Rules Update

pyproject.toml

@@ -12,7 +12,7 @@ dependencies = [
     "pymisp>=2.4.179",
     "PyYAML>=6.0.1",
     "ruamel-yaml>=0.18.5",
-    "termcolor>=2.3.0",
+    "termcolor>=2.4.0",
     "pysigma>=0.10.9",
     "pysigma-pipeline-sysmon>=1.0.3",
     "pysigma-pipeline-windows>=1.1.1",

rules_linux.json

@@ -2373,6 +2373,24 @@
         ],
         "filename": "proc_creation_lnx_susp_java_children.yml"
     },
+    {
+        "title": "Potential Linux Process Code Injection Via DD Utility",
+        "id": "4cad6c64-d6df-42d6-8dae-eb78defdc415",
+        "description": "Detects the injection of code by overwriting the memory map of a Linux process using the \"dd\" Linux command.",
+        "author": "Joseph Kamau",
+        "tags": [
+            "attack.defense_evasion",
+            "attack.t1055.009"
+        ],
+        "falsepositives": [
+            "Unknown"
+        ],
+        "level": "medium",
+        "rule": [
+            "SELECT * FROM logs WHERE (Image LIKE '%/dd' ESCAPE '\\' AND CommandLine LIKE '%of=%' ESCAPE '\\' AND CommandLine LIKE '%/proc/%' ESCAPE '\\' AND CommandLine LIKE '%/mem%' ESCAPE '\\')"
+        ],
+        "filename": "proc_creation_lnx_dd_process_injection.yml"
+    },
     {
         "title": "Decode Base64 Encoded Text",
         "id": "e2072cab-8c9a-459b-b63c-40ae79e27031",