Update lnx_clear_logs.yml

Ömer Günal 2020-12-01 21:28:12 +03:00 committed by GitHub
parent bca3c80f43
commit 4ab522815b
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -10,16 +10,18 @@ logsource:
product: linux
category: process_creation
detection:
keywords:
- Commands|contains:
- 'rm * /var/log*'
- 'shred -u /var/log*'
- 'echo * > /var/log*'
- 'rmdir * /var/log*'
- 'rm * /private/var/audit/*'
- 'rm * /private/var/log/system.log*'
- 'echo * /var/spool/mail/*'
condition: keywords
selection1:
- ProcessName|endswith:
- '/rm'
- 'shred'
- 'echo'
- 'rmdir'
selection2:
CommandLine|contains:
- '/var/log'
- '/private/var/audit'
- '/private/var/log/'
condition: selection1 and selection2
falsepositives:
- Legitimate administration activities
level: medium
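Review bot: The `ProcessName|endswith` list in selection1 is inconsistent: `'/rm'` is anchored on a path separator while `'shred'`, `'echo'` and `'rmdir'` are not, so the latter three match any binary whose name merely ends in those letters; anchoring them the same way — `- '/shred'`, `- '/echo'`, `- '/rmdir'` — keeps the intent and removes the spurious matches. The `echo` entry is also unlikely to fire as written, because a redirection such as `echo > /var/log/...` is performed by the shell and is not part of echo's own command line, so selection1 and selection2 can only both match if the log source records the full shell invocation, in which case the process is the shell rather than echo; a comment in the rule stating that assumption (or dropping the entry) would help the next maintainer. As a point of style, selection1 is written as a list containing a mapping while selection2 is a plain mapping; both are valid Sigma, but one form for both selections reads more clearly. The field name `ProcessName` should also be checked against the Sigma process_creation taxonomy, which uses `Image` for the executable path, so that backends with standard field mappings resolve it.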