security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
cbbac02b5671443fb2e6b86ed9446ecd0afa15c0
sigma-rules/rules/cross-platform
T
History
Isai 2289fd6496 [New Rule] Masquerading Space After Filename (#2368) 
* Create defense_evasion_masquerading_space_after_filename.toml

new rule toml

* Update defense_evasion_masquerading_space_after_filename.toml

toml-lint the file

* Moved to cross-platform folder

moved to cross-platform folder

* update query to specify OS

added filter for host OS to query ```host.os.type:("linux","macos")```

* Update rule query: regex and process.executable

update rule query to use regex instead of wildcards and alert on process.executable instead of process.args and process.name to reduce noise.

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
2022-11-15 09:54:46 -05:00
..
command_and_control_non_standard_ssh_port.toml
Rule to Identify Non-Standard Port connection(s) (#2365)
2022-11-15 20:13:12 +05:30
credential_access_cookies_chromium_browsers_debugging.toml
min_stack all rules to 8.3 (#2259)
2022-08-24 10:38:49 -06:00
defense_evasion_agent_spoofing_mismatched_id.toml
min_stack all rules to 8.3 (#2259)
2022-08-24 10:38:49 -06:00
defense_evasion_agent_spoofing_multiple_hosts.toml
min_stack all rules to 8.3 (#2259)
2022-08-24 10:38:49 -06:00
defense_evasion_deleting_websvr_access_logs.toml
min_stack all rules to 8.3 (#2259)
2022-08-24 10:38:49 -06:00
defense_evasion_deletion_of_bash_command_line_history.toml
min_stack all rules to 8.3 (#2259)
2022-08-24 10:38:49 -06:00
defense_evasion_elastic_agent_service_terminated.toml
min_stack all rules to 8.3 (#2259)
2022-08-24 10:38:49 -06:00
defense_evasion_masquerading_space_after_filename.toml
[New Rule] Masquerading Space After Filename (#2368)
2022-11-15 09:54:46 -05:00
defense_evasion_timestomp_touch.toml
min_stack all rules to 8.3 (#2259)
2022-08-24 10:38:49 -06:00
discovery_security_software_grep.toml
[Security Content] Add missing "has_guide" tag (#2349)
2022-10-11 06:30:19 -07:00
discovery_virtual_machine_fingerprinting_grep.toml
min_stack all rules to 8.3 (#2259)
2022-08-24 10:38:49 -06:00
execution_pentest_eggshell_remote_admin_tool.toml
min_stack all rules to 8.3 (#2259)
2022-08-24 10:38:49 -06:00
execution_python_script_in_cmdline.toml
min_stack all rules to 8.3 (#2259)
2022-08-24 10:38:49 -06:00
execution_revershell_via_shell_cmd.toml
[Security Content] Add missing "has_guide" tag (#2349)
2022-10-11 06:30:19 -07:00
execution_suspicious_jar_child_process.toml
[Rule Tuning] Link Elastic Security Labs content to compatible rules (#2388)
2022-11-07 15:17:49 -05:00
execution_suspicious_java_netcon_childproc.toml
[Rule Tuning] Link Elastic Security Labs content to compatible rules (#2388)
2022-11-07 15:17:49 -05:00
guided_onborading_sample_rule.toml
[Guided Onboarding] Sample Rule for SIEM onboarding (#2324)
2022-10-18 09:46:41 -03:00
impact_hosts_file_modified.toml
[Security Content] Add missing "has_guide" tag (#2349)
2022-10-11 06:30:19 -07:00
initial_access_zoom_meeting_with_no_passcode.toml
min_stack all rules to 8.3 (#2259)
2022-08-24 10:38:49 -06:00
persistence_credential_access_modify_auth_module_or_config.toml
min_stack all rules to 8.3 (#2259)
2022-08-24 10:38:49 -06:00
persistence_shell_profile_modification.toml
min_stack all rules to 8.3 (#2259)
2022-08-24 10:38:49 -06:00
persistence_ssh_authorized_keys_modification.toml
min_stack all rules to 8.3 (#2259)
2022-08-24 10:38:49 -06:00
privilege_escalation_echo_nopasswd_sudoers.toml
min_stack all rules to 8.3 (#2259)
2022-08-24 10:38:49 -06:00
privilege_escalation_setuid_setgid_bit_set_via_chmod.toml
min_stack all rules to 8.3 (#2259)
2022-08-24 10:38:49 -06:00
privilege_escalation_sudo_buffer_overflow.toml
min_stack all rules to 8.3 (#2259)
2022-08-24 10:38:49 -06:00
privilege_escalation_sudoers_file_mod.toml
min_stack all rules to 8.3 (#2259)
2022-08-24 10:38:49 -06:00
threat_intel_filebeat8x.toml
[Security Content] Tag rules with robust Investigation Guides (#2297)
2022-09-23 14:20:32 -03:00
threat_intel_fleet_integrations.toml
[Security Content] Tag rules with robust Investigation Guides (#2297)
2022-09-23 14:20:32 -03:00