Open Source Collaborations
Here are some of the contributions I have made to open source projects over time.
Project | Purpose | Link |
---|---|---|
MITRE ATT&CK | Coverage for APT-C-36 | APT-C-36 |
MITRE ATT&CK | Coverage for Imminent Monitor RAT | Imminent Monitor RAT |
Sigma Rules | Detection for Jlaive execution | Jlaive Sigma rule |
Sigma Rules | Detection for registry key created when desk.cpl executes .scr files | desk.cpl Sigma rule |
LOLBAS | Reference added for the desk.cpl Sigma rule | desk.cpl reference added |
Sigma Rules | Detects the files "passwd" or "shadow" being copied from a tmp path | Copy Passwd Or Shadow From TMP Path |
Sigma Rules | Detects attempts to force-stop ufw via ufw-init | Ufw Force Stop Using Ufw-Init |
Sigma Rules | Detects use of iptables to flush all firewall rules, tables and chains, which allows all network traffic | Flush Iptables Ufw Chain |
Sigma Rules | Detects execution of the "mount" command with the "hidepid" parameter, which hides processes from other users on the system | Mount Execution With Hidepid Parameter |
Sigma Rules | Detects use of the "touch" command against a service file | Touch Suspicious Service File |
Sigma Rules | Detects changes to the PSFactoryBuffer COM InProcServer32 registry key. RomCom used this technique for persistence by registering a malicious DLL | Potential PSFactoryBuffer COM Hijacking |
Sigma Rules | Detects the use of wget to download content to a suspicious directory | Download File To Potentially Suspicious Directory Via Wget |
Sigma Rules | Detects executions of scripts located in potentially suspicious locations such as "/tmp" via a shell such as "bash", "sh", etc. | Execution Of Script Located In Potentially Suspicious Directory |
Sigma Rules | Detects execution of shells from a parent process located in a temporary (/tmp) directory | Shell Execution Of Process Located In Tmp Directory |
Sigma Rules | Detects a potentially suspicious execution of a process located in the '/tmp/' folder | Potentially Suspicious Execution From Tmp Folder |
Sigma Rules | Detects execution of binaries located in potentially suspicious locations via "nohup" | Suspicious Nohup Execution |
Sigma Rules | Detects the use of grep to discover specific files created by the GobRAT malware | Potential GobRAT File Discovery Via Grep |
Sigma Rules | Detects the use of grep to identify the operating system architecture, often preceded by "uname" or "cat /proc/cpuinfo" | OS Architecture Discovery Via Grep |
Sigma Rules | Detects the use of wget to download content in a temporary directory such as "/tmp" or "/var/tmp" | Wget Creating Files in Tmp Directory |
Sigma Rules | Detects the creation of shell scripts under the "profile.d" path. | Potentially Suspicious Shell Script Creation in Profile Folder |
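To show how the Linux process-creation rules in the table work in practice, below is a minimal Sigma-style matcher run over constructed events. This is example code written for this page, not the SigmaHQ rules themselves: the three rule bodies are simplified reconstructions modelled on the purpose column (the real rules' selections differ), and the events are made up. Field matching is case-insensitive, as in Sigma, and the supported modifiers are `endswith`, `startswith`, `contains` and `contains|all`.

```python
"""Sigma-style matcher over constructed Linux process-creation events.

The rules below are illustrative reconstructions written for this page and are NOT
the SigmaHQ rules listed in the table; their exact selections differ.
"""
from typing import Any

# Assumption: simplified rule logic modelled on the table's purpose descriptions.
RULES: list[dict[str, Any]] = [
    {
        "title": "Copy Passwd Or Shadow From TMP Path",
        "detection": {
            "selection_cp": {
                "Image|endswith": "/cp",
                "CommandLine|contains": ["/tmp/", "/var/tmp/"],
            },
            "selection_file": {"CommandLine|contains": ["passwd", "shadow"]},
            "condition": "all of selection*",
        },
    },
    {
        "title": "Flush Iptables Ufw Chain",
        "detection": {
            "selection_img": {"Image|endswith": "/iptables"},
            "selection_flush": {"CommandLine|contains": ["-F", "--flush"]},
            "selection_ufw": {"CommandLine|contains": "ufw-"},
            "condition": "all of selection*",
        },
    },
    {
        "title": "Mount Execution With Hidepid Parameter",
        "detection": {
            "selection": {
                "Image|endswith": "/mount",
                "CommandLine|contains": "hidepid",
            },
            "condition": "selection",
        },
    },
]

# Constructed sample events (not real telemetry).
EVENTS: list[dict[str, Any]] = [
    {"id": 1, "Image": "/usr/bin/cp", "CommandLine": "cp /tmp/passwd /etc/passwd"},
    {"id": 2, "Image": "/usr/bin/cp", "CommandLine": "cp /home/user/notes.txt /tmp/notes.txt"},
    {"id": 3, "Image": "/usr/sbin/iptables", "CommandLine": "iptables -F ufw-user-input"},
    {"id": 4, "Image": "/usr/sbin/iptables", "CommandLine": "iptables -L -n"},
    {"id": 5, "Image": "/usr/bin/mount", "CommandLine": "mount -o remount,hidepid=2 /proc"},
    {"id": 6, "Image": "/usr/bin/mount", "CommandLine": "mount /dev/sdb1 /mnt/usb"},
]

# Sigma value modifiers: each compares a lower-cased event value against a pattern.
_OPERATORS = {
    "contains": lambda value, pattern: pattern in value,
    "endswith": lambda value, pattern: value.endswith(pattern),
    "startswith": lambda value, pattern: value.startswith(pattern),
}


def match_field(event: dict[str, Any], key: str, expected: Any) -> bool:
    """Evaluate one 'Field|modifier' entry; lists are OR unless '|all' is present."""
    field, *modifiers = key.split("|")
    value = str(event.get(field, "")).lower()
    op = next((_OPERATORS[m] for m in modifiers if m in _OPERATORS), lambda v, p: v == p)
    patterns = expected if isinstance(expected, list) else [expected]
    checks = (op(value, str(p).lower()) for p in patterns)
    return all(checks) if "all" in modifiers else any(checks)


def match_selection(event: dict[str, Any], selection: dict[str, Any]) -> bool:
    """All fields inside a selection are ANDed, as in Sigma."""
    return all(match_field(event, k, v) for k, v in selection.items())


def evaluate_condition(condition: str, results: dict[str, bool]) -> bool:
    """Support a plain selection name and the 'all of <prefix>*' form."""
    if condition.startswith("all of ") and condition.endswith("*"):
        prefix = condition[len("all of "):-1]
        names = [n for n in results if n.startswith(prefix)]
        return bool(names) and all(results[n] for n in names)
    return results[condition]


def matching_rules(event: dict[str, Any]) -> list[str]:
    """Return the titles of all rules whose condition holds for the event."""
    hits = []
    for rule in RULES:
        detection = rule["detection"]
        results = {n: match_selection(event, s) for n, s in detection.items() if n != "condition"}
        if evaluate_condition(detection["condition"], results):
            hits.append(rule["title"])
    return hits


def run(events: list[dict[str, Any]]) -> dict[int, list[str]]:
    """Map each event id to the rules it triggered."""
    return {e["id"]: matching_rules(e) for e in events}


if __name__ == "__main__":
    for event_id, titles in run(EVENTS).items():
        print(event_id, titles or "-")
```

Events 1, 3 and 5 trigger one rule each; the benign neighbours (a copy of a text file into /tmp, `iptables -L`, a normal mount) do not. Note that a `contains` check on short flags such as `-F` is deliberately loose; the real rules narrow it with additional selections, which is one reason their logic is longer than these reconstructions.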