security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
5bf69b7967817a24eb5a7554e800d575ef278319
sigma-rules/rules/linux
T
History
Isai 1637f2dc79 [Rule Tuning] Shadow File Read via Command Line Utilities (#2403) 
* Update privilege_escalation_shadow_file_read.toml

description update, name update, query update, tags update, MITRE update

* Update privilege_escalation_shadow_file_read.toml

edited order of MITRE

* changed file name to match credential_access as primary tactic

changed file name to match credential_access as primary tactic

* excluded common executables, not related to "read", based on telemetry

excluded common executables, not related to "read", based on telemetry

* update cred access reference MITRE

* toml-lint file for final validation

* Rename credential_access_shadow_file_access.toml to privilege_escalation_shadow_file_access.toml

revert name back to privilege_escalation...

* Rename privilege_escalation_shadow_file_access.toml to privilege_escalation_shadow_file_read.toml

* update update_date

* Changed primary tactic back to privilege_escalation to match rule name 

Changed primary tactic back to privilege_escalation to match rule name
2022-11-21 11:25:39 -05:00
..
command_and_control_connection_attempt_by_non_ssh_root_session.toml
min_stack all rules to 8.3 (#2259)
2022-08-24 10:38:49 -06:00
command_and_control_linux_iodine_activity.toml
min_stack all rules to 8.3 (#2259)
2022-08-24 10:38:49 -06:00
command_and_control_tunneling_via_earthworm.toml
min_stack all rules to 8.3 (#2259)
2022-08-24 10:38:49 -06:00
credential_access_bruteforce_passowrd_guessing.toml
Add investigation guides (#2326)
2022-09-23 20:18:48 +05:30
credential_access_collection_sensitive_files.toml
min_stack all rules to 8.3 (#2259)
2022-08-24 10:38:49 -06:00
credential_access_potential_linux_ssh_bruteforce_root.toml
Add investigation guides (#2326)
2022-09-23 20:18:48 +05:30
credential_access_potential_linux_ssh_bruteforce.toml
[Rule Tuning] adjust duplicate ssh brute force rule names and add unit test (#2321)
2022-09-26 10:04:38 -04:00
credential_access_ssh_backdoor_log.toml
min_stack all rules to 8.3 (#2259)
2022-08-24 10:38:49 -06:00
defense_evasion_attempt_to_disable_syslog_service.toml
min_stack all rules to 8.3 (#2259)
2022-08-24 10:38:49 -06:00
defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml
min_stack all rules to 8.3 (#2259)
2022-08-24 10:38:49 -06:00
defense_evasion_chattr_immutable_file.toml
min_stack all rules to 8.3 (#2259)
2022-08-24 10:38:49 -06:00
defense_evasion_disable_selinux_attempt.toml
min_stack all rules to 8.3 (#2259)
2022-08-24 10:38:49 -06:00
defense_evasion_file_deletion_via_shred.toml
min_stack all rules to 8.3 (#2259)
2022-08-24 10:38:49 -06:00
defense_evasion_file_mod_writable_dir.toml
min_stack all rules to 8.3 (#2259)
2022-08-24 10:38:49 -06:00
defense_evasion_hidden_file_dir_tmp.toml
min_stack all rules to 8.3 (#2259)
2022-08-24 10:38:49 -06:00
defense_evasion_hidden_shared_object.toml
min_stack all rules to 8.3 (#2259)
2022-08-24 10:38:49 -06:00
defense_evasion_kernel_module_removal.toml
min_stack all rules to 8.3 (#2259)
2022-08-24 10:38:49 -06:00
defense_evasion_log_files_deleted.toml
[Rule Tuning] System Log File Deletion (#2362)
2022-10-18 09:11:27 -04:00
discovery_kernel_module_enumeration.toml
min_stack all rules to 8.3 (#2259)
2022-08-24 10:38:49 -06:00
discovery_linux_hping_activity.toml
min_stack all rules to 8.3 (#2259)
2022-08-24 10:38:49 -06:00
discovery_linux_nping_activity.toml
min_stack all rules to 8.3 (#2259)
2022-08-24 10:38:49 -06:00
discovery_virtual_machine_fingerprinting.toml
min_stack all rules to 8.3 (#2259)
2022-08-24 10:38:49 -06:00
execution_abnormal_process_id_file_created.toml
[Rule Tuning] Add tags to flag Sysmon-only rules & Modify Investigation Guide-related tag (#2352)
2022-11-18 12:32:27 -03:00
execution_file_transfer_or_listener_established_via_netcat.toml
[Rule Tuning] Add tags to flag Sysmon-only rules & Modify Investigation Guide-related tag (#2352)
2022-11-18 12:32:27 -03:00
execution_perl_tty_shell.toml
min_stack all rules to 8.3 (#2259)
2022-08-24 10:38:49 -06:00
execution_process_started_from_process_id_file.toml
[Rule Tuning] Link Elastic Security Labs content to compatible rules (#2388)
2022-11-07 15:17:49 -05:00
execution_process_started_in_shared_memory_directory.toml
[Rule Tuning] Link Elastic Security Labs content to compatible rules (#2388)
2022-11-07 15:17:49 -05:00
execution_python_tty_shell.toml
min_stack all rules to 8.3 (#2259)
2022-08-24 10:38:49 -06:00
execution_reverse_shell_via_named_pipe.toml
[Rule Tuning] Add tags to flag Sysmon-only rules & Modify Investigation Guide-related tag (#2352)
2022-11-18 12:32:27 -03:00
execution_shell_evasion_linux_binary.toml
min_stack all rules to 8.3 (#2259)
2022-08-24 10:38:49 -06:00
execution_tc_bpf_filter.toml
min_stack all rules to 8.3 (#2259)
2022-08-24 10:38:49 -06:00
impact_process_kill_threshold.toml
[Rule Tuning] Add tags to flag Sysmon-only rules & Modify Investigation Guide-related tag (#2352)
2022-11-18 12:32:27 -03:00
lateral_movement_telnet_network_activity_external.toml
min_stack all rules to 8.3 (#2259)
2022-08-24 10:38:49 -06:00
lateral_movement_telnet_network_activity_internal.toml
min_stack all rules to 8.3 (#2259)
2022-08-24 10:38:49 -06:00
persistence_chkconfig_service_add.toml
min_stack all rules to 8.3 (#2259)
2022-08-24 10:38:49 -06:00
persistence_credential_access_modify_ssh_binaries.toml
min_stack all rules to 8.3 (#2259)
2022-08-24 10:38:49 -06:00
persistence_dynamic_linker_backup.toml
min_stack all rules to 8.3 (#2259)
2022-08-24 10:38:49 -06:00
persistence_etc_file_creation.toml
Rule Tuning as part of 8.6 (#2398)
2022-11-17 22:55:39 +05:30
persistence_insmod_kernel_module_load.toml
min_stack all rules to 8.3 (#2259)
2022-08-24 10:38:49 -06:00
persistence_kde_autostart_modification.toml
min_stack all rules to 8.3 (#2259)
2022-08-24 10:38:49 -06:00
persistence_shell_activity_by_web_server.toml
[Rule Tuning] Add tags to flag Sysmon-only rules & Modify Investigation Guide-related tag (#2352)
2022-11-18 12:32:27 -03:00
privilege_escalation_ld_preload_shared_object_modif.toml
min_stack all rules to 8.3 (#2259)
2022-08-24 10:38:49 -06:00
privilege_escalation_pkexec_envar_hijack.toml
min_stack all rules to 8.3 (#2259)
2022-08-24 10:38:49 -06:00
privilege_escalation_shadow_file_read.toml
[Rule Tuning] Shadow File Read via Command Line Utilities (#2403)
2022-11-21 11:25:39 -05:00
privilege_escalation_unshare_namesapce_manipulation.toml
[New Rule] Linux rule(s) to detect namespace manipulation,shadow file read (#2283)
2022-09-14 22:01:46 +05:30