 phantinuss
|
b991a5be52
|
chore: test rules: warn on errors or invalid FP reasons
also adapted the existing rules to pass the tests
|
2022-05-09 16:07:55 +02:00 |
|
|
phantinuss
|
dbd68bf3f0
|
chore: test rules: capitalization on FP list entries
Entires to the false positive list should begin with
a capital letter. e.g. Unkown instead of unkown.
Fixed the existing rules accordingly
|
2022-05-09 16:07:44 +02:00 |
|
|
David ANDRE
|
6c632b1ef0
|
Modified description
|
2022-05-05 17:27:35 +02:00 |
|
|
David ANDRE
|
f3dc78b9da
|
Added various disabling options of defender in posh_ps_tamper_defender.yml\nAdded match on default actions of defender to allow.
|
2022-05-05 17:25:37 +02:00 |
|
|
Florian Roth
|
0a55406444
|
fix: wording on two rules
|
2022-04-26 16:43:44 +02:00 |
|
|
frack113
|
eec8437dc2
|
Add posh_ps_win32_product_install_msi
|
2022-04-24 12:49:00 +02:00 |
|
|
phantinuss
|
13e31e8383
|
fix: FPs found in win2022 domain controller baseline
|
2022-04-21 10:48:59 +02:00 |
|
|
frack113
|
89985b08c8
|
New Redcannary Windows Tests
|
2022-04-09 18:00:15 +02:00 |
|
|
frack113
|
0f4d61d04e
|
Merge pull request #2872 from frack113/redcannay_20220404
Windows Redcannary
|
2022-04-04 13:23:47 +02:00 |
|
|
Florian Roth
|
eaaabf2468
|
Update posh_ps_suspicious_get_current_user.yml
|
2022-04-04 12:19:47 +02:00 |
|
|
frack113
|
aaafef29b4
|
Redcannary
|
2022-04-04 10:57:23 +02:00 |
|
|
Florian Roth
|
b394702748
|
Update posh_ps_suspicious_gettypefromclsid.yml
|
2022-04-04 09:28:56 +02:00 |
|
|
frack113
|
d2b2362ce7
|
Redcannary
|
2022-04-02 11:55:02 +02:00 |
|
|
Florian Roth
|
3f1b8ff727
|
Update posh_ps_susp_get_addefaultdomainpasswordpolicy.yml
|
2022-03-21 12:09:33 +01:00 |
|
|
Florian Roth
|
7ebdfda1b8
|
Update posh_ps_susp_get_addefaultdomainpasswordpolicy.yml
|
2022-03-21 11:54:45 +01:00 |
|
|
frack113
|
ab471b11ae
|
Redcannary
|
2022-03-20 08:36:07 +01:00 |
|
|
frack113
|
45cfdab828
|
Revert "Redcannary"
|
2022-03-20 08:11:11 +01:00 |
|
|
frack113
|
1060009949
|
Redcannary
|
2022-03-18 11:15:05 +01:00 |
|
|
frack113
|
41fce11b76
|
Merge pull request #2820 from frack113/day_off
Windows Redcannary
|
2022-03-18 08:18:18 +01:00 |
|
|
Florian Roth
|
1118189032
|
Update posh_ps_susp_get_adgroup.yml
|
2022-03-17 20:23:14 +01:00 |
|
|
Florian Roth
|
8c69b3977f
|
Update posh_ps_susp_directory_enum.yml
|
2022-03-17 20:22:51 +01:00 |
|
|
Florian Roth
|
a5cfb87ee1
|
Update posh_ps_as_rep_roasting.yml
|
2022-03-17 20:22:11 +01:00 |
|
|
Florian Roth
|
c855a38f98
|
Merge pull request #2819 from frack113/fp_test
posh_ps_remove_item_path fix registry FP
|
2022-03-17 18:44:53 +01:00 |
|
|
frack113
|
829409d29a
|
Redcannary
|
2022-03-17 16:48:41 +01:00 |
|
|
frack113
|
becf3baeb4
|
Merge pull request #2813 from phantinuss/master
Changes to falsepositives metadata
|
2022-03-17 14:31:27 +01:00 |
|
|
frack113
|
6da13f19a6
|
fix registry FP
|
2022-03-17 14:26:12 +01:00 |
|
|
Florian Roth
|
1099c5630e
|
rule: remote thread creation, get-addbaccount
|
2022-03-16 15:21:01 +01:00 |
|
|
phantinuss
|
043747822f
|
fix: more falsepositives harmonization
|
2022-03-16 14:57:06 +01:00 |
|
|
phantinuss
|
6ae28b7a1c
|
fix: legitimate --> Legitimate
|
2022-03-16 14:35:19 +01:00 |
|
|
phantinuss
|
84d0c472ba
|
fix: remove penetration test as valid false positive reason
|
2022-03-16 14:33:18 +01:00 |
|
|
phantinuss
|
4585133325
|
fix: remove penetration testing as a valid false positive
|
2022-03-16 13:51:26 +01:00 |
|
|
phantinuss
|
b23eee6ebf
|
fix: unknown --> Unknown
|
2022-03-16 13:43:54 +01:00 |
|
|
Tim Shelton
|
bda0f3cfe0
|
FP on valid remote call of Powershell Archive.psm1, maybe beneficial to filter all powershell modules in future
|
2022-03-14 22:23:06 +00:00 |
|
|
frack113
|
c6d37d4a78
|
fix yaml
|
2022-03-08 19:14:46 +01:00 |
|
|
frack113
|
5938569d3e
|
Refactor regex
|
2022-03-08 19:07:37 +01:00 |
|
|
frack113
|
143f5fe4e2
|
Fix yml
|
2022-03-07 19:37:33 +01:00 |
|
|
frack113
|
f9c0e21323
|
Refactor regex
|
2022-03-07 19:08:30 +01:00 |
|
|
Florian Roth
|
ec62ec6bbb
|
fix: values missed escaping
|
2022-03-05 10:39:15 +01:00 |
|
|
Florian Roth
|
e57b952455
|
Merge branch 'master' into rule-devel
|
2022-03-04 16:34:52 +01:00 |
|
|
Florian Roth
|
8012efa9b5
|
refactor: some adjustments
|
2022-03-04 16:34:15 +01:00 |
|
|
Florian Roth
|
eb06a6fdd1
|
Merge pull request #2764 from SigmaHQ/rule-devel
refactor: PowerShell Defender modifications
|
2022-03-03 23:29:08 +01:00 |
|
|
Florian Roth
|
b3b5b2cbdd
|
refactor: PowerShell Defender modifications
|
2022-03-03 13:53:06 +01:00 |
|
|
nNipsx
|
b43e37518e
|
update Author contribute
|
2022-03-03 14:34:13 +07:00 |
|
|
frack113
|
19ba2fe16c
|
Update posh_ps_detect_vm_env.yml
|
2022-03-03 08:12:01 +01:00 |
|
|
nNipsx
|
f57bb708bb
|
Update another command line of Get-WmiObject (gwmi)
|
2022-03-03 11:04:26 +07:00 |
|
|
phantinuss
|
8212b1a2ad
|
fix: FP
|
2022-02-23 17:18:53 +01:00 |
|
|
phantinuss
|
329b5aa0eb
|
fix: reduce level, many legitimate usages expected
|
2022-02-23 14:13:12 +01:00 |
|
|
frack113
|
464686e0c5
|
add posh_pm_suspicious_reset_computermachinepassword
|
2022-02-22 13:44:51 +01:00 |
|
|
Florian Roth
|
921d46ca79
|
fix: FPs noticed with Aurora
|
2022-02-21 18:43:18 +01:00 |
|
|
Florian Roth
|
35d4c8bc69
|
fix: FPs noticed in THOR testing
|
2022-02-21 10:15:27 +01:00 |
|