Add deprecated status
This commit is contained in:
parent
e9d163cdd1
commit
c49b0d49fa
@ -1,6 +1,6 @@
|
|||||||
title: Suspicious PowerShell Download
|
title: Suspicious PowerShell Download
|
||||||
id: 65531a81-a694-4e31-ae04-f8ba5bc33759
|
id: 65531a81-a694-4e31-ae04-f8ba5bc33759
|
||||||
status: experimental
|
status: deprecated
|
||||||
description: Detects suspicious PowerShell download command
|
description: Detects suspicious PowerShell download command
|
||||||
tags:
|
tags:
|
||||||
- attack.execution
|
- attack.execution
|
||||||
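Review bot: Flipping `status: experimental` to `status: deprecated` retires "Suspicious PowerShell Download" without saying what supersedes it or why, so a consumer that filters deprecated rules out loses the coverage with no pointer to a replacement; the same applies to the "Suspicious PowerShell Invocations - Generic/Specific", "Mimikatz Detection LSASS Access", "RClone Execution", "Suspicious Esentutl Use", "Rclone Execution via Command Line or PowerShell" and "NTDS.dit" hunks below. The Sigma spec's `related` field exists for this link: the successor rule should carry `related:` / `  - id: <DEPRECATED-RULE-ID>` / `    type: obsoletes`, or at minimum the deprecated rule's `description` should name the replacement. If these rules have a `modified:` date (not visible in the six-line hunks), it should be bumped together with the status change. The remainder of each rule lies outside the hunk.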
|
@ -1,6 +1,6 @@
|
|||||||
title: Suspicious PowerShell Invocations - Generic
|
title: Suspicious PowerShell Invocations - Generic
|
||||||
id: 3d304fda-78aa-43ed-975c-d740798a49c1
|
id: 3d304fda-78aa-43ed-975c-d740798a49c1
|
||||||
status: experimental
|
status: deprecated
|
||||||
description: Detects suspicious PowerShell invocation command parameters
|
description: Detects suspicious PowerShell invocation command parameters
|
||||||
tags:
|
tags:
|
||||||
- attack.execution
|
- attack.execution
|
||||||
|
@ -1,6 +1,6 @@
|
|||||||
title: Suspicious PowerShell Invocations - Specific
|
title: Suspicious PowerShell Invocations - Specific
|
||||||
id: fce5f582-cc00-41e1-941a-c6fabf0fdb8c
|
id: fce5f582-cc00-41e1-941a-c6fabf0fdb8c
|
||||||
status: experimental
|
status: deprecated
|
||||||
description: Detects suspicious PowerShell invocation command parameters
|
description: Detects suspicious PowerShell invocation command parameters
|
||||||
tags:
|
tags:
|
||||||
- attack.execution
|
- attack.execution
|
||||||
|
@ -22,3 +22,4 @@ detection:
|
|||||||
falsepositives:
|
falsepositives:
|
||||||
- App-V clients
|
- App-V clients
|
||||||
level: medium
|
level: medium
|
||||||
|
status: deprecated
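Review bot: `status: deprecated` is appended after `level: medium` at the very end of the file here and again in the next hunk (`@ -19,3 +19,4 @@`), whereas every other rule touched by this commit keeps `status:` directly after `id:`. If either file already has a `status:` key higher up (not visible in a three-line hunk), this creates a duplicate mapping key, which PyYAML accepts silently with the last value winning, so the rule would pass the status test while the header still reads as experimental. Move the line to follow `id:` as in the other rules, e.g. `id: <rule id>` / `status: deprecated`, and drop the trailing copy. The rest of the rule body is outside the hunk.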
|
@ -19,3 +19,4 @@ detection:
|
|||||||
falsepositives:
|
falsepositives:
|
||||||
- App-V clients
|
- App-V clients
|
||||||
level: medium
|
level: medium
|
||||||
|
status: deprecated
|
@ -1,6 +1,6 @@
|
|||||||
title: Mimikatz Detection LSASS Access
|
title: Mimikatz Detection LSASS Access
|
||||||
id: 0d894093-71bc-43c3-8c4d-ecfc28dcf5d9
|
id: 0d894093-71bc-43c3-8c4d-ecfc28dcf5d9
|
||||||
status: experimental
|
status: deprecated
|
||||||
description: Detects process access to LSASS which is typical for Mimikatz (0x1000 PROCESS_QUERY_ LIMITED_INFORMATION, 0x0400 PROCESS_QUERY_ INFORMATION "only old
|
description: Detects process access to LSASS which is typical for Mimikatz (0x1000 PROCESS_QUERY_ LIMITED_INFORMATION, 0x0400 PROCESS_QUERY_ INFORMATION "only old
|
||||||
versions", 0x0010 PROCESS_VM_READ)
|
versions", 0x0010 PROCESS_VM_READ)
|
||||||
references:
|
references:
|
||||||
|
@ -1,6 +1,6 @@
|
|||||||
title: RClone Execution
|
title: RClone Execution
|
||||||
id: a0d63692-a531-4912-ad39-4393325b2a9c
|
id: a0d63692-a531-4912-ad39-4393325b2a9c
|
||||||
status: experimental
|
status: deprecated
|
||||||
description: Detects execution of RClone utility for exfiltration as used by various ransomwares strains like REvil, Conti, FiveHands, etc
|
description: Detects execution of RClone utility for exfiltration as used by various ransomwares strains like REvil, Conti, FiveHands, etc
|
||||||
tags:
|
tags:
|
||||||
- attack.exfiltration
|
- attack.exfiltration
|
||||||
|
@ -1,6 +1,6 @@
|
|||||||
title: Suspicious Esentutl Use
|
title: Suspicious Esentutl Use
|
||||||
id: 56a8189f-11b2-48c8-8ca7-c54b03c2fbf7
|
id: 56a8189f-11b2-48c8-8ca7-c54b03c2fbf7
|
||||||
status: experimental
|
status: deprecated
|
||||||
description: Detects flags often used with the LOLBAS Esentutl for malicious activity. It could be used in rare cases by administrators to access locked files or during maintenance.
|
description: Detects flags often used with the LOLBAS Esentutl for malicious activity. It could be used in rare cases by administrators to access locked files or during maintenance.
|
||||||
author: Florian Roth
|
author: Florian Roth
|
||||||
date: 2020/05/23
|
date: 2020/05/23
|
||||||
|
@ -1,7 +1,7 @@
|
|||||||
title: Rclone Execution via Command Line or PowerShell
|
title: Rclone Execution via Command Line or PowerShell
|
||||||
id: cb7286ba-f207-44ab-b9e6-760d82b84253
|
id: cb7286ba-f207-44ab-b9e6-760d82b84253
|
||||||
description: Detects Rclone which is commonly used by ransomware groups for exfiltration
|
description: Detects Rclone which is commonly used by ransomware groups for exfiltration
|
||||||
status: experimental
|
status: deprecated
|
||||||
date: 2021/05/26
|
date: 2021/05/26
|
||||||
author: Aaron Greetham (@beardofbinary) - NCC Group
|
author: Aaron Greetham (@beardofbinary) - NCC Group
|
||||||
references:
|
references:
|
||||||
|
@ -1,6 +1,6 @@
|
|||||||
title: Activity Related to NTDS.dit Domain Hash Retrieval
|
title: Activity Related to NTDS.dit Domain Hash Retrieval
|
||||||
id: b932b60f-fdda-4d53-8eda-a170c1d97bbd
|
id: b932b60f-fdda-4d53-8eda-a170c1d97bbd
|
||||||
status: experimental
|
status: deprecated
|
||||||
description: Detects suspicious commands that could be related to activity that uses volume shadow copy to steal and retrieve hashes from the NTDS.dit file remotely
|
description: Detects suspicious commands that could be related to activity that uses volume shadow copy to steal and retrieve hashes from the NTDS.dit file remotely
|
||||||
author: Florian Roth, Michael Haag
|
author: Florian Roth, Michael Haag
|
||||||
date: 2019/01/16
|
date: 2019/01/16
|
||||||
|
@ -386,6 +386,8 @@ class TestRules(unittest.TestCase):
|
|||||||
"stable",
|
"stable",
|
||||||
"test",
|
"test",
|
||||||
"experimental",
|
"experimental",
|
||||||
|
"deprecated",
|
||||||
|
"unsupported"
|
||||||
]
|
]
|
||||||
for file in self.yield_next_rule_file_path(self.path_to_rules):
|
for file in self.yield_next_rule_file_path(self.path_to_rules):
|
||||||
status_str = self.get_rule_part(file_path=file, part_name="status")
|
status_str = self.get_rule_part(file_path=file, part_name="status")
|
||||||
@ -393,6 +395,9 @@ class TestRules(unittest.TestCase):
|
|||||||
if not status_str in valid_status:
|
if not status_str in valid_status:
|
||||||
print(Fore.YELLOW + "Rule {} has a invalid 'status' (check wiki).".format(file))
|
print(Fore.YELLOW + "Rule {} has a invalid 'status' (check wiki).".format(file))
|
||||||
faulty_rules.append(file)
|
faulty_rules.append(file)
|
||||||
|
elif status_str == "unsupported":
|
||||||
|
print(Fore.YELLOW + "Rule {} has the unsupported 'status', can not be in rules directory".format(file))
|
||||||
|
faulty_rules.append(file)
|
||||||
|
|
||||||
self.assertEqual(faulty_rules, [], Fore.RED +
|
self.assertEqual(faulty_rules, [], Fore.RED +
|
||||||
"There are rules with malformed 'status' fields. (check https://github.com/SigmaHQ/sigma/wiki/Specification)")
|
"There are rules with malformed 'status' fields. (check https://github.com/SigmaHQ/sigma/wiki/Specification)")
|
||||||
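Review bot: `"unsupported"` is added to `valid_status` in the preceding hunk only to be rejected again by the new `elif status_str == "unsupported":` branch, which reads as contradictory unless the reader knows the spec allows the value but the rules directory does not. A one-line comment on the `elif` would make that explicit, e.g. `# "unsupported" is a spec-valid status, but such rules must live outside the rules directory`. The duplicated `faulty_rules.append(file)` in both branches could also collapse into a single append after choosing the message, though that is optional. The enclosing test method starts outside the hunk.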
|
@ -24,7 +24,10 @@ class SigmaRuleFilter:
|
|||||||
"high" : 2,
|
"high" : 2,
|
||||||
"critical" : 3
|
"critical" : 3
|
||||||
}
|
}
|
||||||
STATES = ["experimental",
|
STATES = [
|
||||||
|
"unsupported",
|
||||||
|
"deprecated",
|
||||||
|
"experimental",
|
||||||
"test",
|
"test",
|
||||||
"stable"]
|
"stable"]
|
||||||
|
|
||||||
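Review bot: `STATES` is reordered as well as extended — `experimental` was at index 0 and now sits at index 2 behind `unsupported` and `deprecated` — and nothing in the hunk says whether list position matters. Placed right under a numeric severity map (`"critical" : 3`), it looks like the index is used as a maturity rank; if so, a comment such as `# ordered least to most mature; list position is used as rank` would protect the order from future edits, and if not, the reordering is harmless but worth stating. The rest of `SigmaRuleFilter` is outside the hunk.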
|