valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-07 09:48:58 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Merge pull request #1755 from SigmaHQ/rule-devel

Browse Source 
Different rule updates
This commit is contained in:
Florian Roth 2021-07-28 18:56:28 +02:00 committed by GitHub
commit 5ce5465559
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 14 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
rules/proxy/proxy_ua_malware.yml
View File

@ -71,6 +71,7 @@ detection:
- 'agent *'
- 'AutoIt' # Suspicious - base-lining recommended
- 'IczelionDownLoad'
- 'Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 10.0; .NET4.0C; .NET4.0E; Tablet PC 2.0)' # https://unit42.paloaltonetworks.com/thor-plugx-variant/
condition: selection
fields:
- ClientIP

4
rules/windows/builtin/win_av_relevant_match.yml
View File

@ -3,14 +3,14 @@ id: 78bc5783-81d9-4d73-ac97-59f6db4f72a8
description: This detection method points out highly relevant Antivirus events
author: Florian Roth
date: 2017/02/19
modified: 2021/01/07
modified: 2021/07/28
logsource:
product: windows
service: application
detection:
keywords:
Message|contains:
- "HTool"
- "HTool-"
- "Hacktool"
- "ASP/Backdoor"
- "JSP/Backdoor"

13
rules/windows/registry_event/win_registry_mimikatz_printernightmare.yml
View File

@ -12,7 +12,7 @@ tags:
- cve.2021-1675
- cve.2021-34527
date: 2021/07/04
modified: 2021/07/08
modified: 2021/07/28
logsource:
product: windows
category: registry_event
@ -25,7 +25,16 @@ detection:
TargetObject|contains|all:
- 'legitprinter'
- '\Control\Print\Environments\Windows'
condition: selection or selection_alt
selection_print:
TargetObject|contains:
- '\Control\Print\Environments'
- '\CurrentVersion\Print\Printers'
selection_kiwi:
TargetObject|contains:
- 'Gentil Kiwi'
- 'mimikatz printer'
- 'Kiwi Legit Printer'
condition: selection or selection_alt or (selection_print and selection_kiwi)
falsepositives:
- Legitimate installation of printer driver QMS 810, Texas Instruments microLaser printer (unlikely)
level: critical