a9423d69c3
Merge PR #5123 from @jstnk9 - Add new sigma rules related to lummac and RATs behaviors observed ITW
...
new: Lummac Stealer Activity - Execution Of More.com And Vbc.exe
new : File Creation Related To RAT Clients
---------
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com >
Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com >
2024-12-19 17:56:18 +01:00
17dcad456f
Merge PR #5116 from @Neo23x0 - Add rules and updates related to Cleo exploitation
...
new: CVE-2024-50623 Exploitation Attempt - Cleo
update: Webshell Detection With Command Line Keywords - Add suspicious powershell commandline keywords
---------
Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com >
2024-12-14 22:44:55 +02:00
6048be5a7a
Merge PR #5106 from @nasbench - Add SID version of integrity levels
...
chore: add SID version of IntegrityLevel
fix: Suspicious Process By Web Server Process - Fix typo in "ntdsutil" process name
2024-12-01 23:29:17 +01:00
9367349016
Merge PR #5101 from @nasbench - Promote older rules status from experimental to test
...
chore: promote older rules status from experimental to test
Co-authored-by: nasbench <nasbench@users.noreply.github.com >
2024-12-01 13:40:32 +01:00
d804e9cba1
Merge PR #5088 from @frack113 - Remove custom dedicated hash fields from sigmac
...
update: GALLIUM IOCs - remove custom dedicated hash fields
update: Malicious DLL Load By Compromised 3CXDesktopApp - remove custom dedicated hash fields
update: Potential Compromised 3CXDesktopApp Execution - remove custom dedicated hash fields
update: HackTool Named File Stream Created - remove custom dedicated hash fields
update: PUA - Process Hacker Driver Load - remove custom dedicated hash fields
update: PUA - System Informer Driver Load - remove custom dedicated hash fields
update: Vulnerable HackSys Extreme Vulnerable Driver Load - remove custom dedicated hash fields
update: Vulnerable WinRing0 Driver Load - remove custom dedicated hash fields
update: WinDivert Driver Load - remove custom dedicated hash fields
update: HackTool - SharpEvtMute DLL Load - remove custom dedicated hash fields
update: HackTool - CoercedPotato Execution - remove custom dedicated hash fields
update: HackTool - CreateMiniDump Execution - remove custom dedicated hash fields
update: Hacktool Execution - Imphash - remove custom dedicated hash fields
update: HackTool - GMER Rootkit Detector and Remover Execution - remove custom dedicated hash fields
update: HackTool - HandleKatz LSASS Dumper Execution - remove custom dedicated hash fields
update: HackTool - Impersonate Execution - remove custom dedicated hash fields
update: HackTool - LocalPotato Execution - remove custom dedicated hash fields
update: HackTool - PCHunter Execution - remove custom dedicated hash fields
update: HackTool - PPID Spoofing SelectMyParent Tool Execution - remove custom dedicated hash fields
update: HackTool - Stracciatella Execution - remove custom dedicated hash fields
update: HackTool - SysmonEOP Execution - remove custom dedicated hash fields
update: HackTool - UACMe Akagi Execution - remove custom dedicated hash fields
update: HackTool - Windows Credential Editor (WCE) Execution - remove custom dedicated hash fields
update: MpiExec Lolbin - remove custom dedicated hash fields
update: PUA - Fast Reverse Proxy (FRP) Execution - remove custom dedicated hash fields
update: PUA- IOX Tunneling Tool Execution - remove custom dedicated hash fields
update: PUA - Nimgrab Execution - remove custom dedicated hash fields
update: PUA - NPS Tunneling Tool Execution - remove custom dedicated hash fields
update: PUA - Process Hacker Execution - remove custom dedicated hash fields
update: PUA - System Informer Execution - remove custom dedicated hash fields
update: Remote Access Tool - NetSupport Execution From Unusual Location - remove custom dedicated hash fields
update: Renamed AdFind Execution - remove custom dedicated hash fields
update: Renamed AutoIt Execution - remove custom dedicated hash fields
update: Renamed NetSupport RAT Execution - remove custom dedicated hash fields
update: Renamed PAExec Execution - remove custom dedicated hash fields
update: Potential SquiblyTwo Technique Execution - remove custom dedicated hash fields
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com >
2024-11-25 09:30:14 +01:00
f533350560
Merge PR #5065 from @nasbench - Promote older rules status from experimental to test
...
chore: promote older rules status from `experimental` to `test`
Co-authored-by: nasbench <nasbench@users.noreply.github.com >
2024-11-01 10:21:04 +01:00
08c52c367c
Merge PR #5027 from @nasbench - Promote older rules status from experimental to test
...
chore: promote older rules status from experimental to test
Co-authored-by: nasbench <nasbench@users.noreply.github.com >
2024-10-01 14:56:09 +02:00
236db73778
Merge PR #5006 from @frack113 - Fix UNC2452 Process Creation Patterns
...
fix: UNC2452 Process Creation Patterns - Add the missing `all` modifier
2024-09-13 11:17:23 +02:00
132482818e
Merge PR #5007 from @fukusuket - Fix unreachable GitHub URL references
...
chore: CVE-2021-1675 Print Spooler Exploitation Filename Pattern - Fix unreachable GitHub URL references
chore: HackTool - DInjector PowerShell Cradle Execution - Fix unreachable GitHub URL references
chore: InstallerFileTakeOver LPE CVE-2021-41379 File Create Event - Fix unreachable GitHub URL references
chore: LPE InstallerFileTakeOver PoC CVE-2021-41379 - Fix unreachable GitHub URL references
chore: Malicious PowerShell Scripts - FileCreation - Fix unreachable GitHub URL references
chore: Malicious PowerShell Scripts - PoshModule - Fix unreachable GitHub URL references
chore: Possible CVE-2021-1675 Print Spooler Exploitation - Fix unreachable GitHub URL references
chore: Potential NT API Stub Patching - Fix unreachable GitHub URL references
chore: Potential PrintNightmare Exploitation Attempt - Fix unreachable GitHub URL references
chore: Potential RDP Exploit CVE-2019-0708 - Fix unreachable GitHub URL references
chore: Potential SAM Database Dump - Fix unreachable GitHub URL references
chore: Scanner PoC for CVE-2019-0708 RDP RCE Vuln - Fix unreachable GitHub URL references
chore: Suspicious Rejected SMB Guest Logon From IP - Fix unreachable GitHub URL references
chore: Windows Spooler Service Suspicious Binary Load - Fix unreachable GitHub URL references
2024-09-13 11:14:11 +02:00
839f5636f5
Merge PR #4991 from @nasbench - Promote older rules status from experimental to test
...
chore: promote older rules status from `experimental` to `test`
Co-authored-by: nasbench <nasbench@users.noreply.github.com >
2024-09-02 10:01:36 +02:00
2851ef5d16
Merge PR #4961 from @tsale - Add multiples rules and updates
...
fix: Potential Privilege Escalation via Local Kerberos Relay over LDAP - Add new exclusion
fix: Sdiagnhost Calling Suspicious Child Process - Add new filters
new: Antivirus Filter Driver Disallowed On Dev Drive - Registry
new: ChromeLoader Malware Execution
new: Emotet Loader Execution Via .LNK File
new: Exploitation Attempt Of CVE-2020-1472 - Execution of ZeroLogon PoC
new: FakeUpdates/SocGholish Activity
new: File Explorer Folder Opened Using Explorer Folder Shortcut Via Shell
new: HackTool - SharpWSUS/WSUSpendu Execution
new: HackTool - SOAPHound Execution
new: Hiding User Account Via SpecialAccounts Registry Key - CommandLine
new: Injected Browser Process Spawning Rundll32 - GuLoader Activity
new: Kerberoasting Activity - Initial Query
new: Manual Execution of Script Inside of a Compressed File
new: Obfuscated PowerShell OneLiner Execution
new: OneNote.EXE Execution of Malicious Embedded Scripts
new: Potential CVE-2021-44228 Exploitation Attempt - VMware Horizon
new: Potential CVE-2022-22954 Exploitation Attempt - VMware Workspace ONE Access Remote Code Execution
new: Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 1
new: Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 2
new: Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 3
new: Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 4
new: Potential MOVEit Transfer CVE-2023-34362 Exploitation - Dynamic Compilation Via Csc.EXE
new: Python Function Execution Security Warning Disabled In Excel
new: Python Function Execution Security Warning Disabled In Excel - Registry
new: Raspberry Robin Initial Execution From External Drive
new: Raspberry Robin Subsequent Execution of Commands
new: Remote Access Tool - Action1 Arbitrary Code Execution and Remote Sessions
new: Remote Access Tool - Ammy Admin Agent Execution
new: Remote Access Tool - Cmd.EXE Execution via AnyViewer
new: Serpent Backdoor Payload Execution Via Scheduled Task
new: Uncommon Connection to Active Directory Web Services
new: Ursnif Redirection Of Discovery Commands
update: Potential CVE-2022-29072 Exploitation Attempt - Add additional shells and flags
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com >
2024-08-29 19:21:47 +02:00
598d29f811
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
...
chore: change tags, date, modified fields to comply with v2 of the Sigma spec.
chore: update the related type from `obsoletes` to `obsolete`.
chore: update local json schema to the latest version.
2024-08-12 12:02:50 +02:00
dbba992bc3
Merge PR #4960 from @fukusuket - Update unreachable/broken references
...
chore: Unix Shell Configuration Modification - Update unreachable/broken references
chore: JNDIExploit Pattern - Update unreachable/broken references
chore: Load Of RstrtMgr.DLL By A Suspicious Process - Update unreachable/broken references
chore: Load Of RstrtMgr.DLL By An Uncommon Process - Update unreachable/broken references
chore: Potential appverifUI.DLL Sideloading - Update unreachable/broken references
chore: Potential Dead Drop Resolvers - Update unreachable/broken references
chore: HackTool - SecurityXploded Execution - Update unreachable/broken references
chore: Suspicious Processes Spawned by Java.EXE - Update unreachable/broken references
chore: Shell Process Spawned by Java.EXE - Update unreachable/broken references
chore: New Firewall Rule Added Via Netsh.EXE - Update unreachable/broken references
chore: PUA - AdvancedRun Execution - Update unreachable/broken references
chore: PUA - AdvancedRun Suspicious Execution - Update unreachable/broken references
chore: PUA - NSudo Execution - Update unreachable/broken references
chore: Windows Processes Suspicious Parent Directory - Update unreachable/broken references
chore: Suspect Svchost Activity - Update unreachable/broken references
chore: Whoami.EXE Execution From Privileged Process - Update unreachable/broken references
chore: Turla PNG Dropper Service - Update unreachable/broken references
chore: Exploiting SetupComplete.cmd CVE-2019-1378 - Update unreachable/broken references
chore: Log4j RCE CVE-2021-44228 Generic - Update unreachable/broken references
chore: Log4j RCE CVE-2021-44228 in Fields - Update unreachable/broken references
chore: .Class Extension URI Ending Request - Update unreachable/broken references
chore: DLL Call by Ordinal Via Rundll32.EXE - Update unreachable/broken references
2024-08-10 12:52:28 +02:00
3359340f21
Merge PR #4763 from @swachchhanda000 - New rules related to Raspberry Robin TTPs
...
new: Potential Raspberry Robin Aclui Dll SideLoading
new: Potential Raspberry Robin Registry Set Internet Settings ZoneMap
---------
Co-authored-by: Swachchhanda Shrawan Poudel <logpoint-admin@NP-SSP-MBP-01.local >
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com >
2024-08-01 11:18:12 +02:00
6800135a02
Merge PR #4885 from @LucaInfoSec - Add Potential CSharp Streamer RAT Loading .NET Executable Image
...
new: Potential CSharp Streamer RAT Loading .NET Executable Image
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com >
2024-07-31 15:10:20 +02:00
41dfd8ff0c
Merge PR #4940 from @fukusuket - Update unreachable references blog.menasec[.]net
...
chore: Suspicious CLR Logs Creation
chore: Remote Task Creation via ATSVC Named Pipe - Zeek
chore: Possible Impacket SecretDump Remote Activity - Zeek
chore: Suspicious PsExec Execution - Zeek
chore: AD Privileged Users or Groups Reconnaissance
chore: Remote Task Creation via ATSVC Named Pipe
chore: Impacket PsExec Execution
chore: Possible Impacket SecretDump Remote Activity
chore: Suspicious PsExec Execution
chore: Remote Service Activity via SVCCTL Named Pipe
chore: Suspicious DotNET CLR Usage Log Artifact
chore: DotNet CLR DLL Loaded By Scripting Applications
chore: Potential Credential Dumping Activity Via LSASS
chore: DNS RCE CVE-2020-1350
---------
thanks: @fukusuket
2024-07-31 10:16:56 +02:00
b72317356a
Merge PR #4938 from @frack113 - Add CVE-2024-37085 detection rules
...
new: Potential Exploitation of CVE-2024-37085 - Suspicious Creation Of ESX Admins Group
new: Potential Exploitation of CVE-2024-37085 - Suspicious ESX Admins Group Activity
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com >
2024-07-30 11:02:29 +02:00
7f5e0ccb0b
Merge PR #4936 from @Alex-Walston - Add Potential APT FIN7 Exploitation Activity
...
new: Potential APT FIN7 Exploitation Activity
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com >
2024-07-29 14:13:10 +02:00
313578eeaa
Merge PR #4888 from @nasbench - Add multiple new rules, updates and fixes
...
fix: Dllhost.EXE Initiated Network Connection To Non-Local IP Address - Filter out additional Microsoft IP block and moved to the threat hunting folder due to large amount of matches based on VT data
fix: Forest Blizzard APT - File Creation Activity - Fix typo in filename
fix: New RUN Key Pointing to Suspicious Folder - Enhance filter to fix new false positive found in testing
new: COM Object Hijacking Via Modification Of Default System CLSID Default Value
new: CVE-2023-1389 Potential Exploitation Attempt - Unauthenticated Command Injection In TP-Link Archer AX21
new: DPAPI Backup Keys And Certificate Export Activity IOC
new: DSInternals Suspicious PowerShell Cmdlets
new: DSInternals Suspicious PowerShell Cmdlets - ScriptBlock
new: HackTool - RemoteKrbRelay Execution
new: HackTool - RemoteKrbRelay SMB Relay Secrets Dump Module Indicators
new: HackTool - SharpDPAPI Execution
new: Hypervisor Enforced Paging Translation Disabled
new: PDF File Created By RegEdit.EXE
new: Periodic Backup For System Registry Hives Enabled
new: Renamed Microsoft Teams Execution
new: Windows LAPS Credential Dump From Entra ID
remove: Potential Persistence Via COM Hijacking From Suspicious Locations - Deprecated because of incorrect logic, replaced by "790317c0-0a36-4a6a-a105-6e576bf99a14"
update: DLL Call by Ordinal Via Rundll32.EXE - Reduced level to "medium" and moved to the threat hunting folder due to the fact that calling by ordinal can be seen by many legitimate utilities. An initial baseline needs to be set for the rule to be promoted.
update: Msiexec.EXE Initiated Network Connection Over HTTP - Reduced level to low and moved to the threat hunting folder due to large amount of matches based on VT data
update: MSSQL Add Account To Sysadmin Role - Update the "Provider_Name" to use a contains in order to account for other third party providers.
update: MSSQL Disable Audit Settings - Update the "Provider_Name" to use a contains in order to account for other third party providers.
update: MSSQL Server Failed Logon - Update the "Provider_Name" to use a contains in order to account for other third party providers.
update: MSSQL Server Failed Logon From External Network - Update the "Provider_Name" to use a contains in order to account for other third party providers.
update: MSSQL SPProcoption Set - Update the "Provider_Name" to use a contains in order to account for other third party providers.
update: MSSQL XPCmdshell Option Change - Update the "Provider_Name" to use a contains in order to account for other third party providers.
update: MSSQL XPCmdshell Suspicious Execution - Update the "Provider_Name" to use a contains in order to account for other third party providers.
update: Network Connection Initiated By AddinUtil.EXE - increase level to "high" and promote the status to "test" based on VT data
update: Network Connection Initiated To AzureWebsites.NET By Non-Browser Process - Reduced the level to "medium" and added filters for "null" and empty values based on VT data
update: Office Application Initiated Network Connection Over Uncommon Ports - Add port "143" based on Microsoft "Microsoft 365 URLs and IP address ranges" document
update: Office Application Initiated Network Connection To Non-Local IP - Add "outlook.exe" to the list of processes and filter multiple IP ranges based on Microsoft "Microsoft 365 URLs and IP address ranges" document
update: Password Protected Compressed File Extraction Via 7Zip - Reduced level to "low" and moved to the threat hunting folder due to large amount of matches based on VT data
update: Potential Dead Drop Resolvers - Add filters for "null" and empty values based on VT data
update: Potential Privilege Escalation via Local Kerberos Relay over LDAP - Update metadata information
update: Potential Shellcode Injection - Reduced level to "medium" and moved to the threat hunting folder due multiple FP with third party softwares
update: Potential Suspicious Execution From GUID Like Folder Names - Reduced level to "low" and moved to the threat hunting folder
update: Potentially Suspicious EventLog Recon Activity Using Log Query Utilities - Add additional EventLog and ETW providers to increase coverage
update: Potentially Suspicious Execution From Parent Process In Public Folder - Update logic to add Image names in addition to the previous CommandLines
update: Potentially Suspicious PowerShell Child Processes - Reduced level to "medium" and moved to the threat hunting folder due to large amount of matches based on VT data. As well as the logic doesn't look for anything suspicious but "child processes" that might be "uncommon".
update: Process Execution From A Potentially Suspicious Folder - Update metadata and remove "\Users\Public" to avoid false positives
update: Recon Command Output Piped To Findstr.EXE - Update the logic to user "wildcards" instead of spaces to cover different variants and increase the coverage.
update: Suspicious Electron Application Child Processes - Remove unnecessary filters
update: Suspicious Non-Browser Network Communication With Google API - Add filters for "null" and empty values based on VT data
update: System File Execution Location Anomaly - Enhance filters
update: Uncommon Child Process Of Setres.EXE - Update logic and metadata
update: Uncommon Link.EXE Parent Process - Enhance the filters and metadata
update: Windows Defender Threat Detection Service Disabled - Add french keyword for "stopped" to increase coverage for windows os that uses the french language
---------
Thanks: cY83rR0H1t
Thanks: CTI-Driven
Thanks: BIitzkrieg
Thanks: DFIR-jwedd
Thanks: Snp3r
2024-07-17 11:04:05 +02:00
3c7fcf6bbb
Merge PR #4916 from @frack113 - Move some rules to Emerging-Threats folder
...
chore: OceanLotus Registry Activity - move to emerging-threats
chore: OilRig APT Registry Persistence - move to emerging-threats
chore: Potential Ursnif Malware Activity - Registry - move to emerging-threats
chore: Leviathan Registry Key Activity - move to emerging-threats
2024-07-17 10:28:18 +02:00
c2915a678b
Merge PR #4912 from @nasbench - update pySigma-validators-sigmahq to version 0.7.0 and sigma_cli_conf.yml
...
chore: update `pySigma-validators-sigmahq` to version 0.7.0 and `sigma_cli_conf.yml`
---------
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com >
2024-07-11 11:24:01 +02:00
0bb6f0c0d7
Merge PR #4831 from @swachchhanda000 - Add Kapeka backdoor related Sigma rules
...
new: Kapeka Backdoor Autorun Persistence
new: Kapeka Backdoor Configuration Persistence
new: Kapeka Backdoor Execution Via RunDLL32.EXE
new: Kapeka Backdoor Loaded Via Rundll32.EXE
new: Kapeka Backdoor Persistence Activity
new: Kapeka Backdoor Scheduled Task Creation
new: Potential Kapeka Decrypted Backdoor Indicator
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com >
2024-07-04 00:17:47 +02:00
0511e57c81
Merge PR #4898 from @ruppde - Fix Potential Exploitation of CVE-2024-3094 - Suspicious SSH Child Process
...
fix: Potential Exploitation of CVE-2024-3094 - Suspicious SSH Child Process - Remove `selection_2` as it generates tons of false positives.
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com >
2024-07-03 19:48:53 +02:00
47085e9489
Merge PR #4891 from @nasbench - Promote older rules status from experimental to test
...
chore: promote older rules status from experimental to test
Co-authored-by: nasbench <nasbench@users.noreply.github.com >
2024-07-01 10:42:32 +02:00
d84959e50f
Merge PR #4867 from @nasbench - Promote older rules status from experimental to test
...
chore: promote older rules status from experimental to test
Co-authored-by: nasbench <nasbench@users.noreply.github.com >
2024-06-03 10:29:22 +02:00
48f2d09699
Merge PR #4784 from @tomaszdyduch - Add new DarkGate activity related rule
...
new: DarkGate - Drop DarkGate Loader In C:\Temp Directory
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com >
2024-05-31 14:53:22 +02:00
7d6f32d1be
Merge PR #4850 from @frack113 - Cleanup rule conditions to align with standard
...
chore: Cleanup conditions
update: Scheduled Task Creation From Potential Suspicious Parent Location - Add additional "temporary folder" locations.
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com >
2024-05-13 12:10:33 +02:00
9341930635
Merge PR #4851 from @frack113 - Fix typo in modifier usage
...
fix: Forest Blizzard APT - Process Creation Activity - Typo in modifier
2024-05-13 10:36:01 +02:00
f7ec533704
Merge PR #4841 from @nasbench - Promote older rules status from experimental to test
...
chore: promote older rules status from "experimental" to "test"
2024-05-02 10:34:25 +02:00
2ef1a3b096
Merge PR #4825 from @netgrain - New analytic for CVE-2024-3400
...
new: Potential CVE-2024-3400 Exploitation - Palo Alto GlobalProtect OS Command Injection - File Creation
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com >
2024-04-25 14:46:07 +02:00
b349447e7d
Merge PR #4826 from @nasbench - Add coverage for CVE-2024-3400
...
new: Potential CVE-2024-3400 Exploitation - Palo Alto GlobalProtect OS Command Injection
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com >
2024-04-24 14:59:24 +02:00
8f8ce06ffb
Merge PR #4833 from @nasbench - New rules related to Forest Blizzard activity
...
new: Forest Blizzard APT - Custom Protocol Handler Creation
new: Forest Blizzard APT - Custom Protocol Handler DLL Registry Set
new: Forest Blizzard APT - File Creation Activity
new: Forest Blizzard APT - JavaScript Constrained File Creation
new: Forest Blizzard APT - Process Creation Activity
2024-04-24 10:04:28 +02:00
f8ca605446
docs: added modification date
2024-04-14 08:32:09 +02:00
146c91c4b9
Update proc_creation_lnx_exploit_cve_2024_3094_sshd_child_process.yml
...
Fix FP reported by @Neo23x0
2024-04-12 19:25:13 +02:00
93b71ec1bb
Update proc_creation_win_exploit_cve_2017_11882.yml ( #4810 )
...
Removed https://embedi[.]com/ link as it points to a malaysian casino page now, added a different short blog and the github PoC.
2024-04-12 07:26:46 +02:00
71ae004b32
Merge PR #4794 from @ruppde - Potential Exploitation of CVE-2024-3094
...
new: Potential Exploitation of CVE-2024-3094 - Suspicious SSH Child Process
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com >
Co-authored-by: Thomas Patzke <thomas@patzke.org >
2024-04-02 15:01:14 +02:00
a8e1ecd658
Merge PR #4791 from @nasbench - Promote older rules status from experimental to test
...
chore: promote older rules status from experimental to test
Co-authored-by: nasbench <nasbench@users.noreply.github.com >
2024-04-01 15:14:10 +02:00
f0395b815b
Merge PR #4774 from @nasbench - Fix and update multiple rules
...
Create Release / Create Release (push) Waiting to run
fix: EVTX Created In Uncommon Location - Reduce level and remove filters
fix: Files With System Process Name In Unsuspected Locations - Add additional paths
fix: New RUN Key Pointing to Suspicious Folder
new: CVE-2024-1212 Exploitation - Progress Kemp LoadMaster Unauthenticated Command Injection
new: MaxMpxCt Registry Value Changed
update: Potentially Suspicious CMD Shell Output Redirect - Enhance logic
update: Suspicious Command Patterns In Scheduled Task Creation - Enhance logic
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com >
2024-03-26 19:09:21 +01:00
8cbcaea48a
Merge PR #4783 from @nasbench - Update registry rules logic and fix some false positives
...
fix: New TimeProviders Registered With Uncommon DLL Name - Add new legitimate entry to avoid FPs
new: Service Binary in User Controlled Folder
remove: Adwind RAT / JRAT - Registry
remove: Service Binary in Uncommon Folder
update: Add Port Monitor Persistence in Registry - Update logic to avoid hardcoded HKLM values
update: Change Winevt Channel Access Permission Via Registry - Update logic to avoid hardcoded HKLM values
update: CVE-2020-1048 Exploitation Attempt - Suspicious New Printer Ports - Registry - Add more entries to increase coverage and update metadata information
update: Default RDP Port Changed to Non Standard Port - Update logic to avoid hardcoded HKLM values
update: Disable Administrative Share Creation at Startup - Update logic to avoid hardcoded HKLM values
update: Disable Microsoft Defender Firewall via Registry - Update logic to avoid hardcoded HKLM values
update: Disable Windows Event Logging Via Registry - Update logic to avoid hardcoded HKLM values
update: Displaying Hidden Files Feature Disabled - Update logic to avoid hardcoded HKLM values
update: FlowCloud Registry Marker - Update logic to avoid hardcoded HKLM values
update: New PortProxy Registry Entry Added - Update logic to avoid hardcoded HKLM values
update: Potential CobaltStrike Service Installations - Registry - Update logic to avoid hardcoded HKLM values
update: Register New IFiltre For Persistence - Update logic to avoid hardcoded HKLM values
update: Registry Persistence via Service in Safe Mode - Update logic to avoid hardcoded HKLM values
update: Run Once Task Configuration in Registry - Update logic to avoid hardcoded HKLM values
update: Security Support Provider (SSP) Added to LSA Configuration - Update logic to avoid hardcoded HKLM values
update: ServiceDll Hijack - Update logic to avoid hardcoded HKLM values
update: Sysmon Driver Altitude Change - Update logic to avoid hardcoded HKLM values
update: Windows Defender Service Disabled - Registry - Update logic to avoid hardcoded HKLM values
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com >
2024-03-26 13:28:49 +01:00
c0f7733837
Merge PR #4781 from @nasbench - KamiKakaBot Malware Related Rules
...
new: Potential KamiKakaBot Activity - Lure Document Execution
new: Potential KamiKakaBot Activity - Shutdown Schedule Task Creation
new: Potential KamiKakaBot Activity - Winlogon Shell Persistence
---------
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com >
2024-03-25 12:35:50 +01:00
6abf058185
Merge PR #4765 from @frack113 - Update additional rules to use the cidr modifier
...
update: Communication To Uncommon Destination Ports - Add link-local address range
update: Dfsvc.EXE Network Connection To Non-Local IPs - Update rule to use cidr modifier
update: Microsoft Sync Center Suspicious Network Connections - Add link-local address range
update: Network Connection Initiated By PowerShell Process - Update rule to use cidr modifier
update: Office Application Initiated Network Connection To Non-Local IP - Update rule to use cidr modifier
update: Outbound Network Connection To Public IP Via Winlogon - Add link-local address range
update: Potential CVE-2023-23397 Exploitation Attempt - SMB - Update rule to use cidr modifier
update: Potentially Suspicious Malware Callback Communication - Add link-local address range
update: Potentially Suspicious Wuauclt Network Connection - Update rule to use cidr modifier
update: Publicly Accessible RDP Service - Add link-local address range
update: RDP Over Reverse SSH Tunnel - Update rule to use cidr modifier
update: Rundll32 Internet Connection - Add link-local address range
update: Script Initiated Connection to Non-Local Network - Update rule to use cidr modifier
update: Search-ms and WebDAV Suspicious Indicators in URL - Add link-local address range
update: Search-ms and WebDAV Suspicious Indicators in URL - Add link-local address range
update: WebDav Put Request - Update rule to use cidr modifier
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com >
2024-03-13 14:51:21 +01:00
48baf1187b
Merge PR #4752 from @frack113 - Update rules to use the windash modifier
...
update: File Enumeration Via Dir Command - Update logic to use a wildcard in addition, for better accuracy.
chore: update multiple rules to use the windash modifier
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com >
2024-03-11 12:01:30 +01:00
4384ce73fe
Merge PR #4751 from @swachchhanda000 - Add Potential Raspberry Robin CPL Execution Activity rule
...
new: Potential Raspberry Robin CPL Execution Activity
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com >
2024-03-07 11:39:27 +01:00
0108cdc344
Merge PR #4745 from @nasbench - Promote older rules status from experimental to test
...
chore: promote older rules status from experimental to test
2024-03-01 15:38:35 +01:00
8af1ab8cac
Merge PR #4738 from @nasbench - Small fixes and metadata updates
...
new: HackTool - CobaltStrike Malleable Profile Patterns - Proxy
remove: CobaltStrike Malformed UAs in Malleable Profiles
remove: CobaltStrike Malleable (OCSP) Profile
remove: CobaltStrike Malleable Amazon Browsing Traffic Profile
remove: CobaltStrike Malleable OneDrive Browsing Traffic Profile
remove: iOS Implant URL Pattern
update: Chafer Malware URL Pattern - Reduce level to high and move to ET folder
2024-02-26 22:01:53 +01:00
49bd839ecf
Merge PR #4727 from @frack113 - Refactor the condition field to align with the standard
...
chore: refactor the `condition` field to align with the standard
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com >
2024-02-26 21:51:24 +01:00
1fb3ce596a
Merge PR #4718 from @qasimqlf - Update ATT&CK Mapping For Some Rules
...
chore: update ATT&CK tagging for multiple rules
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com >
2024-02-26 17:09:30 +01:00
906797e3d1
Merge PR #4735 from @nasbench - Slash&Grab Exploitation Related Rule Updates
...
new: Potentially Suspicious File Download From File Sharing Domain Via PowerShell.EXE
new: Remote Access Tool - ScreenConnect Backstage Mode Anomaly 2
new: Remote Access Tool - ScreenConnect Remote Execution
new: Remote Access Tool - Simple Help Execution
new: ScreenConnect - SlashAndGrab Exploitation Indicators
new: Suspicious File Download From IP Via Wget.EXE - Paths
new: User Added To Highly Privileged Group
update: Suspicious PowerShell IEX Execution Patterns - Enhance coverage by adding new "IEX" variant
update: Weak or Abused Passwords In CLI - Add additional password seen abused in the wild
2024-02-23 23:57:44 +01:00
df6d7ae381
Merge PR #4732 from @MATTANDERS0N - Add rules related to CVE-2024-1709 & CVE-2024-1708 exploitation
...
new: CVE-2024-1708 - ScreenConnect Path Traversal Exploitation
new: ScreenConnect User Database Modification
new: CVE-2024-1709 - ScreenConnect Authentication Bypass Exploitation
new: CVE-2024-1708 - ScreenConnect Path Traversal Exploitation - Security
new: ScreenConnect User Database Modification - Security
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com >
2024-02-21 23:54:31 +01:00
857f7478e2
Merge PR #4729 from @nasbench - Add DPRK C2 DNS Indicator Rule
...
new: DPRK Threat Actor - C2 Communication DNS Indicators
2024-02-20 12:38:52 +01:00
jstnk9