SigmaHQ / sigma

Main Sigma Rule Repository

XXD Command Line Obfuscation on Linux & Compiler Execution Within Kubernetes Containers #4881

Closed signalblur closed 1 week ago

signalblur commented 1 week ago

Summary of the Pull Request

This PR adds 2 new rules:

I've created a new detector based on research done by Datadog based on compiler execution within a container. I believe I saw a tweet a few years back from Florian suggesting to avoid regex to make understanding logic a bit easier, but on the off chance it's preferred over the below I believe this should work:

.*(\-|\_| )?(gcc|g\+\+|clang|javac|make|nasm|yasm)(\-|\_| )?.*

This shouldn't happen legitimately (according to best practices) as builds should be immutable. I've set the priority on this to low as even though that is a recommended best practice, I'm sure there will be FPs in reality.


Created a new detector looking for abuse of xxd for CLI obfuscation as described - https://daniel-ellis.medium.com/obfuscating-human-readable-text-by-using-hexadecimal-views-bb16341b8cb2

Changelog

new: XXD Command Obfuscation
new: Compiler Execution Within Kubernetes Containers

Example Log Event

Fixed Issues

N/A

SigmaHQ Rule Creation Conventions
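The comment above proposes a regex alternative to a plain keyword list for the compiler-execution rule. The following is an added example, not code from the PR or from SigmaHQ, that runs the regex exactly as written in the comment against a few constructed process events and compares it with the non-regex approach (exact match on the process image basename). The `image`, `cmdline` and `container` fields, and the events themselves, are assumptions made for this example and are not the Sigma rule's field names; it exists to show why a substring regex produces the false positives the comment anticipates.

```python
import re
from os.path import basename

# Regex copied verbatim from the PR comment. Because it is wrapped in .* on
# both sides and both side groups are optional, it behaves like a plain
# substring search for any of the compiler names.
COMPILER_REGEX = re.compile(r".*(\-|\_| )?(gcc|g\+\+|clang|javac|make|nasm|yasm)(\-|\_| )?.*")

# Keyword-list alternative: exact match on the basename of the executed image.
COMPILER_NAMES = {"gcc", "g++", "clang", "javac", "make", "nasm", "yasm"}

# Constructed sample process events (not real telemetry). The hypothetical
# "container" flag stands in for whatever the rule uses to scope to
# Kubernetes containers; that scoping is outside this example.
SAMPLE_EVENTS = [
    {"image": "/usr/bin/gcc",     "cmdline": "gcc -o /tmp/x x.c", "container": True},
    {"image": "/usr/bin/python3", "cmdline": "python3 app.py",    "container": True},
    # "cmake" contains "make": the substring regex flags it, exact match does not.
    {"image": "/usr/bin/cmake",   "cmdline": "cmake ..",           "container": True},
    # Real compiler, but not inside a container, so out of scope for either approach.
    {"image": "/usr/bin/gcc",     "cmdline": "gcc -c foo.c",       "container": False},
]


def regex_hits(events):
    """Return the command lines of in-container events the PR regex matches."""
    return [
        e["cmdline"]
        for e in events
        if e["container"] and COMPILER_REGEX.fullmatch(e["cmdline"])
    ]


def name_hits(events):
    """Return the command lines of in-container events whose image basename
    is exactly one of the compiler names (the non-regex style)."""
    return [
        e["cmdline"]
        for e in events
        if e["container"] and basename(e["image"]) in COMPILER_NAMES
    ]


if __name__ == "__main__":
    print("regex hits:", regex_hits(SAMPLE_EVENTS))
    print("exact-name hits:", name_hits(SAMPLE_EVENTS))
```

The regex version flags `cmake ..` because `make` is a substring of `cmake`; the exact-name version does not. If the regex form is preferred, anchoring the compiler name with word boundaries (`\b`) or matching on the image basename rather than the whole command line would remove that class of false positive while keeping the same coverage.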

signalblur commented 1 week ago

Closing - this pull request has been duplicated by #4884 by myself by mistake and contains all of the files that have been modified.