c4f6fedb46
Merge pull request #2816 from redsand/fp_antivirus_symantec_file_print_driver
...
Filtering of symantec submission for analysis
2022-03-16 22:29:00 +01:00
c58f3d0351
Filtering of symantec submission for analysis
2022-03-16 19:07:15 +00:00
1ab03bd9f8
Merge pull request #2815 from SigmaHQ/rule-devel
...
rule: remote thread creation, rule: get-addbaccount
2022-03-16 18:47:03 +01:00
bd8306cd28
Merge pull request #2814 from SigmaHQ/aurora-false-positive-fixing
...
fix: sadly still too many fps with this rule
2022-03-16 18:15:23 +01:00
39811e1405
refactor: uppercase values, DropLoader imphash
2022-03-16 17:56:55 +01:00
16cac67751
fix: indentation
2022-03-16 15:35:54 +01:00
426b3a0906
Merge pull request #2796 from d4rk-d4nph3/master
...
Added rule for shellcode injection by Metasploit and Empire
2022-03-16 15:34:03 +01:00
4445ea6baf
fix: sadly still too many fps with this rule
2022-03-16 15:21:27 +01:00
1099c5630e
rule: remote thread creation, get-addbaccount
2022-03-16 15:21:01 +01:00
8acf6431f5
Merge pull request #2809 from SigmaHQ/rule-devel
...
CrackMapExec patterns, minor addition to ncat rule, rar rule adjusted
2022-03-16 11:25:10 +01:00
4d2a4b74cd
Merge pull request #2808 from SigmaHQ/aurora-false-positive-fixing
...
Aurora false positive fixing
2022-03-16 09:58:21 +01:00
0e1945beaa
refactor: rar usage w password & compression level
2022-03-16 09:57:45 +01:00
125359cfbc
Merge pull request #2810 from SigmaHQ/fix
...
Fixes
2022-03-16 07:29:24 +01:00
f022b087e0
Fixed date format in rule
2022-03-15 23:31:14 +01:00
c818e00fc2
Merge branch 'master' into aurora-false-positive-fixing
2022-03-15 18:07:13 +01:00
b2cdb92b11
fix: FPs with THOR
2022-03-15 18:05:42 +01:00
a10561e084
ncat pattern
2022-03-15 18:05:13 +01:00
306bb438e3
CrackMapExec patterns
2022-03-15 18:05:04 +01:00
87600161bf
new rule from thedfirreport.com
2022-03-15 16:39:12 +01:00
3b09f1c9da
new rule from thedfirreport.com
2022-03-15 16:38:27 +01:00
20125d87c2
new rule from thedfirreport.com
2022-03-15 16:36:57 +01:00
df0d93baa0
Merge pull request #2805 from ionsor/patch-4
...
Update win_dcsync.yml
2022-03-15 16:02:17 +01:00
dd5e10c2f5
Merge pull request #2803 from redsand/fp_remote_powershell_valid_call_ms_archive
...
FP on valid remote call of Powershell Archive.psm1, maybe beneficial …
2022-03-15 12:53:40 +01:00
8014c477cd
Update win_dcsync.yml
...
Added a more detailed source on this detection.
Also included the AccessMask corresponding to “control access” that is specifically registered when access is allowed following extended rights verification (typically associated with the use of high level and explicit permissions that are required to initiate the DCSync attack) as is described in the Black Landern Security blog post.
Added 3 other GUIDs that corresponds to:
1131f6aa-9c07-11d1-f79f-00c04fc2dcd2 - DS-Replication-Get-Changes
9923a32a-3607-11d2-b9be-0000f87a36b2 - DS-Install-Replica
89e95b76-444d-4c62-991a-0facbeda640c - DS-Replication-Get-Changes-In-Filtered-Set
2022-03-15 12:37:07 +01:00
bda0f3cfe0
FP on valid remote call of Powershell Archive.psm1, maybe beneficial to filter all powershell modules in future
2022-03-14 22:23:06 +00:00
e3398dbbec
Merge branch 'rule-devel' of https://github.com/SigmaHQ/sigma into rule-devel
2022-03-14 12:01:55 +01:00
9beafefe52
rules: suspicious linux patterns
2022-03-14 12:01:52 +01:00
7ee62d7f69
Merge branch 'master' into rule-devel
2022-03-14 11:38:44 +01:00
a9b7c365cd
docs: adjusted description
2022-03-13 23:30:44 +01:00
7e0928233b
refactor: split up lsass access rule in two
...
- one with level medium that contains all access attempts using 0x410, 0x1410 and 0x1040
- all other access masks remain in the original rule
2022-03-13 23:29:54 +01:00
ed8d7b36eb
Merge pull request #2799 from frack113/fp_update
...
WindowsUpdate FP
2022-03-13 23:17:54 +01:00
c5263039ae
Merge pull request #2798 from frack113/moonbounce
...
Add proc_creation_win_wmic_remote_command
2022-03-13 22:22:10 +01:00
c5c72124b1
WindowsUpdate FP
2022-03-13 19:22:08 +01:00
70954c8153
Update proc_creation_win_wmic_remote_command.yml
2022-03-13 13:22:10 +01:00
06f51aecf5
Add proc_creation_win_wmic_remote_command
2022-03-13 12:21:00 +01:00
283246cdd0
Fix selection_tools
2022-03-12 11:15:10 +01:00
0bab1f19a9
Add proc_creation_win_network_scan_loop
2022-03-12 10:53:12 +01:00
52f2b7f966
Merge pull request #2795 from SigmaHQ/rule-devel
...
refactor: lsass dump files names, new: NTDS.dit exfiltration activity
2022-03-11 20:56:06 +01:00
1141f00480
fix: more lists with only one parameter
2022-03-11 20:11:06 +01:00
7c1c5d2789
fix: FP noticed with Aurora
2022-03-11 20:07:18 +01:00
1691f09099
fix: list with one item
2022-03-11 20:00:33 +01:00
c843293e47
rules: NTDS.DIT exfiltration
2022-03-11 18:14:09 +01:00
b96d30acc7
docs: adjustments
2022-03-11 18:13:54 +01:00
d033831e98
refactor: increased level of ntdsutil usage
2022-03-11 17:04:58 +01:00
eb2f620089
fix: FP with Suspicius Schtasks rule
2022-03-11 17:04:33 +01:00
d7d9a19cd4
Added rule for shellcode injection by Metasploit and Empire
2022-03-11 20:05:22 +05:45
1fb583b225
fix: FP fix
2022-03-11 11:46:25 +01:00
94d7ef2e7f
Merge pull request #2790 from frack113/malware_dropper
...
Add file_event_win_susp_dropper
2022-03-11 06:27:49 +01:00
1c9fefc478
refactor: add iocs to lsass dump files names
2022-03-10 21:03:16 +01:00
3cb0640192
Add file_event_win_susp_dropper
2022-03-09 20:56:35 +01:00
Florian Roth