
Commit 616222d

Aegrah authored and github-actions[bot] committed
[Rule Tuning] System Binary Moved or Copied (#3933)
(cherry picked from commit 485312d)
1 parent 583dc6d commit 616222d


1 file changed

+2
-2
lines changed

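--- a/rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml
+++ b/rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/08/29"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/07/18"
+updated_date = "2024/07/31"
 
 [rule]
 author = ["Elastic"]
@@ -73,7 +73,7 @@ file.Ext.original.path : (
 "/bin/node", "/usr/bin/node", "/sbin/apk", "/usr/sbin/apk", "/usr/local/sbin/apk", "/usr/bin/pip", "/bin/pip",
 "/usr/local/bin/pip", "/usr/libexec/platform-python", "/usr/bin/platform-python", "/bin/platform-python",
 "/usr/lib/systemd/systemd", "/usr/sbin/sshd", "/sbin/sshd", "/usr/local/sbin/sshd", "/usr/sbin/crond", "/sbin/crond",
-"/usr/local/sbin/crond", "/usr/sbin/gdm",
+"/usr/local/sbin/crond", "/usr/sbin/gdm"
 ) or
 file.Ext.original.path : (
 "/bin/*.tmp", "/usr/bin/*.tmp", "/usr/local/bin/*.tmp", "/sbin/*.tmp", "/usr/sbin/*.tmp", "/usr/local/sbin/*.tmp"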