[pull] master from SigmaHQ:master #2
base: master
Welcome @pull[bot] 👋
It looks like this is your first pull request on the Sigma rules repository!
Please make sure to read the SigmaHQ conventions document to make sure your contribution is adhering to best practices and has all the necessary elements in place for a successful approval.
Thanks again, and welcome to the Sigma community! 😃
new: Container With A hostPath Mount Created
new: Creation Of Pod In System Namespace
new: Deployment Deleted From Kubernetes Cluster
new: Kubernetes Events Deleted
new: Kubernetes Secrets Enumeration
new: New Kubernetes Service Account Created
new: Potential Remote Command Execution In Pod Container
new: Potential Sidecar Injection Into Running Deployment
new: Privileged Container Deployed
new: RBAC Permission Enumeration Attempt
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
fix: EVTX Created In Uncommon Location - Reduce level and remove filters
fix: Files With System Process Name In Unsuspected Locations - Add additional paths
fix: New RUN Key Pointing to Suspicious Folder
new: CVE-2024-1212 Exploitation - Progress Kemp LoadMaster Unauthenticated Command Injection
new: MaxMpxCt Registry Value Changed
update: Potentially Suspicious CMD Shell Output Redirect - Enhance logic
update: Suspicious Command Patterns In Scheduled Task Creation - Enhance logic
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
…t.exe update: Suspicious Volume Shadow Copy VSS_PS.dll Load - regularly loaded by wsmprovhost.exe
new: Potential Exploitation of CVE-2024-3094 - Suspicious SSH Child Process
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
Co-authored-by: Thomas Patzke <thomas@patzke.org>
…pLocker mode fix: Windows Binaries Write Suspicious Extensions - filter PS1 policy check for AppLocker mode
fix: Windows Binaries Write Suspicious Extensions - fix selection
fix: Rundll32 Execution With Uncommon DLL Extension - add optional filter for MS Edge update
fix: Dynamic .NET Compilation Via Csc.EXE - FP with chocolatey
Removed https://embedi[.]com/ link as it points to a malaysian casino page now, added a different short blog and the github PoC.
Fix FP reported by @Neo23x0
Update proc_creation_lnx_exploit_cve_2024_3094_sshd_child_process.yml
…y - Linux`
update: Password Policy Discovery - Linux - Add additional new paths for "pam.d", namely "/etc/pam.d/common-account", "/etc/pam.d/common-auth" and "/etc/pam.d/auth"
---------
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
…LL Call Via Ordinal`
new: Suspicious ShellExec_RunDLL Call Via Ordinal
---------
Co-authored-by: Swachchhanda Shrawan Poudel <logpoint-admin@NP-SSP-MBP-02.local>
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
fix: NetNTLM Downgrade Attack - Registry - Tune the rule for specific registry values in order to reduce FP rate.
---------
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
…S RDS Cluster`
new: Modification or Deletion of an AWS RDS Cluster
---------
Co-authored-by: Ivan.Saakov <ivan.saakov@indriver.com>
Co-authored-by: nasbench <nasreddineb@splunk.com>
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
…scovery - Linux`
update: Local System Accounts Discovery - Linux - Add additional binaries to read password files such as "less" and "emacs" as well as additional password file locations such as "/etc/pwd.db"
…ification Of Default System CLSID Default Value`
update: COM Object Hijacking Via Modification Of Default System CLSID Default Value - Add {603D3801-BD81-11d0-A3A5-00C04FD706EC}
---------
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
…n with SDelete`
update: Potential Secure Deletion with SDelete - Enhance metadata
---------
Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com>
update: Process Discovery - Add additional processes like "htop" and "atop"
---------
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com>
…Via Kill`
update: Terminate Linux Process Via Kill - Add "xkill"
---------
Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com>
…exploitation
new: CVE-2024-50623 Exploitation Attempt - Cleo
update: Webshell Detection With Command Line Keywords - Add suspicious powershell commandline keywords
---------
Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com>
… Command Line - PowerShell Classic`
fix: bXOR Operator Usage In PowerShell Command Line - PowerShell Classic - Update the logic to remove unrelated keywords and reduce unwanted matches.
---------
Co-authored-by: Djordje Lukic <djordje.lukic@binalyze.com>
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com>
…nd RATs behaviors observed ITW
new: Lummac Stealer Activity - Execution Of More.com And Vbc.exe
new: File Creation Related To RAT Clients
---------
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com>
…t usage
new: QuickAssist Execution
new: DNS Query Request By QuickAssist.EXE
---------
Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com>
…guration Created`
new: New AWS Lambda Function URL Configuration Created
---------
Co-authored-by: Ivan.Saakov <ivan.saakov@indriver.com>
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com>
…ce Tampering`
update: Suspicious Windows Service Tampering - Add additional services
fix: Relevant Anti-Virus Signature Keywords In Application Log - Enhances the `HTool` string to avoid unintended matches.
fix: Uncommon AppX Package Locations - Add `https://installer.teams.static.microsoft/`
fix: BITS Transfer Job With Uncommon Or Suspicious Remote TLD - Add `dn.onenote.net/` and `cdn.office.net/`
fix: CodeIntegrity - Unmet Signing Level Requirements By File Under Validation - Add filter for `Kaspersky` and `mDNS Responder`
update: Suspicious Non PowerShell WSMAN COM Provider - Update regex to use `\s+` to account for different parsers
update: Renamed Powershell Under Powershell Channel - Update regex to use `\s+` to account for different parsers
---------
Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com>
…xploitation Attempt - LDAP Nightmare`
new: CVE-2024-49113 Exploitation Attempt - LDAP Nightmare
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
See Commits and Changes for more details.
Created by pull[bot] (v2.0.0-alpha.1)
Can you help keep this open source service alive? 💖 Please sponsor : )