security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
eb32e7a2424dd9f597917bd7d7473f8c29dde6c1
sigma-rules/rules/linux
T
History
Samirbous f0467c8bed [New] Suspicious SUID Binary Execution (#6018) 
* [New] Suspicious SUDI Binary Execution

Detects execution of common privilege elevation helpers (su, sudo, pkexec, passwd, chsh, newgrp) under the root effective user when the real user and parent user are not root, combined with minimal argument counts and suspicious parent context (interpreters, short shell -c invocations, or parents running from user-writable paths) :

* Update rules/linux/privilege_escalation_suspicious_sudi_binary_execution.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Update rules/linux/privilege_escalation_suspicious_sudi_binary_execution.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Update privilege_escalation_suspicious_sudi_binary_execution.toml

* Update privilege_escalation_suspicious_sudi_binary_execution.toml

* Rename privilege_escalation_suspicious_sudi_binary_execution.toml to privilege_escalation_suspicious_suid_binary_execution.toml

* Update privilege_escalation_suspicious_suid_binary_execution.toml

* Update privilege_escalation_suspicious_suid_binary_execution.toml

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
2026-04-30 17:38:22 +01:00
..
collection_linux_clipboard_activity.toml
[Rule Tuning] agent.id --> host.id new_terms Key Modification (#5802)
2026-03-02 13:24:25 +01:00
collection_potential_audio_recording_activity.toml
[Rule Tuning] agent.id --> host.id new_terms Key Modification (#5802)
2026-03-02 13:24:25 +01:00
collection_potential_video_recording_or_screenshot_activity.toml
[Rule Tuning] agent.id --> host.id new_terms Key Modification (#5802)
2026-03-02 13:24:25 +01:00
command_and_control_aws_cli_endpoint_url_used.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
command_and_control_cat_network_activity.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
command_and_control_cupsd_foomatic_rip_netcon.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
command_and_control_curl_socks_proxy_detected.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
command_and_control_frequent_egress_netcon_from_sus_executable.toml
[Rule Tuning] Change event.dataset to data_stream.dataset (#5943)
2026-04-10 12:27:52 -04:00
command_and_control_git_repo_or_file_download_to_sus_dir.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
command_and_control_ip_forwarding_activity.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
command_and_control_linux_chisel_client_activity.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
command_and_control_linux_kworker_netcon.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
command_and_control_linux_proxychains_activity.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
command_and_control_linux_ssh_x11_forwarding.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
command_and_control_linux_suspicious_proxychains_activity.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
command_and_control_linux_tunneling_and_port_forwarding.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
command_and_control_linux_tunneling_via_ssh_option.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
command_and_control_potential_tunneling_command_line.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
command_and_control_suspicious_network_activity_from_unknown_executable.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
command_and_control_telegram_api_request.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
command_and_control_tunneling_via_earthworm.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
credential_access_aws_creds_search_inside_container.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
credential_access_collection_sensitive_files_compression_inside_container.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
credential_access_collection_sensitive_files.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
credential_access_credential_dumping.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
credential_access_gdb_init_process_hooking.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
credential_access_gdb_process_hooking.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
credential_access_gh_auth_via_nodejs.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
credential_access_kubernetes_service_account_secret_access.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
credential_access_manual_memory_dumping.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
credential_access_potential_linux_local_account_bruteforce.toml
[Rule Tuning] Change event.dataset to data_stream.dataset (#5943)
2026-04-10 12:27:52 -04:00
credential_access_potential_linux_ssh_bruteforce_external.toml
[Rule Tuning] Linux DR Tuning - 3 (#5483)
2026-01-08 13:32:43 +01:00
credential_access_potential_linux_ssh_bruteforce_internal.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
credential_access_potential_password_spraying_attack.toml
[Rule Tuning] Change event.dataset to data_stream.dataset (#5943)
2026-04-10 12:27:52 -04:00
credential_access_potential_successful_linux_ssh_bruteforce.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
credential_access_proc_credential_dumping.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
credential_access_sensitive_keys_or_passwords_search_inside_container.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
credential_access_ssh_backdoor_log.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
credential_access_ssh_password_grabbing_via_strace.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
credential_access_unusual_instance_metadata_service_api_request.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
defense_evasion_acl_modification_via_setfacl.toml
[Rule Tuning] Linux DR Tuning - 4 (#5484)
2026-01-08 10:11:05 +01:00
defense_evasion_apparmor_exploitation_via_sys_fs.toml
[New Rules] AppArmor Exploitation (CrackArmor) (#5842)
2026-03-23 09:37:42 +01:00
defense_evasion_apparmor_policy_access.toml
[New Rules] AppArmor Exploitation (CrackArmor) (#5842)
2026-03-23 09:37:42 +01:00
defense_evasion_apparmor_policy_violation.toml
[New Rules] AppArmor Exploitation (CrackArmor) (#5842)
2026-03-23 09:37:42 +01:00
defense_evasion_apparmor_profile_compilation.toml
[New Rules] AppArmor Exploitation (CrackArmor) (#5842)
2026-03-23 09:37:42 +01:00
defense_evasion_attempt_to_disable_auditd_service.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
defense_evasion_attempt_to_disable_iptables_or_firewall.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
defense_evasion_attempt_to_disable_syslog_service.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
defense_evasion_authorized_keys_file_deletion.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
defense_evasion_base64_decoding_activity.toml
[Rule Tuning] Change event.dataset to data_stream.dataset (#5943)
2026-04-10 12:27:52 -04:00
defense_evasion_binary_copied_to_suspicious_directory.toml
[Rule Tuning] Linux DR Tuning - 4 (#5484)
2026-01-08 10:11:05 +01:00
defense_evasion_bpf_program_tampering.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
defense_evasion_busybox_indirect_shell_spawn.toml
Add Investigation Guides for Rules (#5357)
2025-11-25 01:08:15 +05:30
defense_evasion_chattr_immutable_file.toml
[Rule Tuning] Linux DR Tuning - 4 (#5484)
2026-01-08 10:11:05 +01:00
defense_evasion_clear_kernel_ring_buffer.toml
[Rule Tuning] Linux DR Tuning - 4 (#5484)
2026-01-08 10:11:05 +01:00
defense_evasion_creation_of_hidden_files_directories.toml
[Rule Tuning] Linux DR Tuning - 4 (#5484)
2026-01-08 10:11:05 +01:00
defense_evasion_curl_or_wget_executed_via_lolbin.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
defense_evasion_directory_creation_in_bin.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
defense_evasion_disable_apparmor_attempt.toml
[Rule Tuning] Potential Disabling of AppArmor - Restore AppArmor service filters (#5574)
2026-01-19 09:19:24 -03:00
defense_evasion_disable_selinux_attempt.toml
[Rule Tuning] Linux DR Tuning - 4 (#5484)
2026-01-08 10:11:05 +01:00
defense_evasion_doas_configuration_creation_or_rename.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
defense_evasion_dynamic_linker_file_creation.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
defense_evasion_esxi_suspicious_timestomp_touch.toml
Prep for Release 9.0 (#4550)
2025-03-20 20:32:07 +05:30
defense_evasion_file_creation_world_writeable_dir_by_unusual_process.toml
[New Rules] False Negatives for New BPFDoor Variants (#5939)
2026-04-22 08:03:32 +02:00
defense_evasion_file_deletion_via_shred.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
defense_evasion_file_mod_writable_dir.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
defense_evasion_hex_payload_execution_via_commandline.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
defense_evasion_hex_payload_execution_via_utility.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
defense_evasion_hidden_directory_creation.toml
[Rule Tuning] Linux DR Tuning - 5 (#5494)
2026-01-07 15:55:06 +01:00
defense_evasion_hidden_file_dir_tmp.toml
[Rule Tuning] Linux DR Tuning - 5 (#5494)
2026-01-07 15:55:06 +01:00
defense_evasion_hidden_shared_object.toml
[Rule Tuning] Linux DR Tuning - 5 (#5494)
2026-01-07 15:55:06 +01:00
defense_evasion_interactive_shell_from_system_user.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
defense_evasion_interpreter_launched_from_decoded_payload.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
defense_evasion_journalctl_clear_logs.toml
[Rule Tuning] Linux DR Tuning - 5 (#5494)
2026-01-07 15:55:06 +01:00
defense_evasion_kernel_module_removal.toml
[Rule Tuning] Linux DR Tuning - 5 (#5494)
2026-01-07 15:55:06 +01:00
defense_evasion_kill_command_executed.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
defense_evasion_kthreadd_masquerading.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
defense_evasion_ld_preload_cmdline.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
defense_evasion_ld_so_creation.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
defense_evasion_log_files_deleted.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
defense_evasion_mount_execution.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
defense_evasion_multi_base64_decoding_attempt.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
defense_evasion_potential_proot_exploits.toml
[Rule Tuning] Linux DR Tuning - 5 (#5494)
2026-01-07 15:55:06 +01:00
defense_evasion_prctl_process_name_tampering.toml
[Rule Tuning] Linux DR Tuning - 5 (#5494)
2026-01-07 15:55:06 +01:00
defense_evasion_rename_esxi_files.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
defense_evasion_root_certificate_installation.toml
[Rule Tuning] Linux DR Tuning - 5 (#5494)
2026-01-07 15:55:06 +01:00
defense_evasion_selinux_configuration_creation_or_renaming.toml
[Rule Tuning] Linux DR Tuning - 5 (#5494)
2026-01-07 15:55:06 +01:00
defense_evasion_shell_history_clearing_via_environment_variables.toml
[New Rules] False Negatives for New BPFDoor Variants (#5939)
2026-04-22 08:03:32 +02:00
defense_evasion_ssl_certificate_deletion.toml
[Rule Tuning] Linux DR Tuning - 5 (#5494)
2026-01-07 15:55:06 +01:00
defense_evasion_sus_utility_executed_via_tmux_or_screen.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
defense_evasion_suspicious_path_mounted.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
defense_evasion_symlink_binary_to_writable_dir.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
defense_evasion_sysctl_kernel_feature_activity.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
defense_evasion_unsual_kill_signal.toml
[Rule Tuning] Linux DR Tuning - 5 (#5494)
2026-01-07 15:55:06 +01:00
defense_evasion_unusual_preload_env_vars.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
defense_evasion_user_or_group_deletion.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
defense_evasion_var_log_file_creation_by_unsual_process.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
discovery_dmidecode_system_discovery.toml
[Rule Tuning] System Information Discovery via dmidecode from Parent Shell (#5732)
2026-02-17 17:49:56 +01:00
discovery_docker_socket_discovery.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
discovery_dynamic_linker_via_od.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
discovery_esxi_software_via_find.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
discovery_esxi_software_via_grep.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
discovery_kernel_instrumentation_discovery_via_kprobes_and_tracefs.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
discovery_kernel_module_enumeration.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
discovery_kernel_seeking.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
discovery_kernel_unpacking.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
discovery_kubeconfig_file_discovery.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
discovery_linux_hping_activity.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
discovery_linux_nping_activity.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
discovery_manual_mount_discovery_via_exports_or_fstab.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
discovery_pam_version_discovery.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
discovery_ping_sweep_detected.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
discovery_polkit_version_discovery.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
discovery_port_scanning_activity_from_compromised_host.toml
[Rule Tuning] Change event.dataset to data_stream.dataset (#5943)
2026-04-10 12:27:52 -04:00
discovery_private_key_password_searching_activity.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
discovery_proc_maps_read.toml
[Rule Tuning] Linux DR Tuning - 6 (#5497)
2026-01-08 10:45:32 +01:00
discovery_process_capabilities.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
discovery_security_file_access_via_common_utility.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
discovery_subnet_scanning_activity_from_compromised_host.toml
[Rule Tuning] Change event.dataset to data_stream.dataset (#5943)
2026-04-10 12:27:52 -04:00
discovery_sudo_allowed_command_enumeration.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
discovery_suid_sguid_enumeration.toml
[Rule Tuning] Linux DR Tuning - 6 (#5497)
2026-01-08 10:45:32 +01:00
discovery_suspicious_memory_grep_activity.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
discovery_suspicious_network_tool_launched_inside_container.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
discovery_suspicious_which_command_execution.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
discovery_unusual_user_enumeration_via_id.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
discovery_virtual_machine_fingerprinting.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
discovery_yum_dnf_plugin_detection.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_abnormal_process_id_file_created.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_container_management_binary_launched_inside_container.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_cupsd_foomatic_rip_file_creation.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_cupsd_foomatic_rip_lp_user_execution.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_cupsd_foomatic_rip_shell_execution.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_cupsd_foomatic_rip_suspicious_child_execution.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_egress_connection_from_entrypoint_in_container.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_executable_stack_execution.toml
[Rule Tuning] Change event.dataset to data_stream.dataset (#5943)
2026-04-10 12:27:52 -04:00
execution_file_execution_followed_by_deletion.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_file_made_executable_via_chmod_inside_container.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_file_transfer_or_listener_established_via_netcat.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_interpreter_tty_upgrade.toml
[Rule Tuning] Linux DR Tuning - 7 (#5504)
2026-01-08 11:10:46 +01:00
execution_kubectl_apply_pod_from_url.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_nc_listener_via_rlwrap.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_netcon_from_rwx_mem_region_binary.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_network_event_post_compilation.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_perl_tty_shell.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_potential_hack_tool_executed.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_potentially_overly_permissive_container_creation.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_process_backgrounded_by_unusual_parent.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_process_started_from_process_id_file.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_process_started_in_shared_memory_directory.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_python_tty_shell.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_python_webserver_spawned.toml
[Rule Tuning] Linux DR Tuning - 7 (#5504)
2026-01-08 11:10:46 +01:00
execution_remote_code_execution_via_postgresql.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_shell_evasion_linux_binary.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_shell_openssl_client_or_server.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_shell_via_background_process.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_shell_via_child_tcp_utility_linux.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_shell_via_java_revshell_linux.toml
[Rule Tuning] Linux DR Tuning - 7 (#5504)
2026-01-08 11:10:46 +01:00
execution_shell_via_lolbin_interpreter_linux.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_shell_via_meterpreter_linux.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_shell_via_suspicious_binary.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_shell_via_tcp_cli_utility_linux.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_shell_via_udp_cli_utility_linux.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_sus_extraction_or_decrompression_via_funzip.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_suspicious_executable_running_system_commands.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_suspicious_mining_process_creation_events.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_suspicious_mkfifo_execution.toml
[Rule Tuning] agent.id --> host.id new_terms Key Modification (#5802)
2026-03-02 13:24:25 +01:00
execution_suspicious_pod_or_container_creation_command_execution.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_system_binary_file_permission_change.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_tc_bpf_filter.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_unix_socket_communication.toml
[Rule Tuning] Linux DR Tuning - 7 (#5504)
2026-01-08 11:10:46 +01:00
execution_unknown_rwx_mem_region_binary_executed.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_unusual_interactive_process_inside_container.toml
[Rule Tuning] Linux DR Tuning - 7 (#5504)
2026-01-08 11:10:46 +01:00
execution_unusual_kthreadd_execution.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_unusual_path_invocation_from_command_line.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
execution_unusual_pkexec_execution.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
exfiltration_potential_data_splitting_for_exfiltration.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
exfiltration_potential_database_dumping.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
exfiltration_potential_wget_data_exfiltration.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
exfiltration_unusual_file_transfer_utility_launched.toml
[Rule Tuning] Change event.dataset to data_stream.dataset (#5943)
2026-04-10 12:27:52 -04:00
impact_data_encrypted_via_openssl.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
impact_esxi_process_kill.toml
[Rule Tuning] Linux DR Tuning - 8 (#5505)
2026-01-08 10:01:11 +01:00
impact_memory_swap_modification.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
impact_potential_bruteforce_malware_infection.toml
[Rule Tuning] Change event.dataset to data_stream.dataset (#5943)
2026-04-10 12:27:52 -04:00
impact_potential_linux_ransomware_note_detected.toml
[Rule Tuning] Linux DR Tuning - 8 (#5505)
2026-01-08 10:01:11 +01:00
impact_process_kill_threshold.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
initial_access_apache_struts_cve_2023_50164_exploitation_to_webshell.toml
[Rule Tuning] Change event.dataset to data_stream.dataset (#5943)
2026-04-10 12:27:52 -04:00
initial_access_first_time_public_key_authentication.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
initial_access_successful_ssh_authentication_by_unusual_ip.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
initial_access_successful_ssh_authentication_by_unusual_user.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
initial_access_telnet_auth_bypass_envar_auditd.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
initial_access_telnet_auth_bypass_via_user_envar.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
lateral_movement_kubeconfig_file_activity.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
lateral_movement_remote_file_creation_world_writeable_dir.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
lateral_movement_ssh_it_worm_download.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
lateral_movement_telnet_network_activity_external.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
lateral_movement_telnet_network_activity_internal.toml
[Rule Tuning] Linux DR Tuning - 8 (#5505)
2026-01-08 10:01:11 +01:00
lateral_movement_unusual_remote_file_creation.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_apt_package_manager_execution.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_apt_package_manager_file_creation.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_apt_package_manager_netcon.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_at_job_creation.toml
[Rule Tuning] Linux DR Tuning - 9 (#5508)
2026-01-07 16:18:38 +01:00
persistence_boot_file_copy.toml
[Rule Tuning] Linux DR Tuning - 9 (#5508)
2026-01-07 16:18:38 +01:00
persistence_bpf_probe_write_user.toml
[Rule Tuning] Change event.dataset to data_stream.dataset (#5943)
2026-04-10 12:27:52 -04:00
persistence_bpf_program_or_map_load.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_chkconfig_service_add.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_credential_access_modify_ssh_binaries.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_cron_job_creation.toml
[Rule Tuning] Linux DR Tuning - 9 (#5508)
2026-01-07 16:18:38 +01:00
persistence_dbus_service_creation.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_dbus_unsual_daemon_parent_execution.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_dnf_package_manager_plugin_file_creation.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_dpkg_package_installation_from_unusual_parent.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_dpkg_unusual_execution.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_dracut_module_creation.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_dynamic_linker_backup.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_extract_initramfs_via_cpio.toml
[Rule Tuning] Linux DR Tuning - 9 (#5508)
2026-01-07 16:18:38 +01:00
persistence_git_hook_execution.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_git_hook_file_creation.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_git_hook_netcon.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_git_hook_process_execution.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_grub_configuration_creation.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_grub_makeconfig.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_init_d_file_creation.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_insmod_kernel_module_load.toml
[Rule Tuning] Kernel Module Load via Built-in Utility (#5736)
2026-02-23 09:48:12 +01:00
persistence_kde_autostart_modification.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_kernel_driver_load_by_non_root.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_kernel_driver_load.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_kernel_module_load_from_unusual_location.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_kernel_object_file_creation.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_kubernetes_sensitive_file_activity.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_kworker_file_creation.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_linux_backdoor_user_creation.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_linux_group_creation.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_linux_shell_activity_via_web_server.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_linux_user_account_creation.toml
[Rule Tuning] Linux DR Tuning - 9 (#5508)
2026-01-07 16:18:38 +01:00
persistence_linux_user_added_to_privileged_group.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_lkm_configuration_file_creation.toml
[Rule Tuning] Linux DR Tuning - 9 (#5508)
2026-01-07 16:18:38 +01:00
persistence_manual_dracut_execution.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_message_of_the_day_creation.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_message_of_the_day_execution.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_network_manager_dispatcher_persistence.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_openssl_passwd_hash_generation.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_pluggable_authentication_module_creation_in_unusual_dir.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_pluggable_authentication_module_creation.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_pluggable_authentication_module_pam_exec_backdoor_exec.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_pluggable_authentication_module_source_download.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_polkit_policy_creation.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_potential_persistence_script_executable_bit_set.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_process_capability_set_via_setcap.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_pth_file_creation.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_rc_local_error_via_syslog.toml
[Rule Tuning] Change event.dataset to data_stream.dataset (#5943)
2026-04-10 12:27:52 -04:00
persistence_rc_local_service_already_running.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_rc_script_creation.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_rpm_package_installation_from_unusual_parent.toml
[Rule Tuning] Linux DR Tuning - 9 (#5508)
2026-01-07 16:18:38 +01:00
persistence_setuid_setgid_capability_set.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_shadow_file_modification.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_shared_object_creation.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_shell_configuration_modification.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_simple_web_server_connection_accepted.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_simple_web_server_creation.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_site_and_user_customize_file_creation.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_ssh_key_generation.toml
Prep for Release 9.0 (#4550)
2025-03-20 20:32:07 +05:30
persistence_ssh_netcon.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_ssh_via_backdoored_system_user.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_suspicious_file_opened_through_editor.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_suspicious_ssh_execution_xzbackdoor.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_systemd_generator_creation.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_systemd_netcon.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_systemd_scheduled_timer_created.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_systemd_service_creation.toml
[Rule Tuning] Potential snap-confine Privilege Escalation (#5889)
2026-04-02 11:21:09 +02:00
persistence_systemd_service_started.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_systemd_shell_execution.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_tainted_kernel_module_load.toml
[Rule Tuning] Change event.dataset to data_stream.dataset (#5943)
2026-04-10 12:27:52 -04:00
persistence_tainted_kernel_module_out_of_tree_load.toml
[Rule Tuning] Change event.dataset to data_stream.dataset (#5943)
2026-04-10 12:27:52 -04:00
persistence_udev_rule_creation.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_unpack_initramfs_via_unmkinitramfs.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_unusual_exim4_child_process.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_unusual_pam_grantor.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_unusual_sshd_child_process.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_user_credential_modification_via_echo.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_user_or_group_creation_or_modification.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_web_server_sus_child_spawned.toml
[Rule Tuning] Change event.dataset to data_stream.dataset (#5943)
2026-04-10 12:27:52 -04:00
persistence_web_server_sus_command_execution.toml
[Rule Tuning] Change event.dataset to data_stream.dataset (#5943)
2026-04-10 12:27:52 -04:00
persistence_web_server_sus_destination_port.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_web_server_unusual_command_execution.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_xdg_autostart_netcon.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
persistence_yum_package_manager_plugin_file_creation.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
privilege_escalation_chown_chmod_unauthorized_file_read.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
privilege_escalation_container_util_misconfiguration.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
privilege_escalation_cve_2025_32463_nsswitch_file_creation.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
privilege_escalation_cve_2025_32463_sudo_chroot_execution.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
privilege_escalation_cve_2025_41244_vmtoolsd_lpe.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
privilege_escalation_dac_permissions.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
privilege_escalation_debugfs_launched_inside_container.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
privilege_escalation_docker_escape_via_nsenter.toml
[Rule Tuning] Linux DR Tuning - 11 (#5511)
2026-01-07 16:31:13 +01:00
privilege_escalation_docker_mount_chroot_container_escape.toml
[Rule Tuning] Adds Crowdstrike Compatibility to Linux Process Rules (#5232)
2025-11-10 16:03:39 +01:00
privilege_escalation_docker_release_file_creation.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
privilege_escalation_enlightenment_window_manager.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
privilege_escalation_gdb_sys_ptrace_elevation.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
privilege_escalation_gdb_sys_ptrace_netcon.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
privilege_escalation_kworker_uid_elevation.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
privilege_escalation_ld_preload_shared_object_modif.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
privilege_escalation_linux_suspicious_symbolic_link.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
privilege_escalation_load_and_unload_of_kernel_via_kexec.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
privilege_escalation_looney_tunables_cve_2023_4911.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
privilege_escalation_mount_launched_inside_container.toml
[Rule Tuning] Linux DR Tuning - 11 (#5511)
2026-01-07 16:31:13 +01:00
privilege_escalation_overlayfs_local_privesc.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
privilege_escalation_pkexec_envar_hijack.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
privilege_escalation_potential_bufferoverflow_attack.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
privilege_escalation_potential_copy_fail_cve_2026_31431_exploitation_via_af_alg_socket.toml
[New] Potential Copy Fail (CVE-2026-31431) Exploitation via AF_ALG Socket (#6015)
2026-04-30 12:24:01 -04:00
privilege_escalation_potential_suid_sgid_exploitation.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
privilege_escalation_potential_suid_sgid_proxy_execution.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
privilege_escalation_potential_wildcard_shell_spawn.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
privilege_escalation_sda_disk_mount_non_root.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
privilege_escalation_shadow_file_read.toml
[Rule Tuning] Linux DR Tuning - 11 (#5511)
2026-01-07 16:31:13 +01:00
privilege_escalation_snap_confine_lpe_via_cve_2026_3888.toml
[Rule Tuning] Potential snap-confine Privilege Escalation (#5889)
2026-04-02 11:21:09 +02:00
privilege_escalation_sudo_cve_2019_14287.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
privilege_escalation_sudo_hijacking.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
privilege_escalation_sudo_token_via_process_injection.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
privilege_escalation_suspicious_cap_setuid_python_execution.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
privilege_escalation_suspicious_chown_fowner_elevation.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
privilege_escalation_suspicious_passwd_file_write.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
privilege_escalation_suspicious_suid_binary_execution.toml
[New] Suspicious SUID Binary Execution (#6018)
2026-04-30 17:38:22 +01:00
privilege_escalation_suspicious_uid_guid_elevation.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
privilege_escalation_uid_change_post_compilation.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
privilege_escalation_uid_elevation_from_unknown_executable.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
privilege_escalation_unshare_namespace_manipulation.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
privilege_escalation_writable_docker_socket.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00