Created March 23, 2020 18:12
Gist vicenteherrera/2a6220273a34ba675b02c809a683a889
- rule: DB program spawned process
  desc: >
    a database-server related program spawned a new process other than itself.
    This shouldn't occur and is a follow on from some SQL injection attacks.
  condition: >
    proc.pname in (db_server_binaries)
    and spawned_process
    and not proc.name in (db_server_binaries)
    and not postgres_running_wal_e
  output: >
    Database-related program spawned process other than itself (user=%user.name
    program=%proc.cmdline parent=%proc.pname container_id=%container.id image=%container.image.repository)
  priority: NOTICE
  tags: [process, database, mitre_execution]
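To show what the condition above matches and what it excludes, here is an added Python model of the rule (not part of the gist or of Falco itself) that evaluates the condition over constructed process events. The `db_server_binaries` list and the `spawned_process` and `postgres_running_wal_e` macros are not defined on this page, so their bodies below are assumptions approximating the upstream Falco definitions; the event field names mirror the Falco fields the rule uses.

```python
# ASSUMPTION: approximate bodies for the list and macros the rule references;
# the authoritative definitions live in Falco's own rules file, not here.
DB_SERVER_BINARIES = {"mysqld", "postgres", "sqlplus"}

def spawned_process(evt):
    """Exec syscall exit event (Falco's spawned_process macro, approximated)."""
    return evt["type"] in ("execve", "execveat") and evt["dir"] == "<"

def postgres_running_wal_e(evt):
    """Allowlisted WAL-E backup helper launched by postgres (approximated)."""
    return (evt["pname"] == "postgres"
            and evt["cmdline"].startswith("sh -c envdir /etc/wal-e.d/env"))

def db_program_spawned_process(evt):
    """True when the rule's condition holds for this event."""
    return (evt["pname"] in DB_SERVER_BINARIES
            and spawned_process(evt)
            and evt["name"] not in DB_SERVER_BINARIES
            and not postgres_running_wal_e(evt))

def render_output(evt):
    """Fill the rule's output template from the event fields."""
    return ("Database-related program spawned process other than itself "
            f"(user={evt['user']} program={evt['cmdline']} parent={evt['pname']} "
            f"container_id={evt['container_id']} image={evt['image']})")

def mk(pname, name, cmdline, evt_dir="<"):
    """Build a constructed event carrying the fields the condition reads."""
    return {"type": "execve", "dir": evt_dir, "pname": pname, "name": name,
            "cmdline": cmdline, "user": "mysql", "container_id": "c0ffee",
            "image": "example/db"}

# Constructed sample events: only the first should produce an alert.
EVENTS = [
    mk("mysqld", "sh", "sh -c id"),                   # shell under mysqld
    mk("postgres", "postgres", "postgres: worker"),   # DB forking itself
    mk("postgres", "sh", "sh -c envdir /etc/wal-e.d/env /usr/local/bin/wal-e backup-push"),
    mk("mysqld", "sh", "sh -c id", evt_dir=">"),      # syscall enter, not a spawn
]

def alerts(events):
    """Return the rendered alert for every event matching the rule."""
    return [render_output(e) for e in events if db_program_spawned_process(e)]

if __name__ == "__main__":
    for line in alerts(EVENTS):
        print(line)
```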