7679d05706
fix: fp found in testing exchange server
2022-12-20 13:23:32 +01:00
ba3e985bed
feat: multiple update and enhancements
2022-12-19 17:41:40 +01:00
a3f87a10e3
Merge pull request #3796 from nasbench/nasbench-rule-devel
...
feat: add duplicate titles test
2022-12-19 11:19:17 +01:00
972720d42c
fix: apply code review suggestion
...
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com >
2022-12-19 10:17:49 +01:00
ecaf76f661
Merge pull request #1964 from BlackB0lt/patch-14
...
Create CVE-2021-26084 detection
2022-12-18 21:08:48 +01:00
646351808e
Refractor ( #3794 )
...
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com >
2022-12-18 21:00:14 +01:00
1ccee514e2
feat: add duplicate titles test
2022-12-18 20:55:32 +01:00
41d841ada2
Merge pull request #3793 from nasbench/nasbench-rule-devel
...
feat: updates and enhancements
2022-12-18 18:48:06 +01:00
cfc5180865
Merge pull request #3795 from orenebahar/patch-1
...
Update net_connection_win_malware_backconnect_ports.yml
2022-12-18 15:34:47 +01:00
1882a4a0c2
fix: remove unnecessary definition
2022-12-18 15:24:58 +01:00
3f6bcb6cee
fix: fp found in testing
2022-12-18 15:07:47 +01:00
021499e6ef
Update net_connection_win_malware_backconnect_ports.yml
...
Add description about the right event ID in sysmon configuration
2022-12-18 12:13:29 +00:00
a606223568
fix: add missing filename to the logic
2022-12-16 19:47:13 +01:00
dbe3c80dd3
fix: fp found with baseline
2022-12-16 18:50:38 +01:00
b108c1189d
Merge pull request #3717 from redsand/fp_convert_guidcompress
...
FP: ignore calling function Convert-GuidToCompressedGuid, …
2022-12-16 18:44:44 +01:00
7ef1945ce5
Merge pull request #3791 from veramine/patch-6
...
Update proc_creation_win_rundll32_parent_explorer.yml
2022-12-16 18:43:54 +01:00
1e2cd1655e
fix: add more filters and update image field
2022-12-16 17:59:24 +01:00
c67960d162
fix: update logic
2022-12-16 17:46:35 +01:00
2b9048b6c8
fix: update detection logic
2022-12-16 17:09:34 +01:00
f0ff97be9b
fix: update description
2022-12-16 17:07:52 +01:00
3868dd91c6
feat: updates and enhancements
2022-12-16 16:52:12 +01:00
bfa5e4ecf5
Update rules/windows/process_creation/proc_creation_win_rundll32_parent_explorer.yml
...
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com >
2022-12-16 08:28:45 +01:00
b8503a0d40
Merge pull request #3790 from SigmaHQ/aurora-false-positive-fixing
...
Aurora false positive fixing
2022-12-16 00:34:21 +01:00
3b6403fc8a
Update proc_creation_win_rundll32_parent_explorer.yml
...
Remove the false positive of explorer.exe launching rundll32.exe to load a DLL already present on the system. The specific false positive case we encountered was "CommandLine": "\"C:\\Windows\\System32\\rundll32.exe\" C:\\Windows\\System32\\LogiLDA.dll,LogiFetch". The BumbleBee case loaded a DLL from the ISO so that should still be detected.
2022-12-15 14:54:46 -08:00
b1504c7632
fix: wrong condition
2022-12-15 19:02:56 +01:00
8d8d935a42
Merge pull request #3789 from frack113/winlogbeat_space
...
Space remove
2022-12-15 18:00:57 +01:00
0b3a068327
fix: FP with NVIDIA driver installation
2022-12-15 18:00:07 +01:00
2f945478dc
Fix duplicate
2022-12-15 17:54:34 +01:00
a5a74fe55b
Merge branch 'aurora-false-positive-fixing' of https://github.com/SigmaHQ/sigma into aurora-false-positive-fixing
2022-12-15 17:31:39 +01:00
84041dde1f
fix: FPs with wuauclt rule
2022-12-15 17:31:36 +01:00
e2c8d8d6b5
Merge branch 'aurora-false-positive-fixing' of https://github.com/SigmaHQ/sigma into aurora-false-positive-fixing
2022-12-15 13:57:59 +01:00
0f9b2fff71
refactor: NotPetya rule
2022-12-15 13:57:56 +01:00
544081f3c7
Space remove
2022-12-15 12:55:18 +01:00
4253d5a4be
Merge pull request #3788 from frack113/japan
...
Add image_load_side_load_jsschhlp
2022-12-15 06:31:47 +01:00
18132ed085
Merge pull request #3787 from nasbench/nasbench-rule-devel
...
feat: add type lolbin rule and update ldap etw rule
2022-12-15 06:30:43 +01:00
cc658743e6
fix: add additional reference
2022-12-14 23:25:13 +01:00
ec63adb32f
fix: update title
2022-12-14 23:12:23 +01:00
c7e772eff9
Add image_load_side_load_jsschhlp
2022-12-14 19:24:32 +01:00
79e83766eb
feat: update ldap rule with additional strings
2022-12-14 16:52:04 +01:00
a2e818ddca
Merge pull request #3785 from veramine/patch-4
...
Add System to list of built-in Windows processes with no extension
2022-12-14 16:06:48 +01:00
d6d41c12d1
feat: new rule related to using type as lolbin
2022-12-14 15:37:46 +01:00
b41ba894e5
fix: rename rule to follow convention
2022-12-14 15:37:28 +01:00
6a7ae2fb19
Merge pull request #3786 from SigmaHQ/aurora-false-positive-fixing
...
Aurora false positive fixing
2022-12-14 15:27:13 +01:00
c98e9ec3cc
fix: list with one element issue
2022-12-14 13:23:28 +01:00
643a06766e
fix: FP with NVIDIA driver installation
2022-12-14 13:21:54 +01:00
be8338774c
Merge pull request #3784 from veramine/patch-3
...
Add System to list of built-in Windows processes
2022-12-14 13:21:12 +01:00
9af4c20912
Merge pull request #3783 from nasbench/nasbench-rule-devel
...
feat: updates and enhancements
2022-12-14 13:19:46 +01:00
c3863afdc3
Merge pull request #3782 from securepeacock/patch-36
...
Update proc_creation_win_susp_runonce_execution.yml
2022-12-14 13:19:07 +01:00
7365e12478
docs: explanation for filter
2022-12-14 13:08:10 +01:00
232d7f840a
fix: FPs noticed with Aurora
2022-12-14 13:05:58 +01:00
Nasreddine Bencherchali