From ac848f74c4ce460078032327a416059ae597f296 Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Wed, 24 Apr 2024 17:29:59 +0200
Subject: [PATCH] =?UTF-8?q?fix:=20=F0=9F=90=9B=20Yaml=20error?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 sigma_rule.csv | 6 ++++++
 yml/00682c9f-7df4-4df8-950b-6dcaaa3ad9af.yml | 2 +-
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/sigma_rule.csv b/sigma_rule.csv
index 189ed882..0f3147ba 100644
--- a/sigma_rule.csv
+++ b/sigma_rule.csv
@@ -3199,11 +3199,17 @@ file_event_win_exploit_cve_2024_1709_user_database_modification_screenconnect.ym
 web_exploit_cve_2024_1709_screenconnect.yml;False
 win_security_exploit_cve_2024_1709_user_database_modification_screenconnect.yml;False
 proc_creation_lnx_exploit_cve_2024_3094_sshd_child_process.yml;False
+paloalto_globalprotect_os_command_injection.yml;False
 proc_creation_win_malware_kamikakabot_lnk_lure_execution.yml;False
 proc_creation_win_malware_kamikakabot_schtasks_persistence.yml;False
 registry_set_malware_kamikakabot_winlogon_persistence.yml;False
 proc_creation_win_malware_raspberry_robin_rundll32_shell32_cpl_exection.yml;False
 dns_query_win_apt_dprk_malicious_domains.yml;False
+file_event_win_apt_forest_blizzard_activity.yml;False
+file_event_win_apt_forest_blizzard_constrained_js.yml;False
+proc_creation_win_apt_forest_blizzard_activity.yml;False
+registry_set_apt_forest_blizzard_custom_protocol_handler.yml;False
+registry_set_apt_forest_blizzard_custom_protocol_handler_dll.yml;False
 file_event_win_apt_unknown_exploitation_indicators.yml;False
 microsoft365_susp_email_forwarding_activity.yml;False
 okta_password_health_report_query.yml;False
diff --git a/yml/00682c9f-7df4-4df8-950b-6dcaaa3ad9af.yml b/yml/00682c9f-7df4-4df8-950b-6dcaaa3ad9af.yml
index 5009db18..8367dd47 100644
--- a/yml/00682c9f-7df4-4df8-950b-6dcaaa3ad9af.yml
+++ b/yml/00682c9f-7df4-4df8-950b-6dcaaa3ad9af.yml
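Review bot: The six rows added in this hunk (paloalto_globalprotect_os_command_injection and the five forest_blizzard rules) are new rule entries that have nothing to do with the YAML chomping-indicator fix the commit title describes; they belong in a separate commit so the fix can be reverted or cherry-picked on its own. The new rows follow the existing `name;False` shape, but nothing in the hunk says what the second column means, so it is worth confirming that `False` is the intended initial value for freshly added rules rather than a placeholder that should be updated later. If sigma_rule.csv is produced by a script (it reads like a generated index), the regeneration step should be named in the commit message so reviewers know the rows were not typed by hand.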
@@ -13,7 +13,7 @@ technique:
 - T1059.003
 os:
 - windows
-description: |--
+description: |-
   Simulate DarkGate malware's second stage by writing a VBscript to disk directly from the command prompt then executing it. The script will execute 'whoami' then exit.
 executor: command_prompt
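Review bot: `description: |-` on the new side is the correct strip-chomping block-scalar indicator, and `|--` is not valid YAML, so the fix itself is right. The file lives under yml/<uuid>.yml and the text reads like an Atomic Red Team test description, so it is presumably mirrored from an upstream source; if so, this hand edit will be lost on the next sync unless the same correction lands upstream or the sync step is made to tolerate it, and that should be confirmed before merging. A YAML parse over yml/*.yml in CI would have caught this before commit; if no such check exists, it is worth adding in a follow-up.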