valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-06 17:35:19 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Updated ART reference links from .yaml to .md

Browse Source
This commit is contained in:
leegengyu 2021-07-06 17:43:20 +08:00
parent 69d5d9734d
commit 3791ab4b12
5 changed files with 10 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
rules/linux/auditd/lnx_auditd_ld_so_preload_mod.yml
View File

@ -6,7 +6,7 @@ author: E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd
date: 2019/10/24
modified: 2019/11/11
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.006/T1574.006.yaml
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.006/T1574.006.md
- https://eqllib.readthedocs.io/en/latest/analytics/fd9b987a-1101-4ed3-bda6-a70300eaf57e.html
logsource:
product: linux
@ -21,4 +21,4 @@ falsepositives:
level: high
tags:
- attack.defense_evasion
- attack.t1574.006
- attack.t1574.006

2
rules/linux/auditd/lnx_auditd_masquerading_crond.yml
View File

@ -6,7 +6,7 @@ description: Masquerading occurs when the name or location of an executable, leg
author: Timur Zinniatullin, oscd.community
date: 2019/10/21
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.yaml
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.md
logsource:
product: linux
service: auditd

2
rules/linux/auditd/lnx_auditd_user_discovery.yml
View File

@ -6,7 +6,7 @@ description: Adversaries may use the information from System Owner/User Discover
author: Timur Zinniatullin, oscd.community
date: 2019/10/21
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.yaml
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.md
logsource:
product: linux
service: auditd

8
rules/linux/auditd/lnx_data_compressed.yml
View File

@ -1,12 +1,12 @@
title: Data Compressed
id: a3b5e3e9-1b49-4119-8b8e-0344a01f21ee
status: experimental
description: An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network
description: An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.
author: Timur Zinniatullin, oscd.community
date: 2019/10/21
modified: 2019/11/04
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.yaml
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md
logsource:
product: linux
service: auditd
@ -24,8 +24,8 @@ detection:
a1|contains: '-c'
condition: 1 of them
falsepositives:
- Legitimate use of archiving tools by legitimate user
- Legitimate use of archiving tools by legitimate user.
level: low
tags:
- attack.exfiltration
- attack.t1560.001
- attack.t1560.001

4
rules/linux/auditd/lnx_network_sniffing.yml
View File

@ -7,7 +7,7 @@ author: Timur Zinniatullin, oscd.community
date: 2019/10/21
modified: 2019/11/04
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.yaml
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md
logsource:
product: linux
service: auditd
@ -24,7 +24,7 @@ detection:
a3: '-i'
condition: selection1 or selection2
falsepositives:
- Legitimate administrator or user uses network sniffing tool for legitimate reason
- Legitimate administrator or user uses network sniffing tool for legitimate reasons.
level: low
tags:
- attack.credential_access