Copy file name to clipboardExpand all lines: config/uberAgent-ESA-am-sigma-high-windows.conf
+5-5Lines changed: 5 additions & 5 deletions
@@ -383,7 +383,7 @@ EventType = File.Create
383
383
Tag = potential-file-extension-spoofing-using-right-to-left-override
384
384
RiskScore = 75
385
385
Annotation = {"mitre_attack": ["T1036.002"]}
386
-
Query = (File.Path like r"%\\u202e%" or File.Path like r"%[U+202E]%") and (File.Path like r"%3pm.%" or File.Path like r"%4pm.%" or File.Path like r"%cod.%" or File.Path like r"%fdp.%" or File.Path like r"%ftr.%" or File.Path like r"%gepj.%" or File.Path like r"%gnp.%" or File.Path like r"%gpj.%" or File.Path like r"%ism.%" or File.Path like r"%lmth.%" or File.Path like r"%nls.%" or File.Path like r"%piz.%" or File.Path like r"%slx.%" or File.Path like r"%tdo.%" or File.Path like r"%vsc.%" or File.Path like r"%vwm.%" or File.Path like r"%xcod.%" or File.Path like r"%xslx.%" or File.Path like r"%xtpp.%")
386
+
Query = (File.Path like r"%\\u202e%" or File.Path like r"%[U+202E]%" or File.Path like r"%%") and (File.Path like r"%3pm.%" or File.Path like r"%4pm.%" or File.Path like r"%cod.%" or File.Path like r"%fdp.%" or File.Path like r"%ftr.%" or File.Path like r"%gepj.%" or File.Path like r"%gnp.%" or File.Path like r"%gpj.%" or File.Path like r"%ism.%" or File.Path like r"%lmth.%" or File.Path like r"%nls.%" or File.Path like r"%piz.%" or File.Path like r"%slx.%" or File.Path like r"%tdo.%" or File.Path like r"%vsc.%" or File.Path like r"%vwm.%" or File.Path like r"%xcod.%" or File.Path like r"%xslx.%" or File.Path like r"%xtpp.%")
387
387
GenericProperty1 = File.Path
388
388
389
389
@@ -1157,7 +1157,7 @@ EventType = File.Create
1157
1157
Tag = suspicious-double-extension-files
1158
1158
RiskScore = 75
1159
1159
Annotation = {"mitre_attack": ["T1036.007"]}
1160
-
Query = (File.Path like r"%.exe" or File.Path like r"%.iso" or File.Path like r"%.rar" or File.Path like r"%.svg" or File.Path like r"%.zip") and (File.Path like r"%.doc.%" or File.Path like r"%.docx.%" or File.Path like r"%.gif.%" or File.Path like r"%.jpeg.%" or File.Path like r"%.jpg.%" or File.Path like r"%.mp3.%" or File.Path like r"%.mp4.%" or File.Path like r"%.pdf.%" or File.Path like r"%.png.%" or File.Path like r"%.ppt.%" or File.Path like r"%.pptx.%" or File.Path like r"%.rtf.%" or File.Path like r"%.svg.%" or File.Path like r"%.txt.%" or File.Path like r"%.xls.%" or File.Path like r"%.xlsx.%") or File.Path like r"%.rar.exe" or File.Path like r"%.zip.exe"
1160
+
Query = ((File.Path like r"%.exe" or File.Path like r"%.iso" or File.Path like r"%.rar" or File.Path like r"%.svg" or File.Path like r"%.zip") and (File.Path like r"%.doc.%" or File.Path like r"%.docx.%" or File.Path like r"%.gif.%" or File.Path like r"%.jpeg.%" or File.Path like r"%.jpg.%" or File.Path like r"%.mp3.%" or File.Path like r"%.mp4.%" or File.Path like r"%.pdf.%" or File.Path like r"%.png.%" or File.Path like r"%.ppt.%" or File.Path like r"%.pptx.%" or File.Path like r"%.rtf.%" or File.Path like r"%.svg.%" or File.Path like r"%.txt.%" or File.Path like r"%.xls.%" or File.Path like r"%.xlsx.%") or File.Path like r"%.rar.exe" or File.Path like r"%.zip.exe") and not File.Path like r"/usr/share/icons/%"
1161
1161
GenericProperty1 = File.Path
1162
1162
1163
1163
@@ -7897,15 +7897,15 @@ Query = (Process.CommandLine like r"%.DownloadString(%" or Process.CommandLine l
7897
7897
7898
7898
[ActivityMonitoringRule platform=Windows]
7899
7899
# Detects the presence of the "u202+E" character, which causes a terminal, browser, or operating system to render text in a right-to-left sequence.
7900
-
# This is used as an obfuscation and masquerading techniques.
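Review bot: In the first hunk the added alternative `File.Path like r"%%"` matches every path as rendered here, so the right-to-left-override condition becomes always-true and the rule fires on any File.Create whose path merely contains one of the reversed-extension fragments such as `%cod.%` or `%ism.%`. If a literal U+202E character is meant to sit between the two `%`, it is invisible in this view and easy to lose in a later edit; keeping only the escaped forms, or adding a visible comment such as `# the third alternative contains a literal U+202E (RLO) character`, would make the intent checkable. In the second hunk the new exclusion `and not File.Path like r"/usr/share/icons/%"` is a Linux path inside a file whose rules are declared `platform=Windows`, so it cannot match there and appears to be carried over from a generic Sigma filter. The third hunk's body continues past the end of this page.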