regex for /run (#2749 )

2023-04-26 14:02:16 +05:30

execution_file_transfer_or_listener_established_via_netcat.toml

[Rule Tuning] Ensure host information is in endpoint rule queries (#2593 )

2023-03-05 11:41:19 -07:00

execution_perl_tty_shell.toml

[Rule Tuning] Ensure host information is in endpoint rule queries (#2593 )

2023-03-05 11:41:19 -07:00

execution_process_started_from_process_id_file.toml

[Rule Tuning] Ensure host information is in endpoint rule queries (#2593 )

2023-03-05 11:41:19 -07:00

execution_process_started_in_shared_memory_directory.toml

[Rule Tuning] Ensure host information is in endpoint rule queries (#2593 )

2023-03-05 11:41:19 -07:00

execution_python_tty_shell.toml

[Rule Tuning] Interactive Terminal Spawned via Python (#2781 )

2023-05-26 10:19:35 -03:00

execution_reverse_shell_via_named_pipe.toml

[Security Content] Add Investigation Guides to Windows rules (#2678 )

2023-05-26 10:25:41 -03:00

execution_shell_evasion_linux_binary.toml

Tune Shell evasion Rule to incorporate GTFOArgs shell evasion (#2687 )

2023-04-20 18:35:18 +05:30

execution_suspicious_mining_process_creation_events.toml

New Rule: Suspicious Mining Process Creation Event (#2531 )

2023-03-21 16:35:25 +01:00

execution_tc_bpf_filter.toml

[Rule Tuning] Ensure host information is in endpoint rule queries (#2593 )

2023-03-05 11:41:19 -07:00

impact_esxi_process_kill.toml

Detect Threat indicators for VMware ESXi servers (#2708 )

2023-04-25 20:17:16 +05:30

impact_potential_linux_ransomware_file_encryption.toml

[New Rules] Ransomware Encryption & Note Creation (#2652 )

2023-05-16 11:30:00 +02:00

impact_potential_linux_ransomware_note_detected.toml

[New Rules] Ransomware Encryption & Note Creation (#2652 )

2023-05-16 11:30:00 +02:00

impact_process_kill_threshold.toml

[Rule Tuning] Ensure host information is in endpoint rule queries (#2593 )

2023-03-05 11:41:19 -07:00

lateral_movement_telnet_network_activity_external.toml

[Rule Tuning] Ensure host information is in endpoint rule queries (#2593 )

2023-03-05 11:41:19 -07:00

lateral_movement_telnet_network_activity_internal.toml

[Rule Tuning] Ensure host information is in endpoint rule queries (#2593 )

2023-03-05 11:41:19 -07:00

persistence_chkconfig_service_add.toml

[Rule Tuning] Ensure host information is in endpoint rule queries (#2593 )

2023-03-05 11:41:19 -07:00

persistence_credential_access_modify_ssh_binaries.toml

[Rule Tuning] Ensure host information is in endpoint rule queries (#2593 )

2023-03-05 11:41:19 -07:00

persistence_dynamic_linker_backup.toml

[Rule Tuning] Ensure host information is in endpoint rule queries (#2593 )

2023-03-05 11:41:19 -07:00

persistence_etc_file_creation.toml

Linux Rule Tuning (#2753 )

2023-05-02 19:12:13 +05:30

persistence_init_d_file_creation.toml

[New rule] Sus File Creation in init.d for Persistence Detected (#2653 )

2023-05-05 09:54:42 +02:00

persistence_insmod_kernel_module_load.toml

[Rule Tuning] Ensure host information is in endpoint rule queries (#2593 )

2023-03-05 11:41:19 -07:00

persistence_kde_autostart_modification.toml

[Rule Tuning] Ensure host information is in endpoint rule queries (#2593 )

2023-03-05 11:41:19 -07:00

persistence_linux_shell_activity_via_web_server.toml

[Rule Tuning] Potential Shell via Web Server (#2585 )

2023-05-05 09:47:49 +02:00

persistence_message_of_the_day_creation.toml

[New Rules] Persistence through MOTD (#2608 )

2023-05-05 10:29:15 +02:00

persistence_message_of_the_day_execution.toml

[New Rules] Persistence through MOTD (#2608 )

2023-05-05 10:29:15 +02:00

persistence_rc_script_creation.toml

[New Rule] RC Script Creation (#2607 )

2023-03-14 15:03:41 -04:00

privilege_escalation_ld_preload_shared_object_modif.toml

[Rule Tuning] Ensure host information is in endpoint rule queries (#2593 )

2023-03-05 11:41:19 -07:00

privilege_escalation_pkexec_envar_hijack.toml

[Rule Tuning] Ensure host information is in endpoint rule queries (#2593 )

2023-03-05 11:41:19 -07:00

privilege_escalation_shadow_file_read.toml

[Rule Tuning] Ensure host information is in endpoint rule queries (#2593 )

2023-03-05 11:41:19 -07:00

privilege_escalation_unshare_namespace_manipulation.toml

[Rule Tuning] Namespace Manipulation Using Unshare (#2599 )

2023-03-20 07:36:47 -03:00