Kostas
2851ef5d16
fix: Potential Privilege Escalation via Local Kerberos Relay over LDAP - Add new exclusion fix: Sdiagnhost Calling Suspicious Child Process - Add new filters new: Antivirus Filter Driver Disallowed On Dev Drive - Registry new: ChromeLoader Malware Execution new: Emotet Loader Execution Via .LNK File new: Exploitation Attempt Of CVE-2020-1472 - Execution of ZeroLogon PoC new: FakeUpdates/SocGholish Activity new: File Explorer Folder Opened Using Explorer Folder Shortcut Via Shell new: HackTool - SharpWSUS/WSUSpendu Execution new: HackTool - SOAPHound Execution new: Hiding User Account Via SpecialAccounts Registry Key - CommandLine new: Injected Browser Process Spawning Rundll32 - GuLoader Activity new: Kerberoasting Activity - Initial Query new: Manual Execution of Script Inside of a Compressed File new: Obfuscated PowerShell OneLiner Execution new: OneNote.EXE Execution of Malicious Embedded Scripts new: Potential CVE-2021-44228 Exploitation Attempt - VMware Horizon new: Potential CVE-2022-22954 Exploitation Attempt - VMware Workspace ONE Access Remote Code Execution new: Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 1 new: Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 2 new: Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 3 new: Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 4 new: Potential MOVEit Transfer CVE-2023-34362 Exploitation - Dynamic Compilation Via Csc.EXE new: Python Function Execution Security Warning Disabled In Excel new: Python Function Execution Security Warning Disabled In Excel - Registry new: Raspberry Robin Initial Execution From External Drive new: Raspberry Robin Subsequent Execution of Commands new: Remote Access Tool - Action1 Arbitrary Code Execution and Remote Sessions new: Remote Access Tool - Ammy Admin Agent Execution new: Remote Access Tool - Cmd.EXE Execution via AnyViewer new: Serpent Backdoor Payload Execution Via Scheduled Task new: Uncommon Connection to Active Directory Web Services new: Ursnif Redirection Of Discovery Commands update: Potential CVE-2022-29072 Exploitation Attempt - Add additional shells and flags --------- Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
63 lines
3.2 KiB
YAML
63 lines
3.2 KiB
YAML
validators:
|
|
- all
|
|
- -tlptag
|
|
- -tlpv1_tag
|
|
- -sigmahq_logsource_known
|
|
- -sigmahq_fieldname_cast
|
|
- -sigmahq_filename_prefix
|
|
- -sigmahq_categorie_eventid
|
|
- -sigmahq_ofselection_condition
|
|
exclusions:
|
|
# escaped_wildcard
|
|
021310d9-30a6-480a-84b7-eaa69aeb92bb: escaped_wildcard
|
|
1114e048-b69c-4f41-bc20-657245ae6e3f: escaped_wildcard
|
|
204b17ae-4007-471b-917b-b917b315c5db: escaped_wildcard
|
|
214e8f95-100a-4e04-bb31-ef6cba8ce07e: escaped_wildcard
|
|
220457c1-1c9f-4c2e-afe6-9598926222c1: escaped_wildcard
|
|
252902e3-5830-4cf6-bf21-c22083dfd5cf: escaped_wildcard
|
|
2d3cdeec-c0db-45b4-aa86-082f7eb75701: escaped_wildcard
|
|
304810ed-8853-437f-9e36-c4975c3dfd7e: escaped_wildcard
|
|
31d68132-4038-47c7-8f8e-635a39a7c174: escaped_wildcard
|
|
32d56ea1-417f-44ff-822b-882873f5f43b: escaped_wildcard
|
|
4281cb20-2994-4580-aa63-c8b86d019934: escaped_wildcard
|
|
434c08ba-8406-4d15-8b24-782cb071a691: escaped_wildcard
|
|
435e10e4-992a-4281-96f3-38b11106adde: escaped_wildcard
|
|
52d8b0c6-53d6-439a-9e41-52ad442ad9ad: escaped_wildcard
|
|
586a8d6b-6bfe-4ad9-9d78-888cd2fe50c3: escaped_wildcard
|
|
7857f021-007f-4928-8b2c-7aedbe64bb82: escaped_wildcard
|
|
7dc2dedd-7603-461a-bc13-15803d132355: escaped_wildcard
|
|
8fe1c584-ee61-444b-be21-e9054b229694: escaped_wildcard
|
|
904e8e61-8edf-4350-b59c-b905fc8e810c: escaped_wildcard
|
|
9637e8a5-7131-4f7f-bdc7-2b05d8670c43: escaped_wildcard
|
|
a36ce77e-30db-4ea0-8795-644d7af5dfb4: escaped_wildcard
|
|
a4824fca-976f-4964-b334-0621379e84c4: escaped_wildcard
|
|
a8f29a7b-b137-4446-80a0-b804272f3da2: escaped_wildcard
|
|
afe52666-401e-4a02-b4ff-5d128990b8cb: escaped_wildcard
|
|
c2993223-6da8-4b1a-88ee-668b8bf315e9: escaped_wildcard
|
|
c37510b8-2107-4b78-aa32-72f251e7a844: escaped_wildcard
|
|
c462f537-a1e3-41a6-b5fc-b2c2cef9bf82: escaped_wildcard
|
|
c73124a7-3e89-44a3-bdc1-25fe4df754b1: escaped_wildcard
|
|
f3f21ce1-cdef-4bfc-8328-ed2e826f5fac: escaped_wildcard
|
|
d84c0ded-edd7-4123-80ed-348bb3ccc4d5: escaped_wildcard
|
|
db885529-903f-4c5d-9864-28fe199e6370: escaped_wildcard
|
|
dd218fb6-4d02-42dc-85f0-a0a376072efd: escaped_wildcard
|
|
dde85b37-40cd-4a94-b00c-0b8794f956b5: escaped_wildcard
|
|
e06ac91d-b9e6-443d-8e5b-af749e7aa6b6: escaped_wildcard
|
|
f57f8d16-1f39-4dcb-a604-6c73d9b54b3d: escaped_wildcard
|
|
f6de6525-4509-495a-8a82-1f8b0ed73a00: escaped_wildcard
|
|
fb502828-2db0-438e-93e6-801c7548686d: escaped_wildcard
|
|
59e938ff-0d6d-4dc3-b13f-36cc28734d4e: escaped_wildcard
|
|
2e7bbd54-2f26-476e-b4a1-ba5f1a012614: escaped_wildcard
|
|
7c9340a9-e2ee-4e43-94c5-c54ebbea1006: escaped_wildcard
|
|
7aaa5739-12fc-41aa-b98b-23ec27d42bdf: escaped_wildcard
|
|
95724fc1-a258-4674-97db-a30351981c5a: escaped_wildcard
|
|
# number_as_string
|
|
5c84856b-55a5-45f1-826f-13f37250cf4e: number_as_string
|
|
85b88e05-dadc-430b-8a9e-53ff1cd30aae: number_as_string
|
|
749c9f5e-b353-4b90-a9c1-05243357ca4b: number_as_string
|
|
# specific_instead_of_generic_logsource
|
|
693a44e9-7f26-4cb6-b787-214867672d3a: specific_instead_of_generic_logsource
|
|
23b71bc5-953e-4971-be4c-c896cda73fc2: specific_instead_of_generic_logsource
|
|
8ac03a65-6c84-4116-acad-dc1558ff7a77: specific_instead_of_generic_logsource
|
|
c3e5c1b1-45e9-4632-b242-27939c170239: specific_instead_of_generic_logsource
|