sigma
PrintNightmare
Our great sponsors
| sigma | PrintNightmare | |
|---|---|---|
| 41 | 7 | |
| 7,624 | 809 | |
| 3.4% | - | |
| 9.8 | 3.8 | |
| 2 days ago | almost 3 years ago | |
| Python | ||
| GNU General Public License v3.0 or later | - |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
sigma
-
Sigma rules in real life
Sigma rules https://github.com/SigmaHQ/sigma its value, I get it. Here’s a post https://www.linkedin.com/posts/nasreddinebencherchali_detection-blueteam-sigma-activity-7104868070069817344-mn91?utm_source=share&utm_medium=member_desktop detailing that 31 Sigma rules from the Sigma repository are triggering on different stages of the attack as described here https://thedfirreport.com/2023/08/28/html-smuggling-leads-to-domain-wide-ransomware/
-
Looking for feedback on a security-related project idea
Idea: A free and open-source web repository of Sigma detections where users can find, contribute, and suggest edits to detections. All user contributions will go through a StackExchange-style moderation queue. Built-in conversion from Sigma to the query language of your choice.
-
SOC SIEM Use Cases for First Internship
If you want more ideas/inspiration, or even just a starting point for baseline rule logic check out https://github.com/SigmaHQ/sigma https://github.com/SigmaHQ/sigma and look into the different rules folders there.
-
How do you actually threat hunt?
Agreed in general. But with stuff like SIGMA, I'd lean towards stuff should going into git. Better version control, your docs can be markdown and live right next to your threat library, you can strap on CI/CD (so you can deploy/run stuff as part of a pipeline). Confluence is a great start, but it doesn't scale well.
- Open Source SIEM Tools
-
Detection Engineering Source Websites
Have a look a sigma rules: https://github.com/SigmaHQ/sigma
- Scheduling query to look for whenever net group is ran.
- Scheduling querying that looks for anytime net group is ran.
-
3CX Customers suffering intrusions
Sigma: https://github.com/SigmaHQ/sigma/pull/4151/files Yara: https://github.com/Neo23x0/signature-base/blob/master/yara/gen\_mal\_3cx\_compromise\_mar23.yar source: https://twitter.com/cyb3rops/status/1641130326830333984?s=20
-
Any Suggestions On Creating A Detection Rule In Defender For CVE-2023-23397
I created a Defender Advanced Hunting query based of the Sigma rule https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_rundll32_webdav_client_susp_execution.yml
PrintNightmare
- Sorry but I'm confused as how to mitigate PrintNightmare
-
latest vulnerability without patch]
[(https://github.com/afwu/PrintNightmare)
-
Critical Vulnerability: PrintNightmare Exposes Windows Servers to Remote Code Execution
Based on this writeup of the exploit https://github.com/afwu/PrintNightmare I think it should actually prevent an attack since it would stop the malicous driver from being loaded onto the target but it's probably the best to wait for the guys at huntress when they get a little more breathing space with Kaseya.
-
Microsoft Tries, Fails to Patch Critical Windows Vulnerability. Chaos Ensues
It is exploited by calling a remote procedure call function called rpcAddPrinterDriver. There is a buggy check that lets a user without the adequate privileges to load a driver on the remote system.
Since remote functions can be called locally as well, this is both a remote code execution (RCE) and local privilege escalation (LPE). For more information, see the original source: https://github.com/afwu/PrintNightmare
- PrintNightmare (CVE-2021-1675): Remote code execution in Windows Spooler Service
- afwu/PrintNightmare
What are some alternatives?
Wazuh - Wazuh - The Open Source Security Platform. Unified XDR and SIEM protection for endpoints and cloud workloads.
CVE-2021-1675 - C# and Impacket implementation of PrintNightmare CVE-2021-1675/CVE-2021-34527
sysmon-config - Sysmon configuration file template with default high-quality event tracing
atomic-red-team - Small and highly portable detection tests based on MITRE's ATT&CK.
wazuh-ruleset - Wazuh - Ruleset
velociraptor - Digging Deeper....
OpenSIEM-Logstash-Parsing - SIEM Logstash parsing for more than hundred technologies
detection-rules - Rules for Elastic Security's detection engine
CVE-2021-1675 - CVE-2021-1675 Detection Info
HELK - The Hunting ELK
splunk-spl - SPL cheatsheet for Splunk.
RedELK - Red Team's SIEM - tool for Red Teams used for tracking and alarming about Blue Team activities as well as better usability in long term operations.