SigmaHQ/rules/linux/lnx_clear_logs.yml

# Sigma rule: flags a process launch on a Linux host that pairs a
# deletion/overwrite utility with a log-directory path on its command line.
# Mapped to ATT&CK T1070.002 (Indicator Removal: Clear Linux or Mac System Logs).
title: Clear Linux Logs
id: 80915f59-9b56-4616-9de0-fd0dea6c12fe
status: stable
description: Detects clear logs
author: Ömer Günal, oscd.community
date: 2020/10/07
references:
  - https://attack.mitre.org/techniques/T1070/002/
logsource:
  product: linux
  category: process_creation
detection:
  # Process name ends with one of the deletion/overwrite utilities below.
  # Only '/rm' carries the leading path separator; 'shred', 'echo' and
  # 'rmdir' match any process name that merely ends with those characters
  # (wider than a basename match -- kept as authored).
  selection1:
    - ProcessName|endswith:
        - '/rm'
        - 'shred'
        - 'echo'
        - 'rmdir'
  # Command line references a log location. The two '/private/var/...'
  # entries look like macOS-style paths even though logsource is linux;
  # they are kept as authored.
  selection2:
    CommandLine|contains:
      - '/var/log'
      - '/private/var/audit'
      - '/private/var/log/'
  # Both selections must hold: a log-wiping utility AND a log path in its
  # arguments. Either alone is far too noisy on its own.
  condition: selection1 and selection2
falsepositives:
  # Routine log rotation/cleanup by administrators produces the same
  # process + path combination; triage on user, cron/context and frequency.
  - Legitimate administration activities
level: medium
tags:
  - attack.defense_evasion
  - attack.t1070.002