SigmaHQ / sigma

Main Sigma Rule Repository

Converted Auditd rules #5059

Open defensivedepth opened 1 month ago

defensivedepth commented 1 month ago

Summary of the Pull Request

Reviewed EXECVE Auditd rules to see if they have process_creation counterparts. Created a new process_creation rule where needed, added a related field to existing process_creation rules and updated the Auditd rule as needed.

Changelog

Process Creation:
new: Bpfdoor TCP Ports Redirect - Process Creation
new: File Time Attribute Change - Process Creation
new: Possible Coin Miner CPU Priority Param - Process Creation
new: Steganography Embed or Extract Files with Steghide - Process Creation
chore: Remove Immutable File Attribute - Title
chore: Clipboard Collection with Xclip Tool - Title + Related id
chore: DD File Overwrite - Process Creation - Title + Related id

Auditd:
chore: Bpfdoor TCP Ports Redirect - Title
chore: File Time Attribute Change - Title
chore: Possible Coin Miner CPU Priority Param - Title
chore: Overwriting the File with Dev Zero or Null - Title
chore: Steganography Hide Files with Steghide - Title
chore: Steganography Extract Files with Steghide - Title

Example Log Event

Fixed Issues

SigmaHQ Rule Creation Conventions
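The conversion the PR describes pairs an auditd EXECVE rule with a process_creation rule and links them through the related field. The following is an added example, not code from the SigmaHQ repository or from this PR, of the two checks a reviewer would want for such a pair: that every auditd rule is referenced as "similar" by some process_creation rule, and that the two rules actually fire on the same activity. The rule bodies, rule ids and log events are constructed for illustration (the ids are placeholders, the rules are written as the dicts PyYAML would load, and only a single selection with the contains/startswith/endswith modifiers is evaluated); the third event pair is there to show the caveat that an exact a1 match in the auditd rule and a CommandLine|contains match in the process_creation rule do not always agree.

```python
"""Added example, not code from the SigmaHQ repository or the PR: a minimal
checker for an auditd EXECVE rule and its process_creation counterpart.
(1) verifies that the auditd rule is referenced via `related` (type: similar)
by a process_creation rule; (2) runs both rules over constructed event pairs
to find activity on which they disagree.  Rule bodies, ids and events are
constructed for illustration; only 'condition: selection' with the
contains/startswith/endswith modifiers is supported."""
from typing import Any

# Constructed auditd rule (hypothetical id), in the shape PyYAML would load it.
AUDITD_RULE: dict[str, Any] = {
    "title": "Remove Immutable File Attribute",
    "id": "11111111-1111-4111-8111-111111111111",  # hypothetical
    "logsource": {"product": "linux", "service": "auditd"},
    "detection": {
        "selection": {"type": "EXECVE", "a0": "chattr", "a1": "-i"},
        "condition": "selection",
    },
}

# Constructed process_creation counterpart (hypothetical id) linked via `related`.
PROC_RULE: dict[str, Any] = {
    "title": "Remove Immutable File Attribute - Process Creation",
    "id": "22222222-2222-4222-8222-222222222222",  # hypothetical
    "related": [{"id": AUDITD_RULE["id"], "type": "similar"}],
    "logsource": {"product": "linux", "category": "process_creation"},
    "detection": {
        "selection": {"Image|endswith": "/chattr", "CommandLine|contains": " -i"},
        "condition": "selection",
    },
}

# Constructed events: each pair is (auditd EXECVE record, process_creation
# record) describing the same command, so the two rules can be compared.
EVENT_PAIRS = [
    ({"type": "EXECVE", "a0": "chattr", "a1": "-i", "a2": "/etc/passwd"},
     {"Image": "/usr/bin/chattr", "CommandLine": "chattr -i /etc/passwd"}),
    ({"type": "EXECVE", "a0": "chattr", "a1": "+i", "a2": "/etc/passwd"},
     {"Image": "/usr/bin/chattr", "CommandLine": "chattr +i /etc/passwd"}),
    # Combined flags: the exact a1 match misses it, CommandLine|contains catches it.
    ({"type": "EXECVE", "a0": "chattr", "a1": "-ia", "a2": "/var/log/auth.log"},
     {"Image": "/usr/bin/chattr", "CommandLine": "chattr -ia /var/log/auth.log"}),
]


def _field_matches(spec_key: str, expected: Any, event: dict[str, Any]) -> bool:
    """Evaluate one 'Field|modifier: value' entry of a Sigma selection."""
    field, _, modifier = spec_key.partition("|")
    if field not in event:
        return False
    value = str(event[field])
    for exp in (expected if isinstance(expected, list) else [expected]):
        exp = str(exp)
        if modifier == "" and value == exp:
            return True
        if modifier == "contains" and exp in value:
            return True
        if modifier == "startswith" and value.startswith(exp):
            return True
        if modifier == "endswith" and value.endswith(exp):
            return True
    return False


def rule_matches(rule: dict[str, Any], event: dict[str, Any]) -> bool:
    """True if the event satisfies every entry of the rule's single selection."""
    detection = rule["detection"]
    if detection.get("condition") != "selection":
        raise ValueError("this example only supports 'condition: selection'")
    return all(_field_matches(k, v, event) for k, v in detection["selection"].items())


def unlinked_auditd_rules(auditd_rules: list[dict[str, Any]],
                          proc_rules: list[dict[str, Any]]) -> list[str]:
    """Ids of auditd rules that no process_creation rule references as 'similar'."""
    linked = {rel["id"] for p in proc_rules for rel in p.get("related", [])
              if rel.get("type") == "similar"}
    return [r["id"] for r in auditd_rules if r["id"] not in linked]


def disagreements(auditd_rule: dict[str, Any], proc_rule: dict[str, Any],
                  pairs: list[tuple[dict[str, Any], dict[str, Any]]]) -> list[str]:
    """CommandLines on which the auditd and process_creation rules disagree."""
    return [proc_ev["CommandLine"] for audit_ev, proc_ev in pairs
            if rule_matches(auditd_rule, audit_ev) != rule_matches(proc_rule, proc_ev)]


if __name__ == "__main__":
    print("unlinked auditd rules:", unlinked_auditd_rules([AUDITD_RULE], [PROC_RULE]))
    print("rules disagree on:", disagreements(AUDITD_RULE, PROC_RULE, EVENT_PAIRS))
```

Running it reports no unlinked auditd rule and one disagreement, "chattr -ia /var/log/auth.log": the auditd rule's exact a1 value does not cover combined flags while the process_creation rule's substring match does, which is the kind of gap worth noting when the two rules are meant to be counterparts.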