security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
e761beb0a0646efd11f63d1e7263bc0b8a298324
sigma-rules/rules/linux
T
History
ALEXANDER MA COTE bd46e892f1 add "Windows Azure Linux Agent"'s pid file to list (#2328) 
* add "Windows Azure Linux Agent"'s pid file to list

https://learn.microsoft.com/en-us/azure/virtual-machines/extensions/agent-linux
this tool is default installed on azure linux hosts, can resolve my problem as an exception and have but the tool is common enough in cloud environments that it deserves inclusion.

* Update execution_abnormal_process_id_file_created.toml

* Update rules/linux/execution_abnormal_process_id_file_created.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
2022-10-13 16:53:35 -03:00
..
command_and_control_connection_attempt_by_non_ssh_root_session.toml
min_stack all rules to 8.3 (#2259)
2022-08-24 10:38:49 -06:00
command_and_control_linux_iodine_activity.toml
min_stack all rules to 8.3 (#2259)
2022-08-24 10:38:49 -06:00
command_and_control_tunneling_via_earthworm.toml
min_stack all rules to 8.3 (#2259)
2022-08-24 10:38:49 -06:00
credential_access_bruteforce_passowrd_guessing.toml
Add investigation guides (#2326)
2022-09-23 20:18:48 +05:30
credential_access_collection_sensitive_files.toml
min_stack all rules to 8.3 (#2259)
2022-08-24 10:38:49 -06:00
credential_access_potential_linux_ssh_bruteforce_root.toml
Add investigation guides (#2326)
2022-09-23 20:18:48 +05:30
credential_access_potential_linux_ssh_bruteforce.toml
[Rule Tuning] adjust duplicate ssh brute force rule names and add unit test (#2321)
2022-09-26 10:04:38 -04:00
credential_access_ssh_backdoor_log.toml
min_stack all rules to 8.3 (#2259)
2022-08-24 10:38:49 -06:00
defense_evasion_attempt_to_disable_syslog_service.toml
min_stack all rules to 8.3 (#2259)
2022-08-24 10:38:49 -06:00
defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml
min_stack all rules to 8.3 (#2259)
2022-08-24 10:38:49 -06:00
defense_evasion_chattr_immutable_file.toml
min_stack all rules to 8.3 (#2259)
2022-08-24 10:38:49 -06:00
defense_evasion_disable_selinux_attempt.toml
min_stack all rules to 8.3 (#2259)
2022-08-24 10:38:49 -06:00
defense_evasion_file_deletion_via_shred.toml
min_stack all rules to 8.3 (#2259)
2022-08-24 10:38:49 -06:00
defense_evasion_file_mod_writable_dir.toml
min_stack all rules to 8.3 (#2259)
2022-08-24 10:38:49 -06:00
defense_evasion_hidden_file_dir_tmp.toml
min_stack all rules to 8.3 (#2259)
2022-08-24 10:38:49 -06:00
defense_evasion_hidden_shared_object.toml
min_stack all rules to 8.3 (#2259)
2022-08-24 10:38:49 -06:00
defense_evasion_kernel_module_removal.toml
min_stack all rules to 8.3 (#2259)
2022-08-24 10:38:49 -06:00
defense_evasion_log_files_deleted.toml
min_stack all rules to 8.3 (#2259)
2022-08-24 10:38:49 -06:00
discovery_kernel_module_enumeration.toml
min_stack all rules to 8.3 (#2259)
2022-08-24 10:38:49 -06:00
discovery_linux_hping_activity.toml
min_stack all rules to 8.3 (#2259)
2022-08-24 10:38:49 -06:00
discovery_linux_nping_activity.toml
min_stack all rules to 8.3 (#2259)
2022-08-24 10:38:49 -06:00
discovery_virtual_machine_fingerprinting.toml
min_stack all rules to 8.3 (#2259)
2022-08-24 10:38:49 -06:00
execution_abnormal_process_id_file_created.toml
add "Windows Azure Linux Agent"'s pid file to list (#2328)
2022-10-13 16:53:35 -03:00
execution_linux_netcat_network_connection.toml
[Security Content] Add missing "has_guide" tag (#2349)
2022-10-11 06:30:19 -07:00
execution_perl_tty_shell.toml
min_stack all rules to 8.3 (#2259)
2022-08-24 10:38:49 -06:00
execution_process_started_from_process_id_file.toml
min_stack all rules to 8.3 (#2259)
2022-08-24 10:38:49 -06:00
execution_process_started_in_shared_memory_directory.toml
min_stack all rules to 8.3 (#2259)
2022-08-24 10:38:49 -06:00
execution_python_tty_shell.toml
min_stack all rules to 8.3 (#2259)
2022-08-24 10:38:49 -06:00
execution_shell_evasion_linux_binary.toml
min_stack all rules to 8.3 (#2259)
2022-08-24 10:38:49 -06:00
execution_tc_bpf_filter.toml
min_stack all rules to 8.3 (#2259)
2022-08-24 10:38:49 -06:00
impact_process_kill_threshold.toml
[Security Content] Tag rules with robust Investigation Guides (#2297)
2022-09-23 14:20:32 -03:00
lateral_movement_telnet_network_activity_external.toml
min_stack all rules to 8.3 (#2259)
2022-08-24 10:38:49 -06:00
lateral_movement_telnet_network_activity_internal.toml
min_stack all rules to 8.3 (#2259)
2022-08-24 10:38:49 -06:00
persistence_chkconfig_service_add.toml
min_stack all rules to 8.3 (#2259)
2022-08-24 10:38:49 -06:00
persistence_credential_access_modify_ssh_binaries.toml
min_stack all rules to 8.3 (#2259)
2022-08-24 10:38:49 -06:00
persistence_dynamic_linker_backup.toml
min_stack all rules to 8.3 (#2259)
2022-08-24 10:38:49 -06:00
persistence_etc_file_creation.toml
min_stack all rules to 8.3 (#2259)
2022-08-24 10:38:49 -06:00
persistence_insmod_kernel_module_load.toml
min_stack all rules to 8.3 (#2259)
2022-08-24 10:38:49 -06:00
persistence_kde_autostart_modification.toml
min_stack all rules to 8.3 (#2259)
2022-08-24 10:38:49 -06:00
persistence_shell_activity_by_web_server.toml
[Security Content] Add missing "has_guide" tag (#2349)
2022-10-11 06:30:19 -07:00
privilege_escalation_ld_preload_shared_object_modif.toml
min_stack all rules to 8.3 (#2259)
2022-08-24 10:38:49 -06:00
privilege_escalation_pkexec_envar_hijack.toml
min_stack all rules to 8.3 (#2259)
2022-08-24 10:38:49 -06:00
privilege_escalation_shadow_file_read.toml
[New Rule] Linux rule(s) to detect namespace manipulation,shadow file read (#2283)
2022-09-14 22:01:46 +05:30
privilege_escalation_unshare_namesapce_manipulation.toml
[New Rule] Linux rule(s) to detect namespace manipulation,shadow file read (#2283)
2022-09-14 22:01:46 +05:30