security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
c89f423961f2dcec5b26f7144bce54677dee9263
sigma-rules/rules/linux
T
History
Terrance DeJesus c89f423961 [New Rule] Suspicious Outbound Network Connect Sequence by Root (#1975) 
* adding initial rule

* adjusted UUID

* removed event.ingested as query is a sequence

* changed file name to match mitre ATT&CK tactic

* Update rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml

* Update rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml

* Update rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml

* Update rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml

* Update rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml

* Update rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml

* TOML linted

* Update command_and_control_connection_attempt_by_non_ssh_root_session.toml

Just edited a couple grammar things. Looks good

* Update rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml

* Update rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml

* Update rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml

* added additional tactic for privilege escalation and linted

* formatted query to be more readable

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2022-05-16 16:22:33 -05:00
..
command_and_control_connection_attempt_by_non_ssh_root_session.toml
[New Rule] Suspicious Outbound Network Connect Sequence by Root (#1975)
2022-05-16 16:22:33 -05:00
command_and_control_tunneling_via_earthworm.toml
Expand timestamp override tests (#1907)
2022-04-01 15:27:08 -08:00
credential_access_collection_sensitive_files.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
credential_access_ssh_backdoor_log.toml
Expand timestamp override tests (#1907)
2022-04-01 15:27:08 -08:00
defense_evasion_attempt_to_disable_iptables_or_firewall.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
defense_evasion_attempt_to_disable_syslog_service.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
defense_evasion_deletion_of_bash_command_line_history.toml
Expand timestamp override tests (#1907)
2022-04-01 15:27:08 -08:00
defense_evasion_disable_selinux_attempt.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
defense_evasion_file_deletion_via_shred.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
defense_evasion_file_mod_writable_dir.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
defense_evasion_hidden_file_dir_tmp.toml
Expand timestamp override tests (#1907)
2022-04-01 15:27:08 -08:00
defense_evasion_kernel_module_removal.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
defense_evasion_log_files_deleted.toml
Expand timestamp override tests (#1907)
2022-04-01 15:27:08 -08:00
discovery_kernel_module_enumeration.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
discovery_virtual_machine_fingerprinting.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
execution_abnormal_process_id_file_created.toml
[New Rule] Abnormal Process ID File Creation (#1964)
2022-05-12 10:38:27 -04:00
execution_apt_binary.toml
Expand timestamp override tests (#1907)
2022-04-01 15:27:08 -08:00
execution_awk_binary_shell.toml
Expand timestamp override tests (#1907)
2022-04-01 15:27:08 -08:00
execution_busybox_binary.toml
Linux Shell Evasion Rule Tuning (#1878)
2022-03-29 09:16:21 -05:00
execution_c89_c99_binary.toml
Expand timestamp override tests (#1907)
2022-04-01 15:27:08 -08:00
execution_cpulimit_binary.toml
Expand timestamp override tests (#1907)
2022-04-01 15:27:08 -08:00
execution_crash_binary.toml
[Rule Tuning] Update Rule Content Changes from Security Docs Team (#1945)
2022-05-06 13:21:12 -04:00
execution_env_binary.toml
[Rule Tuning] Update Rule Content Changes from Security Docs Team (#1945)
2022-05-06 13:21:12 -04:00
execution_expect_binary.toml
[Rule Tuning] Update Rule Content Changes from Security Docs Team (#1945)
2022-05-06 13:21:12 -04:00
execution_find_binary.toml
[Rule Tuning] Update Rule Content Changes from Security Docs Team (#1945)
2022-05-06 13:21:12 -04:00
execution_flock_binary.toml
[Rule Tuning] Update Rule Content Changes from Security Docs Team (#1945)
2022-05-06 13:21:12 -04:00
execution_gcc_binary.toml
[Rule Tuning] Update Rule Content Changes from Security Docs Team (#1945)
2022-05-06 13:21:12 -04:00
execution_mysql_binary.toml
[Rule Tuning] Update Rule Content Changes from Security Docs Team (#1945)
2022-05-06 13:21:12 -04:00
execution_nice_binary.toml
Expand timestamp override tests (#1907)
2022-04-01 15:27:08 -08:00
execution_perl_tty_shell.toml
Linux Shell Evasion Rule Tuning (#1878)
2022-03-29 09:16:21 -05:00
execution_process_started_from_process_id_file.toml
[New Rule] Abnormal Process ID File Creation (#1964)
2022-05-12 10:38:27 -04:00
execution_process_started_in_shared_memory_directory.toml
[New Rule] Executable Launched from Shared Memory Directory (#1961)
2022-05-11 12:18:55 -04:00
execution_python_tty_shell.toml
[Rule Tuning] Timeline Templates For Windows and Linux (#1892)
2022-04-01 13:44:35 -04:00
execution_ssh_binary.toml
[Rule Tuning] Update Rule Content Changes from Security Docs Team (#1945)
2022-05-06 13:21:12 -04:00
execution_vi_binary.toml
[Rule Tuning] Update Rule Content Changes from Security Docs Team (#1945)
2022-05-06 13:21:12 -04:00
initial_access_login_failures.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
initial_access_login_location.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
initial_access_login_sessions.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
initial_access_login_time.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
lateral_movement_telnet_network_activity_external.toml
[Rule Tuning] Update network rule address blocks (#1227)
2021-06-15 09:22:59 -04:00
lateral_movement_telnet_network_activity_internal.toml
[Rule Tuning] Update network rule address blocks (#1227)
2021-06-15 09:22:59 -04:00
linux_hping_activity.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
linux_iodine_activity.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
linux_netcat_network_connection.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
linux_nping_activity.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
linux_process_started_in_temp_directory.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
linux_strace_activity.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
persistence_credential_access_modify_ssh_binaries.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
persistence_kde_autostart_modification.toml
Expand timestamp override tests (#1907)
2022-04-01 15:27:08 -08:00
persistence_shell_activity_by_web_server.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
privilege_escalation_ld_preload_shared_object_modif.toml
Refresh ATT&CK mappings to v9.0 (#1401)
2021-08-04 14:16:10 -08:00
privilege_escalation_pkexec_envar_hijack.toml
[Security Content] Update rules based on docs review (#1803)
2022-03-01 21:39:30 -03:00