security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
a6fba3c728b3ae36c46cd25cb6afd18c2471feb4
sigma-rules/rules/linux
T
History
Samirbous bf49a90eb0 [New] Sensitive Identity File Open by Suspicious Process via Auditd (#5982) 
* [New] Sensitive Identity File Open by Suspicious Process via Auditd

Detects Auditd opened-file reads on sensitive root and cluster paths (Kubernetes token mounts, kubelet and admin kubeconfig, PKI material, shadow, root SSH keys, root cloud CLI and Docker config) when the process looks like common copy or scripting utilities or the binary runs from temp or run staging. User home paths are excluded so file watches
stay explicit and aligned with auditd:

* ++

* Update credential_access_auditd_sensitive_cloud_and_host_identity_file_open.toml

* Update credential_access_auditd_sensitive_cloud_and_host_identity_file_open.toml

* Update rules/linux/credential_access_auditd_sensitive_cloud_and_host_identity_file_open.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Apply suggestion from @imays11

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* Apply suggestion from @Mikaayenson

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
2026-05-03 11:24:43 +01:00
..
collection_linux_clipboard_activity.toml
[Rule Tuning] agent.id --> host.id new_terms Key Modification (#5802)
2026-03-02 13:24:25 +01:00
collection_potential_audio_recording_activity.toml
[Rule Tuning] agent.id --> host.id new_terms Key Modification (#5802)
2026-03-02 13:24:25 +01:00
collection_potential_video_recording_or_screenshot_activity.toml
[Rule Tuning] agent.id --> host.id new_terms Key Modification (#5802)
2026-03-02 13:24:25 +01:00
command_and_control_auditd_curl_wget_from_container.toml
[New] Curl or Wget Execution from Container Context (#5975)
2026-05-02 11:08:29 +01:00
command_and_control_aws_cli_endpoint_url_used.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
command_and_control_cat_network_activity.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
command_and_control_cupsd_foomatic_rip_netcon.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
command_and_control_curl_socks_proxy_detected.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
command_and_control_frequent_egress_netcon_from_sus_executable.toml
[Rule Tuning] Change event.dataset to data_stream.dataset (#5943)
2026-04-10 12:27:52 -04:00
command_and_control_git_repo_or_file_download_to_sus_dir.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
command_and_control_ip_forwarding_activity.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
command_and_control_linux_chisel_client_activity.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
command_and_control_linux_kworker_netcon.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
command_and_control_linux_proxychains_activity.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
command_and_control_linux_ssh_x11_forwarding.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
command_and_control_linux_suspicious_proxychains_activity.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
command_and_control_linux_tunneling_and_port_forwarding.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
command_and_control_linux_tunneling_via_ssh_option.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
command_and_control_potential_tunneling_command_line.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
command_and_control_suspicious_network_activity_from_unknown_executable.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
command_and_control_telegram_api_request.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
command_and_control_tunneling_via_earthworm.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
credential_access_auditd_sensitive_cloud_and_host_identity_file_open.toml
[New] Sensitive Identity File Open by Suspicious Process via Auditd (#5982)
2026-05-03 11:24:43 +01:00
credential_access_aws_creds_search_inside_container.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
credential_access_collection_sensitive_files_compression_inside_container.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
credential_access_collection_sensitive_files.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
credential_access_credential_dumping.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
credential_access_gdb_init_process_hooking.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
credential_access_gdb_process_hooking.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
credential_access_gh_auth_via_nodejs.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
credential_access_kubernetes_service_account_secret_access.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
credential_access_manual_memory_dumping.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
credential_access_potential_linux_local_account_bruteforce.toml
[Rule Tuning] Change event.dataset to data_stream.dataset (#5943)
2026-04-10 12:27:52 -04:00
credential_access_potential_linux_ssh_bruteforce_external.toml
[Rule Tuning] Linux DR Tuning - 3 (#5483)
2026-01-08 13:32:43 +01:00
credential_access_potential_linux_ssh_bruteforce_internal.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
credential_access_potential_password_spraying_attack.toml
[Rule Tuning] Change event.dataset to data_stream.dataset (#5943)
2026-04-10 12:27:52 -04:00
credential_access_potential_successful_linux_ssh_bruteforce.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
credential_access_proc_credential_dumping.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
credential_access_sensitive_keys_or_passwords_search_inside_container.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
credential_access_ssh_backdoor_log.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
credential_access_ssh_password_grabbing_via_strace.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
credential_access_unusual_instance_metadata_service_api_request.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
defense_evasion_acl_modification_via_setfacl.toml
[Rule Tuning] Linux DR Tuning - 4 (#5484)
2026-01-08 10:11:05 +01:00
defense_evasion_apparmor_exploitation_via_sys_fs.toml
[New Rules] AppArmor Exploitation (CrackArmor) (#5842)
2026-03-23 09:37:42 +01:00
defense_evasion_apparmor_policy_access.toml
[New Rules] AppArmor Exploitation (CrackArmor) (#5842)
2026-03-23 09:37:42 +01:00
defense_evasion_apparmor_policy_violation.toml
[New Rules] AppArmor Exploitation (CrackArmor) (#5842)
2026-03-23 09:37:42 +01:00
defense_evasion_apparmor_profile_compilation.toml
[New Rules] AppArmor Exploitation (CrackArmor) (#5842)
2026-03-23 09:37:42 +01:00
defense_evasion_attempt_to_disable_auditd_service.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
defense_evasion_attempt_to_disable_iptables_or_firewall.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
defense_evasion_attempt_to_disable_syslog_service.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
defense_evasion_authorized_keys_file_deletion.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
defense_evasion_base64_decoding_activity.toml
[Rule Tuning] Change event.dataset to data_stream.dataset (#5943)
2026-04-10 12:27:52 -04:00
defense_evasion_binary_copied_to_suspicious_directory.toml
[Rule Tuning] Linux DR Tuning - 4 (#5484)
2026-01-08 10:11:05 +01:00
defense_evasion_bpf_program_tampering.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
defense_evasion_busybox_indirect_shell_spawn.toml
Add Investigation Guides for Rules (#5357)
2025-11-25 01:08:15 +05:30
defense_evasion_chattr_immutable_file.toml
[Rule Tuning] Linux DR Tuning - 4 (#5484)
2026-01-08 10:11:05 +01:00
defense_evasion_clear_kernel_ring_buffer.toml
[Rule Tuning] Linux DR Tuning - 4 (#5484)
2026-01-08 10:11:05 +01:00
defense_evasion_creation_of_hidden_files_directories.toml
[Rule Tuning] Linux DR Tuning - 4 (#5484)
2026-01-08 10:11:05 +01:00
defense_evasion_curl_or_wget_executed_via_lolbin.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
defense_evasion_directory_creation_in_bin.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
defense_evasion_disable_apparmor_attempt.toml
[Rule Tuning] Potential Disabling of AppArmor - Restore AppArmor service filters (#5574)
2026-01-19 09:19:24 -03:00
defense_evasion_disable_selinux_attempt.toml
[Rule Tuning] Linux DR Tuning - 4 (#5484)
2026-01-08 10:11:05 +01:00
defense_evasion_doas_configuration_creation_or_rename.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
defense_evasion_dynamic_linker_file_creation.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
defense_evasion_esxi_suspicious_timestomp_touch.toml
Prep for Release 9.0 (#4550)
2025-03-20 20:32:07 +05:30
defense_evasion_file_creation_world_writeable_dir_by_unusual_process.toml
[New Rules] False Negatives for New BPFDoor Variants (#5939)
2026-04-22 08:03:32 +02:00
defense_evasion_file_deletion_via_shred.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
defense_evasion_file_mod_writable_dir.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
defense_evasion_hex_payload_execution_via_commandline.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
defense_evasion_hex_payload_execution_via_utility.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
defense_evasion_hidden_directory_creation.toml
[Rule Tuning] Linux DR Tuning - 5 (#5494)
2026-01-07 15:55:06 +01:00
defense_evasion_hidden_file_dir_tmp.toml
[Rule Tuning] Linux DR Tuning - 5 (#5494)
2026-01-07 15:55:06 +01:00
defense_evasion_hidden_shared_object.toml
[Rule Tuning] Linux DR Tuning - 5 (#5494)
2026-01-07 15:55:06 +01:00
defense_evasion_interactive_shell_from_system_user.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
defense_evasion_interpreter_launched_from_decoded_payload.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
defense_evasion_journalctl_clear_logs.toml
[Rule Tuning] Linux DR Tuning - 5 (#5494)
2026-01-07 15:55:06 +01:00
defense_evasion_kernel_module_removal.toml
[Rule Tuning] Linux DR Tuning - 5 (#5494)
2026-01-07 15:55:06 +01:00
defense_evasion_kill_command_executed.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
defense_evasion_kthreadd_masquerading.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
defense_evasion_ld_preload_cmdline.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
defense_evasion_ld_so_creation.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
defense_evasion_log_files_deleted.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
defense_evasion_mount_execution.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
defense_evasion_multi_base64_decoding_attempt.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
defense_evasion_potential_proot_exploits.toml
[Rule Tuning] Linux DR Tuning - 5 (#5494)
2026-01-07 15:55:06 +01:00
defense_evasion_prctl_process_name_tampering.toml
[Rule Tuning] Linux DR Tuning - 5 (#5494)
2026-01-07 15:55:06 +01:00
defense_evasion_rename_esxi_files.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
defense_evasion_root_certificate_installation.toml
[Rule Tuning] Linux DR Tuning - 5 (#5494)
2026-01-07 15:55:06 +01:00
defense_evasion_selinux_configuration_creation_or_renaming.toml
[Rule Tuning] Linux DR Tuning - 5 (#5494)
2026-01-07 15:55:06 +01:00
defense_evasion_shell_history_clearing_via_environment_variables.toml
[New Rules] False Negatives for New BPFDoor Variants (#5939)
2026-04-22 08:03:32 +02:00
defense_evasion_ssl_certificate_deletion.toml
[Rule Tuning] Linux DR Tuning - 5 (#5494)
2026-01-07 15:55:06 +01:00
defense_evasion_sus_utility_executed_via_tmux_or_screen.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
defense_evasion_suspicious_path_mounted.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
defense_evasion_symlink_binary_to_writable_dir.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
defense_evasion_sysctl_kernel_feature_activity.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
defense_evasion_unsual_kill_signal.toml
[Rule Tuning] Linux DR Tuning - 5 (#5494)
2026-01-07 15:55:06 +01:00
defense_evasion_unusual_preload_env_vars.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
defense_evasion_user_or_group_deletion.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
defense_evasion_var_log_file_creation_by_unsual_process.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
discovery_dmidecode_system_discovery.toml
[Rule Tuning] System Information Discovery via dmidecode from Parent Shell (#5732)
2026-02-17 17:49:56 +01:00
discovery_docker_socket_discovery.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
discovery_dynamic_linker_via_od.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
discovery_esxi_software_via_find.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
discovery_esxi_software_via_grep.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
discovery_kernel_instrumentation_discovery_via_kprobes_and_tracefs.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
discovery_kernel_module_enumeration.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
discovery_kernel_seeking.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
discovery_kernel_unpacking.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
discovery_kubeconfig_file_discovery.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
discovery_linux_hping_activity.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
discovery_linux_nping_activity.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
discovery_manual_mount_discovery_via_exports_or_fstab.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
discovery_pam_version_discovery.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
discovery_ping_sweep_detected.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
discovery_polkit_version_discovery.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
discovery_port_scanning_activity_from_compromised_host.toml
[Rule Tuning] Change event.dataset to data_stream.dataset (#5943)
2026-04-10 12:27:52 -04:00
discovery_private_key_password_searching_activity.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
discovery_proc_maps_read.toml
[Rule Tuning] Linux DR Tuning - 6 (#5497)
2026-01-08 10:45:32 +01:00
discovery_process_capabilities.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
discovery_security_file_access_via_common_utility.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
discovery_subnet_scanning_activity_from_compromised_host.toml
[Rule Tuning] Change event.dataset to data_stream.dataset (#5943)
2026-04-10 12:27:52 -04:00
discovery_sudo_allowed_command_enumeration.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
discovery_suid_sguid_enumeration.toml
[Rule Tuning] Linux DR Tuning - 6 (#5497)
2026-01-08 10:45:32 +01:00
discovery_suspicious_memory_grep_activity.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
discovery_suspicious_network_tool_launched_inside_container.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
discovery_suspicious_which_command_execution.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
discovery_unusual_process_connection_to_container_runtime_socket.toml
[New] Unusual Process Connection to Docker or Containerd Socket (#6005)
2026-05-02 10:05:09 +01:00
discovery_unusual_user_enumeration_via_id.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
discovery_virtual_machine_fingerprinting.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
discovery_yum_dnf_plugin_detection.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_abnormal_process_id_file_created.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_container_management_binary_launched_inside_container.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_cupsd_foomatic_rip_file_creation.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_cupsd_foomatic_rip_lp_user_execution.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_cupsd_foomatic_rip_shell_execution.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_cupsd_foomatic_rip_suspicious_child_execution.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_egress_connection_from_entrypoint_in_container.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_executable_stack_execution.toml
[Rule Tuning] Change event.dataset to data_stream.dataset (#5943)
2026-04-10 12:27:52 -04:00
execution_file_execution_followed_by_deletion.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_file_made_executable_via_chmod_inside_container.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_file_transfer_or_listener_established_via_netcat.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_interpreter_tty_upgrade.toml
[Rule Tuning] Linux DR Tuning - 7 (#5504)
2026-01-08 11:10:46 +01:00
execution_kubectl_apply_pod_from_url.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_nc_listener_via_rlwrap.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_netcon_from_rwx_mem_region_binary.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_network_event_post_compilation.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_perl_tty_shell.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_potential_hack_tool_executed.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_potentially_overly_permissive_container_creation.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_process_backgrounded_by_unusual_parent.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_process_started_from_process_id_file.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_process_started_in_shared_memory_directory.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_python_tty_shell.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_python_webserver_spawned.toml
[Rule Tuning] Linux DR Tuning - 7 (#5504)
2026-01-08 11:10:46 +01:00
execution_remote_code_execution_via_postgresql.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_shell_evasion_linux_binary.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_shell_openssl_client_or_server.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_shell_via_background_process.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_shell_via_child_tcp_utility_linux.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_shell_via_java_revshell_linux.toml
[Rule Tuning] Linux DR Tuning - 7 (#5504)
2026-01-08 11:10:46 +01:00
execution_shell_via_lolbin_interpreter_linux.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_shell_via_meterpreter_linux.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_shell_via_suspicious_binary.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_shell_via_tcp_cli_utility_linux.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_shell_via_udp_cli_utility_linux.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_sus_extraction_or_decrompression_via_funzip.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_suspicious_executable_running_system_commands.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_suspicious_mining_process_creation_events.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_suspicious_mkfifo_execution.toml
[Rule Tuning] agent.id --> host.id new_terms Key Modification (#5802)
2026-03-02 13:24:25 +01:00
execution_suspicious_pod_or_container_creation_command_execution.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_system_binary_file_permission_change.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_tc_bpf_filter.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_unix_socket_communication.toml
[Rule Tuning] Linux DR Tuning - 7 (#5504)
2026-01-08 11:10:46 +01:00
execution_unknown_rwx_mem_region_binary_executed.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_unusual_interactive_process_inside_container.toml
[Rule Tuning] Linux DR Tuning - 7 (#5504)
2026-01-08 11:10:46 +01:00
execution_unusual_kthreadd_execution.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_unusual_path_invocation_from_command_line.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_unusual_pkexec_execution.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
exfiltration_potential_data_splitting_for_exfiltration.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
exfiltration_potential_database_dumping.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
exfiltration_potential_wget_data_exfiltration.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
exfiltration_unusual_file_transfer_utility_launched.toml
[Rule Tuning] Change event.dataset to data_stream.dataset (#5943)
2026-04-10 12:27:52 -04:00
impact_data_encrypted_via_openssl.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
impact_esxi_process_kill.toml
[Rule Tuning] Linux DR Tuning - 8 (#5505)
2026-01-08 10:01:11 +01:00
impact_memory_swap_modification.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
impact_potential_bruteforce_malware_infection.toml
[Rule Tuning] Change event.dataset to data_stream.dataset (#5943)
2026-04-10 12:27:52 -04:00
impact_potential_linux_ransomware_note_detected.toml
[Rule Tuning] Linux DR Tuning - 8 (#5505)
2026-01-08 10:01:11 +01:00
impact_process_kill_threshold.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
initial_access_apache_struts_cve_2023_50164_exploitation_to_webshell.toml
[Rule Tuning] Fixes for Unsupported Fields (#6025)
2026-05-01 18:01:01 -05:00
initial_access_first_time_public_key_authentication.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
initial_access_successful_ssh_authentication_by_unusual_ip.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
initial_access_successful_ssh_authentication_by_unusual_user.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
initial_access_telnet_auth_bypass_envar_auditd.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
initial_access_telnet_auth_bypass_via_user_envar.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
lateral_movement_kubeconfig_file_activity.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
lateral_movement_remote_file_creation_world_writeable_dir.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
lateral_movement_ssh_it_worm_download.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
lateral_movement_telnet_network_activity_external.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
lateral_movement_telnet_network_activity_internal.toml
[Rule Tuning] Linux DR Tuning - 8 (#5505)
2026-01-08 10:01:11 +01:00
lateral_movement_unusual_remote_file_creation.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_apt_package_manager_execution.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_apt_package_manager_file_creation.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_apt_package_manager_netcon.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_at_job_creation.toml
[Rule Tuning] Linux DR Tuning - 9 (#5508)
2026-01-07 16:18:38 +01:00
persistence_boot_file_copy.toml
[Rule Tuning] Linux DR Tuning - 9 (#5508)
2026-01-07 16:18:38 +01:00
persistence_bpf_probe_write_user.toml
[Rule Tuning] Change event.dataset to data_stream.dataset (#5943)
2026-04-10 12:27:52 -04:00
persistence_bpf_program_or_map_load.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_chkconfig_service_add.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_credential_access_modify_ssh_binaries.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_cron_job_creation.toml
[Rule Tuning] Linux DR Tuning - 9 (#5508)
2026-01-07 16:18:38 +01:00
persistence_dbus_service_creation.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_dbus_unsual_daemon_parent_execution.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_dnf_package_manager_plugin_file_creation.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_dpkg_package_installation_from_unusual_parent.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_dpkg_unusual_execution.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_dracut_module_creation.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_dynamic_linker_backup.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_extract_initramfs_via_cpio.toml
[Rule Tuning] Linux DR Tuning - 9 (#5508)
2026-01-07 16:18:38 +01:00
persistence_git_hook_execution.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_git_hook_file_creation.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_git_hook_netcon.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_git_hook_process_execution.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_grub_configuration_creation.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_grub_makeconfig.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_init_d_file_creation.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_insmod_kernel_module_load.toml
[Rule Tuning] Kernel Module Load via Built-in Utility (#5736)
2026-02-23 09:48:12 +01:00
persistence_kde_autostart_modification.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_kernel_driver_load_by_non_root.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_kernel_driver_load.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_kernel_module_load_from_unusual_location.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_kernel_object_file_creation.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_kubernetes_sensitive_file_activity.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_kworker_file_creation.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_linux_backdoor_user_creation.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_linux_group_creation.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_linux_shell_activity_via_web_server.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_linux_user_account_creation.toml
[Rule Tuning] Linux DR Tuning - 9 (#5508)
2026-01-07 16:18:38 +01:00
persistence_linux_user_added_to_privileged_group.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_lkm_configuration_file_creation.toml
[Rule Tuning] Linux DR Tuning - 9 (#5508)
2026-01-07 16:18:38 +01:00
persistence_manual_dracut_execution.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_message_of_the_day_creation.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_message_of_the_day_execution.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_network_manager_dispatcher_persistence.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_openssl_passwd_hash_generation.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_pluggable_authentication_module_creation_in_unusual_dir.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_pluggable_authentication_module_creation.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_pluggable_authentication_module_pam_exec_backdoor_exec.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_pluggable_authentication_module_source_download.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_polkit_policy_creation.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_potential_persistence_script_executable_bit_set.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_process_capability_set_via_setcap.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_pth_file_creation.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_rc_local_error_via_syslog.toml
[Rule Tuning] Change event.dataset to data_stream.dataset (#5943)
2026-04-10 12:27:52 -04:00
persistence_rc_local_service_already_running.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_rc_script_creation.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_rpm_package_installation_from_unusual_parent.toml
[Rule Tuning] Linux DR Tuning - 9 (#5508)
2026-01-07 16:18:38 +01:00
persistence_setuid_setgid_capability_set.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_shadow_file_modification.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_shared_object_creation.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_shell_configuration_modification.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_simple_web_server_connection_accepted.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_simple_web_server_creation.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_site_and_user_customize_file_creation.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_ssh_key_generation.toml
Prep for Release 9.0 (#4550)
2025-03-20 20:32:07 +05:30
persistence_ssh_netcon.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_ssh_via_backdoored_system_user.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_suspicious_file_opened_through_editor.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_suspicious_ssh_execution_xzbackdoor.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_systemd_generator_creation.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_systemd_netcon.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_systemd_scheduled_timer_created.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_systemd_service_creation.toml
[Rule Tuning] Potential snap-confine Privilege Escalation (#5889)
2026-04-02 11:21:09 +02:00
persistence_systemd_service_started.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_systemd_shell_execution.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_tainted_kernel_module_load.toml
[Rule Tuning] Change event.dataset to data_stream.dataset (#5943)
2026-04-10 12:27:52 -04:00
persistence_tainted_kernel_module_out_of_tree_load.toml
[Rule Tuning] Change event.dataset to data_stream.dataset (#5943)
2026-04-10 12:27:52 -04:00
persistence_udev_rule_creation.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_unpack_initramfs_via_unmkinitramfs.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_unusual_exim4_child_process.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_unusual_pam_grantor.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_unusual_sshd_child_process.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_user_credential_modification_via_echo.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_user_or_group_creation_or_modification.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_web_server_sus_child_spawned.toml
[Rule Tuning] Change event.dataset to data_stream.dataset (#5943)
2026-04-10 12:27:52 -04:00
persistence_web_server_sus_command_execution.toml
[Rule Tuning] Change event.dataset to data_stream.dataset (#5943)
2026-04-10 12:27:52 -04:00
persistence_web_server_sus_destination_port.toml
[Rule Tuning] Fixes for Unsupported Fields (#6025)
2026-05-01 18:01:01 -05:00
persistence_web_server_unusual_command_execution.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_xdg_autostart_netcon.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_yum_package_manager_plugin_file_creation.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
privilege_escalation_auditd_euid_root_shell_from_non_standard_path.toml
[New/Tuning] Linux LPE via SUID Shell (#5980)
2026-05-01 10:51:29 +01:00
privilege_escalation_auditd_nsenter_target_host_pid.toml
[New] Nsenter to PID 1 Namespace via Auditd/D4C (#5988)
2026-05-02 14:56:06 +01:00
privilege_escalation_chown_chmod_unauthorized_file_read.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
privilege_escalation_chroot_execution_container_context.toml
[New/Tuning] Chroot Execution in Container Context on Linux (#5992)
2026-05-02 13:45:21 +01:00
privilege_escalation_container_util_misconfiguration.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
privilege_escalation_cve_2025_32463_nsswitch_file_creation.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
privilege_escalation_cve_2025_32463_sudo_chroot_execution.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
privilege_escalation_cve_2025_41244_vmtoolsd_lpe.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
privilege_escalation_dac_permissions.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
privilege_escalation_debugfs_launched_inside_container.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
privilege_escalation_docker_escape_via_nsenter.toml
[Rule Tuning] Linux DR Tuning - 11 (#5511)
2026-01-07 16:31:13 +01:00
privilege_escalation_docker_mount_chroot_container_escape.toml
[New/Tuning] Chroot Execution in Container Context on Linux (#5992)
2026-05-02 13:45:21 +01:00
privilege_escalation_docker_release_file_creation.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
privilege_escalation_enlightenment_window_manager.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
privilege_escalation_gdb_sys_ptrace_elevation.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
privilege_escalation_gdb_sys_ptrace_netcon.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
privilege_escalation_kworker_uid_elevation.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
privilege_escalation_ld_preload_shared_object_modif.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
privilege_escalation_linux_suspicious_symbolic_link.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
privilege_escalation_load_and_unload_of_kernel_via_kexec.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
privilege_escalation_looney_tunables_cve_2023_4911.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
privilege_escalation_mount_launched_inside_container.toml
[Rule Tuning] Linux DR Tuning - 11 (#5511)
2026-01-07 16:31:13 +01:00
privilege_escalation_overlayfs_local_privesc.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
privilege_escalation_pkexec_envar_hijack.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
privilege_escalation_potential_bufferoverflow_attack.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
privilege_escalation_potential_copy_fail_cve_2026_31431_exploitation_via_af_alg_socket.toml
[New] Potential Copy Fail (CVE-2026-31431) Exploitation via AF_ALG Socket (#6015)
2026-04-30 12:24:01 -04:00
privilege_escalation_potential_suid_sgid_exploitation.toml
[New/Tuning] Linux LPE via SUID Shell (#5980)
2026-05-01 10:51:29 +01:00
privilege_escalation_potential_suid_sgid_proxy_execution.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
privilege_escalation_potential_wildcard_shell_spawn.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
privilege_escalation_sda_disk_mount_non_root.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
privilege_escalation_shadow_file_read.toml
[Rule Tuning] Linux DR Tuning - 11 (#5511)
2026-01-07 16:31:13 +01:00
privilege_escalation_snap_confine_lpe_via_cve_2026_3888.toml
[Rule Tuning] Potential snap-confine Privilege Escalation (#5889)
2026-04-02 11:21:09 +02:00
privilege_escalation_sudo_cve_2019_14287.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
privilege_escalation_sudo_hijacking.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
privilege_escalation_sudo_token_via_process_injection.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
privilege_escalation_suspicious_cap_setuid_python_execution.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
privilege_escalation_suspicious_chown_fowner_elevation.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
privilege_escalation_suspicious_passwd_file_write.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
privilege_escalation_suspicious_suid_binary_execution.toml
[New] Suspicious SUID Binary Execution (#6018)
2026-04-30 17:38:22 +01:00
privilege_escalation_suspicious_uid_guid_elevation.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
privilege_escalation_uid_change_post_compilation.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
privilege_escalation_uid_elevation_from_unknown_executable.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
privilege_escalation_unshare_namespace_manipulation.toml
[Tuning/New] Namespace Manipulation Using Unshare (#6024)
2026-05-01 15:29:44 +01:00
privilege_escalation_writable_docker_socket.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00