8721fa654c
Merge PR #5479 from @swachchhanda000 - Webdav CVE-2025-33053 RCE vulnerability
...
new: Potential Exploitation of RCE Vulnerability CVE-2025-33053 - Image Load
new: Potential Exploitation of RCE Vulnerability CVE-2025-33053 - Process Access
new: Potential Exploitation of RCE Vulnerability CVE-2025-33053
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com >
2025-06-13 13:30:14 +02:00
dfed136f16
Merge PR #5477 from @phantinuss - chore: update MITRE tag t1219 to t1219.002
...
chore: update MITRE tag t1219 to t1219.002
2025-06-13 10:00:52 +02:00
b7908efab9
Merge PR #5473 from @frack113 - chore: add ET and TH tags
...
chore: Add emerging-threats tags
chore: Add threat-hunting tags
2025-06-12 10:21:24 +02:00
73ce21b574
Merge PR #5416 from @swachchhanda000 - Detection of SAP NetViewer CVE-2025-31324 exploitation via webserver logs
...
new: Potential SAP NetViewer Webshell Command Execution
new: Potential Java WebShell Upload in SAP NetViewer Server
chore: unpin pySigma validator version
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com >
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com >
Co-authored-by: nasbench <nasbench@users.noreply.github.com >
2025-06-11 11:28:24 +02:00
74fc1c74ec
Merge PR #5451 from @frack113 - chore: cleanup metadata
...
chore: 🧹 Remove redundant modified field
chore: 🧹 Use Mitre tags instead of url
chore: 🧹 Use permalink for github file reference
chore: 🧹 Order emerging-threats Exploits rules
2025-06-04 13:33:36 +02:00
ec827cccb6
Merge PR #5448 from @nasbench - Promote older rules status from experimental to test
...
Co-authored-by: nasbench <nasbench@users.noreply.github.com >
2025-06-02 13:29:48 +02:00
585bd7d487
Merge PR #5429 from @swachchhanda000 - Katz stealer malware
...
new: DNS Query To Katz Stealer Domains
new: Katz Stealer DLL Loaded
new: DNS Query To Katz Stealer Domains - Network
new: Katz Stealer Suspicious User-Agent
new: Suspicious File Access to Browser Credential Storage
new: Registry Export of Third-Party Credentials
update: Enumeration for 3rd Party Creds From CLI - Updated the condition to update FP
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com >
2025-05-26 10:33:24 +02:00
b9e11ba205
Merge PR #5427 from @swachchhanda000 - Add Potential Exploitation of CVE-2025-4427/4428 Ivanti EPMM Pre-Auth RCE
...
new: Potential Exploitation of CVE-2025-4427/4428 Ivanti EPMM Pre-Auth RCE
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com >
2025-05-20 23:00:06 +02:00
350fec2f51
Merge PR #5397 from @nasbench - Promote older rules status from experimental to test
...
Co-authored-by: nasbench <nasbench@users.noreply.github.com >
2025-05-20 22:58:46 +02:00
83b9ff50bc
Merge PR #5418 from @frack113 - chore: 🧹 Update MITRE V17 DLL tags
...
chore: Update MITRE T1574.002 as is now merge into T1574.001 in the V17
2025-05-15 12:17:10 +02:00
85fd5958bc
Merge PR #5261 from @swachchhanda000 - Add Suspicious CrushFTP Child Process
...
new: Suspicious CrushFTP Child Process
---------
Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com >
2025-04-17 21:43:35 +02:00
3d17247df5
Merge PR #5263 from @RG9n - Add Suspicious Process Spawned by CentreStack Portal AppPool
...
new: Suspicious Process Spawned by CentreStack Portal AppPool
---------
Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com >
2025-04-17 21:42:56 +02:00
07c285ca29
Merge PR #5265 form @tsale - Update Obfuscated PowerShell OneLiner Execution and author of multiple rules
...
update: Obfuscated PowerShell OneLiner Execution - Enhance logic to increase coverage.
---------
Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com >
2025-04-17 21:42:17 +02:00
29ad6f9617
Merge PR #5249 from @nasbench - Promote older rules status from experimental to test
...
Co-authored-by: nasbench <nasbench@users.noreply.github.com >
2025-04-17 00:41:35 +02:00
3946f672f0
Merge PR #5256 from @nasbench - Update Potential CVE-2023-23397 Exploitation Attempt - SMB
...
fix: Potential CVE-2023-23397 Exploitation Attempt - SMB - Add filters for IP format when ingesting XML raw event
2025-04-10 15:07:45 +02:00
c72928b430
Merge PR #5241 from @Neo23x0 - Update Potential CVE-2023-23397 Exploitation Attempt - SMB
...
fix: Potential CVE-2023-23397 Exploitation Attempt - SMB - Fix the IP block covering EventID 30804 as it does not contain an IP as a field but as a string
---------
Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com >
2025-04-07 11:10:52 +02:00
78a78c79ff
Merge PR #5229 from @dsplice - Update Potential APT FIN7 Exploitation Activity
...
update: Potential APT FIN7 Exploitation Activity - Add false positive description
2025-03-16 03:19:44 +01:00
64852d95a9
Merge PR #5216 from @nasbench - Promote older rules status from experimental to test
...
Co-authored-by: nasbench <nasbench@users.noreply.github.com >
2025-03-05 00:23:27 +01:00
3fb1894a79
Merge PR #5136 from @Eyezuhk - Add Potential CVE-2024-35250 Exploitation Activity
...
new: Potential CVE-2024-35250 Exploitation Activity
---------
Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com >
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com >
2025-02-24 12:58:40 +01:00
0a34bc4d50
Merge PR #5192 from @whichbuffer - Add Kalambur Backdoor Curl TOR SOCKS Proxy Execution
...
new: Kalambur Backdoor Curl TOR SOCKS Proxy Execution
---------
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com >
Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com >
2025-02-17 12:33:20 +01:00
2bfb0935a0
Merge PR #5177 from @nasbench - promote older rules status from experimental to test
...
Create Release / Create Release (push) Has been cancelled
chore: promote older rules status from `experimental` to `test`
Co-authored-by: nasbench <nasbench@users.noreply.github.com >
2025-02-03 18:23:12 +01:00
62f6d27977
Merge PR #5169 from @frack113 - Add missing detection.emerging-threats tags
...
chore: add missing `detection.emerging-threats` tags
2025-01-30 21:30:17 +01:00
48d5c5064c
Merge PR #5168 from @defensivedepth - Prepend algo to hash values
...
fix: HackTool - Dumpert Process Dumper Execution - prepend MD5 to hash value
fix: Forest Blizzard APT - Process Creation Activity - prepend SHA256 to hash value
fix: ManageEngine Endpoint Central Dctask64.EXE Potential Abuse - prepend IMPHASH to hash value
fix: Renamed ZOHO Dctask64 Execution - prepend IMPASH to hash value
2025-01-22 22:29:33 +01:00
b162730502
Merge PR #5159 from @Neo23x0 - Fix Potential CVE-2023-36874 Exploitation - Fake Wermgr.Exe Creation
...
fix: Potential CVE-2023-36874 Exploitation - Fake Wermgr.Exe Creation - Add filter for `\Windows\SoftwareDistribution\Download\`
2025-01-15 12:25:00 +01:00
fad4742996
Merge PR #5155 from @samuelmonsempessenthorus - Add CVE-2024-49113 Exploitation Attempt - LDAP Nightmare
...
new: CVE-2024-49113 Exploitation Attempt - LDAP Nightmare
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com >
2025-01-08 23:16:36 +01:00
8734022722
Merge PR #5149 from @nasbench - Promote older rules status from experimental to test
...
chore: promote older rules status from experimental to test
Co-authored-by: nasbench <nasbench@users.noreply.github.com >
2025-01-06 15:36:19 +01:00
a9423d69c3
Merge PR #5123 from @jstnk9 - Add new sigma rules related to lummac and RATs behaviors observed ITW
...
new: Lummac Stealer Activity - Execution Of More.com And Vbc.exe
new : File Creation Related To RAT Clients
---------
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com >
Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com >
2024-12-19 17:56:18 +01:00
17dcad456f
Merge PR #5116 from @Neo23x0 - Add rules and updates related to Cleo exploitation
...
new: CVE-2024-50623 Exploitation Attempt - Cleo
update: Webshell Detection With Command Line Keywords - Add suspicious powershell commandline keywords
---------
Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com >
2024-12-14 22:44:55 +02:00
6048be5a7a
Merge PR #5106 from @nasbench - Add SID version of integrity levels
...
chore: add SID version of IntegrityLevel
fix: Suspicious Process By Web Server Process - Fix typo in "ntdsutil" process name
2024-12-01 23:29:17 +01:00
9367349016
Merge PR #5101 from @nasbench - Promote older rules status from experimental to test
...
chore: promote older rules status from experimental to test
Co-authored-by: nasbench <nasbench@users.noreply.github.com >
2024-12-01 13:40:32 +01:00
d804e9cba1
Merge PR #5088 from @frack113 - Remove custom dedicated hash fields from sigmac
...
update: GALLIUM IOCs - remove custom dedicated hash fields
update: Malicious DLL Load By Compromised 3CXDesktopApp - remove custom dedicated hash fields
update: Potential Compromised 3CXDesktopApp Execution - remove custom dedicated hash fields
update: HackTool Named File Stream Created - remove custom dedicated hash fields
update: PUA - Process Hacker Driver Load - remove custom dedicated hash fields
update: PUA - System Informer Driver Load - remove custom dedicated hash fields
update: Vulnerable HackSys Extreme Vulnerable Driver Load - remove custom dedicated hash fields
update: Vulnerable WinRing0 Driver Load - remove custom dedicated hash fields
update: WinDivert Driver Load - remove custom dedicated hash fields
update: HackTool - SharpEvtMute DLL Load - remove custom dedicated hash fields
update: HackTool - CoercedPotato Execution - remove custom dedicated hash fields
update: HackTool - CreateMiniDump Execution - remove custom dedicated hash fields
update: Hacktool Execution - Imphash - remove custom dedicated hash fields
update: HackTool - GMER Rootkit Detector and Remover Execution - remove custom dedicated hash fields
update: HackTool - HandleKatz LSASS Dumper Execution - remove custom dedicated hash fields
update: HackTool - Impersonate Execution - remove custom dedicated hash fields
update: HackTool - LocalPotato Execution - remove custom dedicated hash fields
update: HackTool - PCHunter Execution - remove custom dedicated hash fields
update: HackTool - PPID Spoofing SelectMyParent Tool Execution - remove custom dedicated hash fields
update: HackTool - Stracciatella Execution - remove custom dedicated hash fields
update: HackTool - SysmonEOP Execution - remove custom dedicated hash fields
update: HackTool - UACMe Akagi Execution - remove custom dedicated hash fields
update: HackTool - Windows Credential Editor (WCE) Execution - remove custom dedicated hash fields
update: MpiExec Lolbin - remove custom dedicated hash fields
update: PUA - Fast Reverse Proxy (FRP) Execution - remove custom dedicated hash fields
update: PUA- IOX Tunneling Tool Execution - remove custom dedicated hash fields
update: PUA - Nimgrab Execution - remove custom dedicated hash fields
update: PUA - NPS Tunneling Tool Execution - remove custom dedicated hash fields
update: PUA - Process Hacker Execution - remove custom dedicated hash fields
update: PUA - System Informer Execution - remove custom dedicated hash fields
update: Remote Access Tool - NetSupport Execution From Unusual Location - remove custom dedicated hash fields
update: Renamed AdFind Execution - remove custom dedicated hash fields
update: Renamed AutoIt Execution - remove custom dedicated hash fields
update: Renamed NetSupport RAT Execution - remove custom dedicated hash fields
update: Renamed PAExec Execution - remove custom dedicated hash fields
update: Potential SquiblyTwo Technique Execution - remove custom dedicated hash fields
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com >
2024-11-25 09:30:14 +01:00
f533350560
Merge PR #5065 from @nasbench - Promote older rules status from experimental to test
...
chore: promote older rules status from `experimental` to `test`
Co-authored-by: nasbench <nasbench@users.noreply.github.com >
2024-11-01 10:21:04 +01:00
08c52c367c
Merge PR #5027 from @nasbench - Promote older rules status from experimental to test
...
chore: promote older rules status from experimental to test
Co-authored-by: nasbench <nasbench@users.noreply.github.com >
2024-10-01 14:56:09 +02:00
236db73778
Merge PR #5006 from @frack113 - Fix UNC2452 Process Creation Patterns
...
fix: UNC2452 Process Creation Patterns - Add the missing `all` modifier
2024-09-13 11:17:23 +02:00
132482818e
Merge PR #5007 from @fukusuket - Fix unreachable GitHub URL references
...
chore: CVE-2021-1675 Print Spooler Exploitation Filename Pattern - Fix unreachable GitHub URL references
chore: HackTool - DInjector PowerShell Cradle Execution - Fix unreachable GitHub URL references
chore: InstallerFileTakeOver LPE CVE-2021-41379 File Create Event - Fix unreachable GitHub URL references
chore: LPE InstallerFileTakeOver PoC CVE-2021-41379 - Fix unreachable GitHub URL references
chore: Malicious PowerShell Scripts - FileCreation - Fix unreachable GitHub URL references
chore: Malicious PowerShell Scripts - PoshModule - Fix unreachable GitHub URL references
chore: Possible CVE-2021-1675 Print Spooler Exploitation - Fix unreachable GitHub URL references
chore: Potential NT API Stub Patching - Fix unreachable GitHub URL references
chore: Potential PrintNightmare Exploitation Attempt - Fix unreachable GitHub URL references
chore: Potential RDP Exploit CVE-2019-0708 - Fix unreachable GitHub URL references
chore: Potential SAM Database Dump - Fix unreachable GitHub URL references
chore: Scanner PoC for CVE-2019-0708 RDP RCE Vuln - Fix unreachable GitHub URL references
chore: Suspicious Rejected SMB Guest Logon From IP - Fix unreachable GitHub URL references
chore: Windows Spooler Service Suspicious Binary Load - Fix unreachable GitHub URL references
2024-09-13 11:14:11 +02:00
839f5636f5
Merge PR #4991 from @nasbench - Promote older rules status from experimental to test
...
chore: promote older rules status from `experimental` to `test`
Co-authored-by: nasbench <nasbench@users.noreply.github.com >
2024-09-02 10:01:36 +02:00
2851ef5d16
Merge PR #4961 from @tsale - Add multiples rules and updates
...
fix: Potential Privilege Escalation via Local Kerberos Relay over LDAP - Add new exclusion
fix: Sdiagnhost Calling Suspicious Child Process - Add new filters
new: Antivirus Filter Driver Disallowed On Dev Drive - Registry
new: ChromeLoader Malware Execution
new: Emotet Loader Execution Via .LNK File
new: Exploitation Attempt Of CVE-2020-1472 - Execution of ZeroLogon PoC
new: FakeUpdates/SocGholish Activity
new: File Explorer Folder Opened Using Explorer Folder Shortcut Via Shell
new: HackTool - SharpWSUS/WSUSpendu Execution
new: HackTool - SOAPHound Execution
new: Hiding User Account Via SpecialAccounts Registry Key - CommandLine
new: Injected Browser Process Spawning Rundll32 - GuLoader Activity
new: Kerberoasting Activity - Initial Query
new: Manual Execution of Script Inside of a Compressed File
new: Obfuscated PowerShell OneLiner Execution
new: OneNote.EXE Execution of Malicious Embedded Scripts
new: Potential CVE-2021-44228 Exploitation Attempt - VMware Horizon
new: Potential CVE-2022-22954 Exploitation Attempt - VMware Workspace ONE Access Remote Code Execution
new: Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 1
new: Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 2
new: Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 3
new: Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 4
new: Potential MOVEit Transfer CVE-2023-34362 Exploitation - Dynamic Compilation Via Csc.EXE
new: Python Function Execution Security Warning Disabled In Excel
new: Python Function Execution Security Warning Disabled In Excel - Registry
new: Raspberry Robin Initial Execution From External Drive
new: Raspberry Robin Subsequent Execution of Commands
new: Remote Access Tool - Action1 Arbitrary Code Execution and Remote Sessions
new: Remote Access Tool - Ammy Admin Agent Execution
new: Remote Access Tool - Cmd.EXE Execution via AnyViewer
new: Serpent Backdoor Payload Execution Via Scheduled Task
new: Uncommon Connection to Active Directory Web Services
new: Ursnif Redirection Of Discovery Commands
update: Potential CVE-2022-29072 Exploitation Attempt - Add additional shells and flags
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com >
2024-08-29 19:21:47 +02:00
598d29f811
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
...
chore: change tags, date, modified fields to comply with v2 of the Sigma spec.
chore: update the related type from `obsoletes` to `obsolete`.
chore: update local json schema to the latest version.
2024-08-12 12:02:50 +02:00
dbba992bc3
Merge PR #4960 from @fukusuket - Update unreachable/broken references
...
chore: Unix Shell Configuration Modification - Update unreachable/broken references
chore: JNDIExploit Pattern - Update unreachable/broken references
chore: Load Of RstrtMgr.DLL By A Suspicious Process - Update unreachable/broken references
chore: Load Of RstrtMgr.DLL By An Uncommon Process - Update unreachable/broken references
chore: Potential appverifUI.DLL Sideloading - Update unreachable/broken references
chore: Potential Dead Drop Resolvers - Update unreachable/broken references
chore: HackTool - SecurityXploded Execution - Update unreachable/broken references
chore: Suspicious Processes Spawned by Java.EXE - Update unreachable/broken references
chore: Shell Process Spawned by Java.EXE - Update unreachable/broken references
chore: New Firewall Rule Added Via Netsh.EXE - Update unreachable/broken references
chore: PUA - AdvancedRun Execution - Update unreachable/broken references
chore: PUA - AdvancedRun Suspicious Execution - Update unreachable/broken references
chore: PUA - NSudo Execution - Update unreachable/broken references
chore: Windows Processes Suspicious Parent Directory - Update unreachable/broken references
chore: Suspect Svchost Activity - Update unreachable/broken references
chore: Whoami.EXE Execution From Privileged Process - Update unreachable/broken references
chore: Turla PNG Dropper Service - Update unreachable/broken references
chore: Exploiting SetupComplete.cmd CVE-2019-1378 - Update unreachable/broken references
chore: Log4j RCE CVE-2021-44228 Generic - Update unreachable/broken references
chore: Log4j RCE CVE-2021-44228 in Fields - Update unreachable/broken references
chore: .Class Extension URI Ending Request - Update unreachable/broken references
chore: DLL Call by Ordinal Via Rundll32.EXE - Update unreachable/broken references
2024-08-10 12:52:28 +02:00
3359340f21
Merge PR #4763 from @swachchhanda000 - New rules related to Raspberry Robin TTPs
...
new: Potential Raspberry Robin Aclui Dll SideLoading
new: Potential Raspberry Robin Registry Set Internet Settings ZoneMap
---------
Co-authored-by: Swachchhanda Shrawan Poudel <logpoint-admin@NP-SSP-MBP-01.local >
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com >
2024-08-01 11:18:12 +02:00
6800135a02
Merge PR #4885 from @LucaInfoSec - Add Potential CSharp Streamer RAT Loading .NET Executable Image
...
new: Potential CSharp Streamer RAT Loading .NET Executable Image
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com >
2024-07-31 15:10:20 +02:00
41dfd8ff0c
Merge PR #4940 from @fukusuket - Update unreachable references blog.menasec[.]net
...
chore: Suspicious CLR Logs Creation
chore: Remote Task Creation via ATSVC Named Pipe - Zeek
chore: Possible Impacket SecretDump Remote Activity - Zeek
chore: Suspicious PsExec Execution - Zeek
chore: AD Privileged Users or Groups Reconnaissance
chore: Remote Task Creation via ATSVC Named Pipe
chore: Impacket PsExec Execution
chore: Possible Impacket SecretDump Remote Activity
chore: Suspicious PsExec Execution
chore: Remote Service Activity via SVCCTL Named Pipe
chore: Suspicious DotNET CLR Usage Log Artifact
chore: DotNet CLR DLL Loaded By Scripting Applications
chore: Potential Credential Dumping Activity Via LSASS
chore: DNS RCE CVE-2020-1350
---------
thanks: @fukusuket
2024-07-31 10:16:56 +02:00
b72317356a
Merge PR #4938 from @frack113 - Add CVE-2024-37085 detection rules
...
new: Potential Exploitation of CVE-2024-37085 - Suspicious Creation Of ESX Admins Group
new: Potential Exploitation of CVE-2024-37085 - Suspicious ESX Admins Group Activity
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com >
2024-07-30 11:02:29 +02:00
7f5e0ccb0b
Merge PR #4936 from @Alex-Walston - Add Potential APT FIN7 Exploitation Activity
...
new: Potential APT FIN7 Exploitation Activity
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com >
2024-07-29 14:13:10 +02:00
313578eeaa
Merge PR #4888 from @nasbench - Add multiple new rules, updates and fixes
...
fix: Dllhost.EXE Initiated Network Connection To Non-Local IP Address - Filter out additional Microsoft IP block and moved to the threat hunting folder due to large amount of matches based on VT data
fix: Forest Blizzard APT - File Creation Activity - Fix typo in filename
fix: New RUN Key Pointing to Suspicious Folder - Enhance filter to fix new false positive found in testing
new: COM Object Hijacking Via Modification Of Default System CLSID Default Value
new: CVE-2023-1389 Potential Exploitation Attempt - Unauthenticated Command Injection In TP-Link Archer AX21
new: DPAPI Backup Keys And Certificate Export Activity IOC
new: DSInternals Suspicious PowerShell Cmdlets
new: DSInternals Suspicious PowerShell Cmdlets - ScriptBlock
new: HackTool - RemoteKrbRelay Execution
new: HackTool - RemoteKrbRelay SMB Relay Secrets Dump Module Indicators
new: HackTool - SharpDPAPI Execution
new: Hypervisor Enforced Paging Translation Disabled
new: PDF File Created By RegEdit.EXE
new: Periodic Backup For System Registry Hives Enabled
new: Renamed Microsoft Teams Execution
new: Windows LAPS Credential Dump From Entra ID
remove: Potential Persistence Via COM Hijacking From Suspicious Locations - Deprecated because of incorrect logic, replaced by "790317c0-0a36-4a6a-a105-6e576bf99a14"
update: DLL Call by Ordinal Via Rundll32.EXE - Reduced level to "medium" and moved to the threat hunting folder due to the fact that calling by ordinal can be seen by many legitimate utilities. An initial baseline needs to be set for the rule to be promoted.
update: Msiexec.EXE Initiated Network Connection Over HTTP - Reduced level to low and moved to the threat hunting folder due to large amount of matches based on VT data
update: MSSQL Add Account To Sysadmin Role - Update the "Provider_Name" to use a contains in order to account for other third party providers.
update: MSSQL Disable Audit Settings - Update the "Provider_Name" to use a contains in order to account for other third party providers.
update: MSSQL Server Failed Logon - Update the "Provider_Name" to use a contains in order to account for other third party providers.
update: MSSQL Server Failed Logon From External Network - Update the "Provider_Name" to use a contains in order to account for other third party providers.
update: MSSQL SPProcoption Set - Update the "Provider_Name" to use a contains in order to account for other third party providers.
update: MSSQL XPCmdshell Option Change - Update the "Provider_Name" to use a contains in order to account for other third party providers.
update: MSSQL XPCmdshell Suspicious Execution - Update the "Provider_Name" to use a contains in order to account for other third party providers.
update: Network Connection Initiated By AddinUtil.EXE - increase level to "high" and promote the status to "test" based on VT data
update: Network Connection Initiated To AzureWebsites.NET By Non-Browser Process - Reduced the level to "medium" and added filters for "null" and empty values based on VT data
update: Office Application Initiated Network Connection Over Uncommon Ports - Add port "143" based on Microsoft "Microsoft 365 URLs and IP address ranges" document
update: Office Application Initiated Network Connection To Non-Local IP - Add "outlook.exe" to the list of processes and filter multiple IP ranges based on Microsoft "Microsoft 365 URLs and IP address ranges" document
update: Password Protected Compressed File Extraction Via 7Zip - Reduced level to "low" and moved to the threat hunting folder due to large amount of matches based on VT data
update: Potential Dead Drop Resolvers - Add filters for "null" and empty values based on VT data
update: Potential Privilege Escalation via Local Kerberos Relay over LDAP - Update metadata information
update: Potential Shellcode Injection - Reduced level to "medium" and moved to the threat hunting folder due multiple FP with third party softwares
update: Potential Suspicious Execution From GUID Like Folder Names - Reduced level to "low" and moved to the threat hunting folder
update: Potentially Suspicious EventLog Recon Activity Using Log Query Utilities - Add additional EventLog and ETW providers to increase coverage
update: Potentially Suspicious Execution From Parent Process In Public Folder - Update logic to add Image names in addition to the previous CommandLines
update: Potentially Suspicious PowerShell Child Processes - Reduced level to "medium" and moved to the threat hunting folder due to large amount of matches based on VT data. As well as the logic doesn't look for anything suspicious but "child processes" that might be "uncommon".
update: Process Execution From A Potentially Suspicious Folder - Update metadata and remove "\Users\Public" to avoid false positives
update: Recon Command Output Piped To Findstr.EXE - Update the logic to user "wildcards" instead of spaces to cover different variants and increase the coverage.
update: Suspicious Electron Application Child Processes - Remove unnecessary filters
update: Suspicious Non-Browser Network Communication With Google API - Add filters for "null" and empty values based on VT data
update: System File Execution Location Anomaly - Enhance filters
update: Uncommon Child Process Of Setres.EXE - Update logic and metadata
update: Uncommon Link.EXE Parent Process - Enhance the filters and metadata
update: Windows Defender Threat Detection Service Disabled - Add french keyword for "stopped" to increase coverage for windows os that uses the french language
---------
Thanks: cY83rR0H1t
Thanks: CTI-Driven
Thanks: BIitzkrieg
Thanks: DFIR-jwedd
Thanks: Snp3r
2024-07-17 11:04:05 +02:00
3c7fcf6bbb
Merge PR #4916 from @frack113 - Move some rules to Emerging-Threats folder
...
chore: OceanLotus Registry Activity - move to emerging-threats
chore: OilRig APT Registry Persistence - move to emerging-threats
chore: Potential Ursnif Malware Activity - Registry - move to emerging-threats
chore: Leviathan Registry Key Activity - move to emerging-threats
2024-07-17 10:28:18 +02:00
c2915a678b
Merge PR #4912 from @nasbench - update pySigma-validators-sigmahq to version 0.7.0 and sigma_cli_conf.yml
...
chore: update `pySigma-validators-sigmahq` to version 0.7.0 and `sigma_cli_conf.yml`
---------
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com >
2024-07-11 11:24:01 +02:00
0bb6f0c0d7
Merge PR #4831 from @swachchhanda000 - Add Kapeka backdoor related Sigma rules
...
new: Kapeka Backdoor Autorun Persistence
new: Kapeka Backdoor Configuration Persistence
new: Kapeka Backdoor Execution Via RunDLL32.EXE
new: Kapeka Backdoor Loaded Via Rundll32.EXE
new: Kapeka Backdoor Persistence Activity
new: Kapeka Backdoor Scheduled Task Creation
new: Potential Kapeka Decrypted Backdoor Indicator
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com >
2024-07-04 00:17:47 +02:00
0511e57c81
Merge PR #4898 from @ruppde - Fix Potential Exploitation of CVE-2024-3094 - Suspicious SSH Child Process
...
fix: Potential Exploitation of CVE-2024-3094 - Suspicious SSH Child Process - Remove `selection_2` as it generates tons of false positives.
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com >
2024-07-03 19:48:53 +02:00
47085e9489
Merge PR #4891 from @nasbench - Promote older rules status from experimental to test
...
chore: promote older rules status from experimental to test
Co-authored-by: nasbench <nasbench@users.noreply.github.com >
2024-07-01 10:42:32 +02:00
Swachchhanda Shrawan Poudel