This PR adds two new rules related to Git Hook persistence.
Git Hook Created or Modified
Git Hook Child Process
Git Hook Created or Modified
7 hits in my stack last 90d, all related to ALPHA testing. 2 hits last 60d in telemetry.
This rule detects the creation or modification of a Git hook file on a Linux system. Git hooks are scripts that Git executes before or after events such as commit, push, and receive. They are used to automate tasks, enforce policies, and customize Git's behavior. Attackers can abuse Git hooks to maintain persistence on a system by executing malicious code whenever a specific Git event occurs.
Git Hook Child Process
19 hits in my testing stack last 90d, all related to ALPHA testing. 0 hits in telemetry last 90d.
This rule detects child processes spawned by Git hooks. Git hooks are scripts that Git executes before or after events such as commit, push, and receive. The rule identifies child processes spawned by Git hooks that are not typically spawned by the Git process itself. This behavior may indicate an attacker attempting to hide malicious activity by leveraging the legitimate Git process to execute unauthorized commands.
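To make the two detections concrete, here is an added example (not the rules from this PR and not Elastic's query logic) that applies the same two ideas to constructed file and process events: flag writes to a hook file Git would actually execute (ignoring the inert `.sample` files that `git init` ships), and flag children of a running hook script other than an assumed-expected `git` child. The event field names and the `EXPECTED_HOOK_CHILDREN` allowlist are assumptions for this example.

```python
import re
from typing import Optional

# Hook names Git runs (subset of `git help hooks`). A file under .git/hooks/
# with another name, or with the ".sample" suffix, is never executed by Git.
GIT_HOOKS = {
    "applypatch-msg", "pre-applypatch", "post-applypatch", "pre-commit",
    "pre-merge-commit", "prepare-commit-msg", "commit-msg", "post-commit",
    "pre-rebase", "post-checkout", "post-merge", "pre-push", "pre-receive",
    "update", "post-receive", "post-update", "reference-transaction",
    "push-to-checkout", "pre-auto-gc", "post-rewrite", "fsmonitor-watchman",
}
HOOK_PATH = re.compile(r"(?:^|/)\.git/hooks/([^/]+)$")

def hook_name(path: str) -> Optional[str]:
    """Return the hook name if `path` is a hook Git would execute, else None."""
    m = HOOK_PATH.search(path)
    return m.group(1) if m and m.group(1) in GIT_HOOKS else None

def is_hook_file_event(ev: dict) -> bool:
    """Rule 1: a Git hook file was created or modified."""
    return ev.get("action") in ("creation", "modification") and hook_name(ev["path"]) is not None

# Children a hook commonly spawns itself; an assumption for this example, tune per environment.
EXPECTED_HOOK_CHILDREN = {"git"}

def is_hook_child_process(ev: dict) -> bool:
    """Rule 2: a process whose parent command line is a Git hook script."""
    parent_runs_hook = any(hook_name(arg) for arg in ev.get("parent_args", []))
    return parent_runs_hook and ev["name"] not in EXPECTED_HOOK_CHILDREN

def triage(file_events, process_events):
    """Return the events each rule would alert on, in input order."""
    return ([e for e in file_events if is_hook_file_event(e)],
            [e for e in process_events if is_hook_child_process(e)])

# Constructed sample telemetry (not real data): one live hook write, two benign writes,
# one unexpected child of a hook, one expected `git` child, and the hook script itself.
FILE_EVENTS = [
    {"action": "creation", "path": "/home/dev/app/.git/hooks/pre-commit"},
    {"action": "creation", "path": "/home/dev/app/.git/hooks/pre-commit.sample"},
    {"action": "modification", "path": "/home/dev/app/.git/hooks/README"},
]
PROCESS_EVENTS = [
    {"name": "python3", "args": ["python3", "/tmp/updater.py"],
     "parent_name": "sh", "parent_args": ["sh", "/home/dev/app/.git/hooks/post-checkout"]},
    {"name": "git", "args": ["git", "diff", "--cached"],
     "parent_name": "sh", "parent_args": ["sh", ".git/hooks/pre-commit"]},
    {"name": "sh", "args": ["sh", "/home/dev/app/.git/hooks/pre-commit"],
     "parent_name": "git", "parent_args": ["git", "commit", "-m", "x"]},
]
```

Running `triage(FILE_EVENTS, PROCESS_EVENTS)` returns only the `pre-commit` write and the `python3` child; the hook script launched by `git` itself is left to the file rule, since the hook had to be written before Git could run it.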