dbf4e05309
Merge branch 'SigmaHQ:master' into nasbench-rule-devel
2023-02-21 22:16:07 +01:00
63888f7a53
feat: multiple fixes and updates
2023-02-21 22:15:30 +01:00
ecc41ad20b
fix: FP with chocolatey
2023-02-21 16:38:05 +01:00
0a734bde8c
Merge pull request #4061 from wagga40/master
...
Typo correction
2023-02-20 17:29:48 +01:00
41e844e0cc
fix: add missing modified
2023-02-20 17:08:48 +01:00
848a64fa69
Create proc_creation_macos_persistence_via_plistbuddy.yml ( #4057 )
2023-02-20 14:15:31 +01:00
d0af939108
Create proc_creation_macos_enable_guest_account.yml ( #4054 )
2023-02-20 14:13:52 +01:00
7387648bb1
Update proc_creation_win_mstsc_remote_connection.yml
2023-02-20 14:13:26 +01:00
f9a73c7a79
Update proc_creation_macos_create_account.yml ( #4052 )
2023-02-20 14:13:06 +01:00
e7492c0f75
Update proc_creation_win_apt_cozy_bear_phishing_campaign_indicators.yml
2023-02-20 14:12:51 +01:00
fae6d7066a
Update and rename proc_creation_win_apt_cozy_bear_phishing_campaing_indicators.yml to proc_creation_win_apt_cozy_bear_phishing_campaign_indicators.yml
2023-02-20 14:12:32 +01:00
71b849146c
Update proc_creation_win_certutil_export_pfx.yml
2023-02-20 14:11:48 +01:00
ffc9044b07
Update registry_add_persistence_amsi_providers.yml
2023-02-20 14:11:11 +01:00
2d283ff885
Update and rename file_event_win_apt_cozy_bear_phishing_campaing_indicators.yml to file_event_win_apt_cozy_bear_phishing_campaign_indicators.yml
2023-02-20 14:10:03 +01:00
cbc9a10eba
Update java_xxe_exploitation_attempt.yml
2023-02-20 14:08:28 +01:00
b1866adb07
Merge pull request #4049 from nasbench/nasbench-rule-devel
...
feat: new rules, updates and fixes
2023-02-20 13:44:04 +01:00
2ec65de9a2
fix: taskName property
2023-02-20 16:08:53 +05:00
ae469ddefe
New rules added for LockBit and Reddit used for C2. ( #4045 )
2023-02-20 12:07:02 +01:00
f0afc4cce6
fix: apply suggestions from code review
...
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com >
2023-02-20 12:06:37 +01:00
e327427f13
Merge pull request #4048 from YamatoSecurity/update-powershell-usage-of-base64-IEX
...
added other potential IEX strings
2023-02-18 07:13:14 +01:00
1d4a6dee3d
fix: more fp
2023-02-17 23:23:31 +01:00
6a0b38291f
fix: fp found in baseline
2023-02-17 23:16:42 +01:00
1dba328ddc
fix: add missing modified
2023-02-17 22:52:09 +01:00
9c673bbb15
added other potential IEX strings
2023-02-18 05:51:40 +09:00
2ae212f5ab
fix: remove unnecessary filter
2023-02-17 21:36:54 +01:00
ee7d1d9890
feat: add reference
2023-02-17 19:58:26 +01:00
787ea00ff7
feat: new rule for events.asp technique
2023-02-17 19:41:14 +01:00
c965a8dca0
Update proc_creation_macos_binary_padding.yml
...
Updated the modified field
reference link is same, I have a PR in ART Repo for the same, which is yet to be verified, maybe if it's allowed the man pages of "truncate" and "dd" can be referenced
Discarding the filter, there should either be "of="(output file) or a redirection or append symbol
2023-02-17 23:16:28 +05:30
68c052aab7
feat: updates and fixes
2023-02-17 17:51:44 +01:00
45ff572bd2
Update proc_creation_macos_binary_padding.yml
...
Minor changes
2023-02-17 18:22:26 +05:30
afc6198da8
Update proc_creation_macos_binary_padding.yml
...
Few minor changes, increasing the precision of the rule and reducing the possible false positives.
2023-02-17 18:05:55 +05:30
164b3a36b6
Merge pull request #4043 from nasbench/certutil-other-updates
...
feat: certutil rules updates + other fixes
2023-02-16 11:45:08 +01:00
c56f7932e0
Merge pull request #4041 from nasbench/wmic-rules-updates
...
feat: wmic rules update + other fixes
2023-02-16 11:38:16 +01:00
151171848a
Merge pull request #4038 from nasbench/nasbench-rule-devel
...
feat: updates and enhancements
2023-02-16 11:30:15 +01:00
416c10e0d3
fix: yaml error in description
2023-02-16 11:15:06 +01:00
4142819114
fix: apply suggestions from code review
...
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com >
2023-02-16 11:06:57 +01:00
362f4e4e60
fix: apply suggestions from code review
...
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com >
2023-02-16 11:05:38 +01:00
e2068c5cd0
Merge pull request #4001 from mbabinski/master
...
feat: new rule related to Right-to-left override character in the CLI
2023-02-16 10:54:13 +01:00
088ff06cc3
fix: apply suggestions from code review
...
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com >
2023-02-16 10:46:29 +01:00
e2acd4a276
fix: add missing space
2023-02-16 01:40:01 +01:00
927affe24a
fix: update metadata
2023-02-16 01:39:16 +01:00
0634364e5c
Updated rule with YAML unicode escaping
2023-02-15 14:54:37 -08:00
f951fc7536
fix: remove unrelated bitsadmin selection
2023-02-15 21:18:38 +01:00
d56da92948
fix: broken selection
2023-02-15 19:58:48 +01:00
7ec76db26c
Merge branch 'master' into wmic-rules-updates
2023-02-15 19:58:11 +01:00
58e5201317
feat: update bitsadmin rules and other
2023-02-15 19:55:40 +01:00
c168a7ad00
feat: update certutil rules
2023-02-15 19:55:39 +01:00
e52edb69c4
Merge pull request #4039 from fornotes/master
...
Added New Rule for LPE via StorSvc DLL Hijack
2023-02-15 19:18:39 +01:00
39e957d7ee
fix: update title
2023-02-15 19:11:39 +01:00
33207aa7ab
fix: change link to permalink
2023-02-15 13:37:05 +01:00
Nasreddine Bencherchali