security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[Rule tuning] Fix spacing in reference URLs (#1455)

Browse Source 
(cherry picked from commit 655f7d91d0)
This commit is contained in:
Justin Ibarra
2021-08-31 15:59:06 -08:00
committed by github-actions[bot]
parent 20a814c47f
commit 2a2bcbd870
5 changed files with 9 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml
+2 -2
View File
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/12/23"
maturity = "production"
updated_date = "2021/03/03"
updated_date = "2021/08/25"
[rule]
author = ["Elastic"]
@@ -17,7 +17,7 @@ license = "Elastic License v2"
name = "Potential Privacy Control Bypass via TCCDB Modification"
references = [
"https://applehelpwriter.com/2016/08/29/discovering-how-dropbox-hacks-your-mac/",
"https://github.com/bp88/JSS-Scripts/blob/master/TCC.db Modifier.sh",
"https://github.com/bp88/JSS-Scripts/blob/master/TCC.db%20Modifier.sh",
"https://medium.com/@mattshockl/cve-2020-9934-bypassing-the-os-x-transparency-consent-and-control-tcc-framework-for-4e14806f1de8",
]
risk_score = 47
rules/macos/persistence_docker_shortcuts_plist_modification.toml
+2 -3
View File
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/12/18"
maturity = "production"
updated_date = "2021/03/03"
updated_date = "2021/08/25"
[rule]
author = ["Elastic"]
@@ -16,8 +16,7 @@ license = "Elastic License v2"
name = "Persistence via Docker Shortcut Modification"
references = [
"""
https://github.com/specterops/presentations/raw/master/Leo
Pitt/Hey_Im_Still_in_Here_Modern_macOS_Persistence_SO-CON2020.pdf
https://github.com/specterops/presentations/raw/master/Leo%20Pitt/Hey_Im_Still_in_Here_Modern_macOS_Persistence_SO-CON2020.pdf
""",
]
risk_score = 47
rules/macos/persistence_finder_sync_plugin_pluginkit.toml
+2 -3
View File
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/12/18"
maturity = "production"
updated_date = "2021/03/03"
updated_date = "2021/08/25"
[rule]
author = ["Elastic"]
@@ -17,8 +17,7 @@ license = "Elastic License v2"
name = "Finder Sync Plugin Registered and Enabled"
references = [
"""
https://github.com/specterops/presentations/raw/master/Leo
Pitt/Hey_Im_Still_in_Here_Modern_macOS_Persistence_SO-CON2020.pdf
https://github.com/specterops/presentations/raw/master/Leo%20Pitt/Hey_Im_Still_in_Here_Modern_macOS_Persistence_SO-CON2020.pdf
""",
]
risk_score = 47
rules/ml/ml_linux_anomalous_kernel_module_arguments.toml
+1 -2
View File
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/09/03"
maturity = "production"
updated_date = "2021/03/03"
updated_date = "2021/08/25"
[rule]
anomaly_threshold = 25
@@ -21,7 +21,6 @@ interval = "15m"
license = "Elastic License v2"
machine_learning_job_id = "linux_rare_kernel_module_arguments"
name = "Anomalous Kernel Module Activity"
references = ["references"]
risk_score = 21
rule_id = "37b0816d-af40-40b4-885f-bb162b3c88a9"
severity = "low"
rules/windows/privilege_escalation_unusual_parentchild_relationship.toml
+2 -2
View File
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/02/18"
maturity = "production"
updated_date = "2021/03/03"
updated_date = "2021/08/25"
[rule]
author = ["Elastic"]
@@ -15,7 +15,7 @@ language = "eql"
license = "Elastic License v2"
name = "Unusual Parent-Child Relationship"
references = [
"https://github.com/sbousseaden/Slides/blob/master/Hunting MindMaps/PNG/Windows Processes TH.map.png",
"https://github.com/sbousseaden/Slides/blob/master/Hunting MindMaps/PNG/Windows Processes%20TH.map.png",
"https://www.andreafortuna.org/2017/06/15/standard-windows-processes-a-brief-reference/",
]
risk_score = 47