[Rule Tuning] Potential Linux Hack Tool Launched (#4191)

Aegrah · web-flow · commit 9e4fce65867c · 2024-10-25T17:23:48.000+02:00
diff --git a/rules/linux/execution_potential_hack_tool_executed.toml b/rules/linux/execution_potential_hack_tool_executed.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/09/22"
 integration = ["endpoint", "auditd_manager"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/10/22"
 
 [rule]
 author = ["Elastic"]
@@ -56,10 +56,10 @@ tags = [
 ]
 timestamp_override = "event.ingested"
 type = "eql"
-
 query = '''
-process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started")
- and process.name in (
+process where host.os.type == "linux" and event.type == "start" and
+event.action in ("exec", "exec_event", "executed", "process_started") and
+process.name in~ (
   // exploitation frameworks
   "crackmapexec", "msfconsole", "msfvenom", "sliver-client", "sliver-server", "havoc",
   // network scanners (nmap left out to reduce noise)
@@ -73,16 +73,15 @@ process where host.os.type == "linux" and event.type == "start" and event.action
   // cracking and brute forcing
   "john", "hashcat", "hydra", "ncrack", "cewl", "fcrackzip", "rainbowcrack",
   // host and network
-  "linenum.sh", "linpeas.sh", "pspy32", "pspy32s", "pspy64", "pspy64s", "binwalk", "evil-winrm"
+  "linenum.sh", "linpeas.sh", "pspy32", "pspy32s", "pspy64", "pspy64s", "binwalk", "evil-winrm",
+  "linux-exploit-suggester-2.pl", "linux-exploit-suggester.sh", "panix.sh"
 )
 '''
 
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
-
