 Nasreddine Bencherchali
|
bf9bfa9a97
|
Add more FP filters
|
2022-10-13 12:36:25 +02:00 |
|
|
Nasreddine Bencherchali
|
bf28e42f01
|
Fix FP Found In Testing
|
2022-10-10 17:33:14 +02:00 |
|
|
Nasreddine Bencherchali
|
2c26614ce4
|
Update Wildcard + Int to Str fields
|
2022-10-05 23:15:20 +02:00 |
|
|
phantinuss
|
b7f20b884c
|
fix: FPs from new evtx-baseline
|
2022-09-21 13:51:19 +02:00 |
|
|
Florian Roth
|
968f0ae11f
|
Merge pull request #3508 from SigmaHQ/aurora-false-positive-fixing
fix: FPs noticed with Aurora
|
2022-09-18 13:24:07 +02:00 |
|
|
Florian Roth
|
34d7ad03f7
|
fix: FPs noticed with Aurora
|
2022-09-18 12:54:37 +02:00 |
|
|
Borna Talebi
|
4ede1b413f
|
Update reference
|
2022-09-16 21:46:45 +04:30 |
|
|
Nasreddine Bencherchali
|
238e0ecd7d
|
Update Ref+Selection
|
2022-07-11 14:11:53 +01:00 |
|
|
Nasreddine Bencherchali
|
b26c28972d
|
Add missing definition fields and references
|
2022-07-07 19:13:01 +01:00 |
|
|
Nasreddine Bencherchali
|
ce8ce2a91d
|
Removed related field
The rule referenced in the field doesn't exist
|
2022-06-21 11:43:18 +01:00 |
|
|
Florian Roth
|
72de90d2aa
|
fix: FPs
|
2022-06-20 12:52:23 +02:00 |
|
|
David ANDRE
|
74b9f97b9c
|
Renamed suspicious in filenames to susp
|
2022-05-19 09:37:04 +02:00 |
|
|
phantinuss
|
6f92a11c02
|
chore: test rules: check for all modifier with single item
|
2022-05-11 11:06:09 +02:00 |
|
|
phantinuss
|
112b715dd6
|
chore: test rules: reactivate single value list check
|
2022-05-10 17:13:04 +02:00 |
|
|
phantinuss
|
dbd68bf3f0
|
chore: test rules: capitalization on FP list entries
Entires to the false positive list should begin with
a capital letter. e.g. Unkown instead of unkown.
Fixed the existing rules accordingly
|
2022-05-09 16:07:44 +02:00 |
|
|
phantinuss
|
13e31e8383
|
fix: FPs found in win2022 domain controller baseline
|
2022-04-21 10:48:59 +02:00 |
|
|
frack113
|
becf3baeb4
|
Merge pull request #2813 from phantinuss/master
Changes to falsepositives metadata
|
2022-03-17 14:31:27 +01:00 |
|
|
Florian Roth
|
1099c5630e
|
rule: remote thread creation, get-addbaccount
|
2022-03-16 15:21:01 +01:00 |
|
|
phantinuss
|
043747822f
|
fix: more falsepositives harmonization
|
2022-03-16 14:57:06 +01:00 |
|
|
phantinuss
|
84d0c472ba
|
fix: remove penetration test as valid false positive reason
|
2022-03-16 14:33:18 +01:00 |
|
|
phantinuss
|
b23eee6ebf
|
fix: unknown --> Unknown
|
2022-03-16 13:43:54 +01:00 |
|
|
Tim Shelton
|
bda0f3cfe0
|
FP on valid remote call of Powershell Archive.psm1, maybe beneficial to filter all powershell modules in future
|
2022-03-14 22:23:06 +00:00 |
|
|
frack113
|
5938569d3e
|
Refactor regex
|
2022-03-08 19:07:37 +01:00 |
|
|
frack113
|
143f5fe4e2
|
Fix yml
|
2022-03-07 19:37:33 +01:00 |
|
|
frack113
|
f9c0e21323
|
Refactor regex
|
2022-03-07 19:08:30 +01:00 |
|
|
frack113
|
464686e0c5
|
add posh_pm_suspicious_reset_computermachinepassword
|
2022-02-22 13:44:51 +01:00 |
|
|
Florian Roth
|
35d4c8bc69
|
fix: FPs noticed in THOR testing
|
2022-02-21 10:15:27 +01:00 |
|
|
Florian Roth
|
51bbe21c70
|
fix: more Aurora FP fixes
|
2022-02-16 17:16:50 +01:00 |
|
|
phantinuss
|
646ce36809
|
fix: use doublequotes instead of ' because of ' in string
|
2022-02-11 16:52:45 +01:00 |
|
|
phantinuss
|
809f7abbb8
|
fix: several FPs against a fresh installed Windows with example applications and basic user interaction 3
|
2022-02-11 16:38:52 +01:00 |
|
|
frack113
|
4631d0c482
|
remove invalid tag
|
2022-01-19 18:23:30 +01:00 |
|
|
frack113
|
6badb13114
|
Rename powershell_module
|
2022-01-15 10:38:27 +01:00 |
|
|
Ahmet Salih
|
9b261a5cb7
|
Update powershell_suspicious_invocation_specific_in_contextinfo.yml
close #2546
|
2022-01-11 18:23:30 +03:00 |
|
|
Florian Roth
|
e055ec1d52
|
refactor: change all " of them" expressions
|
2022-01-11 10:59:57 +01:00 |
|
|
frack113
|
73f258e2d1
|
Change double quote to quote
|
2022-01-06 14:02:35 +01:00 |
|
|
frack113
|
426d8193ad
|
Windows redcannary
|
2021-12-15 19:36:16 +01:00 |
|
|
frack113
|
221f479825
|
Windows Redcannay T1069.001
|
2021-12-12 12:15:27 +01:00 |
|
|
frack113
|
ee67779811
|
Windows T1049 RedCannary
|
2021-12-11 09:38:20 +01:00 |
|
|
phantinuss
|
07a0a37273
|
feat: discourage the usage of 'all of them' and migrate existing rules to use the preferred method 'all of selection*'
|
2021-12-02 14:47:39 +01:00 |
|
|
frack113
|
1cfca93354
|
Missing status in rules (#2284)
* add missing status
|
2021-11-19 22:32:26 +01:00 |
|
|
frack113
|
faa407dacc
|
cleanup list
|
2021-10-18 14:52:35 +02:00 |
|
|
frack113
|
0e1c156ddf
|
fix related
|
2021-10-18 14:26:06 +02:00 |
|
|
frack113
|
19da3ac07f
|
add ps_module version
|
2021-10-18 14:12:52 +02:00 |
|
|
frack113
|
0ca16b18f4
|
Change to category: ps_module
|
2021-10-16 08:05:15 +02:00 |
|
|
frack113
|
1337116d84
|
Cleanup selection name
|
2021-10-10 10:17:24 +02:00 |
|
|
Florian Roth
|
2379907f26
|
docs: extended the description by a word
|
2021-10-09 16:42:42 +02:00 |
|
|
Florian Roth
|
f475b90ee3
|
fix: typo in description
|
2021-10-09 16:41:48 +02:00 |
|
|
frack113
|
5c68c42058
|
order powershell_script
|
2021-10-09 10:30:36 +02:00 |
|
|
frack113
|
41d098b253
|
fix yml error
|
2021-10-09 09:59:21 +02:00 |
|
|
frack113
|
fe7fbfd5fc
|
order powershell_module
|
2021-10-09 09:50:49 +02:00 |
|