Update lnx_auditd_clipboard_collection.yml

Changes after suggestion.
zakibro 2021-09-27 07:59:43 +02:00 committed by GitHub
parent 4bbe4962b0
commit 6a2785492d
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


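--- a/lnx_auditd_clipboard_collection.yml
+++ b/lnx_auditd_clipboard_collection.yml
@@ -12,16 +12,20 @@ logsource:
 product: linux
 service: auditd
 detection:
-xclip:
-type: EXECVE
-a0: xclip
-a1: '-selection'
-a2: clipboard
-a3: '-o'
-condition: xclip
+xclip:
+type: EXECVE
+a0: xclip
+a1:
+- '-selection'
+- '-sel'
+a2:
+- clipboard
+- clip
+a3: '-o'
+condition: xclip
 tags:
 - attack.collection
 - attack.t1115
 falsepositives:
 - Legitimate usage of xclip tools
-level: low
+level: low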
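Review bot: The `xclip` selection still matches arguments by fixed position (`a1`, `a2`, `a3`), so the same clipboard read with `-o` placed before `-selection` is not matched, and only two spellings of each argument are listed. As far as I recall from the xclip man page, options may be abbreviated to any unambiguous prefix and the selection name is recognised by its first letter, so other short forms probably fall outside both lists. Consider prefix modifiers such as `a1|startswith: '-se'` and `a2|startswith: 'c'`, plus a second selection for the `-o`-first ordering joined in `condition`, or state the coverage gap in the rule description. The rule's title and description lie above the hunk, so whether they already mention this limitation cannot be seen here.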