sigma-rules

Files

T

Ruben Groenewoud 646c316b66 [New Rules] Linux Reverse Shells (#2905 )

* [New Rules] Linux Reverse Shells

* [New Rules] Linux Reverse Shells

* Update rules/linux/execution_shell_via_udp_cli_utility_linux.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/linux/execution_shell_via_java_revshell_linux.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/linux/execution_shell_via_java_revshell_linux.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/linux/execution_shell_via_java_revshell_linux.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/linux/execution_shell_suspicious_parent_child_revshell_linux.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/linux/execution_shell_via_udp_cli_utility_linux.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/linux/execution_shell_via_udp_cli_utility_linux.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/linux/execution_shell_via_reverse_tcp_utility_linux.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/linux/execution_shell_via_reverse_tcp_utility_linux.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/linux/execution_shell_suspicious_parent_child_revshell_linux.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/linux/execution_shell_suspicious_parent_child_revshell_linux.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Delete UDP rule to add in separate PR

* Update rules/linux/execution_shell_via_lolbin_interpreter_linux.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/linux/execution_shell_via_tcp_cli_utility_linux.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/linux/execution_shell_via_reverse_tcp_utility_linux.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/linux/execution_shell_via_tcp_cli_utility_linux.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/linux/execution_shell_via_tcp_cli_utility_linux.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Deleted one rule and tuned the others

* Improved the rules' performance

* Added the reverse_tcp rule back after tuning

* Update execution_shell_via_lolbin_interpreter_linux.toml

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

2023-07-06 15:27:57 +02:00

command_and_control_connection_attempt_by_non_ssh_root_session.toml

[Security Content] Tags Reform (#2725 )

2023-06-22 18:38:56 -03:00

command_and_control_linux_iodine_activity.toml

[Security Content] Tags Reform (#2725 )

2023-06-22 18:38:56 -03:00

command_and_control_suspicious_network_activity_from_unknown_executable.toml

[BUG] test_all_rule_queries_optimized does not run on rules (#2823 )

2023-06-23 10:58:31 -04:00

command_and_control_tunneling_via_earthworm.toml

[Security Content] Tags Reform (#2725 )

2023-06-22 18:38:56 -03:00

credential_access_bruteforce_password_guessing.toml

[Security Content] Tags Reform (#2725 )

2023-06-22 18:38:56 -03:00

credential_access_collection_sensitive_files.toml

[Security Content] Tags Reform (#2725 )

2023-06-22 18:38:56 -03:00

credential_access_credential_dumping.toml

[Security Content] Tags Reform (#2725 )

2023-06-22 18:38:56 -03:00

credential_access_potential_linux_ssh_bruteforce_external.toml

[Security Content] Tags Reform (#2725 )

2023-06-22 18:38:56 -03:00

credential_access_potential_linux_ssh_bruteforce_internal.toml

[Security Content] Tags Reform (#2725 )

2023-06-22 18:38:56 -03:00

credential_access_potential_linux_ssh_bruteforce_root.toml

[Security Content] Tags Reform (#2725 )

2023-06-22 18:38:56 -03:00

credential_access_proc_credential_dumping.toml

[Security Content] Tags Reform (#2725 )

2023-06-22 18:38:56 -03:00

credential_access_ssh_backdoor_log.toml

[Security Content] Tags Reform (#2725 )

2023-06-22 18:38:56 -03:00

defense_evasion_attempt_to_disable_iptables_or_firewall.toml

[Security Content] Tags Reform (#2725 )

2023-06-22 18:38:56 -03:00

defense_evasion_attempt_to_disable_syslog_service.toml

[Security Content] Tags Reform (#2725 )

2023-06-22 18:38:56 -03:00

defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml

[Security Content] Tags Reform (#2725 )

2023-06-22 18:38:56 -03:00

defense_evasion_chattr_immutable_file.toml

[Security Content] Tags Reform (#2725 )

2023-06-22 18:38:56 -03:00

defense_evasion_disable_selinux_attempt.toml

[Security Content] Tags Reform (#2725 )

2023-06-22 18:38:56 -03:00

defense_evasion_esxi_suspicious_timestomp_touch.toml

[Security Content] Tags Reform (#2725 )

2023-06-22 18:38:56 -03:00

defense_evasion_file_deletion_via_shred.toml

[Security Content] Tags Reform (#2725 )

2023-06-22 18:38:56 -03:00

defense_evasion_file_mod_writable_dir.toml

[Security Content] Tags Reform (#2725 )

2023-06-22 18:38:56 -03:00

defense_evasion_hidden_file_dir_tmp.toml

[Security Content] Tags Reform (#2725 )

2023-06-22 18:38:56 -03:00

defense_evasion_hidden_shared_object.toml

[Security Content] Tags Reform (#2725 )

2023-06-22 18:38:56 -03:00

defense_evasion_kernel_module_removal.toml

[Security Content] Tags Reform (#2725 )

2023-06-22 18:38:56 -03:00

defense_evasion_ld_preload_env_variable_process_injection.toml

[New Rules] Conversion of deprecated ERs over to DRs (#2877 )

2023-07-02 10:39:44 +02:00

defense_evasion_log_files_deleted.toml

[Security Content] Tags Reform (#2725 )

2023-06-22 18:38:56 -03:00

defense_evasion_mount_execution.toml

[Security Content] Tags Reform (#2725 )

2023-06-22 18:38:56 -03:00

defense_evasion_potential_proot_exploits.toml

[Security Content] Tags Reform (#2725 )

2023-06-22 18:38:56 -03:00

defense_evasion_rename_esxi_files.toml

[Security Content] Tags Reform (#2725 )

2023-06-22 18:38:56 -03:00

defense_evasion_rename_esxi_index_file.toml

[Security Content] Tags Reform (#2725 )

2023-06-22 18:38:56 -03:00

discovery_esxi_software_via_find.toml

[Security Content] Tags Reform (#2725 )

2023-06-22 18:38:56 -03:00

discovery_esxi_software_via_grep.toml

[Security Content] Tags Reform (#2725 )

2023-06-22 18:38:56 -03:00

discovery_kernel_module_enumeration_via_proc.toml

[Security Content] Tags Reform (#2725 )

2023-06-22 18:38:56 -03:00

discovery_kernel_module_enumeration.toml

[Security Content] Tags Reform (#2725 )

2023-06-22 18:38:56 -03:00

discovery_linux_hping_activity.toml

[Security Content] Tags Reform (#2725 )

2023-06-22 18:38:56 -03:00

discovery_linux_nping_activity.toml

[Security Content] Tags Reform (#2725 )

2023-06-22 18:38:56 -03:00

discovery_suspicious_proc_enumeration.toml

[New Rule] Suspicious Proc Enumeration (#2845 )

2023-07-04 11:34:56 +02:00

discovery_virtual_machine_fingerprinting.toml

[Security Content] Tags Reform (#2725 )

2023-06-22 18:38:56 -03:00

execution_abnormal_process_id_file_created.toml

[Security Content] Tags Reform (#2725 )

2023-06-22 18:38:56 -03:00

execution_file_transfer_or_listener_established_via_netcat.toml

[Security Content] Tags Reform (#2725 )

2023-06-22 18:38:56 -03:00

execution_perl_tty_shell.toml

[Security Content] Tags Reform (#2725 )

2023-06-22 18:38:56 -03:00

execution_process_started_from_process_id_file.toml

[Security Content] Tags Reform (#2725 )

2023-06-22 18:38:56 -03:00

execution_process_started_in_shared_memory_directory.toml

[Security Content] Tags Reform (#2725 )

2023-06-22 18:38:56 -03:00

execution_python_tty_shell.toml

[Security Content] Tags Reform (#2725 )

2023-06-22 18:38:56 -03:00

execution_remote_code_execution_via_postgresql.toml

[New Rule] Postgresql Code Execution (#2863 )

2023-06-30 13:17:24 +02:00

execution_shell_evasion_linux_binary.toml

[Security Content] Tags Reform (#2725 )

2023-06-22 18:38:56 -03:00

execution_shell_suspicious_parent_child_revshell_linux.toml

[New Rules] Linux Reverse Shells (#2905 )

2023-07-06 15:27:57 +02:00

execution_shell_via_java_revshell_linux.toml

[New Rules] Linux Reverse Shells (#2905 )

2023-07-06 15:27:57 +02:00

execution_shell_via_lolbin_interpreter_linux.toml

[New Rules] Linux Reverse Shells (#2905 )

2023-07-06 15:27:57 +02:00

execution_shell_via_suspicious_binary.toml

[New Rules] Linux Reverse Shells (#2905 )

2023-07-06 15:27:57 +02:00

execution_shell_via_tcp_cli_utility_linux.toml

[New Rules] Linux Reverse Shells (#2905 )

2023-07-06 15:27:57 +02:00

execution_sus_extraction_or_decrompression_via_funzip.toml

[New Rules] Conversion of deprecated ERs over to DRs (#2877 )

2023-07-02 10:39:44 +02:00

execution_suspicious_mining_process_creation_events.toml

[Security Content] Tags Reform (#2725 )

2023-06-22 18:38:56 -03:00

execution_tc_bpf_filter.toml

[Security Content] Tags Reform (#2725 )

2023-06-22 18:38:56 -03:00

impact_data_encrypted_via_openssl.toml

[New Rules] Conversion of deprecated ERs over to DRs (#2877 )

2023-07-02 10:39:44 +02:00

impact_esxi_process_kill.toml

[Security Content] Tags Reform (#2725 )

2023-06-22 18:38:56 -03:00

impact_potential_linux_ransomware_file_encryption.toml

[Security Content] Tags Reform (#2725 )

2023-06-22 18:38:56 -03:00

impact_potential_linux_ransomware_note_detected.toml

[Security Content] Tags Reform (#2725 )

2023-06-22 18:38:56 -03:00

impact_process_kill_threshold.toml

[Security Content] Tags Reform (#2725 )

2023-06-22 18:38:56 -03:00

lateral_movement_telnet_network_activity_external.toml

[Security Content] Tags Reform (#2725 )

2023-06-22 18:38:56 -03:00

lateral_movement_telnet_network_activity_internal.toml

[Security Content] Tags Reform (#2725 )

2023-06-22 18:38:56 -03:00

persistence_chkconfig_service_add.toml

[Security Content] Tags Reform (#2725 )

2023-06-22 18:38:56 -03:00

persistence_credential_access_modify_ssh_binaries.toml

[BUG] test_all_rule_queries_optimized does not run on rules (#2823 )

2023-06-23 10:58:31 -04:00

persistence_cron_job_creation.toml

[Security Content] Tags Reform (#2725 )

2023-06-22 18:38:56 -03:00

persistence_dynamic_linker_backup.toml

[Security Content] Tags Reform (#2725 )

2023-06-22 18:38:56 -03:00

persistence_etc_file_creation.toml

[Security Content] Tags Reform (#2725 )

2023-06-22 18:38:56 -03:00

persistence_init_d_file_creation.toml

[Security Content] Tags Reform (#2725 )

2023-06-22 18:38:56 -03:00

persistence_insmod_kernel_module_load.toml

[Security Content] Tags Reform (#2725 )

2023-06-22 18:38:56 -03:00

persistence_kde_autostart_modification.toml

[Security Content] Tags Reform (#2725 )

2023-06-22 18:38:56 -03:00

persistence_linux_backdoor_user_creation.toml

[Security Content] Tags Reform (#2725 )

2023-06-22 18:38:56 -03:00

persistence_linux_group_creation.toml

[Security Content] Tags Reform (#2725 )

2023-06-22 18:38:56 -03:00

persistence_linux_shell_activity_via_web_server.toml

[Security Content] Tags Reform (#2725 )

2023-06-22 18:38:56 -03:00

persistence_linux_user_account_creation.toml

[Security Content] Tags Reform (#2725 )

2023-06-22 18:38:56 -03:00

persistence_linux_user_added_to_privileged_group.toml

[Security Content] Tags Reform (#2725 )

2023-06-22 18:38:56 -03:00

persistence_message_of_the_day_creation.toml

[Security Content] Tags Reform (#2725 )

2023-06-22 18:38:56 -03:00

persistence_message_of_the_day_execution.toml

[Security Content] Tags Reform (#2725 )

2023-06-22 18:38:56 -03:00

persistence_rc_script_creation.toml

[Security Content] Tags Reform (#2725 )

2023-06-22 18:38:56 -03:00

persistence_shared_object_creation.toml

[BUG] test_all_rule_queries_optimized does not run on rules (#2823 )

2023-06-23 10:58:31 -04:00

persistence_systemd_scheduled_timer_created.toml

[Security Content] Tags Reform (#2725 )

2023-06-22 18:38:56 -03:00

persistence_systemd_service_creation.toml

[Security Content] Tags Reform (#2725 )

2023-06-22 18:38:56 -03:00

privilege_escalation_ld_preload_shared_object_modif.toml

[Security Content] Tags Reform (#2725 )

2023-06-22 18:38:56 -03:00

privilege_escalation_pkexec_envar_hijack.toml

[Security Content] Tags Reform (#2725 )

2023-06-22 18:38:56 -03:00

privilege_escalation_shadow_file_read.toml

[Security Content] Tags Reform (#2725 )

2023-06-22 18:38:56 -03:00

privilege_escalation_unshare_namespace_manipulation.toml

[Security Content] Tags Reform (#2725 )

2023-06-22 18:38:56 -03:00