Thomas Strömberg

Results 82 issues of Thomas Strömberg

Detection will be less racy on machines with eventing enabled.

good first issue

For less racy detection.

good first issue

This way we would find more things on nodes with events enabled.

Many queries contain false positives in certain environments. `osqtool` should offer a way to encode false positives specific to that environment, but allow a working query to be shared. One...

TripleCross does not compile out of the box with ArchLinux today, due to its inclusion of libbpf 1.0.1:

```shell
% make all
MKDIR .output
MKDIR .output/libbpf
LIB libbpf.a
MKDIR /home/t/src/TripleCross/src/.output//libbpf/staticobjs
...
```

**Describe the bug**

The "Suspicious Access to Web Browser Credential Stores" rule only supports Windows. Could it please be ported to Linux and macOS?

**To Reproduce**

1. View https://github.com/elastic/protections-artifacts/blob/main/behavior/rules/credential_access_suspicious_access_to_web_browser_credential_stores.toml
2. ...

bug
behavior
Area: RAD

**Describe the bug**

The "Sensitive File Access - Cloud Credentials" rule only supports Windows. Could it please be ported to Linux and macOS?

**To Reproduce**

1. View https://github.com/elastic/protections-artifacts/blob/main/behavior/rules/credential_access_sensitive_file_access_cloud_credentials.toml
3. Notice...

bug
behavior
Area: RAD

I'm concerned that traitor could leave a modified passwd file in place if the test times out. Unfortunately, I don't have a vulnerable machine for testing at this time. Because...

As some compromises hysterically end up mining crypto-coins, we should simulate appropriately: https://attack.mitre.org/techniques/T1496/ Perhaps we can rig something up to use XMrig to mine Monero for 15 seconds?

Using head:

```
% go-get-proxied -j
{
  "host": "10.9.8.7",
  "password": null,
  "port": 31280,
  "protocol": "",
  "src": "State:/Network/Global/Proxies",
  "username": null
}
```

I have both set.

```
% scutil --proxy
{...
```