security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
7c5f17e30c55c267db9421fc5bd035ef202551cc
sigma-rules/rules/linux
T
History
Ruben Groenewoud 7c5f17e30c [New Rules] User / Group Creation & Privileged Group Addition (#2546) 
* [New Rules] user/group creation

* Update rules/linux/persistence_linux_group_creation.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/persistence_linux_user_account_creation.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/persistence_linux_user_added_to_privileged_group.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* added backdoor user account

* added host.os.type == linux for unit testing fix

* unit testing fixes

* Update rules/linux/persistence_linux_backdoor_user_creation.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/linux/persistence_linux_backdoor_user_creation.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Added OSQuery to Investigation Guides

* Update rules/linux/persistence_linux_backdoor_user_creation.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/linux/persistence_linux_backdoor_user_creation.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* removed investigation guides to add in future PR

* Fixed some issues with the rules

* fixed typo

* Update rules/linux/persistence_linux_backdoor_user_creation.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/linux/persistence_linux_user_account_creation.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/linux/persistence_linux_user_added_to_privileged_group.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/linux/persistence_linux_group_creation.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

---------

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2023-06-22 15:15:48 +02:00
..
command_and_control_connection_attempt_by_non_ssh_root_session.toml
[Rule Tuning] Ensure host information is in endpoint rule queries (#2593)
2023-03-05 11:41:19 -07:00
command_and_control_linux_iodine_activity.toml
[Rule Tuning] Ensure host information is in endpoint rule queries (#2593)
2023-03-05 11:41:19 -07:00
command_and_control_suspicious_network_activity_from_unknown_executable.toml
[New Rule] Sus Network Activity from Unknown Executable (#2856)
2023-06-14 23:27:29 +02:00
command_and_control_tunneling_via_earthworm.toml
[Rule Tuning] Ensure host information is in endpoint rule queries (#2593)
2023-03-05 11:41:19 -07:00
credential_access_bruteforce_password_guessing.toml
[Rule Tuning] Ensure host information is in endpoint rule queries (#2593)
2023-03-05 11:41:19 -07:00
credential_access_collection_sensitive_files.toml
[Rule Tuning] Ensure host information is in endpoint rule queries (#2593)
2023-03-05 11:41:19 -07:00
credential_access_credential_dumping.toml
Correct Event Action to include endgame event schema (#2610)
2023-04-20 17:28:01 +05:30
credential_access_potential_linux_ssh_bruteforce_external.toml
[Rule Tuning & Addition] Potential Linux SSH Brute Force (#2583)
2023-05-25 12:00:44 +02:00
credential_access_potential_linux_ssh_bruteforce_internal.toml
[Rule Tuning & Addition] Potential Linux SSH Brute Force (#2583)
2023-05-25 12:00:44 +02:00
credential_access_potential_linux_ssh_bruteforce_root.toml
[Rule Fix] Privileged SSH Brute Force Detected (#2595)
2023-03-14 15:42:58 -04:00
credential_access_proc_credential_dumping.toml
Rule to detect Potential Linux Credential Dumping via Proc Filesystem (#2751)
2023-05-05 22:23:15 +05:30
credential_access_ssh_backdoor_log.toml
[Rule Tuning] Ensure host information is in endpoint rule queries (#2593)
2023-03-05 11:41:19 -07:00
defense_evasion_attempt_to_disable_iptables_or_firewall.toml
[Rule Tuning] Ensure host information is in endpoint rule queries (#2593)
2023-03-05 11:41:19 -07:00
defense_evasion_attempt_to_disable_syslog_service.toml
[Rule Tuning] Ensure host information is in endpoint rule queries (#2593)
2023-03-05 11:41:19 -07:00
defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml
[Rule Tuning] Ensure host information is in endpoint rule queries (#2593)
2023-03-05 11:41:19 -07:00
defense_evasion_chattr_immutable_file.toml
Linux Rule Tuning (#2753)
2023-05-02 19:12:13 +05:30
defense_evasion_disable_selinux_attempt.toml
[Rule Tuning] Ensure host information is in endpoint rule queries (#2593)
2023-03-05 11:41:19 -07:00
defense_evasion_esxi_suspicious_timestomp_touch.toml
Detect Threat indicators for VMware ESXi servers (#2708)
2023-04-25 20:17:16 +05:30
defense_evasion_file_deletion_via_shred.toml
[Rule Tuning] Ensure host information is in endpoint rule queries (#2593)
2023-03-05 11:41:19 -07:00
defense_evasion_file_mod_writable_dir.toml
[Rule Tuning] Ensure host information is in endpoint rule queries (#2593)
2023-03-05 11:41:19 -07:00
defense_evasion_hidden_file_dir_tmp.toml
[Rule Tuning] Ensure host information is in endpoint rule queries (#2593)
2023-03-05 11:41:19 -07:00
defense_evasion_hidden_shared_object.toml
[Rule Tuning] Ensure host information is in endpoint rule queries (#2593)
2023-03-05 11:41:19 -07:00
defense_evasion_kernel_module_removal.toml
[Rule tunings / New Rule] Kernel Unload and Enumeration (#2838)
2023-06-22 10:11:52 +02:00
defense_evasion_log_files_deleted.toml
[Rule Tuning] Ensure host information is in endpoint rule queries (#2593)
2023-03-05 11:41:19 -07:00
defense_evasion_mount_execution.toml
Detect Mount Execution With Hidepid Parameter (#2706)
2023-04-22 08:00:30 +05:30
defense_evasion_potential_proot_exploits.toml
New Rule to identify defense evasion via PRoot (#2625)
2023-04-20 17:14:01 +05:30
defense_evasion_rename_esxi_files.toml
Detect Threat indicators for VMware ESXi servers (#2708)
2023-04-25 20:17:16 +05:30
defense_evasion_rename_esxi_index_file.toml
Detect Threat indicators for VMware ESXi servers (#2708)
2023-04-25 20:17:16 +05:30
discovery_esxi_software_via_find.toml
Detect Threat indicators for VMware ESXi servers (#2708)
2023-04-25 20:17:16 +05:30
discovery_esxi_software_via_grep.toml
Detect Threat indicators for VMware ESXi servers (#2708)
2023-04-25 20:17:16 +05:30
discovery_kernel_module_enumeration_via_proc.toml
[Rule tunings / New Rule] Kernel Unload and Enumeration (#2838)
2023-06-22 10:11:52 +02:00
discovery_kernel_module_enumeration.toml
[Rule tunings / New Rule] Kernel Unload and Enumeration (#2838)
2023-06-22 10:11:52 +02:00
discovery_linux_hping_activity.toml
[Rule Tuning] Ensure host information is in endpoint rule queries (#2593)
2023-03-05 11:41:19 -07:00
discovery_linux_nping_activity.toml
[Rule Tuning] Ensure host information is in endpoint rule queries (#2593)
2023-03-05 11:41:19 -07:00
discovery_virtual_machine_fingerprinting.toml
[Rule Tuning] Ensure host information is in endpoint rule queries (#2593)
2023-03-05 11:41:19 -07:00
execution_abnormal_process_id_file_created.toml
Update file path regex for /run (#2749)
2023-04-26 14:02:16 +05:30
execution_file_transfer_or_listener_established_via_netcat.toml
[Rule Tuning] Ensure host information is in endpoint rule queries (#2593)
2023-03-05 11:41:19 -07:00
execution_perl_tty_shell.toml
[Rule Tuning] Ensure host information is in endpoint rule queries (#2593)
2023-03-05 11:41:19 -07:00
execution_process_started_from_process_id_file.toml
[Rule Tuning] Ensure host information is in endpoint rule queries (#2593)
2023-03-05 11:41:19 -07:00
execution_process_started_in_shared_memory_directory.toml
[Rule Tuning] Ensure host information is in endpoint rule queries (#2593)
2023-03-05 11:41:19 -07:00
execution_python_tty_shell.toml
[Rule Tuning] Interactive Terminal Spawned via Python (#2781)
2023-05-26 10:19:35 -03:00
execution_reverse_shell_via_named_pipe.toml
[Security Content] Add Investigation Guides to Windows rules (#2678)
2023-05-26 10:25:41 -03:00
execution_shell_evasion_linux_binary.toml
Tune Shell evasion Rule to incorporate GTFOArgs shell evasion (#2687)
2023-04-20 18:35:18 +05:30
execution_suspicious_mining_process_creation_events.toml
New Rule: Suspicious Mining Process Creation Event (#2531)
2023-03-21 16:35:25 +01:00
execution_tc_bpf_filter.toml
[Rule Tuning] Ensure host information is in endpoint rule queries (#2593)
2023-03-05 11:41:19 -07:00
impact_esxi_process_kill.toml
Detect Threat indicators for VMware ESXi servers (#2708)
2023-04-25 20:17:16 +05:30
impact_potential_linux_ransomware_file_encryption.toml
[New Rules] Ransomware Encryption & Note Creation (#2652)
2023-05-16 11:30:00 +02:00
impact_potential_linux_ransomware_note_detected.toml
[New Rules] Ransomware Encryption & Note Creation (#2652)
2023-05-16 11:30:00 +02:00
impact_process_kill_threshold.toml
[Rule Tuning] Ensure host information is in endpoint rule queries (#2593)
2023-03-05 11:41:19 -07:00
lateral_movement_telnet_network_activity_external.toml
[Rule Tuning] Ensure host information is in endpoint rule queries (#2593)
2023-03-05 11:41:19 -07:00
lateral_movement_telnet_network_activity_internal.toml
[Rule Tuning] Ensure host information is in endpoint rule queries (#2593)
2023-03-05 11:41:19 -07:00
persistence_chkconfig_service_add.toml
[Rule Tuning] Ensure host information is in endpoint rule queries (#2593)
2023-03-05 11:41:19 -07:00
persistence_credential_access_modify_ssh_binaries.toml
[Rule Tuning] Ensure host information is in endpoint rule queries (#2593)
2023-03-05 11:41:19 -07:00
persistence_cron_job_creation.toml
[New Rules] Cron Job / Systemd Service Creation (#2847)
2023-06-13 09:44:44 +02:00
persistence_dynamic_linker_backup.toml
[Rule Tuning] Ensure host information is in endpoint rule queries (#2593)
2023-03-05 11:41:19 -07:00
persistence_etc_file_creation.toml
Linux Rule Tuning (#2753)
2023-05-02 19:12:13 +05:30
persistence_init_d_file_creation.toml
[New rule] Sus File Creation in init.d for Persistence Detected (#2653)
2023-05-05 09:54:42 +02:00
persistence_insmod_kernel_module_load.toml
[Rule Tuning] Ensure host information is in endpoint rule queries (#2593)
2023-03-05 11:41:19 -07:00
persistence_kde_autostart_modification.toml
[Rule Tuning] Ensure host information is in endpoint rule queries (#2593)
2023-03-05 11:41:19 -07:00
persistence_linux_backdoor_user_creation.toml
[New Rules] User / Group Creation & Privileged Group Addition (#2546)
2023-06-22 15:15:48 +02:00
persistence_linux_group_creation.toml
[New Rules] User / Group Creation & Privileged Group Addition (#2546)
2023-06-22 15:15:48 +02:00
persistence_linux_shell_activity_via_web_server.toml
[Rule Tuning] Potential Shell via Web Server (#2585)
2023-05-05 09:47:49 +02:00
persistence_linux_user_account_creation.toml
[New Rules] User / Group Creation & Privileged Group Addition (#2546)
2023-06-22 15:15:48 +02:00
persistence_linux_user_added_to_privileged_group.toml
[New Rules] User / Group Creation & Privileged Group Addition (#2546)
2023-06-22 15:15:48 +02:00
persistence_message_of_the_day_creation.toml
[New Rules] Persistence through MOTD (#2608)
2023-05-05 10:29:15 +02:00
persistence_message_of_the_day_execution.toml
[New Rules] Persistence through MOTD (#2608)
2023-05-05 10:29:15 +02:00
persistence_rc_script_creation.toml
[Rule Tuning] Potential Persistence Through Run Control Detected (#2857)
2023-06-22 13:39:36 +02:00
persistence_shared_object_creation.toml
[New Rule] Shared Object Created (#2848)
2023-06-13 22:51:07 +02:00
persistence_systemd_scheduled_timer_created.toml
[New Rule] New Systemd Timer Created (#2601)
2023-06-13 09:15:47 +02:00
persistence_systemd_service_creation.toml
[New Rules] Cron Job / Systemd Service Creation (#2847)
2023-06-13 09:44:44 +02:00
privilege_escalation_ld_preload_shared_object_modif.toml
[Rule Tuning] Ensure host information is in endpoint rule queries (#2593)
2023-03-05 11:41:19 -07:00
privilege_escalation_pkexec_envar_hijack.toml
[Rule Tuning] Ensure host information is in endpoint rule queries (#2593)
2023-03-05 11:41:19 -07:00
privilege_escalation_shadow_file_read.toml
[Rule Tuning] Ensure host information is in endpoint rule queries (#2593)
2023-03-05 11:41:19 -07:00
privilege_escalation_unshare_namespace_manipulation.toml
[Rule Tuning] Namespace Manipulation Using Unshare (#2599)
2023-03-20 07:36:47 -03:00