sigma-rules/rules/linux at a440d87f6700eb6c1ca61e1cd041f934c752d331 - sigma-rules - GreySec Git

security-tools/sigma-rules

Files

T

History

Terrance DeJesus a440d87f67 [New Rule] Suspicious Outbound Network Connect Sequence by Root (#1975 )

* adding initial rule

* adjusted UUID

* removed event.ingested as query is a sequence

* changed file name to match mitre ATT&CK tactic

* Update rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml

* Update rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml

* Update rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml

* Update rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml

* Update rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml

* Update rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml

* TOML linted

* Update command_and_control_connection_attempt_by_non_ssh_root_session.toml

Just edited a couple grammar things. Looks good

* Update rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml

* Update rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml

* Update rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml

* added additional tactic for privilege escalation and linted

* formatted query to be more readable

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

(cherry picked from commit c89f423961)

2022-05-16 21:24:34 +00:00

..

command_and_control_connection_attempt_by_non_ssh_root_session.toml

[New Rule] Suspicious Outbound Network Connect Sequence by Root (#1975 )

2022-05-16 21:24:34 +00:00

command_and_control_tunneling_via_earthworm.toml

Expand timestamp override tests (#1907 )

2022-04-01 23:28:54 +00:00

credential_access_collection_sensitive_files.toml

Linux Shell Evasion Rule Tuning (#1878 )

2022-03-29 21:03:35 -04:00

credential_access_ssh_backdoor_log.toml

Expand timestamp override tests (#1907 )

2022-04-01 23:28:54 +00:00

defense_evasion_attempt_to_disable_iptables_or_firewall.toml

Linux Shell Evasion Rule Tuning (#1878 )

2022-03-29 21:03:35 -04:00

defense_evasion_attempt_to_disable_syslog_service.toml

Linux Shell Evasion Rule Tuning (#1878 )

2022-03-29 21:03:35 -04:00

defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml

Linux Shell Evasion Rule Tuning (#1878 )

2022-03-29 21:03:35 -04:00

defense_evasion_deletion_of_bash_command_line_history.toml

Expand timestamp override tests (#1907 )

2022-04-01 23:28:54 +00:00

defense_evasion_disable_selinux_attempt.toml

Linux Shell Evasion Rule Tuning (#1878 )

2022-03-29 21:03:35 -04:00

defense_evasion_file_deletion_via_shred.toml

Linux Shell Evasion Rule Tuning (#1878 )

2022-03-29 21:03:35 -04:00

defense_evasion_file_mod_writable_dir.toml

Linux Shell Evasion Rule Tuning (#1878 )

2022-03-29 21:03:35 -04:00

defense_evasion_hidden_file_dir_tmp.toml

Expand timestamp override tests (#1907 )

2022-04-01 23:28:54 +00:00

defense_evasion_kernel_module_removal.toml

Linux Shell Evasion Rule Tuning (#1878 )

2022-03-29 21:03:35 -04:00

defense_evasion_log_files_deleted.toml

Expand timestamp override tests (#1907 )

2022-04-01 23:28:54 +00:00

discovery_kernel_module_enumeration.toml

Linux Shell Evasion Rule Tuning (#1878 )

2022-03-29 21:03:35 -04:00

discovery_virtual_machine_fingerprinting.toml

Linux Shell Evasion Rule Tuning (#1878 )

2022-03-29 21:03:35 -04:00

execution_abnormal_process_id_file_created.toml

[New Rule] Abnormal Process ID File Creation (#1964 )

2022-05-12 14:40:34 +00:00

execution_apt_binary.toml

Expand timestamp override tests (#1907 )

2022-04-01 23:28:54 +00:00

execution_awk_binary_shell.toml

Expand timestamp override tests (#1907 )

2022-04-01 23:28:54 +00:00

execution_busybox_binary.toml

Linux Shell Evasion Rule Tuning (#1878 )

2022-03-29 21:03:35 -04:00

execution_c89_c99_binary.toml

Expand timestamp override tests (#1907 )

2022-04-01 23:28:54 +00:00

execution_cpulimit_binary.toml

Expand timestamp override tests (#1907 )

2022-04-01 23:28:54 +00:00

execution_crash_binary.toml

[Rule Tuning] Update Rule Content Changes from Security Docs Team (#1945 )

2022-05-06 17:23:22 +00:00

execution_env_binary.toml

[Rule Tuning] Update Rule Content Changes from Security Docs Team (#1945 )

2022-05-06 17:23:22 +00:00

execution_expect_binary.toml

[Rule Tuning] Update Rule Content Changes from Security Docs Team (#1945 )

2022-05-06 17:23:22 +00:00

execution_find_binary.toml

[Rule Tuning] Update Rule Content Changes from Security Docs Team (#1945 )

2022-05-06 17:23:22 +00:00

execution_flock_binary.toml

[Rule Tuning] Update Rule Content Changes from Security Docs Team (#1945 )

2022-05-06 17:23:22 +00:00

execution_gcc_binary.toml

[Rule Tuning] Update Rule Content Changes from Security Docs Team (#1945 )

2022-05-06 17:23:22 +00:00

execution_mysql_binary.toml

[Rule Tuning] Update Rule Content Changes from Security Docs Team (#1945 )

2022-05-06 17:23:22 +00:00

execution_nice_binary.toml

Expand timestamp override tests (#1907 )

2022-04-01 23:28:54 +00:00

execution_perl_tty_shell.toml

Linux Shell Evasion Rule Tuning (#1878 )

2022-03-29 21:03:35 -04:00

execution_process_started_from_process_id_file.toml

[New Rule] Abnormal Process ID File Creation (#1964 )

2022-05-12 14:40:34 +00:00

execution_process_started_in_shared_memory_directory.toml

[New Rule] Executable Launched from Shared Memory Directory (#1961 )

2022-05-11 16:22:41 +00:00

execution_python_tty_shell.toml

Linux Shell Evasion Rule Tuning (#1878 )

2022-03-29 21:03:35 -04:00

execution_ssh_binary.toml

[Rule Tuning] Update Rule Content Changes from Security Docs Team (#1945 )

2022-05-06 17:23:22 +00:00

execution_vi_binary.toml

[Rule Tuning] Update Rule Content Changes from Security Docs Team (#1945 )

2022-05-06 17:23:22 +00:00

initial_access_login_failures.toml

Linux Shell Evasion Rule Tuning (#1878 )

2022-03-29 21:03:35 -04:00

initial_access_login_location.toml

Linux Shell Evasion Rule Tuning (#1878 )

2022-03-29 21:03:35 -04:00

initial_access_login_sessions.toml

Linux Shell Evasion Rule Tuning (#1878 )

2022-03-29 21:03:35 -04:00

initial_access_login_time.toml

Linux Shell Evasion Rule Tuning (#1878 )

2022-03-29 21:03:35 -04:00

lateral_movement_telnet_network_activity_external.toml

Linux Shell Evasion Rule Tuning (#1878 )

2022-03-29 21:03:35 -04:00

lateral_movement_telnet_network_activity_internal.toml

Linux Shell Evasion Rule Tuning (#1878 )

2022-03-29 21:03:35 -04:00

linux_hping_activity.toml

Linux Shell Evasion Rule Tuning (#1878 )

2022-03-29 21:03:35 -04:00

linux_iodine_activity.toml

Linux Shell Evasion Rule Tuning (#1878 )

2022-03-29 21:03:35 -04:00

linux_netcat_network_connection.toml

Linux Shell Evasion Rule Tuning (#1878 )

2022-03-29 21:03:35 -04:00

linux_nping_activity.toml

Linux Shell Evasion Rule Tuning (#1878 )

2022-03-29 21:03:35 -04:00

linux_process_started_in_temp_directory.toml

Linux Shell Evasion Rule Tuning (#1878 )

2022-03-29 21:03:35 -04:00

linux_strace_activity.toml

Linux Shell Evasion Rule Tuning (#1878 )

2022-03-29 21:03:35 -04:00

persistence_credential_access_modify_ssh_binaries.toml

Linux Shell Evasion Rule Tuning (#1878 )

2022-03-29 21:03:35 -04:00

persistence_kde_autostart_modification.toml

Expand timestamp override tests (#1907 )

2022-04-01 23:28:54 +00:00

persistence_shell_activity_by_web_server.toml

Linux Shell Evasion Rule Tuning (#1878 )

2022-03-29 21:03:35 -04:00

privilege_escalation_ld_preload_shared_object_modif.toml

Linux Shell Evasion Rule Tuning (#1878 )

2022-03-29 21:03:35 -04:00

privilege_escalation_pkexec_envar_hijack.toml

Linux Shell Evasion Rule Tuning (#1878 )

2022-03-29 21:03:35 -04:00