frack113 comments

Results 108 comments of


                                            frack113

Create proc_creation_win_code_devtunnel_tunneling.yaml

Sorry, As the file extension was `yaml` not `yml` , some validation workflows were not used.

Add rule: Office Macro Phishing Initial Access detection

Hi, There is allready the https://github.com/SigmaHQ/sigma/blob/b062d8ad650054cd20836d5ba38031090b8d8c33/rules/windows/process_creation/proc_creation_win_office_susp_child_processes.yml You can use https://sigmasearchengine.com/ to search

Proc creation lnx exfiltration data via sftp protocol (winscp tool)

HI, Thanks. The Eventid 23 is for FileDelete. I find "WinSCP has a setting enabled by default that transfers files larger than 100kb to a temporary file name (with the...

detect vacuuming of journald as clearing syslog

for `references` https://www.virustotal.com/gui/file/54d60fd58d7fa3475fa123985bfc1594df26da25c1f5fbc7dfdba15876dd8ac5/behavior

Analytic for WDAC Policy abuse

Need to change the file name as it is a duplicate.

Version 2.1 - New modifier to check if field is empty or null

Sorry , forget this one ... It took me less than a year to answer it 😄 Yes, it is not usefull

Add CVE-2025-24985 detection rule

Hi, The file path "CVE_2025_24985/detect_vhd_mount.yml" is invalid and the workflow can not be done. It has to be "rules-emerging-threats/2025/Exploits/CVE_2025_24985/detect_vhd_mount.yml" Can you change it ? Thanks

feat: SAP Netweaver CVE-2025-31324 Potential Exploitation

Why not use `/j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/` for the path ?

Updated and Added rule related to Autorun Registry

hello, Can you give me some references for the new run keys ? thanks

feat: Security Event Logging Disabled Via MiniNt Registry Key

LGTM