frack113
Hello, when converting a rule with `cidr` I get an error:

```bash
sigma convert -t splunk -p splunk_windows .\rules\windows\network_connection\net_connection_win_script_wan.yml
Parsing Sigma rules [####################################] 100%
Error while conversion: ORing CIDR matching...
```
### Summary of the Pull Request
Add rules to try to detect the process injection methods available on atomic red team
### Changelog
new: Potential Calc Injection
new: Potential Explorer...
### Summary of the Pull Request
The attacker can search for computers with Unconstrained Delegation: https://pentestlab.blog/2022/03/21/unconstrained-delegation/
### Changelog
new: Unconstrained Delegation Discovery
### Example Log Event
```xml
- - 4104...
```
### Summary of the Pull Request
Upgrade test_logsource.py to pySigma
### Changelog
chore: Upgrade test_logsource.py to pySigma
fix: HackTool - LaZagne Execution - fix logsource
### Example Log Event
###...
### Summary of the Pull Request
Add new rules with the Microsoft-IIS-Configuration/Operational channel, tested with aurora lite:

```yaml
windows-iis-configuration:
  product: windows
  service: iis-configuration
  sources:
    - "WinEventLog:Microsoft-IIS-Configuration/Operational"
```

### Changelog
new:...
### Summary of the Pull Request
Winscp rule from https://blogs.blackberry.com/en/2024/07/akira-ransomware-targets-the-latam-airline-industry
Winscp can be used with "-" or "/" 😄
### Changelog
new: Winscp Launch From Uncommon Folder
new: Winscp CLI...
### Summary of the Pull Request
I see many RegAsm without a command line in sandboxes. As you can put spaces at the end to bypass the detection, I check if there...
Add a new modifier to check if the field data is empty or null. Some telemetry uses `-` too.
* name: ?
* type: boolean

```yaml
myfield|?: false
```

will...
From discussion #137: add a new modifier to allow for conditions on datetime fields.
### Summary of the Pull Request
setup16.exe as lolbin: https://www.hexacorn.com/blog/2024/10/12/the-sweet16-the-oldbin-lolbin-called-setup16-exe/
Potential Command Line Path Traversal Evasion Attempt is covered by Rule_Id 1327381e-6ab0-4f38-b583-4c1b8346a56b
setup16 NEEDS a `.lst` file, but as I don't...