security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
4d071fe48d14633597ea3a66727a1b0c6e5d16e6
sigma-rules/rules/linux
T
History
Ruben Groenewoud 2faa844301 [Tuning] Linux DR Tuning - Part 12 (#3464) 
* [Tuning] Linux DR Tuning - Part 12

* Update persistence_shared_object_creation.toml

* Update privilege_escalation_dac_permissions.toml

* Update privilege_escalation_enlightenment_window_manager.toml

* Update privilege_escalation_enlightenment_window_manager.toml

* Min stack rule-bending test

* formatting fix

* Revert "Merge branch 'linux-dr-tuning-12' of https://github.com/elastic/detection-rules into linux-dr-tuning-12"

This reverts commit 0170cddd905b4b983f8413eebbc11c9c7b3719ce, reversing
changes made to 29d4a747603faf0ac7c2d502786533b0cd93a5d5.

* Revert "Min stack rule-bending test"

This reverts commit 29d4a747603faf0ac7c2d502786533b0cd93a5d5.

* Update privilege_escalation_enlightenment_window_manager.toml

* Update privilege_escalation_chown_chmod_unauthorized_file_read.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>

Removed changes from:
- rules/linux/privilege_escalation_dac_permissions.toml

(selectively cherry picked from commit 9c4ba4559d)
2024-03-07 17:14:43 +00:00
..
command_and_control_cat_network_activity.toml
[Tuning] Linux DR Tuning - Part 1 (#3452)
2024-02-20 13:43:33 +00:00
command_and_control_linux_chisel_client_activity.toml
[Security Content] Add Investigation Guides to Linux C2 Rules (#3247)
2023-12-18 16:07:23 +00:00
command_and_control_linux_chisel_server_activity.toml
[Security Content] Add Investigation Guides to Linux C2 Rules (#3247)
2023-12-18 16:07:23 +00:00
command_and_control_linux_kworker_netcon.toml
[Rule Tuning] Linux DR Tuning - Part 1 (#3316)
2024-01-08 08:55:01 +00:00
command_and_control_linux_proxychains_activity.toml
[BBR Promotion] Linux BBR --> DR Promotion (#3472)
2024-03-06 13:54:31 +00:00
command_and_control_linux_suspicious_proxychains_activity.toml
[Tuning] Auditbeat event.action Compatibility (#3471)
2024-03-06 14:33:41 +00:00
command_and_control_linux_tunneling_and_port_forwarding.toml
[Tuning] Linux DR Tuning - Part 1 (#3452)
2024-02-20 13:43:33 +00:00
command_and_control_suspicious_network_activity_from_unknown_executable.toml
[Rule Tuning] Linux DR Tuning - Part 1 (#3316)
2024-01-08 08:55:01 +00:00
command_and_control_tunneling_via_earthworm.toml
[Security Content] Add Investigation Guides to Linux C2 Rules (#3247)
2023-12-18 16:07:23 +00:00
credential_access_collection_sensitive_files.toml
Enhance Setup Guide information (#3256)
2023-11-03 13:41:40 +00:00
credential_access_credential_dumping.toml
[Tuning] Linux DR Tuning - Part 1 (#3452)
2024-02-20 13:43:33 +00:00
credential_access_gdb_init_process_hooking.toml
[BBR Promotion] Linux BBR --> DR Promotion (#3472)
2024-03-06 13:54:31 +00:00
credential_access_gdb_process_hooking.toml
[BBR Promotion] Linux BBR --> DR Promotion (#3472)
2024-03-06 13:54:31 +00:00
credential_access_potential_linux_local_account_bruteforce.toml
[Tuning] Linux DR Tuning - Part 2 (#3453)
2024-02-20 13:22:16 +00:00
credential_access_potential_linux_ssh_bruteforce_external.toml
Enhance Setup Guide information (#3256)
2023-11-03 13:41:40 +00:00
credential_access_potential_linux_ssh_bruteforce_internal.toml
Enhance Setup Guide information (#3256)
2023-11-03 13:41:40 +00:00
credential_access_potential_successful_linux_ftp_bruteforce.toml
[Tuning] Event.dataset removal & Tag Addition (#3451)
2024-02-20 14:23:14 +00:00
credential_access_potential_successful_linux_rdp_bruteforce.toml
[Tuning] Event.dataset removal & Tag Addition (#3451)
2024-02-20 14:23:14 +00:00
credential_access_potential_successful_linux_ssh_bruteforce.toml
Enhance Setup Guide information (#3256)
2023-11-03 13:41:40 +00:00
credential_access_proc_credential_dumping.toml
[Tuning] Linux DR Tuning - Part 2 (#3453)
2024-02-20 13:22:16 +00:00
credential_access_ssh_backdoor_log.toml
Enhance Setup Guide information (#3256)
2023-11-03 13:41:40 +00:00
defense_evasion_attempt_to_disable_iptables_or_firewall.toml
[Tuning] Linux DR Tuning - Part 3 (#3454)
2024-02-20 13:55:44 +00:00
defense_evasion_attempt_to_disable_syslog_service.toml
Enhance Setup Guide information (#3256)
2023-11-03 13:41:40 +00:00
defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml
[Tuning] Auditbeat event.action Compatibility (#3471)
2024-03-06 14:33:41 +00:00
defense_evasion_binary_copied_to_suspicious_directory.toml
[Tuning] Linux DR Tuning - Part 2 (#3453)
2024-02-20 13:22:16 +00:00
defense_evasion_chattr_immutable_file.toml
Linux Rule Tuning (#3379)
2024-01-11 12:41:49 +00:00
defense_evasion_clear_kernel_ring_buffer.toml
[Tuning] Auditbeat event.action Compatibility (#3471)
2024-03-06 14:33:41 +00:00
defense_evasion_disable_apparmor_attempt.toml
[Tuning] Auditbeat event.action Compatibility (#3471)
2024-03-06 14:33:41 +00:00
defense_evasion_disable_selinux_attempt.toml
[Tuning] Auditbeat event.action Compatibility (#3471)
2024-03-06 14:33:41 +00:00
defense_evasion_esxi_suspicious_timestomp_touch.toml
[Tuning] Auditbeat event.action Compatibility (#3471)
2024-03-06 14:33:41 +00:00
defense_evasion_file_deletion_via_shred.toml
[Tuning] Linux DR Tuning - Part 3 (#3454)
2024-02-20 13:55:44 +00:00
defense_evasion_file_mod_writable_dir.toml
[Tuning] Linux DR Tuning - Part 4 (#3455)
2024-02-20 14:43:36 +00:00
defense_evasion_hidden_file_dir_tmp.toml
[Tuning] Linux DR Tuning - Part 4 (#3455)
2024-02-20 14:43:36 +00:00
defense_evasion_hidden_shared_object.toml
[Tuning] Linux DR Tuning - Part 4 (#3455)
2024-02-20 14:43:36 +00:00
defense_evasion_kernel_module_removal.toml
[Tuning] Linux DR Tuning - Part 4 (#3455)
2024-02-20 14:43:36 +00:00
defense_evasion_kthreadd_masquerading.toml
[New Rule] Executable Masquerading as Kernel Process (#3421)
2024-02-06 09:54:24 +00:00
defense_evasion_log_files_deleted.toml
Enhance Setup Guide information (#3256)
2023-11-03 13:41:40 +00:00
defense_evasion_mount_execution.toml
[Tuning] Auditbeat event.action Compatibility (#3471)
2024-03-06 14:33:41 +00:00
defense_evasion_potential_proot_exploits.toml
[Tuning] Linux DR Tuning - Part 4 (#3455)
2024-02-20 14:43:36 +00:00
defense_evasion_rename_esxi_files.toml
Enhance Setup Guide information (#3256)
2023-11-03 13:41:40 +00:00
defense_evasion_rename_esxi_index_file.toml
Enhance Setup Guide information (#3256)
2023-11-03 13:41:40 +00:00
defense_evasion_sus_utility_executed_via_tmux_or_screen.toml
[BBR Promotion] Linux BBR --> DR Promotion (#3472)
2024-03-06 13:54:31 +00:00
discovery_dynamic_linker_via_od.toml
[Tuning] Linux DR Tuning - Part 5 (#3456)
2024-03-07 08:59:03 +00:00
discovery_esxi_software_via_find.toml
[Tuning] Linux DR Tuning - Part 5 (#3456)
2024-03-07 08:59:03 +00:00
discovery_esxi_software_via_grep.toml
[Tuning] Linux DR Tuning - Part 5 (#3456)
2024-03-07 08:59:03 +00:00
discovery_kernel_module_enumeration.toml
[Tuning] Linux DR Tuning - Part 5 (#3456)
2024-03-07 08:59:03 +00:00
discovery_linux_hping_activity.toml
[Tuning] Linux DR Tuning - Part 5 (#3456)
2024-03-07 08:59:03 +00:00
discovery_linux_nping_activity.toml
[Tuning] Linux DR Tuning - Part 5 (#3456)
2024-03-07 08:59:03 +00:00
discovery_ping_sweep_detected.toml
[Tuning] Linux DR Tuning - Part 6 (#3457)
2024-03-07 09:13:51 +00:00
discovery_proc_maps_read.toml
[New Rules] DDExec Analysis (#3408)
2024-02-06 13:52:48 +00:00
discovery_pspy_process_monitoring_detected.toml
[Tuning] Event.dataset removal & Tag Addition (#3451)
2024-02-20 14:23:14 +00:00
discovery_sudo_allowed_command_enumeration.toml
[Tuning] Linux DR Tuning - Part 6 (#3457)
2024-03-07 09:13:51 +00:00
discovery_suid_sguid_enumeration.toml
Enhance Setup Guide information (#3256)
2023-11-03 13:41:40 +00:00
discovery_suspicious_which_command_execution.toml
[BBR Promotion] Linux BBR --> DR Promotion (#3472)
2024-03-06 13:54:31 +00:00
discovery_unusual_user_enumeration_via_id.toml
Enhance Setup Guide information (#3256)
2023-11-03 13:41:40 +00:00
discovery_virtual_machine_fingerprinting.toml
Enhance Setup Guide information (#3256)
2023-11-03 13:41:40 +00:00
execution_abnormal_process_id_file_created.toml
[Tuning] Linux DR Tuning - Part 6 (#3457)
2024-03-07 09:13:51 +00:00
execution_curl_cve_2023_38545_heap_overflow.toml
[Tuning] Linux DR Tuning - Part 6 (#3457)
2024-03-07 09:13:51 +00:00
execution_file_execution_followed_by_deletion.toml
Enhance Setup Guide information (#3256)
2023-11-03 13:41:40 +00:00
execution_file_transfer_or_listener_established_via_netcat.toml
Enhance Setup Guide information (#3256)
2023-11-03 13:41:40 +00:00
execution_interpreter_tty_upgrade.toml
Enhance Setup Guide information (#3256)
2023-11-03 13:41:40 +00:00
execution_nc_listener_via_rlwrap.toml
[Tuning] Linux DR Tuning - Part 7 (#3458)
2024-03-07 09:51:37 +00:00
execution_network_event_post_compilation.toml
[Rule Tuning] Linux DR Tuning - Part 2 (#3321)
2024-01-08 09:12:16 +00:00
execution_perl_tty_shell.toml
Enhance Setup Guide information (#3256)
2023-11-03 13:41:40 +00:00
execution_potential_hack_tool_executed.toml
[Tuning] Linux DR Tuning - Part 7 (#3458)
2024-03-07 09:51:37 +00:00
execution_process_started_from_process_id_file.toml
[Tuning] Linux DR Tuning - Part 7 (#3458)
2024-03-07 09:51:37 +00:00
execution_process_started_in_shared_memory_directory.toml
[Rule Tuning] Linux DR Tuning - Part 2 (#3321)
2024-01-08 09:12:16 +00:00
execution_python_tty_shell.toml
[Tuning] Linux DR Tuning - Part 7 (#3458)
2024-03-07 09:51:37 +00:00
execution_remote_code_execution_via_postgresql.toml
Enhance Setup Guide information (#3256)
2023-11-03 13:41:40 +00:00
execution_shell_evasion_linux_binary.toml
Enhance Setup Guide information (#3256)
2023-11-03 13:41:40 +00:00
execution_shell_via_background_process.toml
[Tuning] Linux DR Tuning - Part 7 (#3458)
2024-03-07 09:51:37 +00:00
execution_shell_via_child_tcp_utility_linux.toml
[Tuning & New Rule] Linux Reverse Shell & DR Tuning (#3254)
2023-12-18 08:41:02 +00:00
execution_shell_via_java_revshell_linux.toml
[Rule Tuning] Linux DR Tuning - Part 2 (#3321)
2024-01-08 09:12:16 +00:00
execution_shell_via_lolbin_interpreter_linux.toml
[Rule Tuning] Linux DR Tuning - Part 2 (#3321)
2024-01-08 09:12:16 +00:00
execution_shell_via_meterpreter_linux.toml
[Tuning] Event.dataset removal & Tag Addition (#3451)
2024-02-20 14:23:14 +00:00
execution_shell_via_suspicious_binary.toml
[Tuning & New Rule] Linux Reverse Shell & DR Tuning (#3254)
2023-12-18 08:41:02 +00:00
execution_shell_via_tcp_cli_utility_linux.toml
[Tuning & New Rule] Linux Reverse Shell & DR Tuning (#3254)
2023-12-18 08:41:02 +00:00
execution_shell_via_udp_cli_utility_linux.toml
[Tuning] Event.dataset removal & Tag Addition (#3451)
2024-02-20 14:23:14 +00:00
execution_sus_extraction_or_decrompression_via_funzip.toml
Enhance Setup Guide information (#3256)
2023-11-03 13:41:40 +00:00
execution_suspicious_executable_running_system_commands.toml
Enhance Setup Guide information (#3256)
2023-11-03 13:41:40 +00:00
execution_suspicious_mining_process_creation_events.toml
Enhance Setup Guide information (#3256)
2023-11-03 13:41:40 +00:00
execution_tc_bpf_filter.toml
[Tuning] Linux DR Tuning - Part 8 (#3460)
2024-03-07 10:05:56 +00:00
impact_data_encrypted_via_openssl.toml
Enhance Setup Guide information (#3256)
2023-11-03 13:41:40 +00:00
impact_esxi_process_kill.toml
[Tuning] Linux DR Tuning - Part 8 (#3460)
2024-03-07 10:05:56 +00:00
impact_potential_linux_ransomware_file_encryption.toml
[Tuning] Linux DR Tuning - Part 8 (#3460)
2024-03-07 10:05:56 +00:00
impact_potential_linux_ransomware_note_detected.toml
[Tuning] Linux DR Tuning - Part 8 (#3460)
2024-03-07 10:05:56 +00:00
impact_process_kill_threshold.toml
[Tuning] Linux DR Tuning - Part 8 (#3460)
2024-03-07 10:05:56 +00:00
lateral_movement_ssh_it_worm_download.toml
[Tuning] Linux DR Tuning - Part 9 (#3461)
2024-03-07 10:38:57 +00:00
lateral_movement_telnet_network_activity_external.toml
[Tuning] Linux DR Tuning - Part 9 (#3461)
2024-03-07 10:38:57 +00:00
lateral_movement_telnet_network_activity_internal.toml
[Tuning] Linux DR Tuning - Part 9 (#3461)
2024-03-07 10:38:57 +00:00
persistence_apt_package_manager_execution.toml
[New Rules] APT Package Manager Persistence (#3418)
2024-02-06 09:34:07 +00:00
persistence_apt_package_manager_netcon.toml
[New Rules] APT Package Manager Persistence (#3418)
2024-02-06 09:34:07 +00:00
persistence_chkconfig_service_add.toml
[Rule Tuning] Linux DR Tuning - Part 3 (#3322)
2024-01-08 09:21:32 +00:00
persistence_credential_access_modify_ssh_binaries.toml
[Tuning] Linux DR Tuning - Part 9 (#3461)
2024-03-07 10:38:57 +00:00
persistence_cron_job_creation.toml
[Tuning] Linux DR Tuning - Part 9 (#3461)
2024-03-07 10:38:57 +00:00
persistence_dynamic_linker_backup.toml
[Security Content] Add Investigation Guides to Linux Persistence Rules - 2 (#3350)
2024-01-20 18:41:15 +00:00
persistence_etc_file_creation.toml
[Tuning] Linux DR Tuning - Part 10 (#3462)
2024-03-07 10:49:53 +00:00
persistence_init_d_file_creation.toml
[Tuning] Linux DR Tuning - Part 10 (#3462)
2024-03-07 10:49:53 +00:00
persistence_insmod_kernel_module_load.toml
[Tuning] Linux DR Tuning - Part 10 (#3462)
2024-03-07 10:49:53 +00:00
persistence_kde_autostart_modification.toml
[Security Content] Add Investigation Guides to Linux Persistence Rules - 2 (#3350)
2024-01-20 18:41:15 +00:00
persistence_kernel_driver_load_by_non_root.toml
[Tuning] Event.dataset removal & Tag Addition (#3451)
2024-02-20 14:23:14 +00:00
persistence_kernel_driver_load.toml
[BBR Promotion] Linux BBR --> DR Promotion (#3472)
2024-03-06 13:54:31 +00:00
persistence_kworker_file_creation.toml
[Tuning] Linux DR Tuning - Part 10 (#3462)
2024-03-07 10:49:53 +00:00
persistence_linux_backdoor_user_creation.toml
[Tuning] Linux DR Tuning - Part 10 (#3462)
2024-03-07 10:49:53 +00:00
persistence_linux_group_creation.toml
Enhance Setup Guide information (#3256)
2023-11-03 13:41:40 +00:00
persistence_linux_shell_activity_via_web_server.toml
[Tuning] Linux DR Tuning - Part 11 (#3463)
2024-03-07 11:25:29 +00:00
persistence_linux_user_account_creation.toml
Enhance Setup Guide information (#3256)
2023-11-03 13:41:40 +00:00
persistence_linux_user_added_to_privileged_group.toml
[Tuning] Linux DR Tuning - Part 11 (#3463)
2024-03-07 11:25:29 +00:00
persistence_message_of_the_day_creation.toml
[Tuning] Linux DR Tuning - Part 11 (#3463)
2024-03-07 11:25:29 +00:00
persistence_message_of_the_day_execution.toml
[Tuning] Linux DR Tuning - Part 11 (#3463)
2024-03-07 11:25:29 +00:00
persistence_rc_script_creation.toml
[Rule Tuning] Update timestamp_override Unit Tests and Fix Rules Missing Field (#3368)
2024-01-17 19:19:45 +00:00
persistence_setuid_setgid_capability_set.toml
[Tuning] Linux DR Tuning - Part 11 (#3463)
2024-03-07 11:25:29 +00:00
persistence_shared_object_creation.toml
[Tuning] Linux DR Tuning - Part 12 (#3464)
2024-03-07 17:14:43 +00:00
persistence_suspicious_file_opened_through_editor.toml
[BBR Promotion] Linux BBR --> DR Promotion (#3472)
2024-03-06 13:54:31 +00:00
persistence_systemd_netcon.toml
[New Rule] Suspicious Network Connection via systemd (#3420)
2024-02-06 09:24:36 +00:00
persistence_systemd_scheduled_timer_created.toml
[Rule Tuning] Linux DR Tuning - Part 3 (#3322)
2024-01-08 09:21:32 +00:00
persistence_systemd_service_creation.toml
[Rule Tuning] Linux DR Tuning - Part 3 (#3322)
2024-01-08 09:21:32 +00:00
persistence_tainted_kernel_module_load.toml
[BBR Promotion] Linux BBR --> DR Promotion (#3472)
2024-03-06 13:54:31 +00:00
persistence_tainted_kernel_module_out_of_tree_load.toml
[BBR Promotion] Linux BBR --> DR Promotion (#3472)
2024-03-06 13:54:31 +00:00
persistence_udev_rule_creation.toml
[BBR Promotion] Linux BBR --> DR Promotion (#3472)
2024-03-06 13:54:31 +00:00
privilege_escalation_chown_chmod_unauthorized_file_read.toml
[Tuning] Linux DR Tuning - Part 12 (#3464)
2024-03-07 17:14:43 +00:00
privilege_escalation_container_util_misconfiguration.toml
Enhance Setup Guide information (#3256)
2023-11-03 13:41:40 +00:00
privilege_escalation_docker_mount_chroot_container_escape.toml
[New Rule] Chroot Container Escape via Mount (#3387)
2024-01-22 08:22:54 +00:00
privilege_escalation_kworker_uid_elevation.toml
[Tuning] Linux DR Tuning - Part 12 (#3464)
2024-03-07 17:14:43 +00:00
privilege_escalation_ld_preload_shared_object_modif.toml
[Tuning] Linux DR Tuning - Part 13 (#3465)
2024-03-07 15:33:19 +00:00
privilege_escalation_linux_suspicious_symbolic_link.toml
Enhance Setup Guide information (#3256)
2023-11-03 13:41:40 +00:00
privilege_escalation_linux_uid_int_max_bug.toml
[Tuning] Linux DR Tuning - Part 13 (#3465)
2024-03-07 15:33:19 +00:00
privilege_escalation_load_and_unload_of_kernel_via_kexec.toml
[Tuning] Linux DR Tuning - Part 13 (#3465)
2024-03-07 15:33:19 +00:00
privilege_escalation_looney_tunables_cve_2023_4911.toml
Enhance Setup Guide information (#3256)
2023-11-03 13:41:40 +00:00
privilege_escalation_netcon_via_sudo_binary.toml
[Tuning] Linux DR Tuning - Part 13 (#3465)
2024-03-07 15:33:19 +00:00
privilege_escalation_overlayfs_local_privesc.toml
Enhance Setup Guide information (#3256)
2023-11-03 13:41:40 +00:00
privilege_escalation_pkexec_envar_hijack.toml
Enhance Setup Guide information (#3256)
2023-11-03 13:41:40 +00:00
privilege_escalation_potential_bufferoverflow_attack.toml
[New Rule] Potential Buffer Overflow Attack Detected (#3312)
2024-01-22 15:33:29 +00:00
privilege_escalation_potential_wildcard_shell_spawn.toml
Enhance Setup Guide information (#3256)
2023-11-03 13:41:40 +00:00
privilege_escalation_sda_disk_mount_non_root.toml
Enhance Setup Guide information (#3256)
2023-11-03 13:41:40 +00:00
privilege_escalation_shadow_file_read.toml
[Tuning] Linux DR Tuning - Part 13 (#3465)
2024-03-07 15:33:19 +00:00
privilege_escalation_sudo_cve_2019_14287.toml
[Tuning] Linux DR Tuning - Part 14 (#3467)
2024-03-07 15:50:43 +00:00
privilege_escalation_sudo_hijacking.toml
[Tuning] Linux DR Tuning - Part 14 (#3467)
2024-03-07 15:50:43 +00:00
privilege_escalation_sudo_token_via_process_injection.toml
Enhance Setup Guide information (#3256)
2023-11-03 13:41:40 +00:00
privilege_escalation_suspicious_cap_setuid_python_execution.toml
Enhance Setup Guide information (#3256)
2023-11-03 13:41:40 +00:00
privilege_escalation_suspicious_passwd_file_write.toml
[Tuning] Event.dataset removal & Tag Addition (#3451)
2024-02-20 14:23:14 +00:00
privilege_escalation_uid_change_post_compilation.toml
Enhance Setup Guide information (#3256)
2023-11-03 13:41:40 +00:00
privilege_escalation_uid_elevation_from_unknown_executable.toml
[Tuning] Linux DR Tuning - Part 14 (#3467)
2024-03-07 15:50:43 +00:00
privilege_escalation_unshare_namespace_manipulation.toml
[Tuning] Linux DR Tuning - Part 14 (#3467)
2024-03-07 15:50:43 +00:00
privilege_escalation_writable_docker_socket.toml
Enhance Setup Guide information (#3256)
2023-11-03 13:41:40 +00:00