security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
be611be8b319942e3ee65de3556fb48955ae5f7a
sigma-rules/rules/linux
T
History
Terrance DeJesus be611be8b3 [New Rule] Instance Metadata Service (IMDS) API Requests - Linux (#4005) 
* new rule metadata API requests

* updated description and name

* added Ipv6

* adjusted query

* rule name fix

* changed to EQL; added discovery tactic

* removed timestamp override

* adding host.os.type

* adjusted description

* Update rules/linux/credential_access_unusual_instance_metadata_service_api_request.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Update rules/linux/credential_access_unusual_instance_metadata_service_api_request.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* adjusted query

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2024-09-05 10:08:32 -04:00
..
command_and_control_aws_cli_endpoint_url_used.toml
[New Rule] AWS CLI Command with Custom Endpoint URL (#4002)
2024-08-28 09:58:08 -04:00
command_and_control_cat_network_activity.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
command_and_control_linux_chisel_client_activity.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
command_and_control_linux_chisel_server_activity.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
command_and_control_linux_kworker_netcon.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
command_and_control_linux_proxychains_activity.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
command_and_control_linux_suspicious_proxychains_activity.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
command_and_control_linux_tunneling_and_port_forwarding.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
command_and_control_suspicious_network_activity_from_unknown_executable.toml
Prep for next release 8.16 (#3919)
2024-07-24 11:19:56 -04:00
command_and_control_tunneling_via_earthworm.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
credential_access_collection_sensitive_files.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
credential_access_credential_dumping.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
credential_access_gdb_init_process_hooking.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
credential_access_gdb_process_hooking.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
credential_access_potential_linux_local_account_bruteforce.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
credential_access_potential_linux_ssh_bruteforce_external.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
credential_access_potential_linux_ssh_bruteforce_internal.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
credential_access_potential_successful_linux_ftp_bruteforce.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
credential_access_potential_successful_linux_rdp_bruteforce.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
credential_access_potential_successful_linux_ssh_bruteforce.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
credential_access_proc_credential_dumping.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
credential_access_ssh_backdoor_log.toml
Refresh MITRE Attack v15.1.0 (#3725)
2024-06-04 20:14:58 +05:30
credential_access_unusual_instance_metadata_service_api_request.toml
[New Rule] Instance Metadata Service (IMDS) API Requests - Linux (#4005)
2024-09-05 10:08:32 -04:00
defense_evasion_attempt_to_disable_auditd_service.toml
[New Rule] Attempt to Disable Auditd Service (#4028)
2024-09-01 09:51:13 +02:00
defense_evasion_attempt_to_disable_iptables_or_firewall.toml
[Rule Tuning] Attempt to Disable IPTables or Firewall (#3972)
2024-08-10 10:18:11 +02:00
defense_evasion_attempt_to_disable_syslog_service.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
defense_evasion_binary_copied_to_suspicious_directory.toml
[Rule Tuning] System Binary Moved or Copied (#3933)
2024-08-01 18:47:58 +02:00
defense_evasion_chattr_immutable_file.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
defense_evasion_clear_kernel_ring_buffer.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
defense_evasion_disable_apparmor_attempt.toml
[Rule Tuning] Potential Disabling of AppArmor (#3971)
2024-08-10 09:51:45 +02:00
defense_evasion_disable_selinux_attempt.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
defense_evasion_doas_configuration_creation_or_rename.toml
[New Rule] Potential Defense Evasion via Doas (#4027)
2024-08-29 21:19:13 +02:00
defense_evasion_dynamic_linker_file_creation.toml
[New Rule] Dynamic Linker Creation or Modification (#3969)
2024-08-10 10:25:55 +02:00
defense_evasion_esxi_suspicious_timestomp_touch.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
defense_evasion_file_deletion_via_shred.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
defense_evasion_file_mod_writable_dir.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
defense_evasion_hidden_file_dir_tmp.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
defense_evasion_hidden_shared_object.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
defense_evasion_kernel_module_removal.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
defense_evasion_kthreadd_masquerading.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
defense_evasion_log_files_deleted.toml
[Rule Tuning] System Log File Deletion (#3970)
2024-08-10 10:04:56 +02:00
defense_evasion_mount_execution.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
defense_evasion_potential_proot_exploits.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
defense_evasion_rename_esxi_files.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
defense_evasion_rename_esxi_index_file.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
defense_evasion_root_certificate_installation.toml
[New Rule] Root Certificate Installation (#4025)
2024-09-03 17:40:17 +02:00
defense_evasion_selinux_configuration_creation_or_renaming.toml
[New Rule] SELinux Configuration Creation or Modification (#4024)
2024-09-01 10:14:59 +02:00
defense_evasion_ssl_certificate_deletion.toml
[New Rule] SSL Certificate Deletion (#4026)
2024-08-29 21:10:59 +02:00
defense_evasion_sus_utility_executed_via_tmux_or_screen.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
discovery_dynamic_linker_via_od.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
discovery_esxi_software_via_find.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
discovery_esxi_software_via_grep.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
discovery_kernel_module_enumeration.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
discovery_linux_hping_activity.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
discovery_linux_nping_activity.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
discovery_ping_sweep_detected.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
discovery_proc_maps_read.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
discovery_process_capabilities.toml
[Tuning] event.action and event.type change (#3495)
2024-03-13 10:11:21 +01:00
discovery_pspy_process_monitoring_detected.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
discovery_sudo_allowed_command_enumeration.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
discovery_suid_sguid_enumeration.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
discovery_suspicious_which_command_execution.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
discovery_unusual_user_enumeration_via_id.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
discovery_virtual_machine_fingerprinting.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
discovery_yum_dnf_plugin_detection.toml
[New Rules] Yum Plugin Creation / Discovery (#3820)
2024-06-25 16:14:28 +02:00
execution_abnormal_process_id_file_created.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
execution_curl_cve_2023_38545_heap_overflow.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
execution_egress_connection_from_entrypoint_in_container.toml
[New Rules] Docker Entrypoint Netcon / Nsenter Escape (#3883)
2024-07-15 13:07:36 +02:00
execution_file_execution_followed_by_deletion.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
execution_file_transfer_or_listener_established_via_netcat.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
execution_interpreter_tty_upgrade.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
execution_nc_listener_via_rlwrap.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
execution_netcon_from_rwx_mem_region_binary.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
execution_network_event_post_compilation.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
execution_perl_tty_shell.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
execution_potential_hack_tool_executed.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
execution_potentially_overly_permissive_container_creation.toml
[New Rule] Unsafe Docker Container Creation (#3884)
2024-07-17 15:03:07 +02:00
execution_process_started_from_process_id_file.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
execution_process_started_in_shared_memory_directory.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
execution_python_tty_shell.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
execution_remote_code_execution_via_postgresql.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
execution_shell_evasion_linux_binary.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
execution_shell_openssl_client_or_server.toml
[New Rule] Openssl Client or Server Activity (#3930)
2024-08-22 16:53:31 +02:00
execution_shell_via_background_process.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
execution_shell_via_child_tcp_utility_linux.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
execution_shell_via_java_revshell_linux.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
execution_shell_via_lolbin_interpreter_linux.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
execution_shell_via_meterpreter_linux.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
execution_shell_via_suspicious_binary.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
execution_shell_via_tcp_cli_utility_linux.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
execution_shell_via_udp_cli_utility_linux.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
execution_sus_extraction_or_decrompression_via_funzip.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
execution_suspicious_executable_running_system_commands.toml
[Rule Tuning] Misc. DR Rule Tuning (#3904)
2024-07-19 15:13:42 +02:00
execution_suspicious_mining_process_creation_events.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
execution_tc_bpf_filter.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
execution_unknown_rwx_mem_region_binary_executed.toml
[Rule Tuning] Misc. DR Rule Tuning (#3904)
2024-07-19 15:13:42 +02:00
impact_data_encrypted_via_openssl.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
impact_esxi_process_kill.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
impact_potential_linux_ransomware_note_detected.toml
[Rule Tuning] Misc. DR Rule Tuning (#3904)
2024-07-19 15:13:42 +02:00
impact_process_kill_threshold.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
lateral_movement_ssh_it_worm_download.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
lateral_movement_telnet_network_activity_external.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
lateral_movement_telnet_network_activity_internal.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
persistence_apt_package_manager_execution.toml
[Tuning & Changes] Misc rule/hunt tuning (#3875)
2024-07-11 14:55:33 +02:00
persistence_apt_package_manager_file_creation.toml
[Tuning & Changes] Misc rule/hunt tuning (#3875)
2024-07-11 14:55:33 +02:00
persistence_apt_package_manager_netcon.toml
[Rule Tuning] Misc. DR Rule Tuning (#3904)
2024-07-19 15:13:42 +02:00
persistence_at_job_creation.toml
[New Rule & Tuning] (Ana)Cron & At Job Creation (#3726)
2024-06-05 09:53:42 +02:00
persistence_chkconfig_service_add.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
persistence_credential_access_modify_ssh_binaries.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
persistence_cron_job_creation.toml
Prep for next release 8.16 (#3919)
2024-07-24 11:19:56 -04:00
persistence_dnf_package_manager_plugin_file_creation.toml
[Tuning & Changes] Misc rule/hunt tuning (#3875)
2024-07-11 14:55:33 +02:00
persistence_dpkg_package_installation_from_unusual_parent.toml
[New Rules] DPKG Execution/Installation (#3879)
2024-07-15 12:59:03 +02:00
persistence_dpkg_unusual_execution.toml
[New Rules] DPKG Execution/Installation (#3879)
2024-07-15 12:59:03 +02:00
persistence_dynamic_linker_backup.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
persistence_etc_file_creation.toml
[Rule Tuning] System V Init Script Created (#3811)
2024-06-27 21:38:34 +02:00
persistence_git_hook_execution.toml
[New Rules] Git Hook execution/netcon (#3896)
2024-07-17 15:28:37 +02:00
persistence_git_hook_file_creation.toml
[New Rules] Git Hook Execution/File Creation (#3832)
2024-06-28 11:34:32 +02:00
persistence_git_hook_netcon.toml
[New Rules] Git Hook execution/netcon (#3896)
2024-07-17 15:28:37 +02:00
persistence_git_hook_process_execution.toml
[New Rules] Git Hook Execution/File Creation (#3832)
2024-06-28 11:34:32 +02:00
persistence_init_d_file_creation.toml
[Rule Tuning] System V Init Script Created (#3811)
2024-06-27 21:38:34 +02:00
persistence_insmod_kernel_module_load.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
persistence_kde_autostart_modification.toml
[Rule Tuning] Misc. DR Rule Tuning (#3904)
2024-07-19 15:13:42 +02:00
persistence_kernel_driver_load_by_non_root.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
persistence_kernel_driver_load.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
persistence_kworker_file_creation.toml
[Rule Tuning] Misc. DR Rule Tuning (#3904)
2024-07-19 15:13:42 +02:00
persistence_linux_backdoor_user_creation.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
persistence_linux_group_creation.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
persistence_linux_shell_activity_via_web_server.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
persistence_linux_user_account_creation.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
persistence_linux_user_added_to_privileged_group.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
persistence_message_of_the_day_creation.toml
[Rule Tuning] Message-of-the-Day (MOTD) (#3730)
2024-06-05 10:18:30 +02:00
persistence_message_of_the_day_execution.toml
[Rule Tuning] Message-of-the-Day (MOTD) (#3730)
2024-06-05 10:18:30 +02:00
persistence_pluggable_authentication_module_creation.toml
[Rule Tuning] Misc. DR Rule Tuning - Part 2 (#3905)
2024-07-19 15:21:35 +02:00
persistence_potential_persistence_script_executable_bit_set.toml
[Tuning] Executable Bit Set for Potential Persistence Script (#3929)
2024-08-02 21:13:19 +02:00
persistence_process_capability_set_via_setcap.toml
[New Rule] Process Capability Set via setcap Utility (#3744)
2024-06-06 12:44:31 +02:00
persistence_rc_local_error_via_syslog.toml
[New Rules] rc.local Execution Rules (#3813)
2024-06-28 09:59:26 +02:00
persistence_rc_local_service_already_running.toml
[New Rules] rc.local Execution Rules (#3813)
2024-06-28 09:59:26 +02:00
persistence_rc_script_creation.toml
[Rule Tuning] Misc. DR Rule Tuning - Part 2 (#3905)
2024-07-19 15:21:35 +02:00
persistence_rpm_package_installation_from_unusual_parent.toml
[New Rule] RPM Package Installed by Unusual Parent Process (#3882)
2024-07-17 15:12:17 +02:00
persistence_setuid_setgid_capability_set.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
persistence_shared_object_creation.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
persistence_shell_configuration_modification.toml
[Rule Tuning] Misc. DR Rule Tuning - Part 2 (#3905)
2024-07-19 15:21:35 +02:00
persistence_ssh_key_generation.toml
[Bug] Persistence ssh key generation index pattern (#3873)
2024-07-08 10:27:52 -03:00
persistence_ssh_netcon.toml
[Rule Tuning] Misc. DR Rule Tuning - Part 2 (#3905)
2024-07-19 15:21:35 +02:00
persistence_suspicious_file_opened_through_editor.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
persistence_suspicious_ssh_execution_xzbackdoor.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
persistence_systemd_generator_creation.toml
[New Rule & Tuning] Systemd Generator Created (#3801)
2024-06-27 22:00:48 +02:00
persistence_systemd_netcon.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
persistence_systemd_scheduled_timer_created.toml
[Rule Tuning] Misc. DR Rule Tuning - Part 2 (#3905)
2024-07-19 15:21:35 +02:00
persistence_systemd_service_creation.toml
[Rule Tuning] Misc. DR Rule Tuning - Part 2 (#3905)
2024-07-19 15:21:35 +02:00
persistence_systemd_service_started.toml
Prep for next release 8.16 (#3919)
2024-07-24 11:19:56 -04:00
persistence_tainted_kernel_module_load.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
persistence_tainted_kernel_module_out_of_tree_load.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
persistence_udev_rule_creation.toml
[Rule Tuning] Misc. DR Rule Tuning - Part 2 (#3905)
2024-07-19 15:21:35 +02:00
persistence_unusual_pam_grantor.toml
Prep for next release 8.16 (#3919)
2024-07-24 11:19:56 -04:00
persistence_user_or_group_creation_or_modification.toml
[Rule Tuning] Updated setup guide (#3885)
2024-07-17 14:39:38 +02:00
persistence_user_password_change.toml
[New Rule] Linux Shadow File Modification (#3737)
2024-07-05 10:03:24 +02:00
persistence_xdg_autostart_netcon.toml
[Rule Tuning] Misc. DR Rule Tuning - Part 2 (#3905)
2024-07-19 15:21:35 +02:00
persistence_yum_package_manager_plugin_file_creation.toml
[Tuning & Changes] Misc rule/hunt tuning (#3875)
2024-07-11 14:55:33 +02:00
privilege_escalation_chown_chmod_unauthorized_file_read.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
privilege_escalation_container_util_misconfiguration.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
privilege_escalation_dac_permissions.toml
[Security Content] Small tweaks on the setup guides (#3308)
2024-03-11 09:09:40 -03:00
privilege_escalation_docker_escape_via_nsenter.toml
[New Rules] Docker Entrypoint Netcon / Nsenter Escape (#3883)
2024-07-15 13:07:36 +02:00
privilege_escalation_docker_mount_chroot_container_escape.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
privilege_escalation_enlightenment_window_manager.toml
[Tuning] event.action and event.type change (#3495)
2024-03-13 10:11:21 +01:00
privilege_escalation_gdb_sys_ptrace_elevation.toml
[Tuning] event.action and event.type change (#3495)
2024-03-13 10:11:21 +01:00
privilege_escalation_gdb_sys_ptrace_netcon.toml
[Tuning] event.action and event.type change (#3495)
2024-03-13 10:11:21 +01:00
privilege_escalation_kworker_uid_elevation.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
privilege_escalation_ld_preload_shared_object_modif.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
privilege_escalation_linux_suspicious_symbolic_link.toml
[Rule Tuning] Removed Endgame from Incompatible Rules (#3931)
2024-07-31 09:26:38 +02:00
privilege_escalation_linux_uid_int_max_bug.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
privilege_escalation_load_and_unload_of_kernel_via_kexec.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
privilege_escalation_looney_tunables_cve_2023_4911.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
privilege_escalation_netcon_via_sudo_binary.toml
[Rule Tuning] Misc. DR Rule Tuning - Part 2 (#3905)
2024-07-19 15:21:35 +02:00
privilege_escalation_overlayfs_local_privesc.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
privilege_escalation_pkexec_envar_hijack.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
privilege_escalation_potential_bufferoverflow_attack.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
privilege_escalation_potential_suid_sgid_exploitation.toml
[New Rule] Privilege Escalation via SUID/SGID (#3793)
2024-06-27 16:50:09 +02:00
privilege_escalation_potential_wildcard_shell_spawn.toml
[Rule Tuning] Misc. DR Rule Tuning - Part 2 (#3905)
2024-07-19 15:21:35 +02:00
privilege_escalation_sda_disk_mount_non_root.toml
[Rule Tuning] Removed Endgame from Incompatible Rules (#3931)
2024-07-31 09:26:38 +02:00
privilege_escalation_shadow_file_read.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
privilege_escalation_sudo_cve_2019_14287.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
privilege_escalation_sudo_hijacking.toml
[Rule Tuning] Potential Sudo Hijacking (#3745)
2024-06-06 11:59:26 +02:00
privilege_escalation_sudo_token_via_process_injection.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
privilege_escalation_suspicious_cap_setuid_python_execution.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
privilege_escalation_suspicious_chown_fowner_elevation.toml
[Tuning] event.action and event.type change (#3495)
2024-03-13 10:11:21 +01:00
privilege_escalation_suspicious_passwd_file_write.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
privilege_escalation_suspicious_uid_guid_elevation.toml
[Rule Tuning] Misc. DR Rule Tuning - Part 2 (#3905)
2024-07-19 15:21:35 +02:00
privilege_escalation_uid_change_post_compilation.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
privilege_escalation_uid_elevation_from_unknown_executable.toml
[Rule Tuning] Misc. DR Rule Tuning - Part 2 (#3905)
2024-07-19 15:21:35 +02:00
privilege_escalation_unshare_namespace_manipulation.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
privilege_escalation_writable_docker_socket.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30