security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
a1716bd67349c7bf464303a1b63fbc4dbeac4c62
sigma-rules/rules/linux
T
History
Ruben Groenewoud a1716bd673 [Rule Tuning] Several rule tunings (#3024) 
* [Rule Tuning] Several rule tunings

* Added 1 more

* optimized ransomware encryption rules

* Update rules/linux/impact_potential_linux_ransomware_file_encryption.toml

* Update rules/linux/impact_potential_linux_ransomware_note_detected.toml

* Added 2 more tunings based on todays telemetry

* Some tunings

* Tuning

* Tuning

* fixed user.id comparison

* Something went wrong with deprecation

* Something went wrong with deprecation

* Update rules/linux/impact_potential_linux_ransomware_file_encryption.toml

* Update rules/linux/discovery_linux_nping_activity.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/linux/discovery_linux_hping_activity.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Dedeprecated the rule to deprecate later

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2023-08-25 14:03:29 +02:00
..
command_and_control_linux_iodine_activity.toml
[Security Content] Tags Reform (#2725)
2023-06-22 18:38:56 -03:00
command_and_control_suspicious_network_activity_from_unknown_executable.toml
[Rule Tuning] Some Tunings of several 8.9 rules (#2985)
2023-08-03 15:25:33 +02:00
command_and_control_tunneling_via_earthworm.toml
[Security Content] Tags Reform (#2725)
2023-06-22 18:38:56 -03:00
credential_access_bruteforce_password_guessing.toml
DR Linux Rule Tuning 8.9 (#2859)
2023-07-10 20:02:42 +05:30
credential_access_collection_sensitive_files.toml
[Security Content] Tags Reform (#2725)
2023-06-22 18:38:56 -03:00
credential_access_credential_dumping.toml
[Security Content] Tags Reform (#2725)
2023-06-22 18:38:56 -03:00
credential_access_potential_linux_local_account_bruteforce.toml
[Rule Tuning] Several rule tunings (#3024)
2023-08-25 14:03:29 +02:00
credential_access_potential_linux_ssh_bruteforce_external.toml
DR Linux Rule Tuning 8.9 (#2859)
2023-07-10 20:02:42 +05:30
credential_access_potential_linux_ssh_bruteforce_internal.toml
DR Linux Rule Tuning 8.9 (#2859)
2023-07-10 20:02:42 +05:30
credential_access_potential_successful_linux_ftp_bruteforce.toml
[New Rules] ftp/rdp bruteforce (#2910)
2023-07-06 17:16:01 +02:00
credential_access_potential_successful_linux_rdp_bruteforce.toml
[New Rules] ftp/rdp bruteforce (#2910)
2023-07-06 17:16:01 +02:00
credential_access_proc_credential_dumping.toml
[Security Content] Tags Reform (#2725)
2023-06-22 18:38:56 -03:00
credential_access_ssh_backdoor_log.toml
[Security Content] Tags Reform (#2725)
2023-06-22 18:38:56 -03:00
defense_evasion_attempt_to_disable_iptables_or_firewall.toml
[Security Content] Tags Reform (#2725)
2023-06-22 18:38:56 -03:00
defense_evasion_attempt_to_disable_syslog_service.toml
DR Linux Rule Tuning 8.9 (#2859)
2023-07-10 20:02:42 +05:30
defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml
[Security Content] Tags Reform (#2725)
2023-06-22 18:38:56 -03:00
defense_evasion_chattr_immutable_file.toml
[Rule Tuning] Several rule tunings (#3024)
2023-08-25 14:03:29 +02:00
defense_evasion_disable_selinux_attempt.toml
[Security Content] Tags Reform (#2725)
2023-06-22 18:38:56 -03:00
defense_evasion_esxi_suspicious_timestomp_touch.toml
[Security Content] Tags Reform (#2725)
2023-06-22 18:38:56 -03:00
defense_evasion_file_deletion_via_shred.toml
[Rule Tuning] Several rule tunings (#3024)
2023-08-25 14:03:29 +02:00
defense_evasion_file_mod_writable_dir.toml
Rule Tuning File Permission Modification in Writable Directory (#2961)
2023-07-26 17:47:00 +05:30
defense_evasion_hidden_file_dir_tmp.toml
[Rule Tuning] Several rule tunings (#3024)
2023-08-25 14:03:29 +02:00
defense_evasion_hidden_shared_object.toml
[Security Content] Tags Reform (#2725)
2023-06-22 18:38:56 -03:00
defense_evasion_kernel_module_removal.toml
[Rule Tuning] Several rule tunings (#3024)
2023-08-25 14:03:29 +02:00
defense_evasion_ld_preload_env_variable_process_injection.toml
[Rule Tuning] Several rule tunings (#3024)
2023-08-25 14:03:29 +02:00
defense_evasion_log_files_deleted.toml
[Security Content] Tags Reform (#2725)
2023-06-22 18:38:56 -03:00
defense_evasion_mount_execution.toml
[Rule Tuning] Several rule tunings (#3024)
2023-08-25 14:03:29 +02:00
defense_evasion_potential_proot_exploits.toml
[Security Content] Tags Reform (#2725)
2023-06-22 18:38:56 -03:00
defense_evasion_rename_esxi_files.toml
[Security Content] Tags Reform (#2725)
2023-06-22 18:38:56 -03:00
defense_evasion_rename_esxi_index_file.toml
[Security Content] Tags Reform (#2725)
2023-06-22 18:38:56 -03:00
discovery_esxi_software_via_find.toml
[Security Content] Tags Reform (#2725)
2023-06-22 18:38:56 -03:00
discovery_esxi_software_via_grep.toml
[Rule Tuning] Several rule tunings (#3024)
2023-08-25 14:03:29 +02:00
discovery_kernel_module_enumeration.toml
[Rule Tuning] Several rule tunings (#3024)
2023-08-25 14:03:29 +02:00
discovery_linux_hping_activity.toml
[Rule Tuning] Several rule tunings (#3024)
2023-08-25 14:03:29 +02:00
discovery_linux_nping_activity.toml
[Rule Tuning] Several rule tunings (#3024)
2023-08-25 14:03:29 +02:00
discovery_pspy_process_monitoring_detected.toml
[New Rule] Pspy Process Monitoring Detected (#2945)
2023-07-26 15:58:33 +02:00
discovery_sudo_allowed_command_enumeration.toml
[New Rule] Sudo Command Enumeration Detected (#2946)
2023-08-03 09:39:16 +02:00
discovery_suid_sguid_enumeration.toml
[New Rule] SUID/SGUID Enumeration Detected (#2956)
2023-08-03 09:57:30 +02:00
discovery_virtual_machine_fingerprinting.toml
[Security Content] Tags Reform (#2725)
2023-06-22 18:38:56 -03:00
execution_abnormal_process_id_file_created.toml
[Rule Tuning] Several rule tunings (#3024)
2023-08-25 14:03:29 +02:00
execution_file_transfer_or_listener_established_via_netcat.toml
[Security Content] Tags Reform (#2725)
2023-06-22 18:38:56 -03:00
execution_perl_tty_shell.toml
[Security Content] Tags Reform (#2725)
2023-06-22 18:38:56 -03:00
execution_process_started_from_process_id_file.toml
[Security Content] Tags Reform (#2725)
2023-06-22 18:38:56 -03:00
execution_process_started_in_shared_memory_directory.toml
[Rule Tuning] Several rule tunings (#3024)
2023-08-25 14:03:29 +02:00
execution_python_tty_shell.toml
DR Linux Rule Tuning 8.9 (#2859)
2023-07-10 20:02:42 +05:30
execution_remote_code_execution_via_postgresql.toml
[Rule Tuning] Some Tunings of several 8.9 rules (#2985)
2023-08-03 15:25:33 +02:00
execution_shell_evasion_linux_binary.toml
[Rule Tuning] Restricted Shell Breakout (#2999)
2023-08-04 19:30:18 +02:00
execution_shell_suspicious_parent_child_revshell_linux.toml
[Rule Tuning] added additional event action (#3008)
2023-08-10 16:59:07 +02:00
execution_shell_via_java_revshell_linux.toml
[Tuning] Reverse Shell Rules (#2959)
2023-07-25 14:55:56 +02:00
execution_shell_via_lolbin_interpreter_linux.toml
[Rule Tuning] added additional event action (#3008)
2023-08-10 16:59:07 +02:00
execution_shell_via_suspicious_binary.toml
[Rule Tuning] added additional event action (#3008)
2023-08-10 16:59:07 +02:00
execution_shell_via_tcp_cli_utility_linux.toml
[Rule Tuning] added additional event action (#3008)
2023-08-10 16:59:07 +02:00
execution_sus_extraction_or_decrompression_via_funzip.toml
[New Rules] Conversion of deprecated ERs over to DRs (#2877)
2023-07-02 10:39:44 +02:00
execution_suspicious_executable_running_system_commands.toml
[Rule Tuning] Several rule tunings (#3024)
2023-08-25 14:03:29 +02:00
execution_suspicious_mining_process_creation_events.toml
[Security Content] Tags Reform (#2725)
2023-06-22 18:38:56 -03:00
execution_tc_bpf_filter.toml
[Security Content] Tags Reform (#2725)
2023-06-22 18:38:56 -03:00
impact_data_encrypted_via_openssl.toml
[New Rules] Conversion of deprecated ERs over to DRs (#2877)
2023-07-02 10:39:44 +02:00
impact_esxi_process_kill.toml
[Security Content] Tags Reform (#2725)
2023-06-22 18:38:56 -03:00
impact_potential_linux_ransomware_file_encryption.toml
[Rule Tuning] Several rule tunings (#3024)
2023-08-25 14:03:29 +02:00
impact_potential_linux_ransomware_note_detected.toml
[Rule Tuning] Several rule tunings (#3024)
2023-08-25 14:03:29 +02:00
impact_process_kill_threshold.toml
DR Linux Rule Tuning 8.9 (#2859)
2023-07-10 20:02:42 +05:30
lateral_movement_telnet_network_activity_external.toml
[Security Content] Tags Reform (#2725)
2023-06-22 18:38:56 -03:00
lateral_movement_telnet_network_activity_internal.toml
[Security Content] Tags Reform (#2725)
2023-06-22 18:38:56 -03:00
persistence_chkconfig_service_add.toml
[Rule Tuning] Several rule tunings (#3024)
2023-08-25 14:03:29 +02:00
persistence_credential_access_modify_ssh_binaries.toml
[Rule Tuning] Several rule tunings (#3024)
2023-08-25 14:03:29 +02:00
persistence_cron_job_creation.toml
[Rule Tuning] Some Tunings of several 8.9 rules (#2985)
2023-08-03 15:25:33 +02:00
persistence_dynamic_linker_backup.toml
[Security Content] Tags Reform (#2725)
2023-06-22 18:38:56 -03:00
persistence_etc_file_creation.toml
[Rule Tuning] Several rule tunings (#3024)
2023-08-25 14:03:29 +02:00
persistence_init_d_file_creation.toml
[Rule Tuning] Several rule tunings (#3024)
2023-08-25 14:03:29 +02:00
persistence_insmod_kernel_module_load.toml
[Rule Tuning] Several rule tunings (#3024)
2023-08-25 14:03:29 +02:00
persistence_kde_autostart_modification.toml
[Rule Tuning] Several rule tunings (#3024)
2023-08-25 14:03:29 +02:00
persistence_linux_backdoor_user_creation.toml
[Security Content] Added Compatibility note to all IGs (#2943)
2023-07-26 12:54:50 +02:00
persistence_linux_group_creation.toml
[Security Content] Added Compatibility note to all IGs (#2943)
2023-07-26 12:54:50 +02:00
persistence_linux_shell_activity_via_web_server.toml
[Rule Tuning] Several rule tunings (#3024)
2023-08-25 14:03:29 +02:00
persistence_linux_user_account_creation.toml
[Security Content] Added Compatibility note to all IGs (#2943)
2023-07-26 12:54:50 +02:00
persistence_linux_user_added_to_privileged_group.toml
[Security Content] Added Compatibility note to all IGs (#2943)
2023-07-26 12:54:50 +02:00
persistence_message_of_the_day_creation.toml
[Rule Tuning] Some Tunings of several 8.9 rules (#2985)
2023-08-03 15:25:33 +02:00
persistence_message_of_the_day_execution.toml
[Rule Tuning] Several rule tunings (#3024)
2023-08-25 14:03:29 +02:00
persistence_rc_script_creation.toml
[Rule Tuning] Several rule tunings (#3024)
2023-08-25 14:03:29 +02:00
persistence_shared_object_creation.toml
[Rule Tuning] Some Tunings of several 8.9 rules (#2985)
2023-08-03 15:25:33 +02:00
persistence_systemd_scheduled_timer_created.toml
[Rule Tuning] Several rule tunings (#3024)
2023-08-25 14:03:29 +02:00
persistence_systemd_service_creation.toml
[Rule Tuning] Some Tunings of several 8.9 rules (#2985)
2023-08-03 15:25:33 +02:00
privilege_escalation_chown_chmod_unauthorized_file_read.toml
[New Rules] Linux Wildcard Injection (#2973)
2023-08-04 16:32:34 +02:00
privilege_escalation_container_util_misconfiguration.toml
[New Rule] PE via Container Misconfiguration (#2983)
2023-08-04 16:39:40 +02:00
privilege_escalation_ld_preload_shared_object_modif.toml
DR Linux Rule Tuning 8.9 (#2859)
2023-07-10 20:02:42 +05:30
privilege_escalation_linux_suspicious_symbolic_link.toml
[Rule Tuning] Several rule tunings (#3024)
2023-08-25 14:03:29 +02:00
privilege_escalation_linux_uid_int_max_bug.toml
[New Rule] PE via UID INT_MAX Bug (#2971)
2023-08-03 15:51:06 +02:00
privilege_escalation_load_and_unload_of_kernel_via_kexec.toml
[Rule Tuning] Some Tunings of several 8.9 rules (#2985)
2023-08-03 15:25:33 +02:00
privilege_escalation_overlayfs_local_privesc.toml
[New Rule] Potential Privilege Escalation via OverlayFS (#2974)
2023-07-31 19:15:11 +02:00
privilege_escalation_pkexec_envar_hijack.toml
[Security Content] Tags Reform (#2725)
2023-06-22 18:38:56 -03:00
privilege_escalation_potential_wildcard_shell_spawn.toml
[New Rules] Linux Wildcard Injection (#2973)
2023-08-04 16:32:34 +02:00
privilege_escalation_sda_disk_mount_non_root.toml
[New Rule] Potential Suspicious DebugFS Root Device Access (#2982)
2023-08-03 16:13:34 +02:00
privilege_escalation_shadow_file_read.toml
DR Linux Rule Tuning 8.9 (#2859)
2023-07-10 20:02:42 +05:30
privilege_escalation_sudo_hijacking.toml
[New Rule] Potential Sudo Hijacking Detected (#2966)
2023-08-03 09:49:14 +02:00
privilege_escalation_sudo_token_via_process_injection.toml
[New Rule] Potential Sudo Token Manipulation via Process Injection (#2984)
2023-08-03 15:58:25 +02:00
privilege_escalation_unshare_namespace_manipulation.toml
[Security Content] Tags Reform (#2725)
2023-06-22 18:38:56 -03:00
privilege_escalation_writable_docker_socket.toml
[New Rule] PE through Writable Docker Socket (#2958)
2023-07-27 10:01:29 +02:00