pratinavchandra
2837671f38
Merge PR #4782 from @pratinavchandra - Add Launch Agent/Daemon Execution Via Launchctl
...
new: Launch Agent/Daemon Execution Via Launchctl
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-05-13 16:55:33 +02:00
Swachchhanda Shrawan Poudel
bd454b60aa
Merge PR #4818 from @swachchhanda000 - Add Potentially Suspicious Child Process Of KeyScrambler.exe
...
new: Potentially Suspicious Child Process Of KeyScrambler.exe
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-05-13 13:48:35 +02:00
frack113
fb3a72b433
Merge PR #4852 from @frack113 - Add Potential Packet Capture Activity Via Start-NetEventSession - ScriptBlock
...
new: Potential Packet Capture Activity Via Start-NetEventSession - ScriptBlock
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-05-13 13:18:39 +02:00
frack113
7d6f32d1be
Merge PR #4850 from @frack113 - Cleanup rule conditions to align with standard
...
chore: Cleanup conditions
update: Scheduled Task Creation From Potential Suspicious Parent Location - Add additional "temporary folder" locations.
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-05-13 12:10:33 +02:00
frack113
aaf51bf880
Merge PR #4830 from @frack113 - Enhance Wbadmin based rules
...
new: All Backups Deleted Via Wbadmin.EXE
new: Sensitive File Dump Via Wbadmin.EXE
new: File Recovery From Backup Via Wbadmin.EXE
new: Sensitive File Recovery From Backup Via Wbadmin.EXE
update: Windows Backup Deleted Via Wbadmin.EXE - Enhance logic and increase coverage
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-05-13 11:15:30 +02:00
frack113
9341930635
Merge PR #4851 from @frack113 - Fix typo in modifier usage
...
fix: Forest Blizzard APT - Process Creation Activity - Typo in modifier
2024-05-13 10:36:01 +02:00
Joe
6412c1a02b
Merge PR #4822 from @hasselj - Add Potentially Suspicious Malware Callback Communication - Linux
...
new: Potentially Suspicious Malware Callback Communication - Linux
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-05-10 17:07:43 +02:00
frack113
fe26ffa0f2
Merge PR #4838 from @frack113 - Add Access To Windows Outlook Mail Files By Uncommon Application
...
new: Access To Windows Outlook Mail Files By Uncommon Application
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-05-10 16:56:57 +02:00
Josh
0192a5207e
Merge PR #4839 from @joshnck - Add New RDP Connection Initiated From Domain Controller
...
new: New RDP Connection Initiated From Domain Controller
---------
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-05-10 16:32:09 +02:00
Ahmed Farouk
b175b15033
Merge PR #4845 from @ahmedfarou22 - Proxy WebDAV Rule Improvements/New Rule
...
new: Suspicious External WebDAV Execution
remove: Search-ms and WebDAV Suspicious Indicators in URL
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-05-10 16:16:42 +02:00
frack113
392e3a39c8
Merge PR #4843 from @frack113 - Add New-NetFirewallRule usage related rules
...
new: New Firewall Rule Added In Windows Firewall Exception List Via WmiPrvSE.EXE
new: New Windows Firewall Rule Added Via New-NetFirewallRule Cmdlet
new: New Windows Firewall Rule Added Via New-NetFirewallRule Cmdlet - ScriptBlock
update: New Firewall Rule Added In Windows Firewall Exception List For Potential Suspicious Application - Add new EID and paths
update: Uncommon New Firewall Rule Added In Windows Firewall Exception List - Add new EID and paths
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-05-10 15:58:39 +02:00
frack113
7cdcb7605c
Merge PR #4844 from @frack113 - Update UAC based rules
...
update: UAC Disabled - update metadata
new: UAC Secure Desktop Prompt Disabled
new: UAC Notification Disabled
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-05-10 13:39:30 +02:00
frack113
2cfa9a2d1f
Merge PR #4847 from @frack113 - Update test Workflow to use pySigma-validators-sigmahq
...
chore: update workflow to use "pySigma-validators-sigmahq"
2024-05-10 10:32:54 +02:00
github-actions[bot]
f7ec533704
Merge PR #4841 from @nasbench - Promote older rules status from experimental to test
...
chore: promote older rules status from "experimental" to "test"
2024-05-02 10:34:25 +02:00
github-actions[bot]
45b93fcfab
Merge PR #4842 from @nasbench - Archive new rule references and update cache file
...
chore: archive new rule references and update cache file
2024-05-02 10:33:45 +02:00
Expected
39db80478e
Merge PR #4834 from @CertainlyP - Add Outbound Network Connection Initiated By Microsoft Dialer
...
new: Outbound Network Connection Initiated By Microsoft Dialer
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
r2024-04-29
2024-04-29 12:54:38 +02:00
James C
6ac6153976
Merge PR #4836 from @jamesc-grafana - Update AWS Rule to use fieldref modifier instead of contains
...
update: AWS User Login Profile Was Modified - use fieldref instead of contains modifier
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-04-29 12:53:54 +02:00
Nasreddine Bencherchali
481337a8c3
Merge PR #4837 from @nasbench - fix fp reported in #4820
...
fix: ADS Zone.Identifier Deleted By Uncommon Application - Filter out "chrome" and "firefox" processes.
2024-04-26 15:39:44 +02:00
Nasreddine Bencherchali
f61c1f4509
Merge PR #4832 from @nasbench - Update LOLBIN rules
...
update: Arbitrary DLL or Csproj Code Execution Via Dotnet.EXE - Update logic to add additional variation of the extensions
update: Arbitrary File Download Via ConfigSecurityPolicy.EXE - Update description
update: C# IL Code Compilation Via Ilasm.EXE - Add flags to increase accuracy of the rule instead of it focusing on "any" execution
update: COM Object Execution via Xwizard.EXE - Update logic
update: JScript Compiler Execution - Update metadata
update: ManageEngine Endpoint Central Dctask64.EXE Potential Abuse - Update logic to account for flags and increase accuracy
update: Potential Application Whitelisting Bypass via Dnx.EXE - Update description
update: Potential Arbitrary Command Execution Via FTP.EXE - Use "windash" modifier and update description
update: Potential Arbitrary File Download Via Cmdl32.EXE - Remove unnecessary spaces to account for flags being at the end.
update: Renamed ZOHO Dctask64 Execution - Add additional imphash values
update: Windows Kernel Debugger Execution - Reduce level to "medium"
update: Xwizard.EXE Execution From Non-Default Location - Update description
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2024-04-26 13:40:11 +02:00
frack113
22b3416fee
Merge PR #4829 from @frack113 - Add Network Connection Initiated By RegAsm.EXE
...
new: Network Connection Initiated By RegAsm.EXE
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2024-04-25 16:31:56 +02:00
dan21san
c31507f74e
Merge PR #4824 from @dan21san - New PUA SoftPerfect
...
new: PUA - SoftPerfect Netscan Execution
---------
Co-authored-by: Degasperi <Daniel.Degasperi.ext@wuerth-phoenix.com>
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-04-25 15:18:58 +02:00
Andreas Braathen
7a947f43f8
Merge PR #4827 from @netgrain - New analytic for python pth files
...
new: Python Path Configuration File Creation - Linux
new: Python Path Configuration File Creation - Macos
new: Python Path Configuration File Creation - Windows
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-04-25 14:57:26 +02:00
Andreas Braathen
2ef1a3b096
Merge PR #4825 from @netgrain - New analytic for CVE-2024-3400
...
new: Potential CVE-2024-3400 Exploitation - Palo Alto GlobalProtect OS Command Injection - File Creation
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-04-25 14:46:07 +02:00
Nasreddine Bencherchali
b349447e7d
Merge PR #4826 from @nasbench - Add coverage for CVE-2024-3400
...
new: Potential CVE-2024-3400 Exploitation - Palo Alto GlobalProtect OS Command Injection
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2024-04-24 14:59:24 +02:00
Nasreddine Bencherchali
8f8ce06ffb
Merge PR #4833 from @nasbench - New rules related to Forest Blizzard activity
...
new: Forest Blizzard APT - Custom Protocol Handler Creation
new: Forest Blizzard APT - Custom Protocol Handler DLL Registry Set
new: Forest Blizzard APT - File Creation Activity
new: Forest Blizzard APT - JavaScript Constrained File Creation
new: Forest Blizzard APT - Process Creation Activity
2024-04-24 10:04:28 +02:00
pratinavchandra
e1a713d264
Merge PR #4823 from @pratinavchandra - Update CLI flag for Gatekeeper Bypass via Xattr
...
update: Gatekeeper Bypass via Xattr - Update command line flag
---------
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
2024-04-19 11:10:38 +02:00
signalblur
a1a3b29692
Merge PR #4795 from @signalblur - Update Linux Command History Tampering rule
...
update: Linux Command History Tampering - Increase coverage to include other history files
---------
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2024-04-17 14:28:17 +02:00
nikitah4x
5b4bfd6ffd
Merge PR #4814 from @nikitah4x - Add new rule to detect MFA bypass in Cisco Duo
...
new: Cisco Duo Successful MFA Authentication Via Bypass Code
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-04-17 12:28:38 +02:00
signalblur
86ca651ea6
Merge PR #4801 from @signalblur - Add Pnscan rule
...
new: Pnscan Binary Data Transmission Activity
---------
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2024-04-16 14:36:41 +02:00
Fukusuke Takahashi
4dc77dc175
Merge PR #4819 from @fukusuket - Fix regex escape
...
fix: Invoke-Obfuscation Via Stdin - explicitly escape { to make it clear that it is a literal
2024-04-16 12:57:45 +02:00
Fukusuke Takahashi
1a85bc5b5a
Merge PR #4799 from @fukusuket - Fix typo in selection name
...
chore: fix typo in selection name
2024-04-15 17:01:15 +02:00
Hongbo
ae49e3a465
Merge PR #4787 from @ya0guang - Fix typo in test_logsource.py
...
chore: fix typo in `test_logsource.py`
2024-04-15 17:00:21 +02:00
Hongbo
9e6952ec6a
Merge PR #4789 from @ya0guang - Fix typo in test_rules.py
...
chore: fix typo in `test_rules.py` condition
2024-04-15 16:58:02 +02:00
Hongbo
a235795ddd
Merge PR #4790 from @ya0guang - Update test_rules.py
...
chore: fix typo in `test_rules.py`
2024-04-15 16:56:41 +02:00
PiRomant
8c46c94a60
Merge PR #4798 from @PiRomant - Update Hashes field to use contains modifier
...
update: HackTool - CoercedPotato Execution - Update Hashes field to use contains modifier
update: HackTool - HandleKatz LSASS Dumper Execution - Update Hashes field to use contains modifier
update: HackTool - SysmonEOP Execution - Update Hashes field to use contains modifier
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-04-15 16:43:49 +02:00
frack113
045a9a5faa
Merge PR #4803 from @frack113 - Update regex based rules
...
update: Invoke-Obfuscation CLIP+ Launcher - PowerShell Module - Remove unnecessary starting wildcard
update: Invoke-Obfuscation STDIN+ Launcher - PowerShell Module - Remove unnecessary starting wildcard
update: Invoke-Obfuscation VAR+ Launcher - PowerShell Module - Remove unnecessary starting wildcard
update: Invoke-Obfuscation Via Stdin - PowerShell Module - Remove unnecessary starting wildcard
update: Invoke-Obfuscation Via Use Clip - PowerShell Module - Remove unnecessary starting wildcard
update: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell Module - Remove unnecessary starting wildcard
update: Invoke-Obfuscation CLIP+ Launcher - PowerShell - Remove unnecessary starting wildcard
update: Invoke-Obfuscation STDIN+ Launcher - Powershell - Remove unnecessary starting wildcard
update: Invoke-Obfuscation VAR+ Launcher - PowerShell - Remove unnecessary starting wildcard
update: Invoke-Obfuscation Via Stdin - Powershell - Remove unnecessary starting wildcard
update: Invoke-Obfuscation Via Use Clip - Powershell - Remove unnecessary starting wildcard
update: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell - Remove unnecessary starting wildcard
update: Invoke-Obfuscation STDIN+ Launcher - Update rule to use regex for better accuracy in CLI
update: Invoke-Obfuscation VAR+ Launcher - Update rule to use regex for better accuracy in CLI
update: Invoke-Obfuscation Via Stdin - Update rule to use regex for better accuracy in CLI
update: Invoke-Obfuscation Via Use Clip - Update rule to use regex for better accuracy in CLI
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2024-04-15 16:37:15 +02:00
Swachchhanda Shrawan Poudel
b40d86599c
Merge PR #4806 from @swachchhanda000 - Potential KeyScrambler.exe DLL Side-loading
...
new: Potential KeyScrambler.exe DLL Side-loading
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-04-15 13:58:20 +02:00
frack113
691dca6fd2
Merge PR #4808 from @frack113 - FP Bad practice GPO
...
fix: Windows Binaries Write Suspicious Extensions - Add new filter for when "bat" or "powershell" scripts are written via GPO to run at startup.
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-04-15 13:43:35 +02:00
frack113
8687ba8ce6
Merge PR #4813 from @frack113 - Add Image to avoid FP
...
fix: File And SubFolder Enumeration Via Dir Command - Fix false positive with Firefox and similar CLI apps.
---------
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
2024-04-15 13:42:32 +02:00
frack113
c21a4e10b8
Merge PR #4807 from @frack113 - Update ATT&CK tags
...
chore: update ATT&CK tags for `Active Directory Structure Export Via Csvde.EXE`
2024-04-15 10:46:47 +02:00
Mohamed Ashraf
f21281ab29
Merge PR #4815 from - Add new malware User-Agent
2024-04-15 10:26:56 +02:00
github-actions[bot]
9104b4d22b
Merge PR #4816 from @nasbench - Archive new rule references and update cache file
...
chore: archive new rule references and update cache file
2024-04-15 10:25:48 +02:00
Florian Roth
626a6fc6e3
Merge pull request #4811 from ruppde/master
...
Update proc_creation_lnx_exploit_cve_2024_3094_sshd_child_process.yml
2024-04-14 09:25:37 +02:00
Florian Roth
f8ca605446
docs: added modification date
2024-04-14 08:32:09 +02:00
Arnim Rupp
146c91c4b9
Update proc_creation_lnx_exploit_cve_2024_3094_sshd_child_process.yml
...
Fix FP reported by @Neo23x0
2024-04-12 19:25:13 +02:00
TheLawsOfChaos
93b71ec1bb
Update proc_creation_win_exploit_cve_2017_11882.yml ( #4810 )
...
Removed https://embedi[.]com/ link as it points to a Malaysian casino page now, added a different short blog and the GitHub PoC.
2024-04-12 07:26:46 +02:00
phantinuss
9078b857a1
Merge PR #4805 from @phantinuss - fix: FP with chocolatey shimgen tool
...
fix: Dynamic .NET Compilation Via Csc.EXE - FP with chocolatey
2024-04-09 12:34:37 +02:00
phantinuss
4319f5807f
Merge PR #4802 from @phantinuss - FP Fixes
...
fix: Windows Binaries Write Suspicious Extensions - fix selection
fix: Rundll32 Execution With Uncommon DLL Extension - add optional filter for MS Edge update
2024-04-05 08:47:18 +02:00
phantinuss
6505e72604
Merge PR #4797 from @phantinuss - fix: filter PS1 policy check for AppLocker mode
...
fix: Windows Binaries Write Suspicious Extensions - filter PS1 policy check for AppLocker mode
2024-04-03 10:08:50 +02:00
Arnim Rupp
71ae004b32
Merge PR #4794 from @ruppde - Potential Exploitation of CVE-2024-3094
...
new: Potential Exploitation of CVE-2024-3094 - Suspicious SSH Child Process
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
Co-authored-by: Thomas Patzke <thomas@patzke.org>
2024-04-02 15:01:14 +02:00