sigma-rules/rules/_deprecated at 646c316b66016a97a124dbe932f73676850bc362 - sigma-rules - GreySec Git

security-tools/sigma-rules

Files

T

History

Ruben Groenewoud 646c316b66 [New Rules] Linux Reverse Shells (#2905 )

* [New Rules] Linux Reverse Shells

* [New Rules] Linux Reverse Shells

* Update rules/linux/execution_shell_via_udp_cli_utility_linux.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/linux/execution_shell_via_java_revshell_linux.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/linux/execution_shell_via_java_revshell_linux.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/linux/execution_shell_via_java_revshell_linux.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/linux/execution_shell_suspicious_parent_child_revshell_linux.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/linux/execution_shell_via_udp_cli_utility_linux.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/linux/execution_shell_via_udp_cli_utility_linux.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/linux/execution_shell_via_reverse_tcp_utility_linux.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/linux/execution_shell_via_reverse_tcp_utility_linux.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/linux/execution_shell_suspicious_parent_child_revshell_linux.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/linux/execution_shell_suspicious_parent_child_revshell_linux.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Delete UDP rule to add in separate PR

* Update rules/linux/execution_shell_via_lolbin_interpreter_linux.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/linux/execution_shell_via_tcp_cli_utility_linux.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/linux/execution_shell_via_reverse_tcp_utility_linux.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/linux/execution_shell_via_tcp_cli_utility_linux.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/linux/execution_shell_via_tcp_cli_utility_linux.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Deleted one rule and tuned the others

* Improved the rules' performance

* Added the reverse_tcp rule back after tuning

* Update execution_shell_via_lolbin_interpreter_linux.toml

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

2023-07-06 15:27:57 +02:00

..

apm_null_user_agent.toml

[Rule Deprecation] Web Application Suspicious Activity: No User Agent (#2295 )

2022-09-19 10:56:03 -07:00

command_and_control_dns_directly_to_the_internet.toml

[Deprecation rule] DNS Activity to the Internet (#2221 )

2022-08-02 20:59:35 -05:00

command_and_control_ftp_file_transfer_protocol_activity_to_the_internet.toml

[Deprecation] Deprecate inherently noisy rules based on testing (#1122 )

2021-04-21 15:10:06 -04:00

command_and_control_irc_internet_relay_chat_protocol_activity_to_the_internet.toml

[Deprecation] Deprecate inherently noisy rules based on testing (#1122 )

2021-04-21 15:10:06 -04:00

command_and_control_port_8000_activity_to_the_internet.toml

[Deprecation] Deprecate inherently noisy rules based on testing (#1122 )

2021-04-21 15:10:06 -04:00

command_and_control_pptp_point_to_point_tunneling_protocol_activity.toml

[Deprecation] Deprecate inherently noisy rules based on testing (#1122 )

2021-04-21 15:10:06 -04:00

command_and_control_proxy_port_activity_to_the_internet.toml

[Deprecation] Deprecate inherently noisy rules based on testing (#1122 )

2021-04-21 15:10:06 -04:00

command_and_control_smtp_to_the_internet.toml

[Deprecation] Deprecate inherently noisy rules based on testing (#1122 )

2021-04-21 15:10:06 -04:00

command_and_control_sql_server_port_activity_to_the_internet.toml

[Deprecation] Deprecate inherently noisy rules based on testing (#1122 )

2021-04-21 15:10:06 -04:00

command_and_control_ssh_secure_shell_from_the_internet.toml

[Rule Tuning] Rule description tweaks (#1388 )

2021-07-29 10:56:13 -08:00

command_and_control_ssh_secure_shell_to_the_internet.toml

[Rule Tuning] Rule description tweaks (#1388 )

2021-07-29 10:56:13 -08:00

command_and_control_tor_activity_to_the_internet.toml

[Deprecation] Deprecate inherently noisy rules based on testing (#1122 )

2021-04-21 15:10:06 -04:00

credential_access_tcpdump_activity.toml

[Deprecation] Deprecate inherently noisy rules based on testing (#1122 )

2021-04-21 15:10:06 -04:00

defense_evasion_attempt_to_disable_iptables_or_firewall.toml

Rule(s) deprecation as part of Linux Detection Rule Review (#2163 )

2022-07-26 18:48:25 +05:30

defense_evasion_base64_encoding_or_decoding_activity.toml

[Deprecation] Deprecate inherently noisy rules based on testing (#1122 )

2021-04-21 15:10:06 -04:00

defense_evasion_code_injection_conhost.toml

Revert "[Security Content] Investigation Guides Line breaks refactor (#2412 )" (#2453 )

2023-01-09 10:44:54 -05:00

defense_evasion_execution_via_trusted_developer_utilities.toml

[Deprecation] Trusted Developer Application Usage (#1118 )

2021-04-15 22:15:38 +02:00

defense_evasion_hex_encoding_or_decoding_activity.toml

[Deprecation] Deprecate inherently noisy rules based on testing (#1122 )

2021-04-21 15:10:06 -04:00

defense_evasion_mshta_making_network_connections.toml

Add test for improper rule demotion (released production -> development) (#1555 )

2021-10-19 21:47:36 -08:00

defense_evasion_whitespace_padding_in_command_line.toml

Revert "[Security Content] Investigation Guides Line breaks refactor (#2412 )" (#2453 )

2023-01-09 10:44:54 -05:00

discovery_file_dir_discovery.toml

Revert "[Security Content] Investigation Guides Line breaks refactor (#2412 )" (#2453 )

2023-01-09 10:44:54 -05:00

discovery_process_discovery_via_tasklist_command.toml

[Deprecation] Process Discovery via Tasklist (#1116 )

2021-04-15 22:18:56 +02:00

discovery_query_registry_via_reg.toml

[Deprecation] Deprecate inherently noisy rules based on testing (#1122 )

2021-04-21 15:10:06 -04:00

discovery_whoami_commmand.toml

[Deprecation] Deprecate inherently noisy rules based on testing (#1122 )

2021-04-21 15:10:06 -04:00

execution_apt_binary.toml

[Rule tuning] Linux binary(s) shell evasion threat (#1957 )

2022-05-25 08:32:53 +05:30

execution_awk_binary_shell.toml

[Rule tuning] Linux binary(s) shell evasion threat (#1957 )

2022-05-25 08:32:53 +05:30

execution_busybox_binary.toml

[Rule tuning] Linux binary(s) shell evasion threat (#1957 )

2022-05-25 08:32:53 +05:30

execution_c89_c99_binary.toml

[Rule tuning] Linux binary(s) shell evasion threat (#1957 )

2022-05-25 08:32:53 +05:30

execution_command_shell_started_by_powershell.toml

[Deprecation] Deprecate inherently noisy rules based on testing (#1122 )

2021-04-21 15:10:06 -04:00

execution_cpulimit_binary.toml

[Rule tuning] Linux binary(s) shell evasion threat (#1957 )

2022-05-25 08:32:53 +05:30

execution_crash_binary.toml

[Rule tuning] Linux binary(s) shell evasion threat (#1957 )

2022-05-25 08:32:53 +05:30

execution_env_binary.toml

[Rule tuning] Linux binary(s) shell evasion threat (#1957 )

2022-05-25 08:32:53 +05:30

execution_expect_binary.toml

[Rule tuning] Linux binary(s) shell evasion threat (#1957 )

2022-05-25 08:32:53 +05:30

execution_find_binary.toml

[Rule tuning] Linux binary(s) shell evasion threat (#1957 )

2022-05-25 08:32:53 +05:30

execution_flock_binary.toml

[Rule tuning] Linux binary(s) shell evasion threat (#1957 )

2022-05-25 08:32:53 +05:30

execution_gcc_binary.toml

[Rule tuning] Linux binary(s) shell evasion threat (#1957 )

2022-05-25 08:32:53 +05:30

execution_linux_process_started_in_temp_directory.toml

Rule(s) deprecation as part of Linux Detection Rule Review (#2163 )

2022-07-26 18:48:25 +05:30

execution_mysql_binary.toml

[Rule tuning] Linux binary(s) shell evasion threat (#1957 )

2022-05-25 08:32:53 +05:30

execution_reverse_shell_via_named_pipe.toml

[New Rules] Linux Reverse Shells (#2905 )

2023-07-06 15:27:57 +02:00

execution_ssh_binary.toml

[Rule tuning] Linux binary(s) shell evasion threat (#1957 )

2022-05-25 08:32:53 +05:30

execution_vi_binary.toml

[Rule tuning] Linux binary(s) shell evasion threat (#1957 )

2022-05-25 08:32:53 +05:30

execution_via_net_com_assemblies.toml

[Rule Tuning] Merge and Delete duplicate rules for Registration Utilities (#1028 )

2021-03-19 10:05:09 +01:00

exfiltration_rds_snapshot_export.toml

[Bug] Tighten definitions validation patterns (#1396 )

2021-10-26 10:26:20 -05:00

initial_access_login_failures.toml

Rule(s) deprecation as part of Linux Detection Rule Review (#2163 )

2022-07-26 18:48:25 +05:30

initial_access_login_location.toml

Rule(s) deprecation as part of Linux Detection Rule Review (#2163 )

2022-07-26 18:48:25 +05:30

initial_access_login_sessions.toml

Rule(s) deprecation as part of Linux Detection Rule Review (#2163 )

2022-07-26 18:48:25 +05:30

initial_access_login_time.toml

Rule(s) deprecation as part of Linux Detection Rule Review (#2163 )

2022-07-26 18:48:25 +05:30

initial_access_rdp_remote_desktop_protocol_to_the_internet.toml

[Rule Tuning] Rule description tweaks (#1388 )

2021-07-29 10:56:13 -08:00

linux_mknod_activity.toml

[Deprecation] Deprecate inherently noisy rules based on testing (#1122 )

2021-04-21 15:10:06 -04:00

linux_nmap_activity.toml

[Deprecation] Deprecate inherently noisy rules based on testing (#1122 )

2021-04-21 15:10:06 -04:00

linux_socat_activity.toml

[Deprecation] Deprecate inherently noisy rules based on testing (#1122 )

2021-04-21 15:10:06 -04:00

persistence_cron_jobs_creation_and_runtime.toml

[Deprecation] Deprecate inherently noisy rules based on testing (#1122 )

2021-04-21 15:10:06 -04:00

persistence_google_workspace_user_group_access_modified_to_allow_external_access.toml

deprecate 'Google Workspace User Group Access Modified to Allow External Access' (#2576 )

2023-03-02 11:29:14 -05:00

persistence_kernel_module_activity.toml

[Deprecation] Deprecate inherently noisy rules based on testing (#1122 )

2021-04-21 15:10:06 -04:00

persistence_shell_activity_by_web_server.toml

[Rule Tuning] Potential Shell via Web Server (#2585 )

2023-05-05 09:47:49 +02:00

privilege_escalation_gcp_kubernetes_rolebindings_created_or_patched.toml

[Deprecation] GCP Kubernetes Rolebindings Created or Patched (#2340 )

2022-11-09 12:51:52 -05:00

privilege_escalation_krbrelayup_suspicious_logon.toml

[Deprecated Rule] Potential Privilege Escalation via Local Kerberos R… (#2209 )

2022-08-01 18:28:26 +02:00

privilege_escalation_linux_strace_activity.toml

Rule tuning as part of Linux Detection Rules Review (#2170 )

2022-07-29 21:55:49 +05:30

privilege_escalation_printspooler_malicious_driver_file_changes.toml

Deprecate PrintNightmare Rules (#1852 )

2022-03-17 19:39:36 -03:00

privilege_escalation_printspooler_malicious_registry_modification.toml

Deprecate PrintNightmare Rules (#1852 )

2022-03-17 19:39:36 -03:00

privilege_escalation_setgid_bit_set_via_chmod.toml

Add tests to ensure rules are properly deprecated (#1050 )

2021-03-16 21:31:33 -08:00

threat_intel_filebeat7x.toml

Revert "[Security Content] Investigation Guides Line breaks refactor (#2412 )" (#2453 )

2023-01-09 10:44:54 -05:00