security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
e4746c3a83d2491ca76265c1e84f603d443c890f
sigma-rules/rules/linux
T
History
Samirbous 245956a8d6 [New] Potential Privilege Escalation in Container via Runc Init (#5964) 
* [New] Potential Privilege Escalation in Container via Runc Init

Identifies audit events for `runc init` child processes where the effective user is root and the login user ID is not root.
This pattern can indicate privilege escalation or credential separation abuse inside container runtimes, where a process executes  with elevated effective privileges while retaining a non-root audit identity.

* Update privilege_escalation_container_runc_init_effective_root_auditd.toml

* Update privilege_escalation_container_runc_init_effective_root_auditd.toml

* Update privilege_escalation_container_runc_init_effective_root_auditd.toml

* Update privilege_escalation_container_runc_init_effective_root_auditd.toml

* Update privilege_escalation_container_runc_init_effective_root_auditd.toml
2026-05-04 22:31:04 +01:00
..
collection_linux_clipboard_activity.toml
[Rule Tuning] agent.id --> host.id new_terms Key Modification (#5802)
2026-03-02 13:24:25 +01:00
collection_potential_audio_recording_activity.toml
[Rule Tuning] agent.id --> host.id new_terms Key Modification (#5802)
2026-03-02 13:24:25 +01:00
collection_potential_video_recording_or_screenshot_activity.toml
[Rule Tuning] agent.id --> host.id new_terms Key Modification (#5802)
2026-03-02 13:24:25 +01:00
command_and_control_auditd_curl_wget_from_container.toml
[New] Curl or Wget Execution from Container Context (#5975)
2026-05-02 11:08:29 +01:00
command_and_control_aws_cli_endpoint_url_used.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
command_and_control_cat_network_activity.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
command_and_control_cupsd_foomatic_rip_netcon.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
command_and_control_curl_socks_proxy_detected.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
command_and_control_frequent_egress_netcon_from_sus_executable.toml
[Rule Tuning] Change event.dataset to data_stream.dataset (#5943)
2026-04-10 12:27:52 -04:00
command_and_control_git_repo_or_file_download_to_sus_dir.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
command_and_control_ip_forwarding_activity.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
command_and_control_linux_chisel_client_activity.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
command_and_control_linux_kworker_netcon.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
command_and_control_linux_proxychains_activity.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
command_and_control_linux_ssh_x11_forwarding.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
command_and_control_linux_suspicious_proxychains_activity.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
command_and_control_linux_tunneling_and_port_forwarding.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
command_and_control_linux_tunneling_via_ssh_option.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
command_and_control_potential_tunneling_command_line.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
command_and_control_suspicious_network_activity_from_unknown_executable.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
command_and_control_telegram_api_request.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
command_and_control_tunneling_via_earthworm.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
credential_access_auditd_sensitive_cloud_and_host_identity_file_open.toml
[New] Sensitive Identity File Open by Suspicious Process via Auditd (#5982)
2026-05-03 11:24:43 +01:00
credential_access_aws_creds_search_inside_container.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
credential_access_collection_sensitive_files_compression_inside_container.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
credential_access_collection_sensitive_files.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
credential_access_credential_dumping.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
credential_access_gdb_init_process_hooking.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
credential_access_gdb_process_hooking.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
credential_access_gh_auth_via_nodejs.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
credential_access_kubernetes_service_account_secret_access.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
credential_access_manual_memory_dumping.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
credential_access_potential_linux_local_account_bruteforce.toml
[Rule Tuning] Change event.dataset to data_stream.dataset (#5943)
2026-04-10 12:27:52 -04:00
credential_access_potential_linux_ssh_bruteforce_external.toml
[Rule Tuning] Linux DR Tuning - 3 (#5483)
2026-01-08 13:32:43 +01:00
credential_access_potential_linux_ssh_bruteforce_internal.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
credential_access_potential_password_spraying_attack.toml
[Rule Tuning] Change event.dataset to data_stream.dataset (#5943)
2026-04-10 12:27:52 -04:00
credential_access_potential_successful_linux_ssh_bruteforce.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
credential_access_proc_credential_dumping.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
credential_access_sensitive_keys_or_passwords_search_inside_container.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
credential_access_ssh_backdoor_log.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
credential_access_ssh_password_grabbing_via_strace.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
credential_access_unusual_instance_metadata_service_api_request.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
defense_evasion_acl_modification_via_setfacl.toml
[Rule Tuning] Linux DR Tuning - 4 (#5484)
2026-01-08 10:11:05 +01:00
defense_evasion_apparmor_exploitation_via_sys_fs.toml
[New Rules] AppArmor Exploitation (CrackArmor) (#5842)
2026-03-23 09:37:42 +01:00
defense_evasion_apparmor_policy_access.toml
[New Rules] AppArmor Exploitation (CrackArmor) (#5842)
2026-03-23 09:37:42 +01:00
defense_evasion_apparmor_policy_violation.toml
[New Rules] AppArmor Exploitation (CrackArmor) (#5842)
2026-03-23 09:37:42 +01:00
defense_evasion_apparmor_profile_compilation.toml
[New Rules] AppArmor Exploitation (CrackArmor) (#5842)
2026-03-23 09:37:42 +01:00
defense_evasion_attempt_to_disable_auditd_service.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
defense_evasion_attempt_to_disable_iptables_or_firewall.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
defense_evasion_attempt_to_disable_syslog_service.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
defense_evasion_authorized_keys_file_deletion.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
defense_evasion_base64_decoding_activity.toml
[Rule Tuning] Change event.dataset to data_stream.dataset (#5943)
2026-04-10 12:27:52 -04:00
defense_evasion_binary_copied_to_suspicious_directory.toml
[Rule Tuning] Linux DR Tuning - 4 (#5484)
2026-01-08 10:11:05 +01:00
defense_evasion_bpf_program_tampering.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
defense_evasion_busybox_indirect_shell_spawn.toml
Add Investigation Guides for Rules (#5357)
2025-11-25 01:08:15 +05:30
defense_evasion_chattr_immutable_file.toml
[Rule Tuning] Linux DR Tuning - 4 (#5484)
2026-01-08 10:11:05 +01:00
defense_evasion_clear_kernel_ring_buffer.toml
[Rule Tuning] Linux DR Tuning - 4 (#5484)
2026-01-08 10:11:05 +01:00
defense_evasion_creation_of_hidden_files_directories.toml
[Rule Tuning] Linux DR Tuning - 4 (#5484)
2026-01-08 10:11:05 +01:00
defense_evasion_curl_or_wget_executed_via_lolbin.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
defense_evasion_directory_creation_in_bin.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
defense_evasion_disable_apparmor_attempt.toml
[Rule Tuning] Potential Disabling of AppArmor - Restore AppArmor service filters (#5574)
2026-01-19 09:19:24 -03:00
defense_evasion_disable_selinux_attempt.toml
[Rule Tuning] Linux DR Tuning - 4 (#5484)
2026-01-08 10:11:05 +01:00
defense_evasion_doas_configuration_creation_or_rename.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
defense_evasion_dynamic_linker_file_creation.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
defense_evasion_esxi_suspicious_timestomp_touch.toml
Prep for Release 9.0 (#4550)
2025-03-20 20:32:07 +05:30
defense_evasion_file_creation_world_writeable_dir_by_unusual_process.toml
[New Rules] False Negatives for New BPFDoor Variants (#5939)
2026-04-22 08:03:32 +02:00
defense_evasion_file_deletion_via_shred.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
defense_evasion_file_mod_writable_dir.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
defense_evasion_hex_payload_execution_via_commandline.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
defense_evasion_hex_payload_execution_via_utility.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
defense_evasion_hidden_directory_creation.toml
[Rule Tuning] Linux DR Tuning - 5 (#5494)
2026-01-07 15:55:06 +01:00
defense_evasion_hidden_file_dir_tmp.toml
[Rule Tuning] Linux DR Tuning - 5 (#5494)
2026-01-07 15:55:06 +01:00
defense_evasion_hidden_shared_object.toml
[Rule Tuning] Linux DR Tuning - 5 (#5494)
2026-01-07 15:55:06 +01:00
defense_evasion_interactive_shell_from_system_user.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
defense_evasion_interpreter_launched_from_decoded_payload.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
defense_evasion_journalctl_clear_logs.toml
[Rule Tuning] Linux DR Tuning - 5 (#5494)
2026-01-07 15:55:06 +01:00
defense_evasion_kernel_module_removal.toml
[Rule Tuning] Linux DR Tuning - 5 (#5494)
2026-01-07 15:55:06 +01:00
defense_evasion_kill_command_executed.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
defense_evasion_kthreadd_masquerading.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
defense_evasion_ld_preload_cmdline.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
defense_evasion_ld_so_creation.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
defense_evasion_log_files_deleted.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
defense_evasion_mount_execution.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
defense_evasion_multi_base64_decoding_attempt.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
defense_evasion_potential_proot_exploits.toml
[Rule Tuning] Linux DR Tuning - 5 (#5494)
2026-01-07 15:55:06 +01:00
defense_evasion_prctl_process_name_tampering.toml
[Rule Tuning] Linux DR Tuning - 5 (#5494)
2026-01-07 15:55:06 +01:00
defense_evasion_rename_esxi_files.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
defense_evasion_root_certificate_installation.toml
[Rule Tuning] Linux DR Tuning - 5 (#5494)
2026-01-07 15:55:06 +01:00
defense_evasion_selinux_configuration_creation_or_renaming.toml
[Rule Tuning] Linux DR Tuning - 5 (#5494)
2026-01-07 15:55:06 +01:00
defense_evasion_shell_history_clearing_via_environment_variables.toml
[New Rules] False Negatives for New BPFDoor Variants (#5939)
2026-04-22 08:03:32 +02:00
defense_evasion_ssl_certificate_deletion.toml
[Rule Tuning] Linux DR Tuning - 5 (#5494)
2026-01-07 15:55:06 +01:00
defense_evasion_sus_utility_executed_via_tmux_or_screen.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
defense_evasion_suspicious_path_mounted.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
defense_evasion_symlink_binary_to_writable_dir.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
defense_evasion_sysctl_kernel_feature_activity.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
defense_evasion_unsual_kill_signal.toml
[Rule Tuning] Linux DR Tuning - 5 (#5494)
2026-01-07 15:55:06 +01:00
defense_evasion_unusual_preload_env_vars.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
defense_evasion_user_or_group_deletion.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
defense_evasion_var_log_file_creation_by_unsual_process.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
discovery_dmidecode_system_discovery.toml
[Rule Tuning] System Information Discovery via dmidecode from Parent Shell (#5732)
2026-02-17 17:49:56 +01:00
discovery_docker_socket_discovery.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
discovery_dynamic_linker_via_od.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
discovery_esxi_software_via_find.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
discovery_esxi_software_via_grep.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
discovery_kernel_instrumentation_discovery_via_kprobes_and_tracefs.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
discovery_kernel_module_enumeration.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
discovery_kernel_seeking.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
discovery_kernel_unpacking.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
discovery_kubeconfig_file_discovery.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
discovery_linux_hping_activity.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
discovery_linux_nping_activity.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
discovery_manual_mount_discovery_via_exports_or_fstab.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
discovery_pam_version_discovery.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
discovery_ping_sweep_detected.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
discovery_polkit_version_discovery.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
discovery_port_scanning_activity_from_compromised_host.toml
[Rule Tuning] Change event.dataset to data_stream.dataset (#5943)
2026-04-10 12:27:52 -04:00
discovery_potential_kubeletctl_execution.toml
[New/Tuning] Direct Kubelet API Access rules (#5996)
2026-05-04 22:18:23 +01:00
discovery_private_key_password_searching_activity.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
discovery_proc_maps_read.toml
[Rule Tuning] Linux DR Tuning - 6 (#5497)
2026-01-08 10:45:32 +01:00
discovery_process_capabilities.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
discovery_security_file_access_via_common_utility.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
discovery_subnet_scanning_activity_from_compromised_host.toml
[Rule Tuning] Change event.dataset to data_stream.dataset (#5943)
2026-04-10 12:27:52 -04:00
discovery_sudo_allowed_command_enumeration.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
discovery_suid_sguid_enumeration.toml
[Rule Tuning] Linux DR Tuning - 6 (#5497)
2026-01-08 10:45:32 +01:00
discovery_suspicious_memory_grep_activity.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
discovery_suspicious_network_tool_launched_inside_container.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
discovery_suspicious_which_command_execution.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
discovery_unusual_process_connection_to_container_runtime_socket.toml
[New] Unusual Process Connection to Docker or Containerd Socket (#6005)
2026-05-02 10:05:09 +01:00
discovery_unusual_user_enumeration_via_id.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
discovery_virtual_machine_fingerprinting.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
discovery_yum_dnf_plugin_detection.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_abnormal_process_id_file_created.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_container_management_binary_launched_inside_container.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_cupsd_foomatic_rip_file_creation.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_cupsd_foomatic_rip_lp_user_execution.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_cupsd_foomatic_rip_shell_execution.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_cupsd_foomatic_rip_suspicious_child_execution.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_egress_connection_from_entrypoint_in_container.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_executable_stack_execution.toml
[Rule Tuning] Change event.dataset to data_stream.dataset (#5943)
2026-04-10 12:27:52 -04:00
execution_file_execution_followed_by_deletion.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_file_made_executable_via_chmod_inside_container.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_file_transfer_or_listener_established_via_netcat.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_interpreter_tty_upgrade.toml
[Rule Tuning] Linux DR Tuning - 7 (#5504)
2026-01-08 11:10:46 +01:00
execution_kubectl_apply_pod_from_url.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_nc_listener_via_rlwrap.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_netcon_from_rwx_mem_region_binary.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_network_event_post_compilation.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_perl_tty_shell.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_potential_hack_tool_executed.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_potentially_overly_permissive_container_creation.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_process_backgrounded_by_unusual_parent.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_process_started_from_process_id_file.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_process_started_in_shared_memory_directory.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_python_tty_shell.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_python_webserver_spawned.toml
[Rule Tuning] Linux DR Tuning - 7 (#5504)
2026-01-08 11:10:46 +01:00
execution_remote_code_execution_via_postgresql.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_shell_evasion_linux_binary.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_shell_openssl_client_or_server.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_shell_via_background_process.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_shell_via_child_tcp_utility_linux.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_shell_via_java_revshell_linux.toml
[Rule Tuning] Linux DR Tuning - 7 (#5504)
2026-01-08 11:10:46 +01:00
execution_shell_via_lolbin_interpreter_linux.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_shell_via_meterpreter_linux.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_shell_via_suspicious_binary.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_shell_via_tcp_cli_utility_linux.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_shell_via_udp_cli_utility_linux.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_sus_extraction_or_decrompression_via_funzip.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_suspicious_executable_running_system_commands.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_suspicious_mining_process_creation_events.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_suspicious_mkfifo_execution.toml
[Rule Tuning] agent.id --> host.id new_terms Key Modification (#5802)
2026-03-02 13:24:25 +01:00
execution_suspicious_pod_or_container_creation_command_execution.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_system_binary_file_permission_change.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_tc_bpf_filter.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_unix_socket_communication.toml
[Rule Tuning] Linux DR Tuning - 7 (#5504)
2026-01-08 11:10:46 +01:00
execution_unknown_rwx_mem_region_binary_executed.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_unusual_interactive_process_inside_container.toml
[Rule Tuning] Linux DR Tuning - 7 (#5504)
2026-01-08 11:10:46 +01:00
execution_unusual_kthreadd_execution.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_unusual_path_invocation_from_command_line.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_unusual_pkexec_execution.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
exfiltration_potential_data_splitting_for_exfiltration.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
exfiltration_potential_database_dumping.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
exfiltration_potential_wget_data_exfiltration.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
exfiltration_unusual_file_transfer_utility_launched.toml
[Rule Tuning] Change event.dataset to data_stream.dataset (#5943)
2026-04-10 12:27:52 -04:00
impact_data_encrypted_via_openssl.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
impact_esxi_process_kill.toml
[Rule Tuning] Linux DR Tuning - 8 (#5505)
2026-01-08 10:01:11 +01:00
impact_memory_swap_modification.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
impact_potential_bruteforce_malware_infection.toml
[Rule Tuning] Change event.dataset to data_stream.dataset (#5943)
2026-04-10 12:27:52 -04:00
impact_potential_linux_ransomware_note_detected.toml
[Rule Tuning] Linux DR Tuning - 8 (#5505)
2026-01-08 10:01:11 +01:00
impact_process_kill_threshold.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
initial_access_apache_struts_cve_2023_50164_exploitation_to_webshell.toml
[Rule Tuning] Fixes for Unsupported Fields (#6025)
2026-05-01 18:01:01 -05:00
initial_access_first_time_public_key_authentication.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
initial_access_successful_ssh_authentication_by_unusual_ip.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
initial_access_successful_ssh_authentication_by_unusual_user.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
initial_access_telnet_auth_bypass_envar_auditd.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
initial_access_telnet_auth_bypass_via_user_envar.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
lateral_movement_direct_kubelet_access_via_process_args.toml
[New/Tuning] Direct Kubelet API Access rules (#5996)
2026-05-04 22:18:23 +01:00
lateral_movement_kubeconfig_file_activity.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
lateral_movement_kubelet_api_connection_attempt_internal_ip.toml
[New/Tuning] Direct Kubelet API Access rules (#5996)
2026-05-04 22:18:23 +01:00
lateral_movement_remote_file_creation_world_writeable_dir.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
lateral_movement_ssh_it_worm_download.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
lateral_movement_telnet_network_activity_external.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
lateral_movement_telnet_network_activity_internal.toml
[Rule Tuning] Linux DR Tuning - 8 (#5505)
2026-01-08 10:01:11 +01:00
lateral_movement_unusual_remote_file_creation.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_apt_package_manager_execution.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_apt_package_manager_file_creation.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_apt_package_manager_netcon.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_at_job_creation.toml
[Rule Tuning] Linux DR Tuning - 9 (#5508)
2026-01-07 16:18:38 +01:00
persistence_boot_file_copy.toml
[Rule Tuning] Linux DR Tuning - 9 (#5508)
2026-01-07 16:18:38 +01:00
persistence_bpf_probe_write_user.toml
[Rule Tuning] Change event.dataset to data_stream.dataset (#5943)
2026-04-10 12:27:52 -04:00
persistence_bpf_program_or_map_load.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_chkconfig_service_add.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_credential_access_modify_ssh_binaries.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_cron_job_creation.toml
[Rule Tuning] Linux DR Tuning - 9 (#5508)
2026-01-07 16:18:38 +01:00
persistence_dbus_service_creation.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_dbus_unsual_daemon_parent_execution.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_dnf_package_manager_plugin_file_creation.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_dpkg_package_installation_from_unusual_parent.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_dpkg_unusual_execution.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_dracut_module_creation.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_dynamic_linker_backup.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_extract_initramfs_via_cpio.toml
[Rule Tuning] Linux DR Tuning - 9 (#5508)
2026-01-07 16:18:38 +01:00
persistence_git_hook_execution.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_git_hook_file_creation.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_git_hook_netcon.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_git_hook_process_execution.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_grub_configuration_creation.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_grub_makeconfig.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_init_d_file_creation.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_insmod_kernel_module_load.toml
[Rule Tuning] Kernel Module Load via Built-in Utility (#5736)
2026-02-23 09:48:12 +01:00
persistence_kde_autostart_modification.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_kernel_driver_load_by_non_root.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_kernel_driver_load.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_kernel_module_load_from_unusual_location.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_kernel_object_file_creation.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_kubernetes_sensitive_file_activity.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_kworker_file_creation.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_linux_backdoor_user_creation.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_linux_group_creation.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_linux_shell_activity_via_web_server.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_linux_user_account_creation.toml
[Rule Tuning] Linux DR Tuning - 9 (#5508)
2026-01-07 16:18:38 +01:00
persistence_linux_user_added_to_privileged_group.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_lkm_configuration_file_creation.toml
[Rule Tuning] Linux DR Tuning - 9 (#5508)
2026-01-07 16:18:38 +01:00
persistence_manual_dracut_execution.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_message_of_the_day_creation.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_message_of_the_day_execution.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_network_manager_dispatcher_persistence.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_openssl_passwd_hash_generation.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_pluggable_authentication_module_creation_in_unusual_dir.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_pluggable_authentication_module_creation.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_pluggable_authentication_module_pam_exec_backdoor_exec.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_pluggable_authentication_module_source_download.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_polkit_policy_creation.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_potential_persistence_script_executable_bit_set.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_process_capability_set_via_setcap.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_pth_file_creation.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_rc_local_error_via_syslog.toml
[Rule Tuning] Change event.dataset to data_stream.dataset (#5943)
2026-04-10 12:27:52 -04:00
persistence_rc_local_service_already_running.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_rc_script_creation.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_rpm_package_installation_from_unusual_parent.toml
[Rule Tuning] Linux DR Tuning - 9 (#5508)
2026-01-07 16:18:38 +01:00
persistence_setuid_setgid_capability_set.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_shadow_file_modification.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_shared_object_creation.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_shell_configuration_modification.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_simple_web_server_connection_accepted.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_simple_web_server_creation.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_site_and_user_customize_file_creation.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_ssh_key_generation.toml
Prep for Release 9.0 (#4550)
2025-03-20 20:32:07 +05:30
persistence_ssh_netcon.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_ssh_via_backdoored_system_user.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_suspicious_file_opened_through_editor.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_suspicious_ssh_execution_xzbackdoor.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_systemd_generator_creation.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_systemd_netcon.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_systemd_scheduled_timer_created.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_systemd_service_creation.toml
[Rule Tuning] Potential snap-confine Privilege Escalation (#5889)
2026-04-02 11:21:09 +02:00
persistence_systemd_service_started.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_systemd_shell_execution.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_tainted_kernel_module_load.toml
[Rule Tuning] Change event.dataset to data_stream.dataset (#5943)
2026-04-10 12:27:52 -04:00
persistence_tainted_kernel_module_out_of_tree_load.toml
[Rule Tuning] Change event.dataset to data_stream.dataset (#5943)
2026-04-10 12:27:52 -04:00
persistence_udev_rule_creation.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_unpack_initramfs_via_unmkinitramfs.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_unusual_exim4_child_process.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_unusual_pam_grantor.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_unusual_sshd_child_process.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_user_credential_modification_via_echo.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_user_or_group_creation_or_modification.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_web_server_sus_child_spawned.toml
[Rule Tuning] Change event.dataset to data_stream.dataset (#5943)
2026-04-10 12:27:52 -04:00
persistence_web_server_sus_command_execution.toml
[Rule Tuning] Change event.dataset to data_stream.dataset (#5943)
2026-04-10 12:27:52 -04:00
persistence_web_server_sus_destination_port.toml
[Rule Tuning] Fixes for Unsupported Fields (#6025)
2026-05-01 18:01:01 -05:00
persistence_web_server_unusual_command_execution.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_xdg_autostart_netcon.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_yum_package_manager_plugin_file_creation.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
privilege_escalation_auditd_euid_root_shell_from_non_standard_path.toml
[New/Tuning] Linux LPE via SUID Shell (#5980)
2026-05-01 10:51:29 +01:00
privilege_escalation_auditd_nsenter_target_host_pid.toml
[New] Nsenter to PID 1 Namespace via Auditd/D4C (#5988)
2026-05-02 14:56:06 +01:00
privilege_escalation_chown_chmod_unauthorized_file_read.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
privilege_escalation_chroot_execution_container_context.toml
[New/Tuning] Chroot Execution in Container Context on Linux (#5992)
2026-05-02 13:45:21 +01:00
privilege_escalation_container_runc_init_effective_root_auditd.toml
[New] Potential Privilege Escalation in Container via Runc Init (#5964)
2026-05-04 22:31:04 +01:00
privilege_escalation_container_util_misconfiguration.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
privilege_escalation_cve_2025_32463_nsswitch_file_creation.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
privilege_escalation_cve_2025_32463_sudo_chroot_execution.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
privilege_escalation_cve_2025_41244_vmtoolsd_lpe.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
privilege_escalation_dac_permissions.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
privilege_escalation_debugfs_launched_inside_container.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
privilege_escalation_docker_escape_via_nsenter.toml
[Rule Tuning] Linux DR Tuning - 11 (#5511)
2026-01-07 16:31:13 +01:00
privilege_escalation_docker_mount_chroot_container_escape.toml
[New/Tuning] Chroot Execution in Container Context on Linux (#5992)
2026-05-02 13:45:21 +01:00
privilege_escalation_docker_release_file_creation.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
privilege_escalation_enlightenment_window_manager.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
privilege_escalation_gdb_sys_ptrace_elevation.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
privilege_escalation_gdb_sys_ptrace_netcon.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
privilege_escalation_kworker_uid_elevation.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
privilege_escalation_ld_preload_shared_object_modif.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
privilege_escalation_linux_suspicious_symbolic_link.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
privilege_escalation_load_and_unload_of_kernel_via_kexec.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
privilege_escalation_looney_tunables_cve_2023_4911.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
privilege_escalation_mount_launched_inside_container.toml
[Rule Tuning] Linux DR Tuning - 11 (#5511)
2026-01-07 16:31:13 +01:00
privilege_escalation_overlayfs_local_privesc.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
privilege_escalation_pkexec_envar_hijack.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
privilege_escalation_potential_bufferoverflow_attack.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
privilege_escalation_potential_copy_fail_cve_2026_31431_exploitation_via_af_alg_socket.toml
[New] Potential Copy Fail (CVE-2026-31431) Exploitation via AF_ALG Socket (#6015)
2026-04-30 12:24:01 -04:00
privilege_escalation_potential_suid_sgid_exploitation.toml
[New/Tuning] Linux LPE via SUID Shell (#5980)
2026-05-01 10:51:29 +01:00
privilege_escalation_potential_suid_sgid_proxy_execution.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
privilege_escalation_potential_wildcard_shell_spawn.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
privilege_escalation_sda_disk_mount_non_root.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
privilege_escalation_shadow_file_read.toml
[Rule Tuning] Linux DR Tuning - 11 (#5511)
2026-01-07 16:31:13 +01:00
privilege_escalation_snap_confine_lpe_via_cve_2026_3888.toml
[Rule Tuning] Potential snap-confine Privilege Escalation (#5889)
2026-04-02 11:21:09 +02:00
privilege_escalation_sudo_cve_2019_14287.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
privilege_escalation_sudo_hijacking.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
privilege_escalation_sudo_token_via_process_injection.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
privilege_escalation_suspicious_cap_setuid_python_execution.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
privilege_escalation_suspicious_chown_fowner_elevation.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
privilege_escalation_suspicious_passwd_file_write.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
privilege_escalation_suspicious_suid_binary_execution.toml
[New] Suspicious SUID Binary Execution (#6018)
2026-04-30 17:38:22 +01:00
privilege_escalation_suspicious_uid_guid_elevation.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
privilege_escalation_uid_change_post_compilation.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
privilege_escalation_uid_elevation_from_unknown_executable.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
privilege_escalation_unshare_namespace_manipulation.toml
[Tuning/New] Namespace Manipulation Using Unshare (#6024)
2026-05-01 15:29:44 +01:00
privilege_escalation_writable_docker_socket.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00