14fdf75ab5
fix: FPs noticed with THOR
2022-09-29 13:51:09 +02:00
c31fe50f4d
fix: FPs noticed in THOR testing
2022-09-29 13:41:20 +02:00
d9cd98838f
Add descriptions
2022-09-21 12:02:15 +02:00
59530f49d4
Fix more FP in testing
2022-09-21 11:53:39 +02:00
2f7a54cc31
Fix FP
2022-09-20 11:20:33 +02:00
34d7ad03f7
fix: FPs noticed with Aurora
2022-09-18 12:54:37 +02:00
2da0554bed
fix: temporarily disable Kernel-Audit-API-Calls
2022-09-18 09:57:04 +02:00
9f6604cf81
fix: aurora mtach calltrace msedeg.exe
2022-09-18 09:41:51 +02:00
f581d77e5d
Merge branch 'aurora-false-positive-fixing' of https://github.com/SigmaHQ/sigma into aurora-false-positive-fixing
2022-09-13 11:30:37 +02:00
264bc0787d
fix: FP with Malwarebytes
2022-09-13 11:30:27 +02:00
43e0d4fe6a
fix: FP with windows defender
2022-09-09 13:51:53 +02:00
b293a7a181
refactor: SysmonEnte, SharpEvtMute, SysmonQuiet
2022-09-07 16:01:05 +02:00
6ad167a4f3
rule: SysmonEnte usage
2022-09-07 14:33:44 +02:00
0b0190ccb1
Added quotes to strings
2022-09-01 15:22:26 +02:00
8dfe06a33b
Adding Google Chrome FP
2022-08-31 11:35:12 +04:30
11a322f4f0
New + Update
2022-08-26 15:38:43 +01:00
3426dfb6e9
Update backslash
2022-08-13 09:59:31 +02:00
a90ba27a1c
fix: do not use wildcard, where not needed
2022-08-09 10:55:05 +02:00
ef1f2b13ec
fix: use wildcard * instead of plaintext *
...
the changed files seem like they used an esacped * by mistake
2022-08-08 17:54:46 +02:00
a7c5381366
fix: LSASS access wermgr
2022-07-21 18:31:36 +02:00
238e0ecd7d
Update Ref+Selection
2022-07-11 14:11:53 +01:00
c7eb123bc3
Merge branch 'master' into aurora-false-positive-fixing
2022-07-07 18:21:16 +02:00
b58c797c61
fix: FPs with Visual Studio
2022-07-07 18:20:10 +02:00
ce1710a031
fix: FPs found in testing
2022-07-06 15:38:31 +02:00
c95df56222
New Rules
2022-07-01 16:56:45 +01:00
2f19daed62
Merge pull request #3163 from d4rk-d4nph3/master
...
Rule for HandleKatz
2022-07-01 14:29:45 +02:00
15cd71403a
fix: FP found in testing
2022-07-01 11:11:08 +02:00
2da48f5052
Merge pull request #3167 from SigmaHQ/rule-devel
...
Rules: Bitsadmin coverage and minor improvements
2022-06-28 17:25:03 +02:00
1f7e37d2a0
Fixed CallTrace
2022-06-28 10:56:18 +05:45
19ef1c153f
rule: werfault accessing lsass
2022-06-27 15:49:30 +02:00
e0f8506c1b
Rule for HandleKatz
2022-06-27 17:25:21 +05:45
ab5d2ed711
fix: FPs in testing environment
2022-06-27 08:47:27 +02:00
cdfd908627
Merge branch 'master' into rule-devel
2022-06-22 21:16:29 +02:00
a876da1ad7
fix: FP with ProcessExpl
2022-06-22 21:15:21 +02:00
9475153292
fix: FPs found in testing environment
2022-06-20 16:17:54 +02:00
50b2fad091
Merge branch 'master' into aurora-false-positive-fixing
2022-06-20 13:43:36 +02:00
ccd6fc5a7b
fix: FPs
2022-06-20 13:04:49 +02:00
fef851a918
fix: FPs with Aurora
2022-06-20 12:01:25 +02:00
f728893364
refactor: rule level adjustments - critical to high
2022-06-18 17:43:22 +02:00
e56dab0016
False positive: ignore amazon ssm agent setup
2022-06-17 16:33:47 +00:00
3ad0d1bc50
fix: FP and typo
2022-06-03 15:20:07 +02:00
97856b562a
Add "\" to "Image|endswith" modifier
...
- Added the "\\" (backslash) for the "(Parent)Image|endswith" modifiers to avoid possible confusion.
- The modification were mostly done on default windows binaries to avoid changing logic of other rules.
2022-06-02 13:39:07 +01:00
5ec29f38f8
Merge branch 'master' into aurora-false-positive-fixing
2022-05-16 16:05:02 +02:00
55d5766bf9
fix: FPs with lsass as source
2022-05-16 16:04:13 +02:00
ca6b4d7862
FP: fixing error in labels
2022-05-15 17:41:22 +00:00
1019015473
FP: ignoring vmware to systeminfo.exe
2022-05-15 17:35:02 +00:00
71249ff7e0
FP: ignoring microsoft vc redistributable when performing NtOpenProcess
2022-05-15 17:33:31 +00:00
67e78ef455
FP: ignoreing microsoft edge when performing NtOpenProcess
2022-05-15 17:23:53 +00:00
2b0db86440
Merge pull request #3002 from phantinuss/master
...
Various new Rule Tests
2022-05-11 15:49:46 +02:00
112b715dd6
chore: test rules: reactivate single value list check
2022-05-10 17:13:04 +02:00
Florian Roth