362f4e4e60
fix: apply suggestions from code review
...
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com >
2023-02-16 11:05:38 +01:00
7ec76db26c
Merge branch 'master' into wmic-rules-updates
2023-02-15 19:58:11 +01:00
e52edb69c4
Merge pull request #4039 from fornotes/master
...
Added New Rule for LPE via StorSvc DLL Hijack
2023-02-15 19:18:39 +01:00
39e957d7ee
fix: update title
2023-02-15 19:11:39 +01:00
33207aa7ab
fix: change link to permalink
2023-02-15 13:37:05 +01:00
2fd43cbe82
fix: typo in field
2023-02-15 13:27:56 +01:00
c99d1f1876
fix: add some missing fields
2023-02-15 13:25:59 +01:00
8876b4ba01
added SprintCSP.dll for StorSvc DLL Hijack
2023-02-15 11:37:18 +00:00
5b3f97776a
Merge pull request #4042 from nasbench/localpotato-binary-rule
...
feat: add localpotato binary rule
2023-02-15 12:30:41 +01:00
c42db7489d
Merge branch 'SigmaHQ:master' into master
2023-02-15 11:30:22 +00:00
96d774babd
removed file_event_win_storsvc_dll_hijack.yml
...
as suggested by nasbench
2023-02-15 11:29:57 +00:00
ff4242dadd
feat: add new application vulnerability rules ( #4034 )
2023-02-15 12:29:53 +01:00
51ed166480
Merge branch 'SigmaHQ:master' into master
2023-02-15 11:26:53 +00:00
5aeedfa813
fix: increase severity
2023-02-14 23:35:09 +01:00
8506dcaec8
feat: add related field
2023-02-14 23:34:14 +01:00
cbbf443eb5
feat: add localpotato binary rule
2023-02-14 19:57:26 +01:00
514eeb63fd
fix: typo in related field
2023-02-14 19:43:20 +01:00
7b86bea7ac
fix: add missing modified
2023-02-14 19:30:19 +01:00
2ef681291a
feat: more rules updates
2023-02-14 19:30:18 +01:00
4f59a13d46
feat: update wmic rules
2023-02-14 19:30:18 +01:00
d9d9227910
feat: new rule related to CVE-2022-21587 ( #4037 )
2023-02-14 14:30:12 +01:00
c0bda80e3e
Added file_event_win_storsvc_dll_hijack.yml
2023-02-14 15:06:53 +05:30
a79abaaf45
Merge pull request #4033 from qasimqlf/patch-32
...
feat: add missing `OriginalFileName` field
2023-02-13 14:48:10 +01:00
1adec45ca6
fix: add OriginalFileName ( #4032 )
2023-02-13 14:40:54 +01:00
ab611c29ba
fix: updated condition ( #4031 )
2023-02-13 14:37:33 +01:00
7b435afa4d
feat: add missing OriginalFileName field
2023-02-11 23:04:18 +05:00
da61cf17bd
Merge pull request #4028 from securepeacock/patch-39
...
Create proc_creation_win_userdomain_variable_enumeration.yml
2023-02-11 07:23:32 +01:00
095b41370f
Merge pull request #4027 from nasbench/nasbench-rule-devel
...
feat: updates and enhancements
2023-02-10 10:59:14 +01:00
6623dec47b
fix: some stylistic issues
2023-02-10 10:56:37 +01:00
1d89b041ae
fix: change title from domain to wbesites
2023-02-10 10:49:52 +01:00
5e3aae4970
fix: apply suggestions from code review
...
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com >
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com >
2023-02-10 10:38:45 +01:00
677ae061c5
Merge pull request #4030 from BlueTeamNinja/patch-1
...
fix: remove trailing space from logic
2023-02-10 10:35:20 +01:00
38e160cac2
Merge pull request #4029 from nasbench/fix-sigmac-modifier-bug
...
fix: add new edge case handling
2023-02-10 08:48:58 +01:00
82d0b9e10c
fix: add missing modified and improve test
2023-02-10 00:56:07 +01:00
5f6258fe57
fix: add missing modified
2023-02-10 00:48:13 +01:00
82cde0e10c
feat: update rules related to onenote and more
2023-02-10 00:40:16 +01:00
bea7614718
Remove Trailing space
...
The trailing space causes this rule not to trigger when the extension is used (cmd.exe), eg:
CommandLine: "C:\Windows\system32\cmd.exe" /r < "C:\Users\Administrator\desktop\test.txt"
2023-02-09 18:07:56 -05:00
c67782b098
fix: add new edge case
...
Add edge case handling for when converting rules that use one of the new modifiers introduced in PySIGMA
2023-02-09 23:35:56 +01:00
dda55238d4
Create proc_creation_win_userdomain_variable_enumeration.yml
2023-02-09 16:59:06 -05:00
c4d8be3780
fix: duplicate titles
2023-02-09 16:06:09 +01:00
da012ad80d
fix: resolves #4014
2023-02-09 15:48:13 +01:00
c8c32bf1d4
feat: add missing OriginalFileName field ( #4026 )
...
Add missing 'rundll32' OriginalFileName field to some process creation rules
2023-02-09 15:09:23 +01:00
ba80fc1372
Merge pull request #4024 from nasbench/nasbench-rule-devel
...
feat: updates and enhancements
2023-02-09 14:50:04 +01:00
ebb4ae0949
Merge pull request #4018 from signus/20230207-onenote-childproc
...
fix: add new fp filter
2023-02-09 14:49:35 +01:00
9ddedc8958
fix: add fp filter
2023-02-09 14:27:12 +01:00
288914fe42
Add common childprocess filter for OneNote
...
Slight reoranization of the rule with an additional relevant reference.
Additionally adds the `filter_common_childproc` filter to
`proc_creation_win_susp_microsoft_onenote_child_process.yml` for common
processes that are launched from OneNote. OneNote will commonly launch
`Teams.exe -Embedded` for opening documents in Teams, as well as
`FileCoAuth.exe` when people are sharing/editing specific documents
through OneNote. For some organizations these can create enough noise
that it may be warranted to filter out as a part of the rule. Thusfar
malicious execution for `Teams.exe` and `FileCoAuth.exe` have not been
observed.
2023-02-09 14:20:22 +01:00
6d14a14f9e
fix: typos
...
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com >
2023-02-09 13:09:46 +01:00
135bd53b4c
Merge pull request #4025 from nasbench/registry-rules-update
...
feat: registry rules update
2023-02-09 12:12:20 +01:00
8c1a5fb834
fix: remove sysmon definition
...
Removed this definition for now as it's too generic and "obvious"
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com >
2023-02-09 11:01:58 +01:00
a24012b2b5
fix: apply suggestions
2023-02-09 10:41:41 +01:00
Nasreddine Bencherchali