sigma icon indicating copy to clipboard operation
sigma copied to clipboard
verified publisher icon SigmaHQ

fix: make use of enriched auditd fields

Open phantinuss opened this issue 7 months ago • 0 comments

Summary of the Pull Request

Changelog

fix: OMIGOD SCX RunAsProvider ExecuteShellCommand - Auditd - use ENRICHED field fix: Audio Capture - use ENRICHED field fix: Clear or Disable Kernel Ring Buffer Logs via Syslog Syscall - use ENRICHED field fix: Disable ASLR Via Personality Syscall - Linux - use ENRICHED field fix: System Info Discovery via Sysinfo Syscall - use ENRICHED field fix: Special File Creation via Mknod Syscall - use ENRICHED field fix: Webshell Remote Command Execution - use ENRICHED field fix: OMIGOD SCX RunAsProvider ExecuteScript - use ENRICHED field

Example Log Event

Fixed Issues

SigmaHQ Rule Creation Conventions

  • If your PR adds new rules, please consider following and applying these conventions

phantinuss avatar Jun 05 '25 12:06 phantinuss