Adding auditd compatibility

This commit is contained in:
mrblacyk 2019-11-29 09:32:05 +01:00 committed by GitHub
parent a15c84eb80
commit bf5e6cc56b
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


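--- a/<sigma rule path not shown on page>
+++ b/<sigma rule path not shown on page>
@@ -6,13 +6,15 @@ tags:
     - attack.t1485
 logsource:
     product: linux
+    service: auditd
 detection:
-    keywords1:
-        - 'dd'
-    keywords2:
-        - 'if=/dev/null'
-        - 'if=/dev/zero'
-    condition: keywords1 and keywords2
+    selection:
+        type: 'EXECVE'
+        a0: 'dd'
+        a1:
+            - 'if=/dev/null'
+            - 'if=/dev/zero'
+    condition: selection
 falsepositives:
     - Unknown
 level: low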
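Review bot: The new `selection` pins the `if=` operand to `a1`, so an auditd EXECVE record where `if=` is not the first argument (auditd splits argv into a0, a1, a2, … and `dd` accepts its operands in any order) no longer matches, whereas the removed `keywords1 and keywords2` match was position-independent; this is a coverage regression the commit does not mention. A second selection keyed on `a2` (and further positions if wanted) joined with `or` restores most of it, sketched below. Likewise `a0: 'dd'` is a plain-value match, and auditd records the invoked path in a0 when the binary is called by absolute path, so `'*/dd'` may be needed alongside `'dd'` — confirm how the target backend treats plain values before relying on that. The `falsepositives: Unknown` entry could also state the obvious benign case the rule now matches, e.g. `- Disk preparation or secure-wipe scripts run by administrators`.
```yaml
detection:
    # … unchanged: selection (a0 / a1 variant) …
    selection_arg2:
        type: 'EXECVE'
        a0: 'dd'
        a2:
            - 'if=/dev/null'
            - 'if=/dev/zero'
    condition: selection or selection_arg2
```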