valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-07 09:48:58 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Update lnx_file_deletion.yml

Browse Source
This commit is contained in:
Ömer Günal 2020-12-01 21:24:57 +03:00 committed by GitHub
parent 2fa7008363
commit d0bb6e9e81
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 7 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
rules/linux/lnx_file_deletion.yml
View File

@ -10,15 +10,13 @@ logsource:
product: linux
category: process_creation
detection:
keywords:
- Commands|contains:
- 'rm '
- 'shred -u'
- 'rmdir'
- 'unlink'
- 'busybox rm -f *'
- 'find * -delete'
condition: keywords
selection:
- ProcessName|endswith:
- '/rm'
- '/shred'
- '/unlink'
- '/busybox'
condition: selection
falsepositives:
- Legitimate administration activities
level: low