b2acd800981e1c8d9f747173eb7803f0405cebd6
4 Commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
 github-actions[bot]
|
08c52c367c |
Merge PR #5027 from @nasbench - Promote older rules status from experimental to test
chore: promote older rules status from experimental to test Co-authored-by: nasbench <nasbench@users.noreply.github.com> |
||
|
Nasreddine Bencherchali
|
598d29f811 |
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
chore: change tags, date, modified fields to comply with v2 of the Sigma spec. chore: update the related type from `obsoletes` to `obsolete`. chore: update local json schema to the latest version. |
||
|
Nasreddine Bencherchali
|
e052677142 |
Merge PR #4577 from @nasbench - Multiple Fixes & Updates
Create Release / Create Release (push) Has been cancelled
fix: Access To Windows Credential History File By Uncommon Application - Enhance FP filters fix: Access To Windows DPAPI Master Keys By Uncommon Application - Enhance FP filters fix: Amsi.DLL Load By Uncommon Process - Moved to threat hunting folder and update false positive filters to remove hardcoded C: fix: Bad Opsec Defaults Sacrificial Processes With Improper Arguments - Typo in condition fix: Credential Manager Access By Uncommon Application - Enhance FP filters fix: Elevated System Shell Spawned From Uncommon Parent Location - Enhance FP filters fix: Execution of Suspicious File Type Extension - Add new extensions to reduce FP fix: Important Windows Eventlog Cleared - Update selection to remove "Application" log as it was generating a lot of FP in some environments fix: Malicious PowerShell Commandlets - ScriptBlock - Remove some part of the selection due to FP matches as they were generic cmdlet names fix: Potential Direct Syscall of NtOpenProcess - Add "Adobe" filter fix: Potential Shim Database Persistence via Sdbinst.EXE - Update FP filter for "iisexpressshim" sdb fix: Potentially Suspicious AccessMask Requested From LSASS - Add new FP filter for "procmon" process fix: PowerView PowerShell Cmdlets - ScriptBlock - Remove some part of the selection due to FP matches as they were generic cmdlet names fix: PSScriptPolicyTest Creation By Uncommon Process - Add new filter for "sdiagnhost" fix: Relevant Anti-Virus Signature Keywords In Application Log - Update false positive filters fix: Remote Access Tool Services Have Been Installed - Security - Fix typo in field name fix: Suspicious File Creation Activity From Fake Recycle.Bin Folder - Remove RECYCLE.BIN\ as it was added as a typo and is a legitimate location. fix: Uncommon Child Process Of Conhost.EXE - Add new FP filters fix: Uncommon File Created In Office Startup Folder - Add new extension to filter out FP generated with MS Access databases fix: Uncommon PowerShell Hosts - Moved to threat hunting folder and updated false positive filter list fix: Use Of Remove-Item to Delete File - ScriptBlock - Moved to threat hunting folder and Update logic to be more accurate fix: User with Privileges Logon - Move to placeholder rules and update the FP filter to account for different workstations fix: Windows Event Auditing Disabled - Enhance list of false positive filters with additional GUID fix: WMI Module Loaded By Uncommon Process - Moved to threat hunting folder and update and restructure false positive filters new: Communication To Uncommon Destination Ports new: Potentially Suspicious Execution Of Regasm/Regsvcs With Uncommon Extension remove: Credential Dumping Tools Service Execution remove: New Service Uses Double Ampersand in Path remove: Powershell File and Directory Discovery remove: PowerShell Scripts Run by a Services remove: Security Event Log Cleared remove: Suspicious Get-WmiObject remove: Windows Defender Threat Detection Disabled update: Access To Browser Credential Files By Uncommon Application - Increase level to medium and enhance filters and selections update: Add Potential Suspicious New Download Source To Winget - Reduce level to medium update: ADFS Database Named Pipe Connection By Uncommon Tool - Enhance coverage by improving paths selection update: CodeIntegrity - Unmet Signing Level Requirements By File Under Validation - Reduce level to low update: Copy From Or To Admin Share Or Sysvol Folder - Enhance selection to be more accurate update: Eventlog Cleared - Update FP filter to remove "Application" log and increase coverage update: Failed Code Integrity Checks - Reduce level to informational update: HH.EXE Execution - Reduce level to low update: Locked Workstation - Reduce level to informational update: Malicious Driver Load By Name - Increase coverage based on LOLDrivers data update: Meterpreter or Cobalt Strike Getsystem Service Installation - Security - Reduce level to high and restructure selections update: Meterpreter or Cobalt Strike Getsystem Service Installation - System - Reduce level to high and restructure selections update: Potential Credential Dumping Activity Via LSASS - Reduce level to medium and comment out noisy access masks update: Potential PowerShell Execution Policy Tampering - Remove "RemoteSigned" as it doesn't fit with the current logic update: Potentially Suspicious Execution Of Regasm/Regsvcs From Uncommon Location - Reduce level to medium and update logic update: Potentially Suspicious Malware Callback Communication - Increase coverage by adding new additional ports update: PUA - Nmap/Zenmap Execution - Reduce level to medium update: PUA - Process Hacker Execution - Reduce level to medium update: PUA - Radmin Viewer Utility Execution - Reduce level to medium update: Rundll32 Execution With Uncommon DLL Extension - Enhance DLL extension list update: SASS Access From Non System Account - Reduce level to medium and enhance false positive filters update: Suspicious Executable File Creation - Enhance coverage by removing hardocded "C:" update: Suspicious Program Location with Network Connections - Increase accuracy by enhancing the selection to focus on the start of the folder and partition update: Suspicious Schtasks From Env Var Folder - Reduce level to medium update: Suspicious Shim Database Patching Activity - Add new processes to increase coverage update: Uncommon Extension Shim Database Installation Via Sdbinst.EXE - Reduce level to medium update: Whoami Utility Execution - Reduce level to low update: Whoami.EXE Execution With Output Option - Reduce level to medium update: Windows Defender Malware Detection History Deletion - Reduce level to informational update: WMI Event Consumer Created Named Pipe - Reduce leve to medium --------- Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com> Thanks: @Blackmore-Robert Thanks: @swachchhanda000 Thanks: @celalettin-turgut Thanks: @AaronS97 |
||
|
Nasreddine Bencherchali
|
e230acd7ed |
Merge PR #4427 from @nasbench - Multiple Fixes & Enhancements
new: Application Terminated Via Wmic.EXE new: Browser Execution In Headless Mode new: Chromium Browser Headless Execution To Mockbin Like Site new: DarkGate User Created Via Net.EXE new: DMP/HDMP File Creation new: Malicious Driver Load new: Malicious Driver Load By Name new: Potentially Suspicious DMP/HDMP File Creation new: Remote DLL Load Via Rundll32.EXE new: Renamed CURL.EXE Execution new: Vulnerable Driver Load new: Vulnerable Driver Load By Name update: 7Zip Compressing Dump Files - Increase coverage update: Amsi.DLL Loaded Via LOLBIN Process - Reduce level to `medium` update: COM Hijack via Sdclt - Fix Logic update: Copy .DMP/.DUMP Files From Remote Share Via Cmd.EXE - Increase coverage update: Creation of an Executable by an Executable - Fix FP update: DLL Load By System Process From Suspicious Locations - Reduce level to `medium` update: DNS Query Request By Regsvr32.EXE - Reduce level to `medium` update: DNS Query To MEGA Hosting Website - DNS Client - Update title and reduce level to `medium` update: DNS Query To MEGA Hosting Website - Reduce level to `low` and update metadata update: DNS Query To Remote Access Software Domain From Non-Browser App - Increase coverage with new domains update: DNS Query To Ufile.io - DNS Client - Update title and reduce level to `low` update: DNS Query To Ufile.io - Update title and reduce level to `low` update: DNS Query Tor .Onion Address - Sysmon - Update title update: DNS Server Discovery Via LDAP Query - Reduce level to `low` and update FP filters update: DriverQuery.EXE Execution - Increase coverage update: File Download From Browser Process Via Inline Link update: Greedy File Deletion Using Del - Increase coverage update: Leviathan Registry Key Activity - Fix logic update: Network Connection Initiated By Regsvr32.EXE - Reduce level to `medium` and metadata update update: Non Interactive PowerShell Process Spawned - Increase coverage update: OceanLotus Registry Activity - Fix Logic update: Office Application Startup - Office Test - Fix Logic update: OneNote Attachment File Dropped In Suspicious Location - Fix FP update: Potential Dead Drop Resolvers - Increase coverage with new domains update: Potential Persistence Via COM Hijacking From Suspicious Locations - Increase coverage and fix logic update: Potential Persistence Via COM Search Order Hijacking - Fix Logic update: Potential Process Hollowing Activity - Update FP filters update: Potential Recon Activity Using DriverQuery.EXE - Increase coverage update: Potential Unquoted Service Path Reconnaissance Via Wmic.EXE - Reduce level to `medium` update: Potentially Suspicious Event Viewer Child Process - Update metadata update: PowerShell Initiated Network Connection - Update description update: PowerShell Module File Created By Non-PowerShell Process - Fix FP update: PsExec Tool Execution From Suspicious Locations - PipeName - Reduce level to `medium` update: Python Image Load By Non-Python Process - Update description and title update: Python Initiated Connection - Update FP filter update: Remote Thread Creation By Uncommon Source Image - Update FP filter update: Renamed AutoIt Execution - Increase coverage update: Suspicious Chromium Browser Instance Executed With Custom Extensions - Increase coverage update: Suspicious WebDav Client Execution Via Rundll32.EXE - New Title update: Sysinternals Tools AppX Versions Execution - Reduce level to `low` update: Sysmon Blocked Executable - Update logsource update: UAC Bypass via Event Viewer - Fix Logic update: UNC2452 Process Creation Patterns - Fix logic update: Usage Of Malicious POORTRY Signed Driver - Deprecated update: Vulnerable AVAST Anti Rootkit Driver Load - Deprecated update: Vulnerable Dell BIOS Update Driver Load - Deprecated update: Vulnerable Driver Load By Name - Deprecated update: Vulnerable GIGABYTE Driver Load - Deprecated update: Vulnerable HW Driver Load - Deprecated update: Vulnerable Lenovo Driver Load - Deprecated update: WebDav Client Execution Via Rundll32.EXE update: Windows Update Error - Reduce level to `informational` and status to `stable` update: Winrar Compressing Dump Files - Increase Coverage --------- Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com> |