sigma-rules

Files

T

Samirbous 353fde10a0 [Deprecate Rule] Suspicious Process from Conhost (#2222 )

only FPs with no way to tune other than opening the rule for easy evasion by excluding by process.executable/args).

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>

(cherry picked from commit d3420e3386)

2022-08-16 14:33:36 +00:00

command_and_control_dns_directly_to_the_internet.toml

[Deprecation rule] DNS Activity to the Internet (#2221 )

2022-08-03 02:01:16 +00:00

command_and_control_ftp_file_transfer_protocol_activity_to_the_internet.toml

Linux Shell Evasion Rule Tuning (#1878 )

2022-03-29 21:03:35 -04:00

command_and_control_irc_internet_relay_chat_protocol_activity_to_the_internet.toml

Linux Shell Evasion Rule Tuning (#1878 )

2022-03-29 21:03:35 -04:00

command_and_control_port_8000_activity_to_the_internet.toml

Linux Shell Evasion Rule Tuning (#1878 )

2022-03-29 21:03:35 -04:00

command_and_control_pptp_point_to_point_tunneling_protocol_activity.toml

Linux Shell Evasion Rule Tuning (#1878 )

2022-03-29 21:03:35 -04:00

command_and_control_proxy_port_activity_to_the_internet.toml

Linux Shell Evasion Rule Tuning (#1878 )

2022-03-29 21:03:35 -04:00

command_and_control_smtp_to_the_internet.toml

Linux Shell Evasion Rule Tuning (#1878 )

2022-03-29 21:03:35 -04:00

command_and_control_sql_server_port_activity_to_the_internet.toml

Linux Shell Evasion Rule Tuning (#1878 )

2022-03-29 21:03:35 -04:00

command_and_control_ssh_secure_shell_from_the_internet.toml

Linux Shell Evasion Rule Tuning (#1878 )

2022-03-29 21:03:35 -04:00

command_and_control_ssh_secure_shell_to_the_internet.toml

Linux Shell Evasion Rule Tuning (#1878 )

2022-03-29 21:03:35 -04:00

command_and_control_tor_activity_to_the_internet.toml

Linux Shell Evasion Rule Tuning (#1878 )

2022-03-29 21:03:35 -04:00

credential_access_tcpdump_activity.toml

Linux Shell Evasion Rule Tuning (#1878 )

2022-03-29 21:03:35 -04:00

defense_evasion_attempt_to_disable_iptables_or_firewall.toml

Rule(s) deprecation as part of Linux Detection Rule Review (#2163 )

2022-07-26 13:19:25 +00:00

defense_evasion_base64_encoding_or_decoding_activity.toml

Linux Shell Evasion Rule Tuning (#1878 )

2022-03-29 21:03:35 -04:00

defense_evasion_code_injection_conhost.toml

[Deprecate Rule] Suspicious Process from Conhost (#2222 )

2022-08-16 14:33:36 +00:00

defense_evasion_execution_via_trusted_developer_utilities.toml

Linux Shell Evasion Rule Tuning (#1878 )

2022-03-29 21:03:35 -04:00

defense_evasion_hex_encoding_or_decoding_activity.toml

Linux Shell Evasion Rule Tuning (#1878 )

2022-03-29 21:03:35 -04:00

defense_evasion_mshta_making_network_connections.toml

Linux Shell Evasion Rule Tuning (#1878 )

2022-03-29 21:03:35 -04:00

defense_evasion_whitespace_padding_in_command_line.toml

[Security Content] 8.4 - Add Investigation Guides - Windows - 2 (#2144 )

2022-08-09 00:35:02 +00:00

discovery_file_dir_discovery.toml

[Deprecate Rule] File and Directory Discovery (#2217 )

2022-08-02 15:58:37 +00:00

discovery_process_discovery_via_tasklist_command.toml

Linux Shell Evasion Rule Tuning (#1878 )

2022-03-29 21:03:35 -04:00

discovery_query_registry_via_reg.toml

Linux Shell Evasion Rule Tuning (#1878 )

2022-03-29 21:03:35 -04:00

discovery_whoami_commmand.toml

Linux Shell Evasion Rule Tuning (#1878 )

2022-03-29 21:03:35 -04:00

execution_apt_binary.toml

[Rule tuning] Linux binary(s) shell evasion threat (#1957 )

2022-05-25 03:04:53 +00:00

execution_awk_binary_shell.toml

[Rule tuning] Linux binary(s) shell evasion threat (#1957 )

2022-05-25 03:04:53 +00:00

execution_busybox_binary.toml

[Rule tuning] Linux binary(s) shell evasion threat (#1957 )

2022-05-25 03:04:53 +00:00

execution_c89_c99_binary.toml

[Rule tuning] Linux binary(s) shell evasion threat (#1957 )

2022-05-25 03:04:53 +00:00

execution_command_shell_started_by_powershell.toml

Linux Shell Evasion Rule Tuning (#1878 )

2022-03-29 21:03:35 -04:00

execution_cpulimit_binary.toml

[Rule tuning] Linux binary(s) shell evasion threat (#1957 )

2022-05-25 03:04:53 +00:00

execution_crash_binary.toml

[Rule tuning] Linux binary(s) shell evasion threat (#1957 )

2022-05-25 03:04:53 +00:00

execution_env_binary.toml

[Rule tuning] Linux binary(s) shell evasion threat (#1957 )

2022-05-25 03:04:53 +00:00

execution_expect_binary.toml

[Rule tuning] Linux binary(s) shell evasion threat (#1957 )

2022-05-25 03:04:53 +00:00

execution_find_binary.toml

[Rule tuning] Linux binary(s) shell evasion threat (#1957 )

2022-05-25 03:04:53 +00:00

execution_flock_binary.toml

[Rule tuning] Linux binary(s) shell evasion threat (#1957 )

2022-05-25 03:04:53 +00:00

execution_gcc_binary.toml

[Rule tuning] Linux binary(s) shell evasion threat (#1957 )

2022-05-25 03:04:53 +00:00

execution_linux_process_started_in_temp_directory.toml

Rule(s) deprecation as part of Linux Detection Rule Review (#2163 )

2022-07-26 13:19:25 +00:00

execution_mysql_binary.toml

[Rule tuning] Linux binary(s) shell evasion threat (#1957 )

2022-05-25 03:04:53 +00:00

execution_ssh_binary.toml

[Rule tuning] Linux binary(s) shell evasion threat (#1957 )

2022-05-25 03:04:53 +00:00

execution_vi_binary.toml

[Rule tuning] Linux binary(s) shell evasion threat (#1957 )

2022-05-25 03:04:53 +00:00

execution_via_net_com_assemblies.toml

Linux Shell Evasion Rule Tuning (#1878 )

2022-03-29 21:03:35 -04:00

exfiltration_rds_snapshot_export.toml

2058 add setup field to metadata (#2061 )

2022-07-19 09:36:52 -04:00

initial_access_login_failures.toml

Rule(s) deprecation as part of Linux Detection Rule Review (#2163 )

2022-07-26 13:19:25 +00:00

initial_access_login_location.toml

Rule(s) deprecation as part of Linux Detection Rule Review (#2163 )

2022-07-26 13:19:25 +00:00

initial_access_login_sessions.toml

Rule(s) deprecation as part of Linux Detection Rule Review (#2163 )

2022-07-26 13:19:25 +00:00

initial_access_login_time.toml

Rule(s) deprecation as part of Linux Detection Rule Review (#2163 )

2022-07-26 13:19:25 +00:00

initial_access_rdp_remote_desktop_protocol_to_the_internet.toml

Linux Shell Evasion Rule Tuning (#1878 )

2022-03-29 21:03:35 -04:00

linux_mknod_activity.toml

Linux Shell Evasion Rule Tuning (#1878 )

2022-03-29 21:03:35 -04:00

linux_nmap_activity.toml

Linux Shell Evasion Rule Tuning (#1878 )

2022-03-29 21:03:35 -04:00

linux_socat_activity.toml

Linux Shell Evasion Rule Tuning (#1878 )

2022-03-29 21:03:35 -04:00

persistence_cron_jobs_creation_and_runtime.toml

Linux Shell Evasion Rule Tuning (#1878 )

2022-03-29 21:03:35 -04:00

persistence_kernel_module_activity.toml

Linux Shell Evasion Rule Tuning (#1878 )

2022-03-29 21:03:35 -04:00

privilege_escalation_krbrelayup_suspicious_logon.toml

[Deprecated Rule] Potential Privilege Escalation via Local Kerberos R… (#2209 )

2022-08-01 16:29:46 +00:00

privilege_escalation_linux_strace_activity.toml

Rule tuning as part of Linux Detection Rules Review (#2170 )

2022-07-29 16:26:57 +00:00

privilege_escalation_printspooler_malicious_driver_file_changes.toml

Linux Shell Evasion Rule Tuning (#1878 )

2022-03-29 21:03:35 -04:00

privilege_escalation_printspooler_malicious_registry_modification.toml

Linux Shell Evasion Rule Tuning (#1878 )

2022-03-29 21:03:35 -04:00

privilege_escalation_setgid_bit_set_via_chmod.toml

Linux Shell Evasion Rule Tuning (#1878 )

2022-03-29 21:03:35 -04:00