 Florian Roth
|
f60e8e5d17
|
fix: more false positive filters
|
2021-11-24 16:58:53 +01:00 |
|
|
Florian Roth
|
f2585f44da
|
fix: bug in filter
|
2021-11-22 21:30:19 +01:00 |
|
|
Florian Roth
|
7468d495ff
|
fix: FP with LSASS access rule
|
2021-11-22 21:29:21 +01:00 |
|
|
Florian Roth
|
8fc93d3340
|
refactor: generic lsass access filter
|
2021-11-22 15:05:56 +01:00 |
|
|
Florian Roth
|
ff6bb3acea
|
extended filters and descriptions
|
2021-11-22 14:01:30 +01:00 |
|
|
Florian Roth
|
37ff832fda
|
fix: FPs with LSASS access rule
|
2021-11-22 13:43:20 +01:00 |
|
|
Florian Roth
|
a5b7a92d91
|
fix: FPs with Aurora
|
2021-11-22 12:20:21 +01:00 |
|
|
Florian Roth
|
d3ec743906
|
fix: changed modified date
|
2021-11-22 11:38:37 +01:00 |
|
|
Florian Roth
|
fbd8df5768
|
rule: lsass access suspicious flags
|
2021-11-22 11:37:09 +01:00 |
|
|
Florian Roth
|
7432aa37a0
|
refactor: lsass query info access
|
2021-11-22 11:02:01 +01:00 |
|
|
Florian Roth
|
e73816bb22
|
fix: too many false positives with in-memory detection rule
|
2021-11-20 15:07:20 +01:00 |
|
|
Florian Roth
|
15a4938294
|
fix: wrong condition
|
2021-11-20 15:05:06 +01:00 |
|
|
Florian Roth
|
f1d2903ec2
|
fix: FPs with rules
|
2021-11-20 12:32:15 +01:00 |
|
|
Florian Roth
|
6c040f0844
|
fix: more false positives
|
2021-11-20 12:00:18 +01:00 |
|
|
Florian Roth
|
1fffb57df0
|
fix: FPs with different rules
|
2021-11-20 11:33:43 +01:00 |
|
|
frack113
|
1cfca93354
|
Missing status in rules (#2284)
* add missing status
|
2021-11-19 22:32:26 +01:00 |
|
|
Florian Roth
|
7d4e3fd2ed
|
fix: more false positive fixes
|
2021-11-16 23:27:00 +01:00 |
|
|
Florian Roth
|
8d6d8c2c92
|
fix: several FPs
|
2021-11-16 17:30:23 +01:00 |
|
|
frack113
|
b267504708
|
Merge pull request #2179 from frack113/fix_sysmon_in_memory_assembly_execution
Fix sysmon in memory assembly execution
|
2021-10-23 10:11:08 +02:00 |
|
|
frack113
|
1775db7fe8
|
fix cast
|
2021-10-21 09:58:32 +02:00 |
|
|
frack113
|
4394aa685d
|
fix cast
|
2021-10-21 09:47:06 +02:00 |
|
|
frack113
|
6c7d5124f5
|
fix detection
|
2021-10-21 09:28:33 +02:00 |
|
|
frack113
|
216b2d65d9
|
fix SourceImage
|
2021-10-20 19:45:38 +02:00 |
|
|
Thomas Patzke
|
143744bc12
|
Various fixes
* Backslashes in regular expressions
* Casing of condition operators
* Further small errors
|
2021-09-07 23:38:07 +02:00 |
|
|
phantinuss
|
3a9e10d081
|
bulk of new rules to match working UACMe UAC bypasses
|
2021-08-31 12:51:21 +02:00 |
|
|
SomeOne
|
295054dcbe
|
Replace old mitre techniques by new one
|
2021-08-22 13:57:56 +02:00 |
|
|
Austin Songer
|
c9128687ee
|
Spelling Errors on Rules
|
2021-08-18 18:58:20 +00:00 |
|
|
phantinuss
|
246ba0c17f
|
generalise amsi bypass rule to CobaltStrike BOF injection pattern
generalise to CobaltStrike BOF injection pattern
|
2021-08-13 15:34:01 +02:00 |
|
|
phantinuss
|
62eca463ac
|
new rule LittleCorporal generated maldoc process injection
|
2021-08-11 09:25:23 +02:00 |
|
|
Florian Roth
|
eb247704fe
|
Merge pull request #1761 from d4rk-d4nph3/master
Added rule for Cabinet file expansion and Pypykatz
|
2021-08-05 15:50:12 +02:00 |
|
|
phantinuss
|
882ea7ec22
|
fix: remove unnecessary single value list
|
2021-08-04 15:50:39 +02:00 |
|
|
phantinuss
|
994701bd8e
|
CobaltStrike injected AMSI bypass
|
2021-08-04 11:28:58 +02:00 |
|
|
Bhabesh Rai
|
85b88c7646
|
Added rule for pypykatz
|
2021-08-03 15:06:27 +05:45 |
|
|
phantinuss
|
9833cc34e5
|
direct syscall to NtOpenProcess
|
2021-07-28 15:14:30 +02:00 |
|
|
frack113
|
895a2f6154
|
fix 3 times the same name file
|
2021-07-02 11:01:07 +02:00 |
|
|
Bhabesh Rai
|
206adbb2b6
|
Merging upstream updates
|
2021-07-01 12:18:30 +05:45 |
|
|
wagga40
|
11df697cdc
|
Updated rules with modifiers instead of '*' and remove trailing '\\'
|
2021-06-27 14:51:29 +02:00 |
|
|
frack113
|
edfb67ddc7
|
fix TargetImage|endswith
|
2021-06-21 21:21:34 +02:00 |
|
|
frack113
|
6558a5b110
|
fix TargetImage|endswith
|
2021-06-21 21:19:04 +02:00 |
|
|
frack113
|
0bc04605cb
|
fix TargetImage|endswith
|
2021-06-21 21:14:36 +02:00 |
|
|
Florian Roth
|
0377a30893
|
fix: several issues
|
2021-06-14 09:42:25 +02:00 |
|
|
luffynextgen
|
6fd7979659
|
Update sysmon_svchost_cred_dump.yml
|
2021-06-14 08:52:16 +02:00 |
|
|
luffynextgen
|
e170a4a12a
|
Update sysmon_svchost_cred_dump.yml
following the advices given to me I changed the category and the filter to be closer to sysmon field.
|
2021-06-10 14:04:58 +02:00 |
|
|
luffynextgen
|
c75d92410d
|
Create sysmon_svchost_cred_dump.yml
|
2021-06-10 09:30:08 +02:00 |
|
|
Florian Roth
|
5cf7078fb3
|
Merge pull request #1484 from ZikyHD/filter_sysmon_in_memory_assembly_execution
Add filter on sdiagnhost.exe in Suspicious In-Memory Module Execution…
|
2021-05-27 12:55:31 +02:00 |
|
|
Florian Roth
|
8d834cf681
|
Merge pull request #1480 from ZikyHD/fix_sysmon_cred_dump_lsass_access
Add Windows Defender on WL
|
2021-05-27 12:54:15 +02:00 |
|
|
Florian Roth
|
adbdb5b22f
|
Merge branch 'master' into falsepositives_NOT_a_list
|
2021-05-27 10:23:19 +02:00 |
|
|
Florian Roth
|
9b7fb0c0f3
|
Update win_susp_shell_spawn_from_winrm.yml
|
2021-05-22 15:28:50 +02:00 |
|
|
frack113
|
dec9e68876
|
Fix falsepositives list
|
2021-05-21 12:38:44 +02:00 |
|
|
frack113
|
6630ec7c41
|
Fix falsepositives list
|
2021-05-21 12:23:09 +02:00 |
|