Commit 9d58e38

Merge PR SigmaHQ#5769 from @nasbench - fix keywords rule and remove the fields field
remove: Space After Filename - Logic was incorrect and untested
update: Potential CVE-2024-3400 Exploitation - Palo Alto GlobalProtect OS Command Injection - Update selection
update: JexBoss Command Sequence - Update the selection to use the |all modifier.
chore: remove any usage of the fields field to prepare for deprecation in the spec.
1 parent bbbfb67 commit 9d58e38

202 files changed

Lines changed: 10 additions & 731 deletions


rules/linux/builtin/lnx_space_after_filename_.yml renamed to deprecated/linux/lnx_space_after_filename_.yml

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -1,10 +1,10 @@
11
title: Space After Filename
22
id: 879c3015-c88b-4782-93d7-07adf92dbcb7
3-
status: test
3+
status: deprecated
44
description: Detects space after filename
55
author: Ömer Günal
66
date: 2020-06-17
7-
modified: 2021-11-27
7+
modified: 2025-11-22
88
tags:
99
- attack.execution
1010
- attack.t1059
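Review bot: the move to deprecated/ together with `status: deprecated` and the new `modified: 2025-11-22` are the right mechanics, but the hunk leaves `description: Detects space after filename` unchanged, so the file itself never records why it was retired. The commit message gives the reason (logic incorrect and untested); consider appending that to the description so anyone reading the deprecated copy knows not to port it as-is, and also whether `tags: attack.t1059` should stay on a rule that no longer detects anything.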

rules-emerging-threats/2014/TA/Axiom/proc_creation_win_apt_zxshell.yml

Lines changed: 0 additions & 3 deletions
@@ -26,9 +26,6 @@ detection:
2626
- 'zxFunction'
2727
- 'RemoteDiskXXXXX'
2828
condition: selection
29-
fields:
30-
- CommandLine
31-
- ParentCommandLine
3229
falsepositives:
3330
- Unlikely
3431
level: critical
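Review bot: dropping `fields:` with `- CommandLine` and `- ParentCommandLine` changes nothing in the match logic, since `condition: selection` and the selection values (`'zxFunction'`, `'RemoteDiskXXXXX'`) are untouched; `fields` was only an output hint naming which event attributes to show next to a hit. The one practical consequence is that backends which used this list to choose result columns now fall back to their defaults, so the "prepare for deprecation in the spec" framing in the commit message is accurate and no rule-level replacement is needed.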

rules-emerging-threats/2017/Exploits/CVE-2017-11882/proc_creation_win_exploit_cve_2017_11882.yml

Lines changed: 0 additions & 2 deletions
@@ -24,8 +24,6 @@ detection:
2424
selection:
2525
ParentImage|endswith: '\EQNEDT32.EXE'
2626
condition: selection
27-
fields:
28-
- CommandLine
2927
falsepositives:
3028
- Unknown
3129
level: critical

rules-emerging-threats/2017/Malware/Fireball/proc_creation_win_malware_fireball.yml

Lines changed: 0 additions & 3 deletions
@@ -22,9 +22,6 @@ detection:
2222
- 'rundll32.exe'
2323
- 'InstallArcherSvc'
2424
condition: selection
25-
fields:
26-
- CommandLine
27-
- ParentCommandLine
2825
falsepositives:
2926
- Unknown
3027
level: high

rules-emerging-threats/2017/Malware/PlugX/proc_creation_win_malware_plugx_susp_exe_locations.yml

Lines changed: 0 additions & 3 deletions
@@ -91,9 +91,6 @@ detection:
9191
- '\Windows Resource Kit\'
9292
- '\Microsoft.NET\'
9393
condition: ( selection_cammute and not filter_cammute ) or ( selection_chrome_frame and not filter_chrome_frame ) or ( selection_devemu and not filter_devemu ) or ( selection_gadget and not filter_gadget ) or ( selection_hcc and not filter_hcc ) or ( selection_hkcmd and not filter_hkcmd ) or ( selection_mc and not filter_mc ) or ( selection_msmpeng and not filter_msmpeng ) or ( selection_msseces and not filter_msseces ) or ( selection_oinfo and not filter_oinfo ) or ( selection_oleview and not filter_oleview ) or ( selection_rc and not filter_rc )
94-
fields:
95-
- CommandLine
96-
- ParentCommandLine
9794
falsepositives:
9895
- Unknown
9996
level: high

rules-emerging-threats/2017/Malware/WannaCry/proc_creation_win_malware_wannacry.yml

Lines changed: 0 additions & 3 deletions
@@ -39,9 +39,6 @@ detection:
3939
selection_cmd:
4040
CommandLine|contains: '@[email protected]'
4141
condition: 1 of selection_*
42-
fields:
43-
- CommandLine
44-
- ParentCommandLine
4542
falsepositives:
4643
- Unknown
4744
level: critical
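Review bot: the context line `CommandLine|contains: '@[email protected]'` reads like email-address obfuscation applied when this page was rendered rather than the rule's real indicator string, so the value shown here should be checked against the file in the repository before anyone copies it into another ruleset. The `fields:` removal beneath it is otherwise the same no-op on detection logic as in the other hunks; `condition: 1 of selection_*` still governs.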

rules-emerging-threats/2018/Exploits/CVE-2018-13379/web_cve_2018_13379_fortinet_preauth_read_exploit.yml

Lines changed: 0 additions & 4 deletions
@@ -20,10 +20,6 @@ detection:
2020
- 'lang=/../../'
2121
- '/dev/cmdb/sslvpn_websession'
2222
condition: selection
23-
fields:
24-
- client_ip
25-
- url
26-
- response
2723
falsepositives:
2824
- Unknown
2925
level: critical
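Review bot: for the web-log rules the removed `fields:` entries (`client_ip`, `url`, `response`) were analyst-facing triage columns rather than detection inputs, and `condition: selection` with the `'lang=/../../'` and `'/dev/cmdb/sslvpn_websession'` values is unchanged. It is worth stating in the PR description that pipelines or SIEM views which relied on these hints for column selection now need to supply them on their own side.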

rules-emerging-threats/2018/Exploits/CVE-2018-2894/web_cve_2018_2894_weblogic_exploit.yml

Lines changed: 0 additions & 3 deletions
@@ -21,9 +21,6 @@ detection:
2121
selection:
2222
cs-uri-query: '*/config/keystore/*.js*'
2323
condition: selection
24-
fields:
25-
- c-ip
26-
- c-dns
2724
falsepositives:
2825
- Unknown
2926
level: critical

rules-emerging-threats/2019/Exploits/CVE-2019-11510/web_cve_2019_11510_pulsesecure_exploit.yml

Lines changed: 0 additions & 5 deletions
@@ -18,11 +18,6 @@ detection:
1818
selection:
1919
cs-uri-query: '*?/dana/html5acc/guacamole/*'
2020
condition: selection
21-
fields:
22-
- client_ip
23-
- vhost
24-
- url
25-
- response
2621
falsepositives:
2722
- Unknown
2823
level: critical
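Review bot: beyond the `fields:` removal, the retained value `cs-uri-query: '*?/dana/html5acc/guacamole/*'` contains `?`, which Sigma treats as a single-character wildcard unless escaped as `\?`; the pattern therefore matches any one character before `/dana/`, which still covers the literal question mark but is slightly broader than the intent. Escaping it would tighten the match without touching the deletion in this hunk.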

rules-emerging-threats/2019/Exploits/CVE-2019-19781/web_cve_2019_19781_citrix_exploit.yml

Lines changed: 0 additions & 5 deletions
@@ -28,11 +28,6 @@ detection:
2828
- '/vpns/portal/scripts/'
2929
- '.pl'
3030
condition: 1 of selection_*
31-
fields:
32-
- client_ip
33-
- vhost
34-
- url
35-
- response
3631
falsepositives:
3732
- Unknown
3833
level: critical
