Author | Commit | Message | Date
Florian Roth | 9595cef06e | Merge pull request #2771 from SigmaHQ/rule-devel: Multiple adjustments in different rules | 2022-03-05 09:57:12 +01:00
frack113 | 36e471dae6 | Merge pull request #2767 from d4rk-d4nph3/master: Added rule for Gamaredon UltraVNC Execution | 2022-03-04 20:59:35 +01:00
frack113 | 41f3db6e02 | Merge pull request #2770 from frack113/fix_win11_fp: Fix FP new win11 installation | 2022-03-04 20:57:06 +01:00
Florian Roth | 8b29c2202c | rule: hacktool imphashes | 2022-03-04 19:44:15 +01:00
Florian Roth | b90686251f | refactor: imphash adjustments | 2022-03-04 19:43:58 +01:00
Florian Roth | 85e2419436 | fix: duplicate UUID | 2022-03-04 17:12:31 +01:00
frack113 | 7922becd0b | Fix FP new install | 2022-03-04 16:53:30 +01:00
Florian Roth | e57b952455 | Merge branch 'master' into rule-devel | 2022-03-04 16:34:52 +01:00
Florian Roth | 05a9a910f4 | rule: PowerShell Defender base64 MpPreference | 2022-03-04 16:34:37 +01:00
Florian Roth | 8012efa9b5 | refactor: some adjustments | 2022-03-04 16:34:15 +01:00
phantinuss | 6c4d0c601b | fix: FP with Windows Defender ATP | 2022-03-04 14:07:29 +01:00
phantinuss | 4823d7943f | fix: exclude hotpotatoes FP | 2022-03-04 14:07:29 +01:00
phantinuss | df48b60cb4 | fix: FP with Datev SQL Server | 2022-03-04 14:07:29 +01:00
phantinuss | 324dca618b | fix: filter variant with double quotes | 2022-03-04 14:07:28 +01:00
Bhabesh | d14784510f | Added rule for Gamaredon UltraVNC Execution | 2022-03-04 15:40:33 +05:45
frack113 | 743f0974f9 | Merge pull request #2766 from frack113/office2019: OfficeClickToRun FP | 2022-03-04 06:30:31 +01:00
frack113 | ee5e85a422 | Merge pull request #2765 from frack113/win11_FP: Fix Windows11-Office FP | 2022-03-04 06:30:17 +01:00
Florian Roth | eb06a6fdd1 | Merge pull request #2764 from SigmaHQ/rule-devel: refactor: PowerShell Defender modifications | 2022-03-03 23:29:08 +01:00
frack113 | ea2b6d8a08 | Update another command line of Get-WmiObject (gwmi) | 2022-03-03 20:10:55 +01:00
frack113 | 59067a72d2 | OfficeClickToRun FP | 2022-03-03 19:45:03 +01:00
frack113 | cc956f7dbf | Fix Windows11-Office FP | 2022-03-03 15:20:53 +01:00
Florian Roth | b3b5b2cbdd | refactor: PowerShell Defender modifications | 2022-03-03 13:53:06 +01:00
nNipsx | b43e37518e | update Author contribute | 2022-03-03 14:34:13 +07:00
frack113 | 19ba2fe16c | Update posh_ps_detect_vm_env.yml | 2022-03-03 08:12:01 +01:00
frack113 | 0649b5d6ea | Add proc_creation_win_fsutil_symlinkevaluation | 2022-03-03 06:27:36 +01:00
frack113 | 53651cdd2f | Add Bits-Client rules | 2022-03-03 06:27:00 +01:00
nNipsx | f57bb708bb | Update another command line of Get-WmiObject (gwmi) | 2022-03-03 11:04:26 +07:00
Florian Roth | 071bcc2923 | Merge pull request #2761 from SigmaHQ/rule-devel: Minor changes, new PS downloader strings | 2022-03-02 17:47:11 +01:00
phantinuss | b2d68616b5 | fix: FPs with webex and temp assembly | 2022-03-02 14:48:37 +01:00
phantinuss | 952fb07d59 | fix: remove Aurora filter out, no longer needed | 2022-03-02 11:14:01 +01:00
Florian Roth | 5e76089044 | refactor: additional strings in powershell downloader rule | 2022-03-02 11:01:28 +01:00
phantinuss | 3701bdfdbf | new rules: Base64 encoded keywords detected by Raccine | 2022-03-02 10:37:36 +01:00
phantinuss | c2a583a950 | fix: exclude more Teams Addin variants | 2022-03-02 10:36:07 +01:00
Florian Roth | 1435171490 | docs: minor changes to rules | 2022-03-01 16:02:22 +01:00
phantinuss | 81e3c105d2 | fix: trigger also by selection3 | 2022-02-28 17:50:32 +01:00
phantinuss | b1fc8b3641 | fix: Image casing | 2022-02-28 17:50:32 +01:00
phantinuss | 3c5535ae41 | fix: triggering on legitimate diskpart.exe usage | 2022-02-28 17:50:30 +01:00
Florian Roth | 313b4d7ca9 | rule: PowerShell downloader patterns | 2022-02-28 14:42:56 +01:00
Florian Roth | 25b414ea09 | refactor: separating Outlook.exe from other Office processes | 2022-02-28 13:12:46 +01:00
frack113 | 7fb8272f94 | Name Normalization | 2022-02-27 10:58:14 +01:00
frack113 | d459483ef6 | Enable Office dde (#2750): Add registry_event_win_office_enable_dde | 2022-02-27 07:40:19 +01:00
frack113 | ec7319be21 | Name Normalization | 2022-02-27 07:39:46 +01:00
Florian Roth | de197e7897 | Merge pull request #2747 from frack113/fix_detection: Fix detection | 2022-02-25 19:04:16 +01:00
Florian Roth | 5f8b16d147 | Merge pull request #2748 from SigmaHQ/rule-devel: rules: Hermetic Wiper, BlackByte reports | 2022-02-25 19:03:59 +01:00
Florian Roth | f647e45e69 | Merge pull request #2749 from redsand/fp_msiexec: Filters false positive from msiexec.exe | 2022-02-25 19:03:45 +01:00
Tim Shelton | 6d29b4c4a5 | oof, misspelled detection type 2 | 2022-02-25 16:34:32 +00:00
Tim Shelton | f6caaf795a | oof, misspelled detection type | 2022-02-25 16:32:33 +00:00
Florian Roth | 744813ff87 | rule: Hermetic Wiper group activity | 2022-02-25 17:29:32 +01:00
Florian Roth | eec5b1458c | docs: wording change | 2022-02-25 17:29:16 +01:00
Tim Shelton | 9d06c3cfe7 | Filters false positive from msiexec.exe | 2022-02-25 16:17:01 +00:00