Josh
### Summary of the Pull Request

Modification of the detection logic to include the double comma attack: https://packetstormsecurity.com/files/177084/Windows-Defender-Detection-Mitigation-Bypass.html

### Changelog

Moved `RunHTMLApplication` to a new line in the `CommandLine|contains|all:` clause...
* **Contributor Name: @ImLordOfTheRing**
* **Application/Executable: Adobe Update service spawning process RuntimeCustomHook.exe**
* **WTF Behavior Description:** During the update process it appears that Adobe accesses and modifies windows\sytem32\restore\MachineGuid.txt which may trigger detections...
the restsearch API supports filtering events by org and that could and should be a native feature in the Splunk app
There are times where you need to compare two substrings that you pull apart using Regex and in Splunk you can easily use named capture groups. Consider the following query:...
### Summary of the Pull Request

Added a new rule to identify outbound RDP connections from a domain controller using placeholders.

### Changelog

New: net_connection_win_rdp_from_dc.yml

### Example Log Event

> ...
Request: Using the fields: key to define the values() from a |stats command in correlation searches
Currently a correlation search can only reveal the data that is included in a detection if it is part of the explicit logic of the detection or if it is...
```
sigma convert --target 'splunk' --pipeline /home/jump/git/win_evt_pipeline.yml /home/jump/git/sigma/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_stdin.yml --skip-unsupported
Parsing Sigma rules [####################################] 100%
[default]
dispatch.earliest_time = -30d
dispatch.latest_time = now
enableSched = 1
cron_schedule = */15 * * *...
```
Take the following rule and example:

```yaml
title: Suspicious DNS Query with B64 Encoded String
id: 4153a907-2451-4e4f-a578-c52bb6881432
status: experimental
description: Detects suspicious DNS queries using base64 encoding
author: Florian Roth...
```