security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
a892cd1b6d0052aa506543b7375a1bdf5cb99ddd
sigma-rules/rules/linux
T
History
Samirbous 40213fa041 [New] Unusual Process Connection to Docker or Containerd Socket (#6005) 
* [New] Unusual Process Connection to Docker or Containerd Socket

Detects a process connecting to a container runtime Unix socket (containerd or Docker) that is not a known legitimate runtime component. Direct access to the container runtime socket allows an attacker to create, exec into, or manipulate containers without going through the Kubernetes API server, bypassing RBAC, admission webhooks, pod security standards, and Kubernetes audit logging entirely.

* Update discovery_unusual_process_connection_to_container_runtime_socket.toml
2026-05-02 10:05:09 +01:00
..
collection_linux_clipboard_activity.toml
[Rule Tuning] agent.id --> host.id new_terms Key Modification (#5802)
2026-03-02 13:24:25 +01:00
collection_potential_audio_recording_activity.toml
[Rule Tuning] agent.id --> host.id new_terms Key Modification (#5802)
2026-03-02 13:24:25 +01:00
collection_potential_video_recording_or_screenshot_activity.toml
[Rule Tuning] agent.id --> host.id new_terms Key Modification (#5802)
2026-03-02 13:24:25 +01:00
command_and_control_aws_cli_endpoint_url_used.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
command_and_control_cat_network_activity.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
command_and_control_cupsd_foomatic_rip_netcon.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
command_and_control_curl_socks_proxy_detected.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
command_and_control_frequent_egress_netcon_from_sus_executable.toml
[Rule Tuning] Change event.dataset to data_stream.dataset (#5943)
2026-04-10 12:27:52 -04:00
command_and_control_git_repo_or_file_download_to_sus_dir.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
command_and_control_ip_forwarding_activity.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
command_and_control_linux_chisel_client_activity.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
command_and_control_linux_kworker_netcon.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
command_and_control_linux_proxychains_activity.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
command_and_control_linux_ssh_x11_forwarding.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
command_and_control_linux_suspicious_proxychains_activity.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
command_and_control_linux_tunneling_and_port_forwarding.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
command_and_control_linux_tunneling_via_ssh_option.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
command_and_control_potential_tunneling_command_line.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
command_and_control_suspicious_network_activity_from_unknown_executable.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
command_and_control_telegram_api_request.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
command_and_control_tunneling_via_earthworm.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
credential_access_aws_creds_search_inside_container.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
credential_access_collection_sensitive_files_compression_inside_container.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
credential_access_collection_sensitive_files.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
credential_access_credential_dumping.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
credential_access_gdb_init_process_hooking.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
credential_access_gdb_process_hooking.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
credential_access_gh_auth_via_nodejs.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
credential_access_kubernetes_service_account_secret_access.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
credential_access_manual_memory_dumping.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
credential_access_potential_linux_local_account_bruteforce.toml
[Rule Tuning] Change event.dataset to data_stream.dataset (#5943)
2026-04-10 12:27:52 -04:00
credential_access_potential_linux_ssh_bruteforce_external.toml
[Rule Tuning] Linux DR Tuning - 3 (#5483)
2026-01-08 13:32:43 +01:00
credential_access_potential_linux_ssh_bruteforce_internal.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
credential_access_potential_password_spraying_attack.toml
[Rule Tuning] Change event.dataset to data_stream.dataset (#5943)
2026-04-10 12:27:52 -04:00
credential_access_potential_successful_linux_ssh_bruteforce.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
credential_access_proc_credential_dumping.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
credential_access_sensitive_keys_or_passwords_search_inside_container.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
credential_access_ssh_backdoor_log.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
credential_access_ssh_password_grabbing_via_strace.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
credential_access_unusual_instance_metadata_service_api_request.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
defense_evasion_acl_modification_via_setfacl.toml
[Rule Tuning] Linux DR Tuning - 4 (#5484)
2026-01-08 10:11:05 +01:00
defense_evasion_apparmor_exploitation_via_sys_fs.toml
[New Rules] AppArmor Exploitation (CrackArmor) (#5842)
2026-03-23 09:37:42 +01:00
defense_evasion_apparmor_policy_access.toml
[New Rules] AppArmor Exploitation (CrackArmor) (#5842)
2026-03-23 09:37:42 +01:00
defense_evasion_apparmor_policy_violation.toml
[New Rules] AppArmor Exploitation (CrackArmor) (#5842)
2026-03-23 09:37:42 +01:00
defense_evasion_apparmor_profile_compilation.toml
[New Rules] AppArmor Exploitation (CrackArmor) (#5842)
2026-03-23 09:37:42 +01:00
defense_evasion_attempt_to_disable_auditd_service.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
defense_evasion_attempt_to_disable_iptables_or_firewall.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
defense_evasion_attempt_to_disable_syslog_service.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
defense_evasion_authorized_keys_file_deletion.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
defense_evasion_base64_decoding_activity.toml
[Rule Tuning] Change event.dataset to data_stream.dataset (#5943)
2026-04-10 12:27:52 -04:00
defense_evasion_binary_copied_to_suspicious_directory.toml
[Rule Tuning] Linux DR Tuning - 4 (#5484)
2026-01-08 10:11:05 +01:00
defense_evasion_bpf_program_tampering.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
defense_evasion_busybox_indirect_shell_spawn.toml
Add Investigation Guides for Rules (#5357)
2025-11-25 01:08:15 +05:30
defense_evasion_chattr_immutable_file.toml
[Rule Tuning] Linux DR Tuning - 4 (#5484)
2026-01-08 10:11:05 +01:00
defense_evasion_clear_kernel_ring_buffer.toml
[Rule Tuning] Linux DR Tuning - 4 (#5484)
2026-01-08 10:11:05 +01:00
defense_evasion_creation_of_hidden_files_directories.toml
[Rule Tuning] Linux DR Tuning - 4 (#5484)
2026-01-08 10:11:05 +01:00
defense_evasion_curl_or_wget_executed_via_lolbin.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
defense_evasion_directory_creation_in_bin.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
defense_evasion_disable_apparmor_attempt.toml
[Rule Tuning] Potential Disabling of AppArmor - Restore AppArmor service filters (#5574)
2026-01-19 09:19:24 -03:00
defense_evasion_disable_selinux_attempt.toml
[Rule Tuning] Linux DR Tuning - 4 (#5484)
2026-01-08 10:11:05 +01:00
defense_evasion_doas_configuration_creation_or_rename.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
defense_evasion_dynamic_linker_file_creation.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
defense_evasion_esxi_suspicious_timestomp_touch.toml
Prep for Release 9.0 (#4550)
2025-03-20 20:32:07 +05:30
defense_evasion_file_creation_world_writeable_dir_by_unusual_process.toml
[New Rules] False Negatives for New BPFDoor Variants (#5939)
2026-04-22 08:03:32 +02:00
defense_evasion_file_deletion_via_shred.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
defense_evasion_file_mod_writable_dir.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
defense_evasion_hex_payload_execution_via_commandline.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
defense_evasion_hex_payload_execution_via_utility.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
defense_evasion_hidden_directory_creation.toml
[Rule Tuning] Linux DR Tuning - 5 (#5494)
2026-01-07 15:55:06 +01:00
defense_evasion_hidden_file_dir_tmp.toml
[Rule Tuning] Linux DR Tuning - 5 (#5494)
2026-01-07 15:55:06 +01:00
defense_evasion_hidden_shared_object.toml
[Rule Tuning] Linux DR Tuning - 5 (#5494)
2026-01-07 15:55:06 +01:00
defense_evasion_interactive_shell_from_system_user.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
defense_evasion_interpreter_launched_from_decoded_payload.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
defense_evasion_journalctl_clear_logs.toml
[Rule Tuning] Linux DR Tuning - 5 (#5494)
2026-01-07 15:55:06 +01:00
defense_evasion_kernel_module_removal.toml
[Rule Tuning] Linux DR Tuning - 5 (#5494)
2026-01-07 15:55:06 +01:00
defense_evasion_kill_command_executed.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
defense_evasion_kthreadd_masquerading.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
defense_evasion_ld_preload_cmdline.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
defense_evasion_ld_so_creation.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
defense_evasion_log_files_deleted.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
defense_evasion_mount_execution.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
defense_evasion_multi_base64_decoding_attempt.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
defense_evasion_potential_proot_exploits.toml
[Rule Tuning] Linux DR Tuning - 5 (#5494)
2026-01-07 15:55:06 +01:00
defense_evasion_prctl_process_name_tampering.toml
[Rule Tuning] Linux DR Tuning - 5 (#5494)
2026-01-07 15:55:06 +01:00
defense_evasion_rename_esxi_files.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
defense_evasion_root_certificate_installation.toml
[Rule Tuning] Linux DR Tuning - 5 (#5494)
2026-01-07 15:55:06 +01:00
defense_evasion_selinux_configuration_creation_or_renaming.toml
[Rule Tuning] Linux DR Tuning - 5 (#5494)
2026-01-07 15:55:06 +01:00
defense_evasion_shell_history_clearing_via_environment_variables.toml
[New Rules] False Negatives for New BPFDoor Variants (#5939)
2026-04-22 08:03:32 +02:00
defense_evasion_ssl_certificate_deletion.toml
[Rule Tuning] Linux DR Tuning - 5 (#5494)
2026-01-07 15:55:06 +01:00
defense_evasion_sus_utility_executed_via_tmux_or_screen.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
defense_evasion_suspicious_path_mounted.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
defense_evasion_symlink_binary_to_writable_dir.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
defense_evasion_sysctl_kernel_feature_activity.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
defense_evasion_unsual_kill_signal.toml
[Rule Tuning] Linux DR Tuning - 5 (#5494)
2026-01-07 15:55:06 +01:00
defense_evasion_unusual_preload_env_vars.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
defense_evasion_user_or_group_deletion.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
defense_evasion_var_log_file_creation_by_unsual_process.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
discovery_dmidecode_system_discovery.toml
[Rule Tuning] System Information Discovery via dmidecode from Parent Shell (#5732)
2026-02-17 17:49:56 +01:00
discovery_docker_socket_discovery.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
discovery_dynamic_linker_via_od.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
discovery_esxi_software_via_find.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
discovery_esxi_software_via_grep.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
discovery_kernel_instrumentation_discovery_via_kprobes_and_tracefs.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
discovery_kernel_module_enumeration.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
discovery_kernel_seeking.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
discovery_kernel_unpacking.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
discovery_kubeconfig_file_discovery.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
discovery_linux_hping_activity.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
discovery_linux_nping_activity.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
discovery_manual_mount_discovery_via_exports_or_fstab.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
discovery_pam_version_discovery.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
discovery_ping_sweep_detected.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
discovery_polkit_version_discovery.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
discovery_port_scanning_activity_from_compromised_host.toml
[Rule Tuning] Change event.dataset to data_stream.dataset (#5943)
2026-04-10 12:27:52 -04:00
discovery_private_key_password_searching_activity.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
discovery_proc_maps_read.toml
[Rule Tuning] Linux DR Tuning - 6 (#5497)
2026-01-08 10:45:32 +01:00
discovery_process_capabilities.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
discovery_security_file_access_via_common_utility.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
discovery_subnet_scanning_activity_from_compromised_host.toml
[Rule Tuning] Change event.dataset to data_stream.dataset (#5943)
2026-04-10 12:27:52 -04:00
discovery_sudo_allowed_command_enumeration.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
discovery_suid_sguid_enumeration.toml
[Rule Tuning] Linux DR Tuning - 6 (#5497)
2026-01-08 10:45:32 +01:00
discovery_suspicious_memory_grep_activity.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
discovery_suspicious_network_tool_launched_inside_container.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
discovery_suspicious_which_command_execution.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
discovery_unusual_process_connection_to_container_runtime_socket.toml
[New] Unusual Process Connection to Docker or Containerd Socket (#6005)
2026-05-02 10:05:09 +01:00
discovery_unusual_user_enumeration_via_id.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
discovery_virtual_machine_fingerprinting.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
discovery_yum_dnf_plugin_detection.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_abnormal_process_id_file_created.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_container_management_binary_launched_inside_container.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_cupsd_foomatic_rip_file_creation.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_cupsd_foomatic_rip_lp_user_execution.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_cupsd_foomatic_rip_shell_execution.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_cupsd_foomatic_rip_suspicious_child_execution.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_egress_connection_from_entrypoint_in_container.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_executable_stack_execution.toml
[Rule Tuning] Change event.dataset to data_stream.dataset (#5943)
2026-04-10 12:27:52 -04:00
execution_file_execution_followed_by_deletion.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_file_made_executable_via_chmod_inside_container.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_file_transfer_or_listener_established_via_netcat.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_interpreter_tty_upgrade.toml
[Rule Tuning] Linux DR Tuning - 7 (#5504)
2026-01-08 11:10:46 +01:00
execution_kubectl_apply_pod_from_url.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_nc_listener_via_rlwrap.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_netcon_from_rwx_mem_region_binary.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_network_event_post_compilation.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_perl_tty_shell.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_potential_hack_tool_executed.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_potentially_overly_permissive_container_creation.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_process_backgrounded_by_unusual_parent.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_process_started_from_process_id_file.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_process_started_in_shared_memory_directory.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_python_tty_shell.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_python_webserver_spawned.toml
[Rule Tuning] Linux DR Tuning - 7 (#5504)
2026-01-08 11:10:46 +01:00
execution_remote_code_execution_via_postgresql.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_shell_evasion_linux_binary.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_shell_openssl_client_or_server.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_shell_via_background_process.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_shell_via_child_tcp_utility_linux.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_shell_via_java_revshell_linux.toml
[Rule Tuning] Linux DR Tuning - 7 (#5504)
2026-01-08 11:10:46 +01:00
execution_shell_via_lolbin_interpreter_linux.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_shell_via_meterpreter_linux.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_shell_via_suspicious_binary.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_shell_via_tcp_cli_utility_linux.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_shell_via_udp_cli_utility_linux.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_sus_extraction_or_decrompression_via_funzip.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_suspicious_executable_running_system_commands.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_suspicious_mining_process_creation_events.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_suspicious_mkfifo_execution.toml
[Rule Tuning] agent.id --> host.id new_terms Key Modification (#5802)
2026-03-02 13:24:25 +01:00
execution_suspicious_pod_or_container_creation_command_execution.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_system_binary_file_permission_change.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_tc_bpf_filter.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_unix_socket_communication.toml
[Rule Tuning] Linux DR Tuning - 7 (#5504)
2026-01-08 11:10:46 +01:00
execution_unknown_rwx_mem_region_binary_executed.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_unusual_interactive_process_inside_container.toml
[Rule Tuning] Linux DR Tuning - 7 (#5504)
2026-01-08 11:10:46 +01:00
execution_unusual_kthreadd_execution.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_unusual_path_invocation_from_command_line.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_unusual_pkexec_execution.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
exfiltration_potential_data_splitting_for_exfiltration.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
exfiltration_potential_database_dumping.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
exfiltration_potential_wget_data_exfiltration.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
exfiltration_unusual_file_transfer_utility_launched.toml
[Rule Tuning] Change event.dataset to data_stream.dataset (#5943)
2026-04-10 12:27:52 -04:00
impact_data_encrypted_via_openssl.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
impact_esxi_process_kill.toml
[Rule Tuning] Linux DR Tuning - 8 (#5505)
2026-01-08 10:01:11 +01:00
impact_memory_swap_modification.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
impact_potential_bruteforce_malware_infection.toml
[Rule Tuning] Change event.dataset to data_stream.dataset (#5943)
2026-04-10 12:27:52 -04:00
impact_potential_linux_ransomware_note_detected.toml
[Rule Tuning] Linux DR Tuning - 8 (#5505)
2026-01-08 10:01:11 +01:00
impact_process_kill_threshold.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
initial_access_apache_struts_cve_2023_50164_exploitation_to_webshell.toml
[Rule Tuning] Fixes for Unsupported Fields (#6025)
2026-05-01 18:01:01 -05:00
initial_access_first_time_public_key_authentication.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
initial_access_successful_ssh_authentication_by_unusual_ip.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
initial_access_successful_ssh_authentication_by_unusual_user.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
initial_access_telnet_auth_bypass_envar_auditd.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
initial_access_telnet_auth_bypass_via_user_envar.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
lateral_movement_kubeconfig_file_activity.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
lateral_movement_remote_file_creation_world_writeable_dir.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
lateral_movement_ssh_it_worm_download.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
lateral_movement_telnet_network_activity_external.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
lateral_movement_telnet_network_activity_internal.toml
[Rule Tuning] Linux DR Tuning - 8 (#5505)
2026-01-08 10:01:11 +01:00
lateral_movement_unusual_remote_file_creation.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_apt_package_manager_execution.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_apt_package_manager_file_creation.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_apt_package_manager_netcon.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_at_job_creation.toml
[Rule Tuning] Linux DR Tuning - 9 (#5508)
2026-01-07 16:18:38 +01:00
persistence_boot_file_copy.toml
[Rule Tuning] Linux DR Tuning - 9 (#5508)
2026-01-07 16:18:38 +01:00
persistence_bpf_probe_write_user.toml
[Rule Tuning] Change event.dataset to data_stream.dataset (#5943)
2026-04-10 12:27:52 -04:00
persistence_bpf_program_or_map_load.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_chkconfig_service_add.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_credential_access_modify_ssh_binaries.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_cron_job_creation.toml
[Rule Tuning] Linux DR Tuning - 9 (#5508)
2026-01-07 16:18:38 +01:00
persistence_dbus_service_creation.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_dbus_unsual_daemon_parent_execution.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_dnf_package_manager_plugin_file_creation.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_dpkg_package_installation_from_unusual_parent.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_dpkg_unusual_execution.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_dracut_module_creation.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_dynamic_linker_backup.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_extract_initramfs_via_cpio.toml
[Rule Tuning] Linux DR Tuning - 9 (#5508)
2026-01-07 16:18:38 +01:00
persistence_git_hook_execution.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_git_hook_file_creation.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_git_hook_netcon.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_git_hook_process_execution.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_grub_configuration_creation.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_grub_makeconfig.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_init_d_file_creation.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_insmod_kernel_module_load.toml
[Rule Tuning] Kernel Module Load via Built-in Utility (#5736)
2026-02-23 09:48:12 +01:00
persistence_kde_autostart_modification.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_kernel_driver_load_by_non_root.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_kernel_driver_load.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_kernel_module_load_from_unusual_location.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_kernel_object_file_creation.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_kubernetes_sensitive_file_activity.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_kworker_file_creation.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_linux_backdoor_user_creation.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_linux_group_creation.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_linux_shell_activity_via_web_server.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_linux_user_account_creation.toml
[Rule Tuning] Linux DR Tuning - 9 (#5508)
2026-01-07 16:18:38 +01:00
persistence_linux_user_added_to_privileged_group.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_lkm_configuration_file_creation.toml
[Rule Tuning] Linux DR Tuning - 9 (#5508)
2026-01-07 16:18:38 +01:00
persistence_manual_dracut_execution.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_message_of_the_day_creation.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_message_of_the_day_execution.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_network_manager_dispatcher_persistence.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_openssl_passwd_hash_generation.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_pluggable_authentication_module_creation_in_unusual_dir.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_pluggable_authentication_module_creation.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_pluggable_authentication_module_pam_exec_backdoor_exec.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_pluggable_authentication_module_source_download.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_polkit_policy_creation.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_potential_persistence_script_executable_bit_set.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_process_capability_set_via_setcap.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_pth_file_creation.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_rc_local_error_via_syslog.toml
[Rule Tuning] Change event.dataset to data_stream.dataset (#5943)
2026-04-10 12:27:52 -04:00
persistence_rc_local_service_already_running.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_rc_script_creation.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_rpm_package_installation_from_unusual_parent.toml
[Rule Tuning] Linux DR Tuning - 9 (#5508)
2026-01-07 16:18:38 +01:00
persistence_setuid_setgid_capability_set.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_shadow_file_modification.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_shared_object_creation.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_shell_configuration_modification.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_simple_web_server_connection_accepted.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_simple_web_server_creation.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_site_and_user_customize_file_creation.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_ssh_key_generation.toml
Prep for Release 9.0 (#4550)
2025-03-20 20:32:07 +05:30
persistence_ssh_netcon.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_ssh_via_backdoored_system_user.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_suspicious_file_opened_through_editor.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_suspicious_ssh_execution_xzbackdoor.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_systemd_generator_creation.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_systemd_netcon.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_systemd_scheduled_timer_created.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_systemd_service_creation.toml
[Rule Tuning] Potential snap-confine Privilege Escalation (#5889)
2026-04-02 11:21:09 +02:00
persistence_systemd_service_started.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_systemd_shell_execution.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_tainted_kernel_module_load.toml
[Rule Tuning] Change event.dataset to data_stream.dataset (#5943)
2026-04-10 12:27:52 -04:00
persistence_tainted_kernel_module_out_of_tree_load.toml
[Rule Tuning] Change event.dataset to data_stream.dataset (#5943)
2026-04-10 12:27:52 -04:00
persistence_udev_rule_creation.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_unpack_initramfs_via_unmkinitramfs.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_unusual_exim4_child_process.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_unusual_pam_grantor.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_unusual_sshd_child_process.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_user_credential_modification_via_echo.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_user_or_group_creation_or_modification.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_web_server_sus_child_spawned.toml
[Rule Tuning] Change event.dataset to data_stream.dataset (#5943)
2026-04-10 12:27:52 -04:00
persistence_web_server_sus_command_execution.toml
[Rule Tuning] Change event.dataset to data_stream.dataset (#5943)
2026-04-10 12:27:52 -04:00
persistence_web_server_sus_destination_port.toml
[Rule Tuning] Fixes for Unsupported Fields (#6025)
2026-05-01 18:01:01 -05:00
persistence_web_server_unusual_command_execution.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_xdg_autostart_netcon.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_yum_package_manager_plugin_file_creation.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
privilege_escalation_auditd_euid_root_shell_from_non_standard_path.toml
[New/Tuning] Linux LPE via SUID Shell (#5980)
2026-05-01 10:51:29 +01:00
privilege_escalation_chown_chmod_unauthorized_file_read.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
privilege_escalation_container_util_misconfiguration.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
privilege_escalation_cve_2025_32463_nsswitch_file_creation.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
privilege_escalation_cve_2025_32463_sudo_chroot_execution.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
privilege_escalation_cve_2025_41244_vmtoolsd_lpe.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
privilege_escalation_dac_permissions.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
privilege_escalation_debugfs_launched_inside_container.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
privilege_escalation_docker_escape_via_nsenter.toml
[Rule Tuning] Linux DR Tuning - 11 (#5511)
2026-01-07 16:31:13 +01:00
privilege_escalation_docker_mount_chroot_container_escape.toml
[Rule Tuning] Adds Crowdstrike Compatibility to Linux Process Rules (#5232)
2025-11-10 16:03:39 +01:00
privilege_escalation_docker_release_file_creation.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
privilege_escalation_enlightenment_window_manager.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
privilege_escalation_gdb_sys_ptrace_elevation.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
privilege_escalation_gdb_sys_ptrace_netcon.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
privilege_escalation_kworker_uid_elevation.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
privilege_escalation_ld_preload_shared_object_modif.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
privilege_escalation_linux_suspicious_symbolic_link.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
privilege_escalation_load_and_unload_of_kernel_via_kexec.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
privilege_escalation_looney_tunables_cve_2023_4911.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
privilege_escalation_mount_launched_inside_container.toml
[Rule Tuning] Linux DR Tuning - 11 (#5511)
2026-01-07 16:31:13 +01:00
privilege_escalation_overlayfs_local_privesc.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
privilege_escalation_pkexec_envar_hijack.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
privilege_escalation_potential_bufferoverflow_attack.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
privilege_escalation_potential_copy_fail_cve_2026_31431_exploitation_via_af_alg_socket.toml
[New] Potential Copy Fail (CVE-2026-31431) Exploitation via AF_ALG Socket (#6015)
2026-04-30 12:24:01 -04:00
privilege_escalation_potential_suid_sgid_exploitation.toml
[New/Tuning] Linux LPE via SUID Shell (#5980)
2026-05-01 10:51:29 +01:00
privilege_escalation_potential_suid_sgid_proxy_execution.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
privilege_escalation_potential_wildcard_shell_spawn.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
privilege_escalation_sda_disk_mount_non_root.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
privilege_escalation_shadow_file_read.toml
[Rule Tuning] Linux DR Tuning - 11 (#5511)
2026-01-07 16:31:13 +01:00
privilege_escalation_snap_confine_lpe_via_cve_2026_3888.toml
[Rule Tuning] Potential snap-confine Privilege Escalation (#5889)
2026-04-02 11:21:09 +02:00
privilege_escalation_sudo_cve_2019_14287.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
privilege_escalation_sudo_hijacking.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
privilege_escalation_sudo_token_via_process_injection.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
privilege_escalation_suspicious_cap_setuid_python_execution.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
privilege_escalation_suspicious_chown_fowner_elevation.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
privilege_escalation_suspicious_passwd_file_write.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
privilege_escalation_suspicious_suid_binary_execution.toml
[New] Suspicious SUID Binary Execution (#6018)
2026-04-30 17:38:22 +01:00
privilege_escalation_suspicious_uid_guid_elevation.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
privilege_escalation_uid_change_post_compilation.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
privilege_escalation_uid_elevation_from_unknown_executable.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
privilege_escalation_unshare_namespace_manipulation.toml
[Tuning/New] Namespace Manipulation Using Unshare (#6024)
2026-05-01 15:29:44 +01:00
privilege_escalation_writable_docker_socket.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00