Author | Commit | Date | Message

frack113 | 87a0bed0ec | 2022-03-05 11:35:49 +01:00 | Add missing WinEventLog prefix
Florian Roth | a6ed1a3fb8 | 2022-03-05 11:24:46 +01:00 | fix: missing level
Florian Roth | 335ed24751 | 2022-03-05 11:21:00 +01:00 | fix: wrong channel prefix
Florian Roth | 9595cef06e | 2022-03-05 09:57:12 +01:00 | Merge pull request #2771 from SigmaHQ/rule-devel
    Multiple adjustments in different rules
frack113 | 36e471dae6 | 2022-03-04 20:59:35 +01:00 | Merge pull request #2767 from d4rk-d4nph3/master
    Added rule for Gamaredon UltraVNC Execution
frack113 | 41f3db6e02 | 2022-03-04 20:57:06 +01:00 | Merge pull request #2770 from frack113/fix_win11_fp
    Fix FP new win11 installation
Florian Roth | 8b29c2202c | 2022-03-04 19:44:15 +01:00 | rule: hacktool imphashes
Florian Roth | b90686251f | 2022-03-04 19:43:58 +01:00 | refactor: imphash adjustments
Florian Roth | 8c59229728 | 2022-03-04 19:38:00 +01:00 | Merge pull request #2769 from phantinuss/master
    Fix FPs
Florian Roth | 85e2419436 | 2022-03-04 17:12:31 +01:00 | fix: duplicate UUID
frack113 | 7922becd0b | 2022-03-04 16:53:30 +01:00 | Fix FP new install
Florian Roth | e57b952455 | 2022-03-04 16:34:52 +01:00 | Merge branch 'master' into rule-devel
Florian Roth | 05a9a910f4 | 2022-03-04 16:34:37 +01:00 | rule: PowerShell Defender base64 MpPreference
Florian Roth | 8012efa9b5 | 2022-03-04 16:34:15 +01:00 | refactor: some adjustments
phantinuss | 6c4d0c601b | 2022-03-04 14:07:29 +01:00 | fix: FP with Windows Defender ATP
phantinuss | e7edae7a9a | 2022-03-04 14:07:29 +01:00 | tests: add 1st commandline argument for rules directory selection
phantinuss | 4823d7943f | 2022-03-04 14:07:29 +01:00 | fix: exclude hotpotatoes FP
phantinuss | df48b60cb4 | 2022-03-04 14:07:29 +01:00 | fix: FP with Datev SQL Server
phantinuss | 324dca618b | 2022-03-04 14:07:28 +01:00 | fix: filter variant with double quotes
Bhabesh | d14784510f | 2022-03-04 15:40:33 +05:45 | Added rule for Gamaredon UltraVNC Execution
frack113 | 743f0974f9 | 2022-03-04 06:30:31 +01:00 | Merge pull request #2766 from frack113/office2019
    OfficeClickToRun FP
frack113 | ee5e85a422 | 2022-03-04 06:30:17 +01:00 | Merge pull request #2765 from frack113/win11_FP
    Fix Windows11-Office FP
Florian Roth | eb06a6fdd1 | 2022-03-03 23:29:08 +01:00 | Merge pull request #2764 from SigmaHQ/rule-devel
    refactor: PowerShell Defender modifications
frack113 | ea2b6d8a08 | 2022-03-03 20:10:55 +01:00 | Update another command line of Get-WmiObject (gwmi)
frack113 | 59067a72d2 | 2022-03-03 19:45:03 +01:00 | OfficeClickToRun FP
frack113 | cc956f7dbf | 2022-03-03 15:20:53 +01:00 | Fix Windows11-Office FP
Florian Roth | b3b5b2cbdd | 2022-03-03 13:53:06 +01:00 | refactor: PowerShell Defender modifications
nNipsx | b43e37518e | 2022-03-03 14:34:13 +07:00 | update Author contribute
frack113 | 19ba2fe16c | 2022-03-03 08:12:01 +01:00 | Update posh_ps_detect_vm_env.yml
frack113 | 0649b5d6ea | 2022-03-03 06:27:36 +01:00 | Add proc_creation_win_fsutil_symlinkevaluation
frack113 | 53651cdd2f | 2022-03-03 06:27:00 +01:00 | Add Bits-Client rules
nNipsx | f57bb708bb | 2022-03-03 11:04:26 +07:00 | Update another command line of Get-WmiObject (gwmi)
Florian Roth | 071bcc2923 | 2022-03-02 17:47:11 +01:00 | Merge pull request #2761 from SigmaHQ/rule-devel
    Minor changes, new PS downloader strings
Florian Roth | db76c52ae8 | 2022-03-02 17:45:29 +01:00 | Merge pull request #2760 from phantinuss/master
    Fix FPs and 2 new Rules
phantinuss | b2d68616b5 | 2022-03-02 14:48:37 +01:00 | fix: FPs with webex and temp assembly
phantinuss | 952fb07d59 | 2022-03-02 11:14:01 +01:00 | fix: remove Aurora filter out, no longer needed
Florian Roth | 5e76089044 | 2022-03-02 11:01:28 +01:00 | refactor: additional strings in powershell downloader rule
phantinuss | 3701bdfdbf | 2022-03-02 10:37:36 +01:00 | new rules: Base64 encoded keywords detected by Raccine
phantinuss | c2a583a950 | 2022-03-02 10:36:07 +01:00 | fix: exclude more Teams Addin variants
Florian Roth | 1435171490 | 2022-03-01 16:02:22 +01:00 | docs: minor changes to rules
frack113 | 1fbb9a9b29 | 2022-03-01 15:36:39 +01:00 | Add missing fields
Florian Roth | 02e8e31c44 | 2022-02-28 19:34:00 +01:00 | Merge pull request #2756 from phantinuss/master
    fix FP and broken condition/selector
phantinuss | 81e3c105d2 | 2022-02-28 17:50:32 +01:00 | fix: trigger also by selection3
phantinuss | b1fc8b3641 | 2022-02-28 17:50:32 +01:00 | fix: Image casing
phantinuss | 3c5535ae41 | 2022-02-28 17:50:30 +01:00 | fix: triggering on legitimate diskpart.exe usage
Florian Roth | e7585a50df | 2022-02-28 17:31:45 +01:00 | Merge pull request #2755 from SigmaHQ/rule-devel
    refactor: Office Shell Spawn rule, rule: PowerShell downloader pattern
Florian Roth | 313b4d7ca9 | 2022-02-28 14:42:56 +01:00 | rule: PowerShell downloader patterns
Florian Roth | 25b414ea09 | 2022-02-28 13:12:46 +01:00 | refactor: separating Outlook.exe from other Office processes
Wagga | 0921857230 | 2022-02-27 16:43:02 +01:00 | Add basic REGEX support in SQLite Backend (#2754)
frack113 | 7fb8272f94 | 2022-02-27 10:58:14 +01:00 | Name Normalization