commit 9c8a649e6c  Florian Roth  2021-11-26 17:12:33 +01:00
    fix: FP with suspicious svchost.exe rule

commit d91b925873  Florian Roth  2021-11-26 14:42:21 +01:00
    fix: FPs

commit 271e8291a5  phantinuss  2021-11-25 09:24:04 +01:00
    fix: remove unneeded escape

commit 960a03eaf4  frack113  2021-11-24 19:17:00 +01:00
    add lobas Binary

commit 3e8b43e324  Florian Roth  2021-11-24 17:31:44 +01:00
    Merge pull request #2307 from SigmaHQ/aurora-false-positive-fixing
    Aurora false positive fixing

commit f60e8e5d17  Florian Roth  2021-11-24 16:58:53 +01:00
    fix: more false positive filters

commit eb8c9c046b  phantinuss  2021-11-24 16:39:44 +01:00
    rule: download using certreq

commit 88cc418b98  Florian Roth  2021-11-24 13:42:00 +01:00
    Merge branch 'rule-devel' into aurora-false-positive-fixing

commit b807aba67a  phantinuss  2021-11-24 11:41:02 +01:00
    fix: key/value

commit 30b57f33ed  phantinuss  2021-11-24 10:56:58 +01:00
    rule: rundll calling shell32 with dll in suspicious location

commit 2c07bd562f  Florian Roth  2021-11-24 09:27:35 +01:00
    Merge pull request #2301 from SigmaHQ/rule-devel
    refactor: reworked psexec / paexec rules

commit 33c5e027d3  Florian Roth  2021-11-23 18:00:48 +01:00
    refactor: psexec flags

commit 99fc5fc3cc  Florian Roth  2021-11-23 16:34:31 +01:00
    refactor: reworked psexec / paexec rules

commit 42571791b3  Florian Roth  2021-11-22 15:24:46 +01:00
    Merge branch 'rule-devel' into aurora-false-positive-fixing

commit 2c5631f1bf  Florian Roth  2021-11-22 15:23:43 +01:00
    Merge branch 'master' into aurora-false-positive-fixing

commit 68e4864069  Florian Roth  2021-11-22 15:23:28 +01:00
    fix: exclusions in new WinRAR rule

commit 75663ceb46  Florian Roth  2021-11-22 14:15:51 +01:00
    rule: file creation LPE CVE-2021-41379

commit 9a2e7a23fa  Florian Roth  2021-11-22 14:06:50 +01:00
    docs: tags for CVE-2021-41379

commit 023a0f0685  Florian Roth  2021-11-22 14:03:59 +01:00
    Revert "refactor: rule could possibly generate too many FPs"
    This reverts commit 24c4d51796.

commit 24c4d51796  Florian Roth  2021-11-22 11:28:32 +01:00
    refactor: rule could possibly generate too many FPs

commit 7432aa37a0  Florian Roth  2021-11-22 11:02:01 +01:00
    refactor: lsass query info access

commit ab663f9bcf  frack113  2021-11-20 10:56:41 +01:00
    Add MITRE Technique

commit 8f0cee86ac  frack113  2021-11-20 09:53:35 +01:00
    Add Technique tags

commit 1cfca93354  frack113  2021-11-19 22:32:26 +01:00
    Missing status in rules (#2284)
    * add missing status

commit 264db60c5e  frack113  2021-11-19 19:05:36 +01:00
    Merge pull request #2276 from phantinuss/master
    Rule Fix: Paths with Quotes

commit 4acbb15713  Florian Roth  2021-11-19 15:52:21 +01:00
    Merge branch 'master' into rule-devel

commit ecc7181d6e  Florian Roth  2021-11-18 13:34:55 +01:00
    fix: FP with Windows Update Client LOLBIN rule

commit 84476e1dd4  phantinuss  2021-11-18 10:06:03 +01:00
    fix: prevent possible FPs from non-windows native calls using paths surrounded by quotes

commit 7dce83033b  Florian Roth  2021-11-17 19:01:48 +01:00
    rule: Winrar suspicious folder

commit 0109694e26  phantinuss  2021-11-17 15:59:05 +01:00
    enhance emotet rundll32 execution pattern for current campaign

commit 8d6d8c2c92  Florian Roth  2021-11-16 17:30:23 +01:00
    fix: several FPs

commit 4fb833700f  Florian Roth  2021-11-16 12:17:46 +01:00
    Merge branch 'rule-devel' of https://github.com/SigmaHQ/sigma into rule-devel

commit 3be53dfb72  Florian Roth  2021-11-16 12:17:43 +01:00
    refactor: tightened rule

commit 760266ab34  Florian Roth  2021-11-16 12:13:20 +01:00
    Merge branch 'master' into rule-devel

commit 4c1fab644d  Florian Roth  2021-11-16 12:09:03 +01:00
    fix: FPs with Windows Update Client LOLBIN rule

commit 51744b31b4  frack113  2021-11-15 13:38:38 +01:00
    fix name

commit b9be5b262f  frack113  2021-11-15 13:24:26 +01:00
    Add win_pc_susp_reg_bitLocker

commit 5a542431ac  Austin Songer  2021-11-12 11:12:31 -06:00
    Update win_susp_registration_via_cscript.yml

commit 5d0c160e41  Florian Roth  2021-11-11 18:10:05 +01:00
    Merge branch 'master' into pr/2228

commit 791736cb3e  Florian Roth  2021-11-11 17:21:33 +01:00
    Merge pull request #2243 from SigmaHQ/rule-devel
    CobaltStrike DNS beaconing, some FP fixes

commit b61e92ae1d  Florian Roth  2021-11-11 16:12:49 +01:00
    fix: FP with VSCode

commit b7b1ebf772  frack113  2021-11-10 19:12:51 +01:00
    Fix LogonId - SubjectLogonId

commit a4951a29bb  frack113  2021-11-10 18:57:54 +01:00
    Fix detection

commit 3c3bf75aa8  frack113  2021-11-09 17:04:27 +01:00
    fix detection from test

commit 24f3e9db5b  frack113  2021-11-09 16:44:11 +01:00
    fix detection from ref

commit c5fa73c328  frack113  2021-11-09 16:13:29 +01:00
    fix ProcessCommandLine to ParentCommandLine

commit 73e2b5fae6  frack113  2021-11-08 22:46:17 +01:00
    Merge pull request #2233 from frack113/zipexec
    Add win_pc_susp_zipexec

commit d3c3cd9930  frack113  2021-11-08 21:27:25 +01:00
    Merge pull request #2230 from frack113/process_creation_clean
    Process creation directory clean

commit 4672762010  frack113  2021-11-07 21:57:40 +01:00
    add win_pc_susp_zipexec

commit aa8694fdef  frack113  2021-11-06 10:17:12 +01:00
    add missing category