diff --git a/rules-emerging-threats/2025/Exploits/CVE-2025-32463/file_event_lnx_exploit_cve_2025_32463.yml b/rules-emerging-threats/2025/Exploits/CVE-2025-32463/file_event_lnx_exploit_cve_2025_32463.yml
index de969c7d2..ea07151e6 100644
--- a/rules-emerging-threats/2025/Exploits/CVE-2025-32463/file_event_lnx_exploit_cve_2025_32463.yml
+++ b/rules-emerging-threats/2025/Exploits/CVE-2025-32463/file_event_lnx_exploit_cve_2025_32463.yml
@@ -10,6 +10,7 @@ references:
 - https://github.com/kh4sh3i/CVE-2025-32463/blob/81bb430f84fa2089224733c3ed4bfa434c197ad4/exploit.sh
 author: Swachchhanda Shrawn Poudel (Nextron Systems)
 date: 2025-10-02
+modified: 2026-03-31
 tags:
 - attack.privilege-escalation
 - attack.t1068
@@ -22,7 +23,9 @@ detection:
 selection:
 TargetFilename|endswith: '/etc/nsswitch.conf'
 filter_main_legitimate_path:
- TargetFilename: '/etc/nsswitch.conf'
+ TargetFilename:
+ - '/etc/nsswitch.conf'
+ - '/usr/share/factory/etc/nsswitch.conf'
 condition: selection and not 1 of filter_main_*
 falsepositives:
 - Backup locations
diff --git a/rules/windows/file/file_event/file_event_win_susp_double_extension.yml b/rules/windows/file/file_event/file_event_win_susp_double_extension.yml
index 3bd6f6098..53b01bef9 100644
--- a/rules/windows/file/file_event/file_event_win_susp_double_extension.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_double_extension.yml
@@ -17,7 +17,7 @@ references:
 - https://vipre.com/blog/svg-phishing-attacks-the-new-trick-in-the-cybercriminals-playbook/
 author: Nasreddine Bencherchali (Nextron Systems), frack113
 date: 2022-06-19
-modified: 2025-07-22
+modified: 2026-03-31
 tags:
 - attack.defense-evasion
 - attack.t1036.007
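Review bot: The new filter entry `'/usr/share/factory/etc/nsswitch.conf'` in `filter_main_legitimate_path` is not explained anywhere in the rule: the `falsepositives` section in the same hunk still lists only `Backup locations`, so a reader cannot tell why a second exact path is exempted. Presumably this is the systemd factory-defaults tree (confirm against the events that prompted it); add an entry such as `- Distribution defaults under /usr/share/factory/ (systemd factory tree)` next to `Backup locations`. The exemption stays an exact match on a root-owned path, which is the right shape — an `endswith` or `contains` variant would let a chroot-staged copy under an attacker-writable directory slip past the `selection`, so keep the filter exact. The `detection` block's header is outside this hunk.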
@@ -59,7 +59,9 @@ detection:
 # TargetFilename|contains:
 # - '\AppData\Roaming\Microsoft\Office\Recent\'
 # - '\AppData\Roaming\Microsoft\Windows\Recent\'
- condition: 1 of selection_*
+ filter_icons_linux:
+ TargetFilename|startswith: '/usr/share/icons/'
+ condition: 1 of selection_* and not 1 of filter_*
 falsepositives:
 - Unlikely
 level: high
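Review bot: The added `filter_icons_linux` exempts a Linux path prefix in a rule that lives under `rules/windows/`, while the `falsepositives` list directly below it still says `Unlikely`. If the rule's `logsource` (outside this hunk) is `product: windows`, the filter can never match and the false positive belongs in whatever mapping applies this rule to Linux file events; if the rule is meant to be product-agnostic, state that and replace `Unlikely` with something like `- Icon theme files under /usr/share/icons/ on Linux hosts`. `startswith: '/usr/share/icons/'` also exempts the entire tree — if the observed files share one known double extension, narrowing the filter to that pattern keeps coverage for anything else written into that directory. For consistency with the `filter_main_*` naming used in the other rule in this commit, `filter_main_icons_linux` would fit the project convention better. The `selection_*` definitions this filter is combined with begin outside the hunk.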