security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
6e77f5176d087661765bf57dea423ef47aa6e136
sigma-rules/rules/linux
T
History
Andrew Stucki 6e77f5176d [New Rule] auditd login anomalies (#33) 
* Add auditd login anomaly rules

* Flip logic to start with less-specific filters

* remove event.category from queries and update metadata

* surround event.action with quotes to account for dash

* update tags

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2021-02-10 14:24:55 -05:00
..
credential_access_collection_sensitive_files.toml
[New Rule] Sensitive Files Compression (#756)
2021-02-08 16:31:00 +01:00
credential_access_ssh_backdoor_log.toml
[New Rule] Potential OpenSSH Backdoor Logging Activity (#749)
2021-02-05 21:27:15 +01:00
credential_access_tcpdump_activity.toml
Refresh beats and ecs schemas and default to use latest to validate (#570)
2020-12-01 13:24:20 -09:00
defense_evasion_attempt_to_disable_iptables_or_firewall.toml
[Rule Tuning] Update ATT&CK threat mappings to reflect changes (#706)
2020-12-18 12:46:16 -09:00
defense_evasion_attempt_to_disable_syslog_service.toml
[Rule Tuning] Update ATT&CK threat mappings to reflect changes (#706)
2020-12-18 12:46:16 -09:00
defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml
Add ATT&CK sub-technique support to CLI (#614)
2020-12-08 21:56:55 -09:00
defense_evasion_base64_encoding_or_decoding_activity.toml
Add ATT&CK sub-technique support to CLI (#614)
2020-12-08 21:56:55 -09:00
defense_evasion_deletion_of_bash_command_line_history.toml
[Rule Tuning] Update rules using case sensitive wildcard function (#904)
2021-02-04 10:23:32 -05:00
defense_evasion_disable_selinux_attempt.toml
[Rule Tuning] Update ATT&CK threat mappings to reflect changes (#706)
2020-12-18 12:46:16 -09:00
defense_evasion_file_deletion_via_shred.toml
[Rule Tuning] Update ATT&CK threat mappings to reflect changes (#706)
2020-12-18 12:46:16 -09:00
defense_evasion_file_mod_writable_dir.toml
Refresh beats and ecs schemas and default to use latest to validate (#570)
2020-12-01 13:24:20 -09:00
defense_evasion_hex_encoding_or_decoding_activity.toml
Add ATT&CK sub-technique support to CLI (#614)
2020-12-08 21:56:55 -09:00
defense_evasion_hidden_file_dir_tmp.toml
[Rule Tuning] Update ATT&CK threat mappings to reflect changes (#706)
2020-12-18 12:46:16 -09:00
defense_evasion_kernel_module_removal.toml
[Rule Tuning] Update ATT&CK threat mappings to reflect changes (#706)
2020-12-18 12:46:16 -09:00
defense_evasion_log_files_deleted.toml
[New Rule] Linux System Log Files Deleted (#461)
2020-12-08 17:34:33 +01:00
defense_evasion_timestomp_touch.toml
[Rule Tuning] Update rules using case sensitive wildcard function (#904)
2021-02-04 10:23:32 -05:00
discovery_kernel_module_enumeration.toml
Refresh beats and ecs schemas and default to use latest to validate (#570)
2020-12-01 13:24:20 -09:00
discovery_virtual_machine_fingerprinting.toml
Refresh beats and ecs schemas and default to use latest to validate (#570)
2020-12-01 13:24:20 -09:00
discovery_whoami_commmand.toml
Refresh beats and ecs schemas and default to use latest to validate (#570)
2020-12-01 13:24:20 -09:00
execution_perl_tty_shell.toml
Refresh beats and ecs schemas and default to use latest to validate (#570)
2020-12-01 13:24:20 -09:00
execution_python_tty_shell.toml
Refresh beats and ecs schemas and default to use latest to validate (#570)
2020-12-01 13:24:20 -09:00
initial_access_login_failures.toml
[New Rule] auditd login anomalies (#33)
2021-02-10 14:24:55 -05:00
initial_access_login_location.toml
[New Rule] auditd login anomalies (#33)
2021-02-10 14:24:55 -05:00
initial_access_login_sessions.toml
[New Rule] auditd login anomalies (#33)
2021-02-10 14:24:55 -05:00
initial_access_login_time.toml
[New Rule] auditd login anomalies (#33)
2021-02-10 14:24:55 -05:00
lateral_movement_telnet_network_activity_external.toml
Refresh beats and ecs schemas and default to use latest to validate (#570)
2020-12-01 13:24:20 -09:00
lateral_movement_telnet_network_activity_internal.toml
Refresh beats and ecs schemas and default to use latest to validate (#570)
2020-12-01 13:24:20 -09:00
linux_hping_activity.toml
Refresh beats and ecs schemas and default to use latest to validate (#570)
2020-12-01 13:24:20 -09:00
linux_iodine_activity.toml
Refresh beats and ecs schemas and default to use latest to validate (#570)
2020-12-01 13:24:20 -09:00
linux_mknod_activity.toml
Refresh beats and ecs schemas and default to use latest to validate (#570)
2020-12-01 13:24:20 -09:00
linux_netcat_network_connection.toml
Refresh beats and ecs schemas and default to use latest to validate (#570)
2020-12-01 13:24:20 -09:00
linux_nmap_activity.toml
Refresh beats and ecs schemas and default to use latest to validate (#570)
2020-12-01 13:24:20 -09:00
linux_nping_activity.toml
Refresh beats and ecs schemas and default to use latest to validate (#570)
2020-12-01 13:24:20 -09:00
linux_process_started_in_temp_directory.toml
Refresh beats and ecs schemas and default to use latest to validate (#570)
2020-12-01 13:24:20 -09:00
linux_socat_activity.toml
Refresh beats and ecs schemas and default to use latest to validate (#570)
2020-12-01 13:24:20 -09:00
linux_strace_activity.toml
Refresh beats and ecs schemas and default to use latest to validate (#570)
2020-12-01 13:24:20 -09:00
persistence_credential_access_modify_ssh_binaries.toml
[New Rule] Modification of OpenSSH Binaries (#747)
2021-01-28 19:46:30 +01:00
persistence_kde_autostart_modification.toml
[New Rule] Persistence via KDE AutoStart Script or Desktop File Modif… (#809)
2021-02-09 10:47:05 +01:00
persistence_kernel_module_activity.toml
[Rule Tuning] Update ATT&CK threat mappings to reflect changes (#706)
2020-12-18 12:46:16 -09:00
persistence_shell_activity_by_web_server.toml
[Rule Tuning] Update ATT&CK threat mappings to reflect changes (#706)
2020-12-18 12:46:16 -09:00
privilege_escalation_ld_preload_shared_object_modif.toml
[New Rule] Modification of the Dynamic Linker Preload Shared Object (#921)
2021-02-08 16:11:37 +01:00