From 743e4c477cd872a338848a44d2fe3f76f0be1cc9 Mon Sep 17 00:00:00 2001
From: Milad Cheraghi
Date: Tue, 10 Dec 2024 13:38:38 +0330
Subject: [PATCH] Some Images and one technique Added

---
 .../proc_creation_lnx_cat_sudoers.yml | 18 +++++++++++++-----
 1 file changed, 13 insertions(+), 5 deletions(-)

diff --git a/rules/linux/process_creation/proc_creation_lnx_cat_sudoers.yml b/rules/linux/process_creation/proc_creation_lnx_cat_sudoers.yml
index f1dde2f9bc1..05397881811 100644
--- a/rules/linux/process_creation/proc_creation_lnx_cat_sudoers.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_cat_sudoers.yml
@@ -4,9 +4,9 @@ status: test
 description: Detects the execution of a cat /etc/sudoers to list all users that have sudo rights
 references:
     - https://github.com/sleventyeleven/linuxprivchecker/
-author: Florian Roth (Nextron Systems)
+author: Florian Roth (Nextron Systems), CheraghiMilad
 date: 2022-06-20
-modified: 2022-09-15
+modified: 2024-12-10
 tags:
     - attack.reconnaissance
     - attack.t1592.004
@@ -14,13 +14,21 @@ logsource:
     category: process_creation
     product: linux
 detection:
-    selection:
+    selection_1:
+        Image|endswith: '/visudo'
+    selection_2:
         Image|endswith:
+            - '/grep'
             - '/cat'
-            - 'grep'
+            - '/ed'
             - '/head'
-            - '/tail'
             - '/more'
+            - '/nano'
+            - '/tail'
+            - '/less'
+            - '/vi'
+            - '/vim'
+            - '/emacs'
         CommandLine|contains: ' /etc/sudoers'
     condition: selection
 falsepositives:
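Review bot: `condition: selection` in the second hunk still names the old selection, but the hunk renames it to `selection_1` and `selection_2`, so the rule now references a selection that no longer exists and will fail Sigma validation or conversion instead of matching anything. Change it to `condition: 1 of selection_*` (or `condition: selection_1 or selection_2`) so both the visudo branch and the pager/editor branch are evaluated. Note also that `selection_1` carries no CommandLine constraint, so every administrative `visudo` run will fire; that is presumably intended, but the `falsepositives:` section (which continues past the hunk) and the `description:` in the first hunk, which still reads "cat /etc/sudoers", should be updated to reflect the broadened set of editors and pagers.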