Linux Shell Evasion Rule Tuning #1878

Merged: 42 commits merged into main from shell-evasion-rule-tuning on Mar 29, 2022

Conversation

@DefSecSentinel (Contributor) commented Mar 24, 2022

Summary

Tuning these shell evasion rules to increase accuracy and performance by taking multi-match selections from ":" to "in", taking single-match selections from ":" to "==", and by removing sequencing where possible and using entity_id to sequence where necessary. Each of these rules has been tested and validated to ensure it works as expected.
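The three moves the summary describes (`:` to `in`/`==`, a sequence keyed on the host versus one keyed on process.entity_id, and dropping the sequence when a single event already carries the relationship) in runnable form. This is an added example, not code from this PR or from the detection-rules repository, and it does not use the Elasticsearch EQL engine: the sample events, the ECS-style field names used as flat dictionary keys, the function names `match_colon`, `match_in`, `sequence_rule` and `single_event_rule`, and the simplified operator semantics (`:` case-insensitive with wildcards, `==`/`in` case-sensitive exact, as EQL defines them) are all assumptions made for the demonstration.

```python
"""Demonstration of the rule-tuning moves from the PR summary.
Not the detection-rules project's rule logic and not the EQL engine;
events are constructed and field names are ECS-style flat keys."""
import fnmatch
from typing import Callable, Dict, List, Sequence

Event = Dict[str, object]

# Constructed sample process-start events (not real telemetry).
EVENTS: List[Event] = [
    # host h1: sshd -> python3 -c 'import pty; pty.spawn("/bin/bash")' -> bash
    {"ts": 1, "host.id": "h1", "process.name": "python3", "process.entity_id": "p1",
     "process.parent.name": "sshd", "process.parent.entity_id": "p0"},
    {"ts": 2, "host.id": "h1", "process.name": "bash", "process.entity_id": "p2",
     "process.parent.name": "python3", "process.parent.entity_id": "p1"},
    # host h2: a build runs python and, unrelated to it, a shell, both under make
    {"ts": 3, "host.id": "h2", "process.name": "python3", "process.entity_id": "p3",
     "process.parent.name": "make", "process.parent.entity_id": "p9"},
    {"ts": 4, "host.id": "h2", "process.name": "sh", "process.entity_id": "p4",
     "process.parent.name": "make", "process.parent.entity_id": "p9"},
    # host h3: oddly cased name, to show ':' versus '==' behaviour
    {"ts": 5, "host.id": "h3", "process.name": "Bash", "process.entity_id": "p5",
     "process.parent.name": "python3", "process.parent.entity_id": "p6"},
]

INTERPRETERS = ("python", "python2", "python3")
SHELLS = ("bash", "sh", "dash", "zsh")


def match_colon(value: object, patterns: Sequence[str]) -> bool:
    """EQL ':' semantics (simplified): case-insensitive, wildcard-enabled."""
    return any(fnmatch.fnmatchcase(str(value).lower(), p.lower()) for p in patterns)


def match_in(value: object, values: Sequence[str]) -> bool:
    """EQL '==' / 'in' semantics: case-sensitive exact match, no wildcards."""
    return value in values


def sequence_rule(events: List[Event], first_key: Callable[[Event], object],
                  second_key: Callable[[Event], object], maxspan: int = 5) -> List[str]:
    """Simplified two-stage sequence: [interpreter start] then, within maxspan,
    [shell start], joined on first_key(stage 1) == second_key(stage 2).
    Keyed on host.id it keeps per-host state and pairs unrelated processes;
    keyed on entity_id it pairs only a genuine parent/child."""
    pending: Dict[object, int] = {}   # join key -> timestamp of stage-1 event
    hits: List[str] = []
    for e in sorted(events, key=lambda x: x["ts"]):
        if match_in(e["process.name"], INTERPRETERS):
            pending[first_key(e)] = e["ts"]
        elif match_in(e["process.name"], SHELLS):
            t0 = pending.pop(second_key(e), None)   # expired or used state is dropped
            if t0 is not None and e["ts"] - t0 <= maxspan:
                hits.append(e["process.entity_id"])
    return hits


def single_event_rule(events: List[Event],
                      op: Callable[[object, Sequence[str]], bool] = match_in) -> List[str]:
    """No sequence at all: the child event already carries the parent's name,
    so 'shell whose parent is an interpreter' is a single-event predicate."""
    return [e["process.entity_id"] for e in events
            if op(e["process.name"], SHELLS) and op(e["process.parent.name"], INTERPRETERS)]


def by_host(e: Event) -> object:
    return e["host.id"]


def own_entity(e: Event) -> object:
    return e["process.entity_id"]


def parent_entity(e: Event) -> object:
    return e["process.parent.entity_id"]


if __name__ == "__main__":
    print("sequence by host.id:   ", sequence_rule(EVENTS, by_host, by_host))
    print("sequence by entity_id: ", sequence_rule(EVENTS, own_entity, parent_entity))
    print("single event, '==':    ", single_event_rule(EVENTS, match_in))
    print("single event, ':':     ", single_event_rule(EVENTS, match_colon))
```

Keyed on host.id the sequence also pairs the unrelated make-spawned python3 and sh on h2; keyed on entity_id it pairs only the real parent/child on h1, and once the child event carries process.parent.name the sequence state is not needed at all. The oddly cased Bash event is caught by `:` but not by `==`/`in`, which is the stricter and cheaper comparison the summary is moving to.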

license = "Elastic License v2"
name = "Interactive Terminal Spawned via Python"
risk_score = 73
rule_id = "d76b02ef-fc95-4001-9297-01cb7412232f"
severity = "high"
tags = ["Elastic", "Host", "Linux", "Threat Detection", "Execution"]
timestamp_override = "event.ingested"
type = "query"
type = "eql"
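Review bot: the removed/added pair `type = "query"` / `type = "eql"` changes the type of a locked rule (Interactive Terminal Spawned via Python), which the repository's locked-rule check rejects; the failed test quoted further down this page reports exactly that for the Perl sibling (`ValueError: cannot change "type" in locked rule ... from query to eql`), and this rule will fail the same way. Revert to `type = "query"` as asked in #1730, together with the matching `language` line and the query body so the rule stays internally consistent; if an EQL form of this detection is wanted it belongs in a separate new rule rather than in a type change to a locked one.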
Contributor (review comment):

no type changes in rules - can we revert this change? #1730

Contributor Author:

How do I revert it?

@@ -11,19 +11,20 @@ interactive tty after obtaining initial access to a host.
"""
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "kuery"
language = "eql"
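Review bot: `language = "kuery"` to `language = "eql"` is the other half of the locked-rule type change and has to be reverted with it, not on its own: a KQL body has no `where` clause and will not parse under `language = "eql"`, and an EQL body will not run as `kuery`, so `type`, `language` and the query body must move together in whichever direction is chosen.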
Contributor (review comment):

can we revert this - #1730

Contributor (review comment):

this should be failing due to #1855 ...

@brokensound77 (Contributor) Mar 24, 2022:

fix in #1880 - which will cause this PR to fail (as expected) until type changes are reverted

Contributor (review comment):

failed test

    ValueError: cannot change "type" in locked rule: Interactive Terminal Spawned via Perl from query to eql

Contributor Author:

How do I revert it?

@shashank-elastic (Contributor):

Changes with GTFOBin rules look good. Approving the PR.

@DefSecSentinel DefSecSentinel requested a review from w0rk3r March 28, 2022 18:50

@brokensound77 (Contributor) left a comment:

LGTM, thanks for the changes 👍

@DefSecSentinel DefSecSentinel merged commit bcec8a4 into main Mar 29, 2022
@DefSecSentinel DefSecSentinel deleted the shell-evasion-rule-tuning branch March 29, 2022 14:16
@brokensound77 brokensound77 added the bug Something isn't working label Mar 29, 2022
This was referenced Mar 29, 2022
Mikaayenson pushed a commit that referenced this pull request Mar 30, 2022
* Linux Shell Evasion Rule Tuning

* Update execution_python_tty_shell.toml

* Update rules/linux/execution_apt_binary.toml

Co-authored-by: Justin Ibarra <[email protected]>

* Update rules/linux/execution_apt_binary.toml

* Update rules/linux/execution_awk_binary_shell.toml

Co-authored-by: Justin Ibarra <[email protected]>

* Update rules/linux/execution_awk_binary_shell.toml

* Update rules/linux/execution_c89_c99_binary.toml

Co-authored-by: Justin Ibarra <[email protected]>

* Update rules/linux/execution_c89_c99_binary.toml

* Update rules/linux/execution_cpulimit_binary.toml

Co-authored-by: Justin Ibarra <[email protected]>

* Update rules/linux/execution_cpulimit_binary.toml

* Update rules/linux/execution_expect_binary.toml

Co-authored-by: Justin Ibarra <[email protected]>

* Update rules/linux/execution_expect_binary.toml

Co-authored-by: Justin Ibarra <[email protected]>

* Update rules/linux/execution_expect_binary.toml

* Update rules/linux/execution_find_binary.toml

Co-authored-by: Justin Ibarra <[email protected]>

* Update rules/linux/execution_find_binary.toml

* Update rules/linux/execution_gcc_binary.toml

Co-authored-by: Justin Ibarra <[email protected]>

* Update rules/linux/execution_gcc_binary.toml

* Update rules/linux/execution_mysql_binary.toml

Co-authored-by: Justin Ibarra <[email protected]>

* Update rules/linux/execution_mysql_binary.toml

* Update rules/linux/execution_nice_binary.toml

Co-authored-by: Justin Ibarra <[email protected]>

* Update rules/linux/execution_nice_binary.toml

* Update rules/linux/execution_ssh_binary.toml

Co-authored-by: Justin Ibarra <[email protected]>

* Update rules/linux/execution_ssh_binary.toml

* Update execution_perl_tty_shell.toml

* Update execution_python_tty_shell.toml

* Update rules/linux/execution_apt_binary.toml

Co-authored-by: Justin Ibarra <[email protected]>

* Update rules/linux/execution_awk_binary_shell.toml

Co-authored-by: Justin Ibarra <[email protected]>

* Update rules/linux/execution_c89_c99_binary.toml

Co-authored-by: Justin Ibarra <[email protected]>

* Update rules/linux/execution_cpulimit_binary.toml

Co-authored-by: Justin Ibarra <[email protected]>

* Update rules/linux/execution_expect_binary.toml

Co-authored-by: Justin Ibarra <[email protected]>

* Update rules/linux/execution_find_binary.toml

Co-authored-by: Justin Ibarra <[email protected]>

* Update rules/linux/execution_gcc_binary.toml

Co-authored-by: Justin Ibarra <[email protected]>

* Update rules/linux/execution_mysql_binary.toml

Co-authored-by: Justin Ibarra <[email protected]>

* Update rules/linux/execution_nice_binary.toml

Co-authored-by: Justin Ibarra <[email protected]>

* Update rules/linux/execution_ssh_binary.toml

Co-authored-by: Justin Ibarra <[email protected]>

Co-authored-by: Justin Ibarra <[email protected]>
3 participants