frack113
Hello, there is the [id](https://github.com/SigmaHQ/sigma/wiki/Specification#rule-identification). It is recommended but not mandatory. BUT in the SigmaHQ GitHub, to pass the tests you must have one unique [test_missing_id](tests/test_rules.py). Links between rules are...
Hi, I dug a little into web / proxy logs but I did not find the `r-dns`. I found this: `date-time,x-edge-location,sc-bytes,c-ip,cs-method,cs(Host),cs-uri-stem,sc-status,cs(Referer),cs(User-Agent),cs-uri-query,cs(Cookie),x-edge-result-type,x-edge-request-id,x-host-header,cs-protocol,cs-bytes,time-taken,x-forwarded-for,ssl-protocol,ssl-cipher,x-edge-response-result-type`
> Thank you for the feedback! Where did you find the listing of the proxy fields?

I have googled a lot for "parsing proxy web log" but sometimes I should...
Hello, rules are against logs, so I am used to working with the Windows events.

### artefact

command_line contains: \temp\\
process_name endwith: lsass.exe
Hi, what is the trouble? My tests:

```
C:\FrackSigma\sigma\tools>python sigmac -t splunk -c .\config\splunk-windows.yml ..\rules\generic\generic_brute_force.yml
action="failure" | eventstats dc(category) as val by dst_ip | search val > 30...
```
Hi, I have tried with https://github.com/ly4k/PwnKit on Ubuntu 20.04. I get only the syscall rule part valid in the auditd log. So it is `or`.
It is 2 auditd events, so the condition needs to use the [near](https://github.com/SigmaHQ/sigma/wiki/Specification): `condition: proctitle near syscall`. Will try PwnKit again, maybe I have missed a line or...
A `tail -f` without grep 😄

```
type=PROCTITLE msg=audit(1644047676.819:4441): proctitle="(null)"
type=SYSCALL msg=audit(1644047676.827:4442): arch=c000003e syscall=87 success=yes exit=0 a0=564e07b4f8e0 a1=7fff214e98f0 a2=0 a3=100 items=2 ppid=1898 pid=12081 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0...
```
Thanks for the information. I have restarted the VM and replayed, found the first proctitle="(null)" (8 in a short time-lapse), got the id and copied the log:

```
type=PROCTITLE msg=audit(1644052278.488:2391):...
```
I wonder if it is possible to optimize the query by splitting it into several rules like in https://o365blog.com/aadinternals/. When triggered, the SOC operator will have a very list of...