Multiple Fixes & Enhancements #4427

Merged
merged 31 commits into from
Oct 4, 2023
Changes from 27 commits
31 commits
d5f55d2
fix: fp found in testing
nasbench Sep 7, 2023
2fa57a3
chore: fix fp and move rules
nasbench Sep 7, 2023
276cd6b
chore: update metadata
nasbench Sep 7, 2023
c9b79fa
Create file_event_win_dump_file_creation.yml
nasbench Sep 8, 2023
8326538
feat: update loldrivers rules
nasbench Sep 10, 2023
e9ffe92
fix: closes #4437
nasbench Sep 11, 2023
01d6414
fix: closes #4438
nasbench Sep 11, 2023
022907b
Update dns_query_win_remote_access_software_domains_non_browsers.yml
nasbench Sep 11, 2023
b77e9d2
fix: update filters for dead drop resolvers rule
nasbench Sep 11, 2023
8c488b6
Merge branch 'master' into service-creation-update
nasbench Sep 11, 2023
0f1d19d
feat: updates & move
nasbench Sep 12, 2023
bdd86ab
Merge branch 'SigmaHQ:master' into service-creation-update
nasbench Sep 16, 2023
6a7c631
feat: update sysmon rules and mapping
nasbench Sep 16, 2023
9f5f7e2
feat: multiple updates and fixes
nasbench Sep 18, 2023
0468bf3
feat: more updates
nasbench Sep 28, 2023
47b8f01
feat: update driver rule
nasbench Sep 28, 2023
8dd203f
feat: more updates
nasbench Sep 28, 2023
fc452f1
fix: remove hkcu usage
nasbench Sep 28, 2023
f4dea12
fix: issues
nasbench Sep 29, 2023
db1e228
Update proc_creation_win_driverquery_usage.yml
nasbench Sep 29, 2023
3cf23e8
fix: wording
phantinuss Oct 2, 2023
e8df0dd
fix: wording
phantinuss Oct 2, 2023
7ef52f9
fix: wording
phantinuss Oct 2, 2023
8786ec7
fix: wording
phantinuss Oct 2, 2023
835ede5
Update rules/windows/dns_query/dns_query_win_dns_server_discovery_via…
nasbench Oct 4, 2023
89db082
Update rules/windows/process_creation/proc_creation_win_browsers_inli…
nasbench Oct 4, 2023
6777607
Update rules/windows/process_creation/proc_creation_win_browsers_chro…
nasbench Oct 4, 2023
2e12209
Update registry_event_apt_oceanlotus_registry.yml
nasbench Oct 4, 2023
7b4be4b
Update rules/windows/network_connection/net_connection_win_powershell…
nasbench Oct 4, 2023
043241d
Update rules/windows/process_creation/proc_creation_win_wmic_terminat…
nasbench Oct 4, 2023
7fdb6b3
Update driver_load_win_mal_poortry_driver.yml
nasbench Oct 4, 2023
@@ -1,12 +1,12 @@
title: Usage Of Malicious POORTRY Signed Driver
id: 91bc09e7-674d-4cf5-8d86-ed5d8bdb95a6
status: experimental
status: deprecated
description: Detects the load of the signed poortry driver used by UNC3944 as reported by Mandiant and Sentinel One.
references:
- https://www.mandiant.com/resources/blog/hunting-attestation-signed-malware
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022/12/16
modified: 2022/12/30
modified: 2023/09/12
tags:
- attack.privilege_escalation
- attack.t1543
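Review bot: the `modified: 2023/09/12` value in this hunk predates commit 7fdb6b3 ("Update driver_load_win_mal_poortry_driver.yml", Oct 4, 2023) in this PR's commit list; if that later commit touches this file, bump `modified` to 2023/10/04 so the field reflects the last real edit. Separately, flipping `status: experimental` to `status: deprecated` leaves no pointer to whatever now covers the POORTRY driver; the SigmaHQ convention is to move the file under `deprecated/` and give the successor rule a `related` entry of `type: obsoletes` referencing `91bc09e7-674d-4cf5-8d86-ed5d8bdb95a6`, so downstream consumers can see where the coverage moved.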
@@ -1,12 +1,12 @@
title: Vulnerable AVAST Anti Rootkit Driver Load
id: 7c676970-af4f-43c8-80af-ec9b49952852
status: experimental
status: deprecated
description: Detects the load of a signed and vulnerable AVAST Anti Rootkit driver often used by threat actors or malware for stopping and disabling AV and EDR products
references:
- https://www.aon.com/cyber-solutions/aon_cyber_labs/yours-truly-signed-av-driver-weaponizing-an-antivirus-driver/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022/07/28
modified: 2022/12/30
modified: 2023/09/12
tags:
- attack.privilege_escalation
- attack.t1543.003
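Review bot: the description still reads as a live detection ("Detects the load of a signed and vulnerable AVAST Anti Rootkit driver ...") while `status` becomes `deprecated`, and nothing in the hunk names the rule that supersedes it. Add a sentence to the description pointing at the replacement (the LOLDrivers rules touched in commit 8326538 "feat: update loldrivers rules" appear to be the candidate), so anyone who exported this rule into a SIEM knows which rule to swap in rather than just seeing coverage go dark.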
@@ -1,12 +1,12 @@
title: Vulnerable Dell BIOS Update Driver Load
id: 21b23707-60d6-41bb-96e3-0f0481b0fed9
status: experimental
status: deprecated
description: Detects the load of the vulnerable Dell BIOS update driver as reported in CVE-2021-21551
references:
- https://labs.sentinelone.com/cve-2021-21551-hundreds-of-millions-of-dell-computers-at-risk-due-to-multiple-bios-driver-privilege-escalation-flaws/
author: Florian Roth (Nextron Systems)
date: 2021/05/05
modified: 2022/12/30
modified: 2023/09/12
tags:
- attack.privilege_escalation
- cve.2021.21551
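Review bot: deprecating this rule removes the only CVE-keyed detection for the Dell BIOS update driver (CVE-2021-21551) visible in this PR; before merge, confirm that the replacement LOLDrivers rules from commit 8326538 still match the Dell driver indicators this rule used (the detection section is outside the shown hunk), and carry the `cve.2021.21551` tag over to the successor so the CVE mapping survives the move. As with the other deprecations here, only `status` and `modified` change; the file should also be relocated under `deprecated/` per repository convention.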