Rules Update

wagga40 · Sep 14, 2024 · c7af7e3 · c7af7e3
1 parent 3586220
commit c7af7e3
Show file tree

Hide file tree

Showing 14 changed files with 145 additions and 31 deletions.
diff --git a/pdm.lock b/pdm.lock
diff --git a/pyproject.toml b/pyproject.toml
@@ -9,11 +9,11 @@ dependencies = [
     "requests>=2.32.3",
     "urllib3>=2.2.3",
     "progressbar2>=4.5.0",
-    "pymisp>=2.4.197",
+    "pymisp>=2.4.198",
     "PyYAML>=6.0.2",
     "ruamel-yaml>=0.18.6",
     "termcolor>=2.4.0",
-    "pysigma>=0.11.13",
+    "pysigma>=0.11.14",
     "pysigma-pipeline-sysmon>=1.0.4",
     "pysigma-pipeline-windows>=1.2.0",
 ]

diff --git a/rules_linux.json b/rules_linux.json
@@ -3308,7 +3308,7 @@
         ],
         "level": "high",
         "rule": [
-            "SELECT * FROM logs WHERE ( = 'pkexec' AND  = 'The value for environment variable XAUTHORITY contains suscipious content' AND  = '[USER=root] [TTY=/dev/pts/0]')"
+            "SELECT * FROM logs WHERE ( = 'pkexec' AND  = 'The value for environment variable XAUTHORITY contains suspicious content' AND  = '[USER=root] [TTY=/dev/pts/0]')"
         ],
         "filename": "lnx_auth_pwnkit_local_privilege_escalation.yml"
     }

diff --git a/rules_windows_generic.json b/rules_windows_generic.json
@@ -24180,7 +24180,7 @@
         ],
         "level": "high",
         "rule": [
-            "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((CommandLine LIKE '%7z.exe a -v500m -mx9 -r0 -p%' ESCAPE '\\' OR CommandLine LIKE '%7z.exe a -mx9 -r0 -p%' ESCAPE '\\') AND CommandLine LIKE '%.zip%' ESCAPE '\\' AND CommandLine LIKE '%.txt%' ESCAPE '\\') OR ((CommandLine LIKE '%7z.exe a -v500m -mx9 -r0 -p%' ESCAPE '\\' OR CommandLine LIKE '%7z.exe a -mx9 -r0 -p%' ESCAPE '\\') AND CommandLine LIKE '%.zip%' ESCAPE '\\' AND CommandLine LIKE '%.log%' ESCAPE '\\') OR (ParentCommandLine LIKE '%wscript.exe%' ESCAPE '\\' AND ParentCommandLine LIKE '%.vbs%' ESCAPE '\\' AND CommandLine LIKE '%rundll32.exe%' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\Windows%' ESCAPE '\\' AND CommandLine LIKE '%.dll,Tk\\_%' ESCAPE '\\') OR (ParentProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND (ParentCommandLine LIKE '%C:\\\\Windows%' ESCAPE '\\' OR ParentCommandLine LIKE '%.dll%' ESCAPE '\\') AND CommandLine LIKE '%cmd.exe /C %' ESCAPE '\\') OR (ParentProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\dllhost.exe' ESCAPE '\\' AND CommandLine = '')))"
+            "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (((CommandLine LIKE '%7z.exe a -v500m -mx9 -r0 -p%' ESCAPE '\\' OR CommandLine LIKE '%7z.exe a -mx9 -r0 -p%' ESCAPE '\\') AND CommandLine LIKE '%.zip%' ESCAPE '\\' AND CommandLine LIKE '%.txt%' ESCAPE '\\') OR ((CommandLine LIKE '%7z.exe a -v500m -mx9 -r0 -p%' ESCAPE '\\' OR CommandLine LIKE '%7z.exe a -mx9 -r0 -p%' ESCAPE '\\') AND CommandLine LIKE '%.zip%' ESCAPE '\\' AND CommandLine LIKE '%.log%' ESCAPE '\\') OR (ParentCommandLine LIKE '%wscript.exe%' ESCAPE '\\' AND ParentCommandLine LIKE '%.vbs%' ESCAPE '\\' AND CommandLine LIKE '%rundll32.exe%' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\Windows%' ESCAPE '\\' AND CommandLine LIKE '%.dll,Tk\\_%' ESCAPE '\\') OR (ParentProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%C:\\\\Windows%' ESCAPE '\\' AND ParentCommandLine LIKE '%.dll%' ESCAPE '\\' AND CommandLine LIKE '%cmd.exe /C %' ESCAPE '\\') OR (ParentProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\dllhost.exe' ESCAPE '\\' AND CommandLine = '')))"
         ],
         "filename": "proc_creation_win_apt_unc2452_cmds.yml"
     },