valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-07 01:45:21 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
7,669 Commits 20 Branches 25 Tags 21 MiB
77c6b74c72
Commit Graph

438 Commits

Author SHA1 Message Date
Alejandro Ortuno
c03a696762 additional modifications on commands and process names 2020-10-13 11:00:06 +02:00
Alejandro Ortuno
50fde8c13f minor changes on command line 2020-10-13 10:55:29 +02:00
Alejandro Ortuno
30bd626d76 Split command line and do contains all. 2020-10-13 10:51:00 +02:00
Alejandro Ortuno
7459bcd08c Use process_creation for the detection 2020-10-13 10:41:50 +02:00
remotephone@gmail.com
a85c19db17 updating files to cover broader network discovery logic, renaming alert, adding recommended changes 2020-10-13 00:39:53 -05:00
remotephone@gmail.com
7d49db3988 updating falsepositives documentation to remove line that's not applicable 2020-10-12 23:19:02 -05:00
remotephone@gmail.com
89c8a589a5 updating search syntax, splitting process name and cmdline and adding category 2020-10-12 22:49:19 -05:00
remotephone@gmail.com
476a3c04d9 Adding t1070_002 2020-10-12 00:01:10 -05:00
remotephone@gmail.com
781c7ce6dc Cleaning up falsepositives section of both rules 2020-10-11 23:52:47 -05:00
remotephone@gmail.com
48edc674bd updating keywords to CommandLine|contains and splitting rule into two 2020-10-11 22:43:28 -05:00
Yugoslavskiy Daniil
e52baddda2 improve descriptin 2020-10-11 22:11:03 +02:00
Yugoslavskiy Daniil
7dec19afca add macos_create_hidden_account.yml; part of the oscd initiative task number 63 of the issue #1012 2020-10-11 22:01:05 +02:00
Alejandro Ortuno
d17faf8234 Local groups discovery sigma rules 2020-10-11 18:15:53 +02:00
Alejandro Ortuno
3358dd47ea macos local account creation 2020-10-11 17:56:29 +02:00
Alejandro Ortuno
418a9d5a02 Use endswith with processname 2020-10-11 09:37:08 +02:00
Alejandro Ortuno
748dccc289 additional changes to split processname and commandline 2020-10-10 13:11:17 +02:00
Alejandro Ortuno
04f415c80b Added the sigma rules per OS 2020-10-08 13:23:11 +02:00
Alejandro Ortuno
c5605ae8b6 Scheduled Cron Task/Job sigma rule 2020-10-08 13:15:02 +02:00
remotephone@gmail.com
e967cce211 change new lines to LF instead of CLRF 2020-10-07 23:02:03 -05:00
remotephone@gmail.com
9802704a2b not sure why i'm failing the tests on a line I didn't change. copying format from another file 2020-10-07 22:54:31 -05:00
remotephone@gmail.com
ff2ba5f876 double checking new line characters 2020-10-07 22:43:38 -05:00
remotephone@gmail.com
83ed39f95c adding UID, renaming 2020-10-07 22:25:54 -05:00
remotephone@gmail.com
4486c3ffc9 adding new line at end of file 2020-10-07 22:11:05 -05:00
remotephone@gmail.com
cde0020d30 T1016 detection rules 2020-10-07 22:09:15 -05:00
Ömer Günal
eac5ac9fc1
removed duplicate filter 2020-10-08 00:18:38 +03:00
Ömer Günal
e6588c08f4
Create lnx_system_info_discovery.yml 2020-10-08 00:15:46 +03:00
Ömer Günal
2cea3800de
Create lnx_password_policy_discovery.yml 2020-10-08 00:14:40 +03:00
Ömer Günal
f00e79d123
Create lnx_file_deletion.yml 2020-10-07 22:28:37 +03:00
Ömer Günal
18821d2255
Create lnx_clear_logs.yml 2020-10-07 22:27:06 +03:00
Ömer Günal
d44ef84b55
Update lnx_process_discovery.yml 2020-10-07 22:26:02 +03:00
Ömer Günal
d328f92503
Update at_command.yml 2020-10-07 22:23:48 +03:00
Ömer Günal
bdabb14483
Update at_command.yml 2020-10-07 22:22:31 +03:00
Ömer Günal
7b29e3a35f
Update lnx_install_root_certificate.yml 2020-10-07 22:20:17 +03:00
Ömer Günal
8ea054ff0b
Update at_command.yml 2020-10-07 00:07:30 +03:00
Ömer Günal
b0b72de94d
Create lnx_process_discovery.yml 2020-10-06 23:52:06 +03:00
Ömer Günal
7b39e76192
Create at_command.yml 2020-10-06 23:48:25 +03:00
Ömer Günal
759268108f
rename filename 2020-10-06 09:04:36 +03:00
Ömer Günal
0e7eb32f62
update description 2020-10-05 20:22:43 +03:00
Ömer Günal
1e7a47440f
Install Root Certificate 2020-10-05 20:21:20 +03:00
Florian Roth
d3ee1aba66 docs: MITRE ATT&CK(R) trademark references removed or adjusted 
https://github.com/Neo23x0/sigma/issues/1028
 2020-09-30 08:53:52 +02:00
Mike Wade
8ce73bd8df Fixed issues with tags and missing files 2020-09-15 06:10:57 -06:00
Mike Wade
52ab677798 Fixed my git issue 2020-09-13 22:03:04 -06:00
Florian Roth
de5444a81e
Merge pull request #989 from oscd-initiative/master 
[OSCD Initiative][ATT&CK tags update]
 2020-09-08 13:27:58 +02:00
Florian Roth
af3b93a522
Merge pull request #914 from omergunal/ogunal-2 
New rules for Linux
 2020-09-07 09:41:43 +02:00
Timur Zinniatullin
8dba6ceee6 2nd review 2020-08-25 09:31:38 +03:00
Timur Zinniatullin
1244cacfbf Update lnx_auditd_create_account.yml 2020-08-25 09:20:27 +03:00
Timur Zinniatullin
72fdf0da45
Update lnx_auditd_susp_cmds.yml 2020-08-04 20:00:30 +03:00
Timur Zinniatullin
4e688233d7 ATT&CK mapping update suggestions for \linux\ 2020-08-04 19:48:18 +03:00
Florian Roth
1c63a93643 fix: wrong casing in tag 2020-07-13 16:20:51 +02:00
viniciusvec
26f0d49772
Update lnx_shell_clear_cmd_history.yml 
Renamed tags to match production MITRE: https://attack.mitre.org/techniques/T1070/003/
 2020-07-13 14:06:14 +01:00
Ömer Günal
bee467dbd6
Rename lnx_setgid_setuid to lnx_setgid_setuid.yml 2020-07-13 01:36:20 +03:00
Ömer Günal
bf8f0307b7
Rename lnx_space_after_filename_ to lnx_space_after_filename_.yml 2020-07-13 01:33:59 +03:00
Ömer Günal
4b74a0df76
Create lnx_space_after_filename_ 2020-07-13 01:33:39 +03:00
Ömer Günal
c749aa2539
Create lnx_setgid_setuid 2020-07-13 01:33:09 +03:00
Ömer Günal
6b24a5df65
Create lnx_security_tools_disabling.yml 2020-07-13 01:32:24 +03:00
Ömer Günal
bdeca13825
Create lnx_proxy_connection.yml 2020-07-13 01:31:05 +03:00
Ömer Günal
708a28e307
Delete lnx_space_after_filename.yml 2020-07-13 01:26:37 +03:00
Ömer Günal
af6ad5a41b
Delete lnx_setuid_setgid.yml 2020-07-13 01:26:29 +03:00
Ömer Günal
64a9b6e098
Delete lnx_disabling_security_tools.yml 2020-07-13 01:26:11 +03:00
Ömer Günal
7466c8d425
Delete lnx_connection_proxy.yml 2020-07-13 01:26:03 +03:00
Ömer Günal
7ce16d1bbc
Update lnx_space_after_filename.yml 2020-07-13 01:07:32 +03:00
Ömer Günal
47a2f1bc94
Update lnx_space_after_filename.yml 2020-07-03 18:56:51 +03:00
Ömer Günal
51363d8a87
Update lnx_setuid_setgid.yml 2020-07-03 18:56:40 +03:00
Ömer Günal
87346d4b94
Update lnx_disabling_security_tools.yml 2020-07-03 18:56:30 +03:00
Ömer Günal
64afd6e7ee
Update lnx_connection_proxy.yml 2020-07-03 18:56:19 +03:00
Florian Roth
26d8810efb
Merge pull request #882 from Neo23x0/rule-devel 
Rule devel
 2020-07-03 15:33:55 +02:00
Florian Roth
8a0262d1a2 fix: in linux keyword expression 2020-07-03 15:08:20 +02:00
Florian Roth
5dd5b87f43 rule: guacamole exploitation detection 2020-07-03 13:20:03 +02:00
Florian Roth
fa452bf3e5
Merge pull request #849 from omergunal/ogunal-1 
Rules for detecting suspicious remote file copy
 2020-07-03 11:59:45 +02:00
Florian Roth
b9966a173c
Update lnx_file_copy.yml 2020-07-03 11:32:49 +02:00
Ömer Günal
4eb97ec43d
Update lnx_file_copy.yml 2020-06-22 21:35:50 +03:00
Ömer Günal
d17e0ae6eb
typo 2020-06-20 23:04:52 +03:00
Ömer Günal
93719d8a01
Merge pull request #1 from omergunal/omergunal-patch-1 
Remote file copy
 2020-06-18 23:56:29 +03:00
Ömer Günal
40a07a2d4f
Delete lnx_sudo_enumeration.yml 2020-06-18 23:55:24 +03:00
Ömer Günal
d87b0c95a4
Delete lnx_trap.yml 2020-06-18 23:55:16 +03:00
Ömer Günal
8db7c3207a
Delete lnx_sudo_caching.yml 2020-06-18 23:54:43 +03:00
Ömer Günal
5bc72b6cba
Delete lnx_space_after_filename.yml 2020-06-18 23:54:28 +03:00
Ömer Günal
f10440b9fa
Delete lnx_setuid_setgid.yml 2020-06-18 23:54:20 +03:00
Ömer Günal
6c8d104e7d
Delete lnx_disabling_security_tools.yml 2020-06-18 23:54:06 +03:00
Ömer Günal
84c4683607
Delete lnx_connection_proxy.yml 2020-06-18 23:53:43 +03:00
Ömer Günal
c6c455a3ec
Remote file copy 2020-06-18 23:37:49 +03:00
Ömer Günal
9bfc3d6807
Delete lnx_file_copy.yml 2020-06-18 23:37:12 +03:00
Ömer Günal
a963630db8
Remote File Copy 2020-06-18 23:36:29 +03:00
Ömer Günal
3a607abe33
Update lnx_trap.yml 2020-06-17 19:51:53 +03:00
Ömer Günal
7b86f4aefb
Update lnx_trap.yml 2020-06-17 19:47:31 +03:00
Ömer Günal
ebbd32d2e1
file extension 2020-06-17 19:43:57 +03:00
Ömer Günal
f989f7e155
file extension 2020-06-17 19:43:49 +03:00
Ömer Günal
772c03c49a
Connection Proxy 2020-06-17 19:39:55 +03:00
Ömer Günal
9d285ecf74
Trap 2020-06-17 19:39:00 +03:00
Ömer Günal
d0b66ab828
Space After Filename 2020-06-17 19:38:38 +03:00
Ömer Günal
3b8fb9e3d8
Disabling Security Tools 2020-06-17 19:38:10 +03:00
Ivan Kirillov
0fbfcc6ba9 Initial round of subtechnique updates 2020-06-16 14:46:08 -06:00
Florian Roth
fd2429bd34
Update lnx_setuid_setgid.yml 2020-06-16 19:46:50 +02:00
Florian Roth
06fe720165
Update lnx_sudo_enumeration.yml 2020-06-16 19:33:39 +02:00
Florian Roth
545c05d4d3
Update lnx_setuid_setgid.yml 2020-06-16 19:31:34 +02:00
Ömer Günal
0027415fa2
Update lnx_setuid_setgid.yml 2020-06-16 20:26:50 +03:00
Ömer Günal
41b2309418
file type changed 2020-06-16 20:24:09 +03:00
Ömer Günal
0d0058da43
added id 2020-06-16 20:21:07 +03:00
Ömer Günal
bbcd506fb1
added id 2020-06-16 20:21:02 +03:00
Ömer Günal
ace575aaa6
added id 2020-06-16 20:20:42 +03:00
Ömer Günal
4b1557a587
Setuid and Setgid 
Detects suspicious change of file privileges with chown and chmod commands
 2020-06-16 20:12:24 +03:00
Ömer Günal
b7e1c6750c
sudo caching 
attack.t1206
 2020-06-16 19:31:02 +03:00
Ömer Günal
e43f13ed67
Update lnx_sudo_enumeration.yml 
attack.t1169
 2020-06-16 19:20:42 +03:00
Ömer Günal
52487159c5
Detect Sudo enumeration commands 2020-06-16 19:17:00 +03:00
Florian Roth
74e16fdccd
Merge pull request #803 from gamma37/clear_cmd_history 
Edit Clear Command History
 2020-05-29 17:32:43 +02:00
gamma37
537bda4417
Update lnx_shell_clear_cmd_history.yml 2020-05-28 10:56:35 +02:00
gamma37
5a48934822
Edit Clear Command History 
I suggest a new point of view to detect that bash_history has been cleared : Instead of trying to detect all the commands that can do that, we could monitor the size of the file and log whenever it has less than 1 line.
 2020-05-28 10:52:17 +02:00
Florian Roth
8321cc7ee1
Merge pull request #772 from gamma37/suspicious_activities 
Create a rule for "suspicious activities"
 2020-05-23 18:11:32 +02:00
Florian Roth
e1a05dfc1c
Update lnx_auditd_susp_C2_commands.yml 2020-05-23 16:49:03 +02:00
gamma37
71c507d8a9
remove space bedore colon 2020-05-18 11:34:53 +02:00
gamma37
55eec46932
Create a rule for "suspicious activities" 2020-05-18 11:25:18 +02:00
gamma37
cbf06b1e43
lowercased tag 2020-05-18 10:11:32 +02:00
gamma37
904716771a
Create a new rule to detect "Create Account" 2020-05-18 10:03:34 +02:00
Florian Roth
7b713fbe7f rule: OpenSSHd rule adjusted 2020-05-15 17:19:32 +02:00
Thomas Patzke
373424f145 Rule fixes 
Made tests pass the new CI tests. Added further allowed lower case words
in rule test.
 2020-02-20 23:00:16 +01:00
Thomas Patzke
d7bd90cb24 Merge branch 'master' into oscd 2020-02-03 23:13:16 +01:00
Thomas Patzke
593abb1cce OSCD QA wave 3 2020-02-02 12:41:12 +01:00
Florian Roth
03ecb3b8dc refactor: moved rues from 'apt' folder in respective folders 2020-02-01 17:59:26 +01:00
Florian Roth
d42e87edd7 fix: fixed casing and long rule titles 2020-01-30 17:26:09 +01:00
Florian Roth
e79e99c4aa fix: fixed missing date fields in remaining files 2020-01-30 16:07:37 +01:00
Florian Roth
efd3af0812 fix: fixed missing date fields in other files 2020-01-30 15:32:39 +01:00
Thomas Patzke
924e1feb54 UUIDs + moved unsupported logic 
* Added UUIDs to all contributed rules
* Moved unsupported logic directory out of rules/ because this breaks CI
  testing.
 2019-12-19 23:56:36 +01:00
yugoslavskiy
edad1695f6 Merge branch 'oscd' of https://github.com/mrblacyk/sigma into mrblacyk-oscd 2019-12-02 02:56:53 +01:00
yugoslavskiy
48a94d1609
Update lnx_dd_delete_file.yml 2019-12-02 02:54:48 +01:00
yugoslavskiy
ca1c2f4436
Update lnx_chattr_immutable_removal.yml 2019-12-02 02:54:32 +01:00
yugoslavskiy
9e90335a5a
Update lnx_pers_systemd_reload.yml 2019-12-02 02:54:13 +01:00
yugoslavskiy
46ca68436e
Update lnx_file_or_folder_permissions.yml 2019-12-02 02:53:35 +01:00
mrblacyk
9d0889def4
Adding auditd compatibility 2019-11-29 09:34:08 +01:00
mrblacyk
cafbb25d2e
Update lnx_file_or_folder_permissions.yml 2019-11-29 09:33:04 +01:00
mrblacyk
bf5e6cc56b
Adding auditd compatibility 2019-11-29 09:32:05 +01:00
mrblacyk
a15c84eb80
Adding auditd compatibility 2019-11-29 09:27:31 +01:00
yugoslavskiy
efc404fbae resolve conflicts with rule IDs; restored and deprecated sysmon_mimikatz_detection_lsass.yml 2019-11-19 02:11:19 +01:00
Thomas Patzke
0592cbb67a Added UUIDs to rules 2019-11-12 23:12:27 +01:00
Thomas Patzke
5f6a4225ec Unified line terminators of rules to Unix 2019-11-12 23:05:36 +01:00
yugoslavskiy
a4331b0eec
Merge pull request #498 from theRabbitCode/oscd 
[OSCD] Added Atomic Blue Detections Repo
 2019-11-11 23:22:57 +03:00
yugoslavskiy
bdff2c312b
Update lnx_auditd_ld_so_preload_mod.yml 2019-11-11 01:44:53 +03:00
yugoslavskiy
69a99bc2c3
Merge pull request #493 from alx1m1k/oscd 
[OSCD] rules from Jet CSIRT team
 2019-11-10 23:11:24 +03:00
yugoslavskiy
82f23c5f63
Merge pull request #477 from zinint/oscd 
add 13 new rules:

- rules/linux/auditd/lnx_auditd_masquerading_crond.yml 
- rules/linux/auditd/lnx_auditd_user_discovery.yml 
- rules/linux/auditd/lnx_data_compressed.yml 
- rules/linux/auditd/lnx_network_sniffing.yml 
- rules/windows/powershell/powershell_data_compressed.yml 
- rules/windows/powershell/powershell_winlogon_helper_dll.yml 
- rules/windows/process_creation/win_change_default_file_association.yml 
- rules/windows/process_creation/win_data_compressed_with_rar.yml 
- rules/windows/process_creation/win_local_system_owner_account_discovery.yml 
- rules/windows/process_creation/win_network_sniffing.yml 
- rules/windows/process_creation/win_query_registry.yml 
- rules/windows/process_creation/win_service_execution.yml 
- rules/windows/process_creation/win_xsl_script_processing.yml 

modify 1 rule:

- rules/windows/process_creation/win_possible_applocker_bypass.yml
 2019-11-05 04:55:29 +03:00
yugoslavskiy
534f5fc0e1
Update lnx_network_sniffing.yml 2019-11-05 04:40:40 +03:00
yugoslavskiy
70fdd9c7d7
Update lnx_data_compressed.yml 2019-11-05 04:38:27 +03:00
yugoslavskiy
75f2b8536f
Update lnx_auditd_user_discovery.yml 2019-11-04 22:14:30 +03:00
yugoslavskiy
8b2216e94e
Update lnx_auditd_masquerading_crond.yml 2019-11-04 22:14:10 +03:00
yugoslavskiy
0d5489bbb0
Update lnx_auditd_user_discovery.yml 2019-11-04 22:07:30 +03:00
yugoslavskiy
bb71f95810
Update lnx_auditd_masquerading_crond.yml 2019-11-04 21:58:42 +03:00
yugoslavskiy
1f1fd68331
Merge pull request #472 from feedb/oscd 
add 11 new rules:

- rules/linux/auditd/lnx_auditd_web_rce.yml
- rules/windows/process_creation/process_creation_susp_bginfo.yml
- rules/windows/process_creation/process_creation_susp_cdb.yml
- rules/windows/process_creation/process_creation_susp_devtoolslauncher.yml
- rules/windows/process_creation/process_creation_susp_dnx.yml
- rules/windows/process_creation/process_creation_susp_dxcap.yml
- rules/windows/process_creation/process_creation_susp_msoffice.yml
- rules/windows/process_creation/process_creation_susp_odbcconf.yml
- rules/windows/process_creation/process_creation_susp_openwith.yml
- rules/windows/process_creation/process_creation_susp_psr_capture_screenshots.yml
- rules/windows/sysmon/sysmon_webshell_creation_detect.yml
 2019-11-04 20:40:58 +03:00
yugoslavskiy
8a35a51211
Update lnx_auditd_web_rce.yml 2019-11-04 18:08:17 +03:00
zinint
11e7bdc727
Update lnx_network_sniffing.yml 2019-10-30 22:59:46 +03:00
zinint
fd09c00b35
Update lnx_network_sniffing.yml 2019-10-30 20:59:07 +03:00
zinint
3d106d8e7f
Update lnx_network_sniffing.yml 2019-10-30 19:11:51 +03:00
zinint
e0c5479f0a
Update lnx_network_sniffing.yml 2019-10-30 19:10:48 +03:00
zinint
b5b40f2861
Update lnx_network_sniffing.yml 2019-10-30 19:07:05 +03:00
zinint
cc4a8df5e3
Update lnx_network_sniffing.yml 2019-10-30 19:06:53 +03:00
zinint
7e3d8ccaf3
T1040 2019-10-30 19:05:50 +03:00
zinint
4a560e9375
T1002 2019-10-29 22:56:45 +03:00
zinint
583980f8ec
Delete win_data_compressed.yml 2019-10-29 22:56:30 +03:00
zinint
4eb7965662
T1002 2019-10-29 22:54:42 +03:00
zinint
950796f71f
Update lnx_auditd_masquerading_crond.yml 2019-10-29 22:48:39 +03:00
zinint
c5599399b5
Update lnx_auditd_masquerading_crond.yml 2019-10-29 22:48:00 +03:00
zinint
47f7d648a3
T1036 2019-10-29 22:33:03 +03:00
Yugoslavskiy Daniil
3376cf4dd8 fix some typos and remove redundand references 2019-10-29 01:40:06 +03:00
RRRabbit
becfca6b41 Added Atomic Blue Detections Repo 2019-10-28 11:59:49 +01:00
zinint
d1cf80d9b6
Update lnx_auditd_user_discovery.yml 2019-10-28 00:00:06 +03:00
zinint
68b4541274
t1033 2019-10-27 23:59:16 +03:00
Mikhail Larin
334301c185 OSCD event rules from Jet CSIRT team 2019-10-25 17:57:56 +03:00
mrblacyk
499627edf3 File permissions modification (T1222) 2019-10-23 11:24:13 -07:00
mrblacyk
c2d906c15f DD overwrite with zero/null (T1485) 2019-10-23 11:22:33 -07:00
mrblacyk
5ae267e326 Linux systemd reload or start rule (T1501) 2019-10-23 11:21:19 -07:00
root
fb53855ae5 add rule sysmon_webshell_creation_detect.yml 2019-10-22 05:50:49 +02:00
root
e47caf4749 add rule lnx_auditd_web_rce.yml 2019-10-21 11:54:21 +02:00
root
a499141483 modified rule lnx_auditd_web_rce.yml 2019-10-21 11:28:59 +02:00
root
ac8308dfc9 add rule lnx_auditd_web_rce.yml 2019-10-21 11:14:24 +02:00
Florian Roth
454ba2b576 rule: modified sudo vuln rule to be most generic 2019-10-20 14:02:10 +02:00
Florian Roth
08ff2f38bc Revert "rule: modified sudo vuln rule to be most generic" 
This reverts commit ef6a25d109.
 2019-10-20 14:01:14 +02:00
Florian Roth
ef6a25d109 rule: modified sudo vuln rule to be most generic 2019-10-20 10:37:05 +02:00
Thomas Patzke
522f021ef1
Merge pull request #461 from Galapag0s/patch-2 
Added Additional history clearing options
 2019-10-16 22:35:41 +02:00
Florian Roth
36f678930d rule: updated sudo vuln rule to detect 0-padding part 2 
https://twitter.com/joshbressers/status/1184455759620378627
 2019-10-16 15:10:44 +02:00
Florian Roth
5374d18e4b rule: updated sudo vuln rule to detect 0-padding 
https://twitter.com/taviso/status/1184238670343065600
 2019-10-16 15:03:28 +02:00
Florian Roth
921a39f1e3 rule: extended sudo rule with variant for USER field 2019-10-15 14:55:09 +02:00
Florian Roth
96d77447d2 rule: added reference and mitre tags 2019-10-15 09:44:17 +02:00
Florian Roth
49ed76004c rule: sudo priv esc vuln CVE-2019-14287 2019-10-15 09:39:08 +02:00
Galapag0s
1e4ef648db
Added Additional history clearing options 
history -w will clear the current shell history
shred purposely overwrites data replacing it with random data
 2019-09-26 12:53:13 -04:00
Galapag0s
ccdda5e82b
Update lnx_shell_priv_esc_prep.yml 2019-09-06 11:29:42 -04:00
Galapag0s
23021aa110
Added Sticky Bits 
Attackers may look to exploit binaries with the sticky bits enabled.  By being able to run a binary as a different user or group, they may be able to run separate commands as an elevated user.
 2019-09-06 11:25:48 -04:00
Florian Roth
f5a8a81ff7 fix: linux cmds rule 2019-07-02 15:22:26 +02:00
petermmm
b6c4e64a9b fixed attack category number 2->3 2019-05-12 11:59:13 +02:00
petermmm
2778558ae3 added rule .bash_profile and .bashrc T1156 2019-05-12 02:07:13 +02:00
Thomas Patzke
46c789105b Fix and ordering 2019-05-10 00:08:26 +02:00
patrick
ca4b710c01 Added Sigma Use Case detecting Privilege Escalation Preparation in Linux 2019-04-07 15:36:19 +02:00
Florian Roth
2b814011cd
Merge pull request #287 from P4T12ICK/feature/lnx-clear-cmd-history-signature 
Add new signature for linux clear command history
 2019-04-03 19:45:06 +02:00
Florian Roth
6cc1770351
Merge pull request #294 from Pr0t3an/patch-3 
Update lnx_shell_susp_rev_shells.yml
 2019-04-03 01:07:07 +02:00
Florian Roth
b76925f838 Rule: extending rule with /dev/udp 2019-04-02 20:09:13 +02:00
Pr0t3an
d067087632
Update lnx_shell_susp_rev_shells.yml 
added 
 - 'bash -i >& /dev/udp/'
        - 'sh -I >$ /dev/udp/'
        - 'sh -i   >$ /dev/tcp/'
 2019-04-02 18:22:18 +01:00
Florian Roth
5c5a16c4d5 Rule: adding xterm -display string to rule 2019-04-02 18:48:18 +02:00
Florian Roth
453bd10e6e Rule: Suspicious reverse shell command lines 2019-04-02 17:03:57 +02:00
Florian Roth
d06a5431eb
Changes 2019-04-01 14:03:54 +02:00
patrick
0242c40360 Add new signature for linux clear command history 2019-03-24 10:10:14 +01:00
Florian Roth
5092b1e603 Rule: removed overlapping strings in Linux rule 2019-02-05 16:12:07 +01:00
Florian Roth
32c098294f Rule: extended suspicious command lines 2019-02-05 15:58:15 +01:00
Florian Roth
b92c032c2d Linux JexBoss back connect shell 2018-11-08 23:21:36 +01:00
Florian Roth
6bde2cd08f
Update lnx_buffer_overflows.yml 2018-08-25 00:20:34 +02:00
Florian Roth
234a48af19 rule: Linux SSHD exploit CVE-2018-15473 
https://github.com/Rhynorater/CVE-2018-15473-Exploit
 2018-08-24 16:40:41 +02:00
Florian Roth
9e0abc5f0b Adjusted rules to the new specs reg "not null" usage 2018-06-28 09:30:31 +02:00
Alexandre ZANNI
74da324d8f
remove old public_html 
remove old public_html
 2018-05-29 11:44:38 +02:00
Alexandre ZANNI
a1de770b64
enhance web server paths 
- specify when it is apache only
- add Per-user path
- add archlinux paths
 2018-05-29 11:41:36 +02:00
Thomas Patzke
59eff939f2 Merge branch 'devel-sigmac' 2018-03-04 22:59:41 +01:00
Thomas Patzke
4792700726 Fixed rule 2018-03-04 22:07:01 +01:00
Florian Roth
b88a81a9e1 Rule: Linux > named > suspicious activity 2018-02-20 14:56:28 +01:00
Florian Roth
ef0cd4c110 Rules: Extended and fixed (*) sshd rules 2018-02-20 13:44:06 +01:00
SherifEldeeb
348728bdd9 Cleaning up empty list items 2018-01-28 02:36:39 +03:00
SherifEldeeb
48441962cc Change All "str" references to be "list"to mach schema update 2018-01-28 02:24:16 +03:00
SherifEldeeb
112a0939d7 Change "reference" to "references" to match new schema 2018-01-28 02:12:19 +03:00
Florian Roth
aca70e57ec Massive Title Cleanup 2018-01-27 10:57:30 +01:00
Florian Roth
f31ed7177e Added status 'experimental' to newly created auditd rules 2018-01-23 11:15:02 +01:00
Florian Roth
fe80ae7885 Rule: Linux auditd 'program execution in suspicious folders' 2018-01-23 11:13:23 +01:00
Florian Roth
228ca1b765 Rule: Linux auditd 'suspicious commands' 2018-01-23 11:13:23 +01:00
Thomas Patzke
5c465129bd Fixed rules 
* Replaced unspecified logsource attribute 'type' with 'category'
* Usage of service 'auth' for linux logs
 2017-09-11 00:35:52 +02:00
Thomas Patzke
f768bf3d61 Fixed parse errors 2017-08-02 22:49:15 +02:00
Florian Roth
fc4cd4036e Linux: Suspicious VSFTPD errors 2017-07-05 18:59:51 -06:00
Florian Roth
ead63fbf75 Linux: Suspicious SSHD errors 2017-06-30 08:47:56 +02:00
Florian Roth
004fed24e0 Linux Generic Rules 2017-05-02 20:32:38 +02:00
Florian Roth
67d9c44bb3 Improved linux suspicious activity rule 2017-03-27 15:21:39 +02:00
Florian Roth
c5323ac1c2 Changes to Linux suspicious activity rule 2017-03-27 10:29:57 +02:00
Florian Roth
5c4a13af71 Rules: Linux commands and log entries of interest 2017-03-25 19:59:45 +01:00
Florian Roth
c8cc857b7c Improved the linux suspicious keywords rule 2017-03-25 19:23:10 +01:00
Florian Roth
6932fcec65 Rule: Linux shell more suspicious keywords 2017-03-21 10:23:12 +01:00
Florian Roth
789b3899df Improved Linux Shell Activity Rule 2017-03-15 09:07:59 +01:00
Florian Roth
9afa12f4a3 Further shell commands from MSF repo 2017-03-14 16:33:51 +01:00
Florian Roth
daeb7c3693 Rule: Suspicious activity in shell commands 2017-03-14 14:54:08 +01:00
Florian Roth
546a587df7 Rule: Shellshock Regex detection 
http://rubular.com/r/zxBfjWfFYs
 2017-03-14 14:53:29 +01:00
Florian Roth
3eae1f2710 Bug and typo fixes 2017-03-14 14:52:28 +01:00
Florian Roth
9934a66a3c Rule: ClamAV 2017-03-01 10:00:17 +01:00
Florian Roth
2e0632b05f Rule: Linux: buffer overflows 2017-03-01 08:38:33 +01:00
Florian Roth
001bed0c45 ModSecurity rule: multiple blocks 2017-02-28 17:53:32 +01:00
Florian Roth
b1446f9b87 Removed 'last' keyword from 'timeframe' fields 2017-02-28 17:52:40 +01:00
Florian Roth
18fd63f6b7 Levels to low, medium, high, critical 2017-02-16 18:06:22 +01:00
Thomas Patzke
88270fcf2d Rule review and cleanup 
* removed unnecessary one element lists from definitions
* converted some lists of one element maps to maps because the resulting
  OR linkage would cause wrong result.
 2017-02-15 23:53:08 +01:00
Florian Roth
a2adb1ddb5 Renamed rule files, new rules 2017-02-10 19:17:02 +01:00
Florian Roth
1307a45fd5 Moved rules to a separate directory 2017-02-07 00:44:40 +01:00