Djordje Lukic
509120a735
Merge PR #4986 from @djlukic - Multiple FP fixes
fix: A Rule Has Been Deleted From The Windows Firewall Exception List - Exclude WinSxS
fix: CodeIntegrity - Unmet Signing Level Requirements By File Under Validation - Exclude "amsiprovider_x64"
fix: Uncommon AppX Package Locations - Exclude additional MS CDN domain
fix: Uncommon New Firewall Rule Added In Windows Firewall Exception List - Enhance filters and exclude empty path
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-08-29 20:41:50 +02:00
peterydzynski
9c7b8bcd55
Merge PR #4987 from @peterydzynski - Fix System Network Discovery - macOS
fix: System Network Discovery - macOS - Add additional filter for `wifivelocityd`
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-08-29 20:30:47 +02:00
Kostas
2851ef5d16
Merge PR #4961 from @tsale - Add multiples rules and updates
fix: Potential Privilege Escalation via Local Kerberos Relay over LDAP - Add new exclusion
fix: Sdiagnhost Calling Suspicious Child Process - Add new filters
new: Antivirus Filter Driver Disallowed On Dev Drive - Registry
new: ChromeLoader Malware Execution
new: Emotet Loader Execution Via .LNK File
new: Exploitation Attempt Of CVE-2020-1472 - Execution of ZeroLogon PoC
new: FakeUpdates/SocGholish Activity
new: File Explorer Folder Opened Using Explorer Folder Shortcut Via Shell
new: HackTool - SharpWSUS/WSUSpendu Execution
new: HackTool - SOAPHound Execution
new: Hiding User Account Via SpecialAccounts Registry Key - CommandLine
new: Injected Browser Process Spawning Rundll32 - GuLoader Activity
new: Kerberoasting Activity - Initial Query
new: Manual Execution of Script Inside of a Compressed File
new: Obfuscated PowerShell OneLiner Execution
new: OneNote.EXE Execution of Malicious Embedded Scripts
new: Potential CVE-2021-44228 Exploitation Attempt - VMware Horizon
new: Potential CVE-2022-22954 Exploitation Attempt - VMware Workspace ONE Access Remote Code Execution
new: Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 1
new: Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 2
new: Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 3
new: Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 4
new: Potential MOVEit Transfer CVE-2023-34362 Exploitation - Dynamic Compilation Via Csc.EXE
new: Python Function Execution Security Warning Disabled In Excel
new: Python Function Execution Security Warning Disabled In Excel - Registry
new: Raspberry Robin Initial Execution From External Drive
new: Raspberry Robin Subsequent Execution of Commands
new: Remote Access Tool - Action1 Arbitrary Code Execution and Remote Sessions
new: Remote Access Tool - Ammy Admin Agent Execution
new: Remote Access Tool - Cmd.EXE Execution via AnyViewer
new: Serpent Backdoor Payload Execution Via Scheduled Task
new: Uncommon Connection to Active Directory Web Services
new: Ursnif Redirection Of Discovery Commands
update: Potential CVE-2022-29072 Exploitation Attempt - Add additional shells and flags
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-08-29 19:21:47 +02:00
Nasreddine Bencherchali
4cd51a3dd5
Merge PR #4937 from @nasbench - Multiple updates and fixes
fix: Bad Opsec Defaults Sacrificial Processes With Improper Arguments - Exclude additional edge cases
fix: Relevant Anti-Virus Signature Keywords In Application Log - Exclude common keywords found in legitimate programs
fix: Suspicious Child Process Of Wermgr.EXE - Add new exclusions
fix: Uncommon Sigverif.EXE Child Process - Exclude werfault.exe
fix: Wusa.EXE Executed By Parent Process Located In Suspicious Location - Exclude ".msu" files
fix: Xwizard.EXE Execution From Non-Default Location - Exclude "WinSxS"
update: Cab File Extraction Via Wusa.EXE - Move to TH folder
update: COM Object Execution via Xwizard.EXE - Update logic
update: Potential DLL Injection Via AccCheckConsole - Enhance coverage and logic
update: Potential DLL Sideloading Activity Via ExtExport.EXE - Metadata and logic update
update: Potentially Suspicious EventLog Recon Activity Using Log Query Utilities - Increase coverage
update: Process Memory Dump via RdrLeakDiag.EXE - Enhance coverage
2024-08-29 14:43:32 +02:00
secDre4mer
5550ccd280
Merge PR #4985 from @secDre4mer - Update Potential Active Directory Reconnaissance/Enumeration Via LDAP
update: Potential Active Directory Reconnaissance/Enumeration Via LDAP - add enumeration of distinguished names
2024-08-27 13:36:15 +02:00
Mohamed Ashraf
5c4f599e3a
Merge PR #4982 from @X-Junior - Update scheduled task related rules
update: Suspicious Windows Service Tampering - Add additional services and PsService.EXE
update: Disable Important Scheduled Task - Add `\Windows\ExploitGuard\ExploitGuard MDM policy Refresh`
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-08-26 10:20:57 +02:00
Omar A.
29dce312bc
Merge PR #4947 from @omaramin17 - Add DNS Query To Put.io - DNS Client
new: DNS Query To Put.io - DNS Client
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-08-23 12:08:08 +02:00
Omar A.
9b3c363cd0
Merge PR #4954 from @omaramin17 - Update multiple rules with additional sharing domains
update: BITS Transfer Job Download From File Sharing Domains - Add additional domains, `*.trycloudflare.com`, `*.pages.dev`, `*.w3spaces.com` and `*.workers.dev`
update: Network Communication Initiated To File Sharing Domains From Process Located In Suspicious Folder - Add additional domains, `*.trycloudflare.com`, `*.pages.dev`, `*.w3spaces.com` and `*.workers.dev`
update: Network Connection Initiated From Process Located In Potentially Suspicious Or Uncommon Location - Add additional domains, `*.trycloudflare.com`, `*.pages.dev`, `*.w3spaces.com` and `*.workers.dev`
update: New Connection Initiated To Potential Dead Drop Resolver Domain - Add additional domains, `*.trycloudflare.com`, `*.pages.dev`, `*.w3spaces.com` and `*.workers.dev`
update: Potentially Suspicious File Download From File Sharing Domain Via PowerShell.EXE - Add additional domains, `*.trycloudflare.com`, `*.pages.dev`, `*.w3spaces.com` and `*.workers.dev`
update: Suspicious Download From File-Sharing Website Via Bitsadmin - Add additional domains, `*.trycloudflare.com`, `*.pages.dev`, `*.w3spaces.com` and `*.workers.dev`
update: Suspicious File Download From File Sharing Domain Via Curl.EXE - Add additional domains, `*.trycloudflare.com`, `*.pages.dev`, `*.w3spaces.com` and `*.workers.dev`
update: Suspicious File Download From File Sharing Domain Via Wget.EXE - Add additional domains, `*.trycloudflare.com`, `*.pages.dev`, `*.w3spaces.com` and `*.workers.dev`
update: Suspicious File Download From File Sharing Websites - File Stream - Add additional domains, `*.trycloudflare.com`, `*.pages.dev`, `*.w3spaces.com` and `*.workers.dev`
update: Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE - Add additional domains, `*.trycloudflare.com`, `*.pages.dev`, `*.w3spaces.com` and `*.workers.dev`
update: Suspicious Remote AppX Package Locations - Add additional domains, `*.trycloudflare.com`, `*.pages.dev`, `*.w3spaces.com` and `*.workers.dev`
update: Unusual File Download From File Sharing Websites - File Stream - Add additional domains, `*.trycloudflare.com`, `*.pages.dev`, `*.w3spaces.com` and `*.workers.dev`
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-08-23 11:16:06 +02:00
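The wildcard values added in the commit above follow Sigma's plain-string matching rules, which is what decides that `*.pages.dev` covers `stage2.pages.dev` but not `notpages.dev` or `trycloudflare.com` itself. The Python below is an illustration added by the editor, not code from SigmaHQ or pySigma: it translates the four patterns into anchored, case-insensitive regexes and runs them over constructed network-connection records. The hostnames, the `flag_connections` helper and the Sysmon-like field names are assumptions made for the demonstration; the real rules apply these values to several different fields (URLs, command lines, destination hostnames) with their own modifiers.

```python
import re

# Wildcard values taken from the commit message above; the sample
# hostnames further down are constructed for the demonstration.
FILE_SHARING_DOMAINS = [
    "*.trycloudflare.com",
    "*.pages.dev",
    "*.w3spaces.com",
    "*.workers.dev",
]


def sigma_wildcard_to_regex(pattern: str) -> re.Pattern:
    """Translate a Sigma plain string value into a case-insensitive regex.

    In Sigma values '*' matches any run of characters, '?' exactly one, and a
    backslash escapes the next '*', '?' or '\\'. Everything else is literal, so
    the dots in '*.pages.dev' are real dots, not regex metacharacters.
    """
    parts = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern) and pattern[i + 1] in "*?\\":
            parts.append(re.escape(pattern[i + 1]))
            i += 2
            continue
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
        i += 1
    return re.compile("".join(parts), re.IGNORECASE | re.DOTALL)


COMPILED = [(p, sigma_wildcard_to_regex(p)) for p in FILE_SHARING_DOMAINS]


def matching_pattern(hostname: str):
    """Return the first list entry the whole hostname matches, or None."""
    for pattern, rx in COMPILED:
        if rx.fullmatch(hostname):
            return pattern
    return None


def flag_connections(events):
    """Keep the events whose DestinationHostname hits the list and tag each
    with the pattern that matched. Events are dicts shaped like Sysmon event 3
    (an assumption for this example)."""
    hits = []
    for ev in events:
        pattern = matching_pattern(ev.get("DestinationHostname", ""))
        if pattern:
            hits.append({**ev, "MatchedPattern": pattern})
    return hits


# Constructed records: two true hits (one in mixed case), one lookalike domain
# that merely contains 'workers.dev', and two apex/near-miss names.
SAMPLE_EVENTS = [
    {"Image": "C:\\Users\\Public\\update.exe", "DestinationHostname": "quiet-hill-1234.trycloudflare.com"},
    {"Image": "C:\\Users\\Public\\update.exe", "DestinationHostname": "Stage2.Pages.Dev"},
    {"Image": "C:\\Program Files\\App\\app.exe", "DestinationHostname": "cdn.workers.dev.example.net"},
    {"Image": "C:\\Windows\\explorer.exe", "DestinationHostname": "trycloudflare.com"},
    {"Image": "C:\\Windows\\explorer.exe", "DestinationHostname": "notpages.dev"},
]

if __name__ == "__main__":
    for hit in flag_connections(SAMPLE_EVENTS):
        print(f'{hit["Image"]} -> {hit["DestinationHostname"]}  matched {hit["MatchedPattern"]}')
```

Because the regex is anchored with `fullmatch`, a pattern such as `*.pages.dev` only fires on a bare hostname; when a rule applies the same value to a URL or command-line field it needs a `contains`-style modifier instead, which is how the rules listed in this commit use these domains.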
MahirAli Khan
17d1977449
Merge PR #4969 from @Mahir-Ali-khan - Add Potential File Override/Append Via SET Command
new: Potential File Override/Append Via SET Command
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-08-22 23:31:52 +02:00
Omar A.
b1a2d412da
Merge PR #4965 from @omaramin17 - Add Driver Added To Disallowed Images In HVCI - Registry
new: Driver Added To Disallowed Images In HVCI - Registry
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-08-21 15:38:53 +02:00
Omar A.
a21ab6763b
Merge PR #4951 from @omaramin17 - Add Hidden Flag Set On File/Directory Via Chflags - MacOS
new: Hidden Flag Set On File/Directory Via Chflags - MacOS
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-08-21 15:25:47 +02:00
cyb3rjy0t
78abfd5700
Merge PR #4977 from @cyb3rjy0t - Add User Risk and MFA Registration Policy Updated
new: User Risk and MFA Registration Policy Updated
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-08-21 14:46:20 +02:00
cyb3rjy0t
d1143955c7
Merge PR #4978 from @cyb3rjy0t - Add Multi Factor Authentication Disabled For User Account
new: Multi Factor Authentication Disabled For User Account
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-08-21 13:11:57 +02:00
Omar A.
0504f18f6b
Merge PR #4948 from @omaramin17 - Add Data Export From MSSQL Table Via BCP.EXE
new: Data Export From MSSQL Table Via BCP.EXE
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
Thanks: @Mahir-Ali-khan
2024-08-20 14:26:12 +02:00
Kostas
7e93682e0d
Merge PR #4974 from @tsale - Add Potentially Suspicious Rundll32.EXE Execution of UDL File
new: Potentially Suspicious Rundll32.EXE Execution of UDL File
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-08-16 21:16:56 +02:00
frack113
adff65f9aa
Merge PR #4973 from @frack113 - Fix date format for some rules along with a broken logsource field
chore: update date format for some rules
fix: HackTool - LaZagne Execution - Fix incorrect logsource
2024-08-16 12:37:51 +02:00
github-actions[bot]
8bf0ef1253
Merge PR #4970 from @nasbench - Archive new rule references and update cache file
chore: archive new rule references and update cache file
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
2024-08-15 11:13:47 +02:00
Nasreddine Bencherchali
6901221767
Merge PR #4967 from @nasbench - Revert accidental change introduced in #4950
chore: fix `Powershell Token Obfuscation - Powershell` - Revert accidental change introduced in #4950
2024-08-13 02:59:39 +02:00
frack113
760597da11
Merge PR #4923 from frack113 - Update test_rules.py to remove the tests covered by pySigma-validators-sigmahq v0.7.0
chore: Update `test_rules.py` to remove the tests covered by `pySigma-validators-sigmahq` v0.7.0
2024-08-12 12:09:18 +02:00
frack113
4c017020dd
Merge PR #4956 from @frack113 - Update promote_rules_status script to use the native datetime.date
chore: workflow - update `promote_rules_status` script to use the native `datetime.date`
2024-08-12 12:04:30 +02:00
Nasreddine Bencherchali
598d29f811
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
chore: change tags, date, modified fields to comply with v2 of the Sigma spec.
chore: update the related type from `obsoletes` to `obsolete`.
chore: update local json schema to the latest version.
2024-08-12 12:02:50 +02:00
Fukusuke Takahashi
c8a376179b
Merge PR #4964 from @fukusuket - Fix rules to not use Lookahead regex
fix: Powershell Token Obfuscation - Powershell - Changed to not use Lookahead regex
fix: Powershell Token Obfuscation - Process Creation - Changed to not use Lookahead regex
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-08-11 11:54:46 +02:00
Nasreddine Bencherchali
1180176417
Merge PR #4963 from @nasbench - Fix Startup Item File Created - MacOS
fix: Startup Item File Created - MacOS - Fix broken logic and update metadata information
2024-08-11 01:39:36 +02:00
Omar A.
bfc5586e43
Merge PR #4949 from @omaramin17 - Add new rules related to Hdiutil usage
new: Disk Image Mounting Via Hdiutil - MacOS
new: Disk Image Creation Via Hdiutil - MacOS
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-08-10 19:18:35 +02:00
peterydzynski
ace902b68f
Merge PR #4957 from @peterydzynski - Update regex for Powershell Token Obfuscation rules
update: Powershell Token Obfuscation - Process Creation - Optimized the regex used
update: Powershell Token Obfuscation - Powershell - Optimized the regex used
chore: Fixed broken SigmaHQ conventions links
2024-08-10 13:26:42 +02:00
Fukusuke Takahashi
dbba992bc3
Merge PR #4960 from @fukusuket - Update unreachable/broken references
chore: Unix Shell Configuration Modification - Update unreachable/broken references
chore: JNDIExploit Pattern - Update unreachable/broken references
chore: Load Of RstrtMgr.DLL By A Suspicious Process - Update unreachable/broken references
chore: Load Of RstrtMgr.DLL By An Uncommon Process - Update unreachable/broken references
chore: Potential appverifUI.DLL Sideloading - Update unreachable/broken references
chore: Potential Dead Drop Resolvers - Update unreachable/broken references
chore: HackTool - SecurityXploded Execution - Update unreachable/broken references
chore: Suspicious Processes Spawned by Java.EXE - Update unreachable/broken references
chore: Shell Process Spawned by Java.EXE - Update unreachable/broken references
chore: New Firewall Rule Added Via Netsh.EXE - Update unreachable/broken references
chore: PUA - AdvancedRun Execution - Update unreachable/broken references
chore: PUA - AdvancedRun Suspicious Execution - Update unreachable/broken references
chore: PUA - NSudo Execution - Update unreachable/broken references
chore: Windows Processes Suspicious Parent Directory - Update unreachable/broken references
chore: Suspect Svchost Activity - Update unreachable/broken references
chore: Whoami.EXE Execution From Privileged Process - Update unreachable/broken references
chore: Turla PNG Dropper Service - Update unreachable/broken references
chore: Exploiting SetupComplete.cmd CVE-2019-1378 - Update unreachable/broken references
chore: Log4j RCE CVE-2021-44228 Generic - Update unreachable/broken references
chore: Log4j RCE CVE-2021-44228 in Fields - Update unreachable/broken references
chore: .Class Extension URI Ending Request - Update unreachable/broken references
chore: DLL Call by Ordinal Via Rundll32.EXE - Update unreachable/broken references
2024-08-10 12:52:28 +02:00
frack113
51d0119a58
Merge PR #4959 from @frack113 - Freeze pySigma to 0.11.9 before migration to v2
chore: freeze pySigma before migrating all rules to v2
2024-08-10 11:26:33 +02:00
Fukusuke Takahashi
8ff9cd8d20
Merge PR #4958 from @fukusuket - Update unreachable/broken references
chore: Credential Dumping Tools Accessing LSASS Memory
chore: Potential MFA Bypass Using Legacy Client Authentication
chore: Possible DC Shadow Attack
chore: Potential Privileged System Service Operation - SeLoadDriverPrivilege
chore: Remote Thread Creation In Uncommon Target Image
chore: RDP File Creation From Suspicious Application
chore: Suspicious PROCEXP152.sys File Created In TMP
chore: Outbound Network Connection Initiated By Microsoft Dialer
chore: NTFS Alternate Data Stream
chore: PowerShell Get-Process LSASS in ScriptBlock
chore: Windows Firewall Profile Disabled
chore: Potentially Suspicious GrantedAccess Flags On LSASS
chore: HackTool - PCHunter Execution
chore: Mstsc.EXE Execution With Local RDP File
chore: Suspicious Mstsc.EXE Execution With Local RDP File
chore: Mstsc.EXE Execution From Uncommon Parent
chore: PowerShell Get-Process LSASS
chore: LSASS Access From Program In Potentially Suspicious Folder
chore: Uncommon GrantedAccess Flags On LSASS
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
Thanks: @fukusuket
2024-08-10 01:23:58 +02:00
Josh
8254c4f36d
Merge PR #4955 from @joshnck - Fix agentexecutor.exe related rules
fix: AgentExecutor PowerShell Execution - Exclude `Microsoft.Management.Services.IntuneWindowsAgent.exe`
fix: Suspicious AgentExecutor PowerShell Execution - Exclude `Microsoft.Management.Services.IntuneWindowsAgent.exe`
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-08-07 16:01:47 +02:00
David Bertho
a47edba68d
Merge PR #4941 from @dbertho - Update Outlook Persistence related rules / Specula
update: Potential Persistence Via Outlook Home Page - Update the logic to account for additional sub keys.
update: Potential Persistence Via Outlook Today Page - Update the logic to account for the "URL" value.
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-08-07 13:49:59 +02:00
Swachchhanda Shrawan Poudel
4989d43ae9
Merge PR #4946 from @swachchhanda000 - Add Suspicious Process Masquerading As SvcHost.EXE
new: Suspicious Process Masquerading As SvcHost.EXE
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-08-07 10:48:12 +02:00
Josh
22f02953b5
Merge PR #4952 from @joshnck - Fix Potential DLL Sideloading Of DbgModel.DLL
fix: Potential DLL Sideloading Of DbgModel.DLL - Exclude Dell Support Assistant
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-08-07 10:25:18 +02:00
GtUGtHGtNDtEUaE
782f0f524e
Merge PR #4945 from @GtUGtHGtNDtEUaE - Fix typo in field name for rules leveraging EID 5145
fix: Remote Task Creation via ATSVC Named Pipe - Fixed field name from `Accesses` to `AccessList`
fix: Persistence and Execution at Scale via GPO Scheduled Task - Fixed field name from `Accesses` to `AccessList`
fix: Remote Service Activity via SVCCTL Named Pipe - Fixed field name from `Accesses` to `AccessList`
2024-08-01 22:46:23 +02:00
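The field name in the commit above matters because a Sigma selection that names a field the event does not carry can never be true, so the three rules were silently dead against real Security 5145 records until `Accesses` became `AccessList`. The Python below is an illustration added by the editor, not a SigmaHQ rule or test: it flattens a constructed 5145 record into a field map and evaluates the same ATSVC named-pipe selection with the old and the corrected field name. The event content, the `matches` helper and the `%%4416`/`%%4417` access-right placeholders are constructed for the demonstration.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed Security 5145 record (not a real capture). The EventData names
# follow the event's schema; a remote task creation over ATSVC appears as an
# access to the 'atsvc' named pipe on the IPC$ share. Note there is no field
# called 'Accesses': the access rights live in 'AccessList'.
SAMPLE_5145 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>5145</EventID>
    <Channel>Security</Channel>
  </System>
  <EventData>
    <Data Name="SubjectUserName">jdoe</Data>
    <Data Name="ObjectType">File</Data>
    <Data Name="IpAddress">10.0.0.25</Data>
    <Data Name="ShareName">\\\\*\\IPC$</Data>
    <Data Name="RelativeTargetName">atsvc</Data>
    <Data Name="AccessMask">0x3</Data>
    <Data Name="AccessList">%%4416
\t\t\t\t%%4417
\t\t\t\t</Data>
  </EventData>
</Event>"""


def parse_event(xml_text: str) -> dict:
    """Flatten an EVTX-style XML record into {field: value} strings."""
    root = ET.fromstring(xml_text)
    fields = {"EventID": root.findtext("e:System/e:EventID", namespaces=NS)}
    for data in root.findall("e:EventData/e:Data", NS):
        fields[data.get("Name")] = (data.text or "").strip()
    return fields


def matches(event: dict, selection: dict) -> bool:
    """Sigma-like selection: every listed field must exist in the event and
    contain one of its substrings (case-insensitive). A field that is absent
    from the event never matches, which is how a mistyped name kills a rule."""
    for field, needles in selection.items():
        if field not in event:
            return False
        value = event[field].lower()
        if not any(n.lower() in value for n in needles):
            return False
    return True


# The same selection before and after the fix: only the access-list field name
# differs. Values are illustrative, not the rule's exact contents.
ATSVC_BEFORE = {
    "EventID": ["5145"],
    "ShareName": ["\\IPC$"],
    "RelativeTargetName": ["atsvc"],
    "Accesses": ["%%4417"],
}
ATSVC_AFTER = {k: v for k, v in ATSVC_BEFORE.items() if k != "Accesses"}
ATSVC_AFTER["AccessList"] = ["%%4417"]


def evaluate(xml_text: str) -> dict:
    """Run both variants of the selection against one record."""
    ev = parse_event(xml_text)
    return {
        "before_fix": matches(ev, ATSVC_BEFORE),
        "after_fix": matches(ev, ATSVC_AFTER),
    }


if __name__ == "__main__":
    print(evaluate(SAMPLE_5145))  # before_fix stays False, after_fix is True
```

The same check applies to the SVCCTL variant in this commit: swap `atsvc` for `svcctl` in `RelativeTargetName` and the outcome is identical, because it is the field name, not the pipe name, that decides whether the selection can ever evaluate.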
Zach Mathis (田中ザック)
c5e352c270
Merge PR #4944 from @YamatoSecurity - Add missing expand modifier
fix: Userdomain Variable Enumeration - Add missing `expand` modifier
2024-08-01 14:12:35 +02:00
Swachchhanda Shrawan Poudel
3359340f21
Merge PR #4763 from @swachchhanda000 - New rules related to Raspberry Robin TTPs
new: Potential Raspberry Robin Aclui Dll SideLoading
new: Potential Raspberry Robin Registry Set Internet Settings ZoneMap
---------
Co-authored-by: Swachchhanda Shrawan Poudel <logpoint-admin@NP-SSP-MBP-01.local>
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-08-01 11:18:12 +02:00
github-actions[bot]
b8e67f13d5
Merge PR #4943 from @nasbench - Archive new rule references and update cache file
chore: archive new rule references and update cache file
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
2024-08-01 10:26:40 +02:00
github-actions[bot]
6b78144668
Merge PR #4942 from @nasbench - promote older rules status from experimental to test
chore: promote older rules status from experimental to test
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
2024-08-01 10:26:14 +02:00
Luca
6800135a02
Merge PR #4885 from @LucaInfoSec - Add Potential CSharp Streamer RAT Loading .NET Executable Image
new: Potential CSharp Streamer RAT Loading .NET Executable Image
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-07-31 15:10:20 +02:00
Daniel Cortez
42f90bb5d0
Merge PR #4929 from @DefenderDaniel - Add Clipboard Data Collection Via Pbpaste
new: Clipboard Data Collection Via Pbpaste
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-07-31 13:57:48 +02:00
Mohamed Ashraf
65d76a30aa
Merge PR #4934 from @X-Junior - Update and add new file_access rules
fix: Access To Potentially Sensitive Sysvol Files By Uncommon Applications - Fix error in filter modifier
new: Access To Chromium Browsers Sensitive Files By Uncommon Applications
new: Access To Crypto Currency Wallets By Uncommon Applications
update: Access To .Reg/.Hive Files By Uncommon Applications - Update filters and move to threat hunting folder
update: Access To Browser Credential Files By Uncommon Applications - Update filters and move to threat hunting folder
update: Access To Windows Credential History File By Uncommon Applications - Update filters
update: Access To Windows DPAPI Master Keys By Uncommon Applications - Update filters
update: Access To Windows Outlook Mail Files By Uncommon Applications - Update filters and move to threat hunting folder
update: Credential Manager Access By Uncommon Applications - Update filters
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-07-31 10:33:46 +02:00
Fukusuke Takahashi
41dfd8ff0c
Merge PR #4940 from @fukusuket - Update unreachable references blog.menasec[.]net
chore: Suspicious CLR Logs Creation
chore: Remote Task Creation via ATSVC Named Pipe - Zeek
chore: Possible Impacket SecretDump Remote Activity - Zeek
chore: Suspicious PsExec Execution - Zeek
chore: AD Privileged Users or Groups Reconnaissance
chore: Remote Task Creation via ATSVC Named Pipe
chore: Impacket PsExec Execution
chore: Possible Impacket SecretDump Remote Activity
chore: Suspicious PsExec Execution
chore: Remote Service Activity via SVCCTL Named Pipe
chore: Suspicious DotNET CLR Usage Log Artifact
chore: DotNet CLR DLL Loaded By Scripting Applications
chore: Potential Credential Dumping Activity Via LSASS
chore: DNS RCE CVE-2020-1350
---------
thanks: @fukusuket
2024-07-31 10:16:56 +02:00
frack113
b72317356a
Merge PR #4938 from @frack113 - Add CVE-2024-37085 detection rules
new: Potential Exploitation of CVE-2024-37085 - Suspicious Creation Of ESX Admins Group
new: Potential Exploitation of CVE-2024-37085 - Suspicious ESX Admins Group Activity
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-07-30 11:02:29 +02:00
Romain Gaillard
e1803cbc8e
Merge PR #4931 from @romain-gaillard - Add additional GitHub audit detection rules
new: Github SSH Certificate Configuration Changed
new: Github Fork Private Repositories Setting Enabled/Cleared
new: Github Repository/Organization Transferred
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-07-29 23:17:11 +02:00
fornotes
b4efa2198a
Merge PR #4933 from @fornotes - Add Remote Thread Created In Shell Application
new: Remote Thread Created In Shell Application
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-07-29 22:48:11 +02:00
Alexander Walston
7f5e0ccb0b
Merge PR #4936 from @Alex-Walston - Add Potential APT FIN7 Exploitation Activity
new: Potential APT FIN7 Exploitation Activity
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-07-29 14:13:10 +02:00
Nasreddine Bencherchali
779111a0dd
Merge PR #4928 from @nasbench - Fix FPs and issues found in testing
fix: Potential DLL Sideloading Of DbgModel.DLL - Update selection name to match the condition
fix: NTLM Logon - Remove unnecessary field
fix: Potential Commandline Obfuscation Using Unicode Characters - Remove legitimate currency characters as they could be used in document names
fix: Suspicious SYSTEM User Process Creation - Update `ping` filter to account for other FP variants found in the wild.
2024-07-24 09:22:49 +02:00
fornotes
ab325541c2
Merge PR #4924 from @fornotes - Fix Anydesk Temporary Artefact
fix: Anydesk Temporary Artefact - Remove unnecessary logic from the detection section.
2024-07-23 15:09:22 +02:00
Matt Anderson
6df2ba31ba
Merge PR #4919 from @MATTANDERS0N - Added new detections related to BOINC
new: Headless Process Launched Via Conhost.EXE
new: Potential BOINC Software Execution (UC-Berkeley Signature)
new: Powershell Executed From Headless ConHost Process
new: Process Launched Without Image Name
new: Renamed BOINC Client Execution
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-07-23 15:06:26 +02:00
fornotes
b53c9bd2f6
Merge PR #4920 from @fornotes - Update file_access based rules
new: Unattend.XML File Access Attempt
new: Microsoft Teams Sensitive File Access By Uncommon Application
remove: Suspicious File Event With Teams Objects
remove: Suspicious Unattend.xml File Access
chore: rename multiple `file_access` rules to follow the SigmaHQ convention
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-07-22 18:53:48 +02:00
Romain Gaillard
29d06798b3
Merge PR #4922 from @romain-gaillard - Update Github High Risk Configuration Disabled
update: Github High Risk Configuration Disabled - Add `business_advanced_security.disabled`, `business_advanced_security.disabled_for_new_repos`, `business_advanced_security.disabled_for_new_user_namespace_repos`, `business_advanced_security.user_namespace_repos_disabled`, `org.advanced_security_disabled_for_new_repos`, `org.advanced_security_disabled_on_all_repos`
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-07-22 10:43:48 +02:00